Questions about implementing Atom security
I'm scrambling to finish my Java-based Atom client and server this week
(which I will make available to all). I'm making good progress but I
ran into a bit of a roadblock last night: authentication.
So I have some questions...
The Atom protocol spec allows digest authentication and CGI
authentication. I've already got a WSSE implementation (client and
server), so I wonder:
Question 1: does WSSE qualify as CGI authentication
Question 2: are clients going to implement WSSE if the BigCos and
One way to implement digest in a Servlet application appears to be
Servlet Authentication. But, Roller already uses Servlet Authentication
with auth-method=FORM. Unfortunately, a Servlet app can only pick one,
so at the moment auth-form=DIGEST is out of the question for Roller.
Still, I have a stupid question:
Question 3: does Servlet Authentication qualify as digest
authentication for Atom?
We've considered switching from Servlet Authentication to Acegi (an
open source security library) and Acegi claims to support digest
authentication, but I've noticed that Acegi requires that the server
has cleartext access to user passwords. In my WSSE implementation I
also require clear-text passwords. That brings me to this question:
Question 4: do all digest and WSSE implementations require server-side
access to clear-text passwords, or is that just a weakness of the
implementations I looked at?
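As an added illustration of the difference behind Question 4 (example code, not Roller's or Acegi's): HTTP Digest can be verified from a stored HA1 = MD5(username:realm:password), so the server never holds the password itself, whereas the Atom WSSE UsernameToken digest is computed over a per-request nonce and timestamp and can only be checked with the shared secret in hand. The realm, user names and passwords below are constructed sample values; whether the WSSE nonce is hashed as the header's base64 text or its decoded bytes varied between implementations, and this example assumes the header text.

```python
import base64
import hashlib
import hmac

REALM = "roller"  # constructed sample realm

# --- HTTP Digest (RFC 2617) -------------------------------------------------
# The server only needs HA1 = MD5(username:realm:password); it can store that
# at enrollment instead of the cleartext password.
def digest_ha1(username: str, realm: str, password: str) -> str:
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # Simplest RFC 2617 form (no qop): MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def client_digest(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    # Client side: it knows the password, so it derives HA1 itself.
    return digest_response(digest_ha1(username, REALM, password), method, uri, nonce)

def verify_digest(ha1_store: dict, username: str, method: str, uri: str,
                  nonce: str, response: str) -> bool:
    # Server side: recompute from the stored HA1 only; constant-time compare.
    ha1 = ha1_store.get(username)
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce), response)

# --- WSSE UsernameToken, Atom profile ---------------------------------------
# PasswordDigest = Base64(SHA1(Nonce + Created + Password)). Nothing here can
# be precomputed per user, so the server must hold the password (or whatever
# shared secret the client uses in its place). Assumption: the nonce is hashed
# as the header's text rather than its decoded bytes.
def wsse_digest(nonce: str, created: str, password: str) -> str:
    raw = hashlib.sha1((nonce + created + password).encode()).digest()
    return base64.b64encode(raw).decode()

def verify_wsse(password_store: dict, seen_nonces: set, username: str,
                nonce: str, created: str, password_digest: str) -> bool:
    password = password_store.get(username)
    if password is None or nonce in seen_nonces:  # unknown user or replayed nonce
        return False
    seen_nonces.add(nonce)
    return hmac.compare_digest(wsse_digest(nonce, created, password), password_digest)
```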