
Questions about implementing Atom security

I'm scrambling to finish my Java-based Atom client and server this week (which I will make available to all). I'm making good progress but I ran into a bit of a roadblock last night: authentication.

So I have some questions...

The Atom protocol spec allows digest authentication and CGI authentication. I've already got a WSSE implementation (client and server), so I wonder:

Question 1: does WSSE qualify as CGI authentication?
Question 2: are clients going to implement WSSE if the BigCos and WordPress don't?

One way to implement digest in a Servlet application appears to be Servlet Authentication. But Roller already uses Servlet Authentication with auth-method=FORM. Unfortunately, a Servlet app can only pick one, so at the moment auth-method=DIGEST is out of the question for Roller. Still, I have a stupid question:

Question 3: does Servlet Authentication qualify as digest authentication for Atom?

We've considered switching from Servlet Authentication to Acegi (an open source security library), and Acegi claims to support digest authentication, but I've noticed that Acegi requires that the server has cleartext access to user passwords. In my WSSE implementation I also require clear-text passwords. That brings me to this question:

Question 4: do all digest and WSSE implementations require server-side access to clear-text passwords, or is that just a weakness of the implementations I looked at?

- Dave