Re: [jetty-users] Adding Credential Types?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Adding Credential Types?

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Fri, 4 Nov 2011 22:05:57 -0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Whoops.

Sorry.

That is no longer a proposal.

It's got a formal RFC assigned to it now - http://tools.ietf.org/html/rfc5843

Additional Hash Algorithms for HTTP Instance Digests

Joakim Erdfelt

joakim@xxxxxxxxxxx

http://webtide.com | http://intalio.com

(the people behind jetty and cometd)

On Fri, Nov 4, 2011 at 10:04 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:

Som quick research turned up these two specs ...

http://tools.ietf.org/html/rfc3230
Instance Digests in HTTP
This only talks about SHA-1 (for SHA-512 you want SHA-2)

and a proposal/draft
http://tools.ietf.org/html/draft-bryan-http-digest-algorithm-values-update-04

Additional Hash Algorithms for HTTP Instance Digests
This introduces SHA-2 algorithms to RFC3230

refs:
SHA-1 - http://en.wikipedia.org/wiki/SHA-1

SHA-2 - http://en.wikipedia.org/wiki/SHA-2

--
Joakim Erdfelt

joakim@xxxxxxxxxxx

http://webtide.com | http://intalio.com
(the people behind jetty and cometd)

On Fri, Nov 4, 2011 at 9:31 PM, Guy Hillyer <jetty-users@xxxxxxxxxxxxxx> wrote:
Stephen, I am no expert, but I happen to have started working in this
area in the past couple of days. Jetty's abstract Credential class does
not seem to be extensible, since it has knowledge of its concrete (and
nested) subtypes.

But I think the problem goes deeper than that. You need cooperation
from the browser to extend credential types. How will you achieve that?

As far as I know (not very) the last word on http authentication
standards is RFC2617, which specifies MD5. I'd be happy to learn that
there is more flexibility here than I understand there to be.

On 11/04/2011 11:28 PM, Stephen G. Walizer wrote:
> I'd like to extend the authentication system in an embedded Jetty 7 to use a custom variant of JDBCLoginService so that it knows the password format without requiring the prefix:data format (for example md5:hash). I can see how I could build and set a new LoginService but how would I go about adding additional Credential types to be used?
>
> Alternately I'd even settle for adding Credential types using the algorithm:data format for something more secure like SHA-512.
>
> Thanks!
> -----------------------------------------------------------
> - stephen.g.walizer - sgw@xxxxxxxxxxx
> -----------------------------------------------------------
>
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users

Follow-Ups:
- Re: [jetty-users] Adding Credential Types?
  - From: Stephen G. Walizer

References:
- Re: [jetty-users] Adding Credential Types?
  - From: Guy Hillyer
- Re: [jetty-users] Adding Credential Types?
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] Adding Credential Types?
Next by Date: Re: [jetty-users] Adding Credential Types?
Previous by thread: Re: [jetty-users] Adding Credential Types?
Next by thread: Re: [jetty-users] Adding Credential Types?
Index(es):
- Date
- Thread

Breadcrumbs