Hi Mark,

Thanks for your comments. My responses inline.

>1. Your reference to sending an encrypted user certificate file to the 
>server demonstrates a lack of understanding of PKI that undermines my 
>confidence that you know what you are doing when it comes to security.

I think I wasn't being clear here. I didn't mean a certificate file as used in 
PKI. I was simply giving an example of some other type of data (besides a 
simple string) that could be used as an authentication key. The example was 
simply a file of any sort.


>2. JAAS provides plug-in authentication.

Sure it does, but NOT for FORM logins. Tomcat (and all other java web servers 
I've come across) allow only authenticating with a username and password. This 
gives flexibility with FORM logins working with Tomcat.


>3. Password hashing is already supported.

While password hashing may be supported, that is only ONE example of a 
manipulation that might be required on a key for authentication. Every time a 
new mechanism arises, making a new implementation in Tomcat can create a bit of 
a mess, but with this form auth API, you can just plug it in.


>4. The implementation is Tomcat specific and hence is non-portable.

That's true in the short term, but as I said there was no change to Tomcat's code, and 
the internal implementation of Tomcat is actually hidden from the Plugin 
classes. So it's actually quite easy to make an implementation of this for a 
number of web servers (and I'm actually making one for Jetty right now). So you 
could keep these classes as their own API that plugs in to Tomcat (which is how 
I made it; the only class Tomcat needs to know about is FormAuthenticator).

David
