<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Challenge/Response enabled Authentication Framework
</h3>
<span style="margin-bottom: 10px;">
created by <a href="https://community.jboss.org/people/anil.saldhana">Anil Saldhana</a> in <i>PicketBox Development</i> - <a href="https://community.jboss.org/message/749605#749605">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Wondering if SASL is the perfect candidate for a challenge/response enabled authentication framework with multiple authentication mechanism support.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Wikipedia entry on <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</a>.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Apart from a challenge/response framework, it has support for the following protocols.</p><h2><span class="mw-headline" id="SASL_mechanisms"></span></h2><p>A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms<sup class="reference" id="cite_ref-0"><a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#cite_note-0">[1]</a></sup> include:</p><ul><li>"EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/IPsec">IPsec</a> or <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</a>)</li><li>"ANONYMOUS", for unauthenticated guest access</li><li>"PLAIN", a simple <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Cleartext">cleartext</a> <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Password">password</a> mechanism. PLAIN obsoleted the LOGIN mechanism.</li><li>"OTP", a <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/One-time_password">one-time password</a> mechanism. OTP obsoleted the SKEY Mechanism.</li><li>"SKEY", an <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/S/KEY">S/KEY</a> mechanism.</li><li>"<a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/CRAM-MD5">CRAM-MD5</a>", a simple challenge-response scheme based on <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/HMAC">HMAC-MD5</a>.</li><li>"<a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Digest_access_authentication">DIGEST-MD5</a>", <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/HTTP">HTTP</a> Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offers a data security layer.</li><li>"<a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/SCRAM">SCRAM</a>", modern challenge-response scheme based mechanism with channel binding support</li><li>"<a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/NTLM">NTLM</a>", an NT LAN Manager authentication mechanism</li><li>"<a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/GSSAPI">GSSAPI</a>", for <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Kerberos_protocol">Kerberos</a> V5 authentication via the <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface">GSSAPI</a>. GSSAPI offers a data-security layer.</li><li><a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/MSN_Chat#GateKeeper_and_GateKeeperPassport">GateKeeper</a> (& <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/MSN_Chat#GateKeeper_and_GateKeeperPassport">GateKeeperPassport</a>), a challenge-response mechanism developed by <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Microsoft">Microsoft</a> for <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/MSN_Chat">MSN Chat</a></li></ul><p>The <tt>GS2</tt> family of mechanisms supports arbitrary <a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/GSS-API">GSS-API</a> mechanisms in SASL.<sup class="reference" id="cite_ref-1"><a class="jive-link-external-small" href="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#cite_note-1">[2]</a></sup> It is now standardized as <a class="jive-link-external-small" href="http://tools.ietf.org/html/rfc5801">RFC 5801</a>.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I consulted Darran about this and here are his thoughts.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">
(09:09:34 AM) anilsaldhana: darran: regarding a challenge/response based authentication framework, do u think sasl is sufficient?
(09:10:34 AM) anilsaldhana: darran: given that it has many possible protocols including silent
(09:11:50 AM) darran: asaldhan, from a non-HTTP perspective my feeling is yes, some of the Java provided APIs are not as easy / safe as they should be but the actual process at the transport level is good, we could optimise to do more concurrently but thats about it really
darran dehort
(09:13:07 AM) anilsaldhana: darran: right. I was asking mainly from non-http perspective.
(09:13:19 AM) anilsaldhana: darran: thanks for the guidance.
(09:13:53 AM) darran: a couple of API examples are CallbackHandler issues related to not clearly advertising what is supported or what is needed regarding callbacks, from a mechanism perspective there is also a lack of 'lifecycle' say to confirm success or failure of an auth process but all of these could be addressed without afecting the underlynig use of SASL
(09:14:42 AM) anilsaldhana: darran: of course.
</code></pre><h2></h2><p>PicketBox Core can natively support SASL. We will include darran's jboss-sasl project.</p><h2> <span class="mw-headline" id="SASL-aware_application_protocols"></span></h2><p><span class="mw-headline"><br/></span></p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="https://community.jboss.org/message/749605#749605">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in PicketBox Development at <a href="https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>