[security-dev] Resteasy authentication

Bill Burke bburke at redhat.com
Thu Nov 29 11:00:36 EST 2012

On 11/28/2012 10:01 AM, Darran Lofthouse wrote:
> Just catching up on some threads before getting back to some HTTP
> authentication myself.
> On 11/26/2012 09:38 PM, Bill Burke wrote:
>> * Browser-based clients can't negotiate
> That is not completely true - there is a limited level of negotiation
> within browsers as HTTP already supports multiple mechanisms concurrently.

There aren't many protocols that the browser supports for 
WWW-Authenticate challenges.  (Basic and Digest?)  An SSL connection set 
up to "NEED" a client cert will force the browser to prompt the user for 
a cert.  But this isn't negotiation, it's: provide me a cert or you are 
not allowed to connect.

> Within AS7 and Remoting for SASL we provide the client with a list of
> supported mechanism, the client chooses one mechanism - tries to auth,
> fails and then tries the next mechanism on the list.  It is true that
> this sequence is not possible within HTTP.
> However for the HTTP authenticators I am currently working on, instead of
> sending the client the simple list we send them a response containing a
> challenge for each supported mechanism - the browser then chooses which
> mechanism it supports and uses it to respond to the challenge.

I think browsers can just handle basic and digest auth. That's it. Both 
protocols are not really used for browser-based apps.

>> * client-cert auth is just completely different than other auth
>> mechanisms as is part of the socket connection set up, and nothing to do
>> with HTTP
> Combining client-cert auth with other http mechanisms is more about
> prioritising the order we make the decisions regarding authenticating so
> checking if there is a client certificate available on the connection
> that we can use to authenticate before we make the decision to send the
> challenges.

This is problematic too for a couple of reasons.  You can set up your 
socket layer (in JBoss) to NEED a client cert, but unfortunately, this 
will be for *EVERY* web app.  If you change SSL to "WANT" client cert, 
I'm not sure every browser will prompt you for a client cert.

Another thing that sucks is that JBossWeb pretty much requires you to 
plug in a global truststore for client-certs when you configure SSL for 
it.  So, you can't have different truststores for different apps and 
have the security domain handle the verification of the client certificate.

Bill Burke
JBoss, a division of Red Hat
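The multi-challenge flow Darran describes above, as an added example that is not part of the thread and not code from JBoss AS7 or Resteasy: the server answers with one WWW-Authenticate challenge per mechanism it supports in a single 401, and the client parses those challenges (RFC 7235 grammar: scheme, then either a token68 blob or comma-separated auth-params, several challenges allowed per field) and picks the first one it supports in its own preference order. Function names, the mechanism list and the header values are constructed for illustration.

```python
"""Constructed model of HTTP challenge selection (not JBoss/Resteasy code)."""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]  # (scheme lowercased, params; token68 stored under "token68")

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME = re.compile(_TOKEN)
_PARAM = re.compile(rf"({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})")
# token68 form (e.g. "Negotiate <blob>") is only valid when followed by ',' or end of value
_TOKEN68 = re.compile(r"\s+([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")
_SEP = re.compile(r"[\s,]*")


def _unquote(value: str) -> str:
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_values: List[str]) -> List[Challenge]:
    """Parse every challenge from a list of WWW-Authenticate field values.

    A naive split on ',' is wrong because auth-params are also comma-separated;
    a new challenge starts only where a token is NOT followed by '='."""
    challenges: List[Challenge] = []
    for value in header_values:
        pos = _SEP.match(value, 0).end()
        while pos < len(value):
            m = _SCHEME.match(value, pos)
            if not m:
                raise ValueError(f"malformed challenge near offset {pos}: {value!r}")
            scheme, params, pos = m.group().lower(), {}, m.end()
            m68 = _TOKEN68.match(value, pos)
            if m68:
                params["token68"] = m68.group(1)
                pos = m68.end()
            else:
                while True:
                    nxt = _SEP.match(value, pos).end()
                    pm = _PARAM.match(value, nxt)
                    if not pm:
                        break  # next thing is a new scheme or end of value
                    params[pm.group(1).lower()] = _unquote(pm.group(2))
                    pos = pm.end()
            challenges.append((scheme, params))
            pos = _SEP.match(value, pos).end()
    return challenges


def choose_mechanism(challenges: List[Challenge], preference: List[str]) -> Optional[Challenge]:
    """Client side: the CLIENT's preference order decides, not the server's.

    This is the point of the thread: the server cannot force a stronger
    mechanism by ordering alone; a client that lists Basic first will pick
    Basic even when Digest or Negotiate was offered."""
    by_scheme: Dict[str, Dict[str, str]] = {}
    for scheme, params in challenges:
        by_scheme.setdefault(scheme, params)
    for wanted in preference:
        key = wanted.lower()
        if key in by_scheme:
            return key, by_scheme[key]
    return None


def build_401(mechanisms: List[Challenge]) -> str:
    """Server side: one WWW-Authenticate field per supported mechanism."""
    lines = ["HTTP/1.1 401 Unauthorized"]
    for scheme, params in mechanisms:
        if params:
            rendered = ", ".join(
                '{}="{}"'.format(k, v.replace("\\", "\\\\").replace('"', '\\"'))
                for k, v in params.items())
            lines.append(f"WWW-Authenticate: {scheme} {rendered}")
        else:
            lines.append(f"WWW-Authenticate: {scheme}")
    return "\r\n".join(lines) + "\r\n\r\n"


def www_authenticate_values(raw_response: str) -> List[str]:
    """Collect the values of every WWW-Authenticate field in a raw response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            values.append(val.strip())
    return values


if __name__ == "__main__":
    # constructed server offer: three mechanisms in one 401
    response = build_401([("Negotiate", {}),
                          ("Digest", {"realm": "api", "qop": "auth", "nonce": "c0nst"}),
                          ("Basic", {"realm": "api"})])
    print(response)
    offered = parse_challenges(www_authenticate_values(response))
    print("client preferring Digest picks:", choose_mechanism(offered, ["Digest", "Basic"]))
    print("client that only does Basic picks:", choose_mechanism(offered, ["Basic"]))
```

The selection function makes the thread's caveat concrete: since the client, not the server, ranks the challenges, a server that offers Basic alongside stronger mechanisms should only do so over TLS, and a client should refuse to fall back to Basic on a cleartext connection even when it is the only scheme it recognizes.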
