[security-dev] Undertow IDM

Darran Lofthouse darran.lofthouse at jboss.com
Thu Apr 25 04:06:31 EDT 2013


One point - within Undertow access to the IDM should not necessarily be 
considered an authentication attempt, i.e. in Digest the IDM may be 
accessed even if the nonce is known to be out of date.

However we do have a notification framework within Undertow for 
successful and failed authentication attempts - that would be a better 
point to handle any locking.

Although at the same point we would need to be very careful how this is 
handled before it becomes an easy denial of service route.


On 24/04/13 20:38, Pedro Igor Silva wrote:
> I think PL IDM can supply most of the methods defined in the IdentityManager interface.
>
> Only not sure about some things related with password reset and account locking. Although the Credential API maintains the history of password updates and custom attributes can also be used. Not sure, but maybe we should have that in PL IDM, built-in support for password reset and account locking.
>
> Regarding DIGEST authentication and the getPassword method, if using PL IDM this method is not necessary because we always store the HA1 value (MD5(username:realm:password)). So you only need to pass the provided password and it will be checked internally.

That is going to be a bigger discussion but not one for this thread, in 
Undertow we need support for stronger hashes in addition to MD5 and also 
need access to the pre-hashed value at the very least to complete the 
Digest implementation.

> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Wednesday, April 24, 2013 3:54:48 PM
> Subject: [security-dev] Undertow IDM
>
> Hi all,
> https://github.com/undertow-io/undertow/tree/master/core/src/main/java/io/undertow/security/idm
>
> I am wondering how we can use PicketLink IDM in Undertow.
>
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
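An added worked example (not Undertow or PicketLink code, and not from anyone on this thread) of the three points above: verifying Digest from a stored HA1 rather than a clear password, with SHA-256 alongside MD5; checking nonce freshness separately from the credential check, so that consulting the identity store for a stale nonce is not itself an authentication failure; and driving lockout only from the notification of a genuine failure, with a short, sliding lock rather than a permanent one so that the lock is not an easy denial of service route. The timestamp-plus-HMAC nonce format, the outcome strings, make_request and FailureTracker are this example's own constructions; the RFC 2617 test vector (user "Mufasa", realm "testrealm@host.com") is used in the self-check.

```python
"""Added example: Digest verification from a stored HA1 (MD5 or SHA-256), a
nonce-freshness check kept separate from the credential check, and lockout
accounting driven only by genuine failures. Not Undertow or PicketLink code;
the nonce format, outcome names, make_request and FailureTracker are assumptions."""
import hashlib
import hmac
import secrets

ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}  # RFC 2617 MD5, RFC 7616 SHA-256


def digest_hash(algorithm, text):
    """Hex digest of text under the Digest 'algorithm' token."""
    return hashlib.new(ALGORITHMS[algorithm], text.encode("utf-8")).hexdigest()


def compute_ha1(username, realm, password, algorithm="MD5"):
    """HA1 = H(username:realm:password): the pre-hashed value the server keeps."""
    return digest_hash(algorithm, f"{username}:{realm}:{password}")


def client_response(ha1, method, uri, nonce, nc, cnonce, algorithm="MD5"):
    """The 'response' field for qop=auth; needs HA1, never the clear password."""
    ha2 = digest_hash(algorithm, f"{method}:{uri}")
    return digest_hash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def issue_nonce(server_key, now):
    """Constructed nonce scheme: issue time plus an HMAC, so validity and age
    can be checked without server-side state."""
    stamp = str(int(now))
    tag = hmac.new(server_key, stamp.encode(), "sha256").hexdigest()[:32]
    return f"{stamp}:{tag}"


def nonce_state(server_key, nonce, now, max_age=300):
    """'valid', 'stale' (ours but expired) or 'invalid' (not ours / malformed)."""
    try:
        stamp, tag = nonce.split(":", 1)
        expected = hmac.new(server_key, stamp.encode(), "sha256").hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            return "invalid"
        return "valid" if 0 <= now - int(stamp) <= max_age else "stale"
    except ValueError:
        return "invalid"


def verify_request(stored_ha1, req, server_key, now):
    """Check one Digest Authorization header (as a dict) against the stored HA1.

    'ok'              fresh nonce, correct response: authenticated
    'stale'           correct response, expired nonce: re-challenge with stale=true
    'bad-credentials' wrong response: the only outcome that is a failed attempt
    'invalid-nonce'   not our nonce: rejected before any credential lookup
    The HA1 is consulted for a stale nonce too, which is why touching the
    identity store cannot by itself be treated as an authentication attempt.
    """
    state = nonce_state(server_key, req["nonce"], now)
    if state == "invalid":
        return "invalid-nonce"
    expected = client_response(stored_ha1, req["method"], req["uri"], req["nonce"],
                               req["nc"], req["cnonce"], req["algorithm"])
    if not hmac.compare_digest(expected, req["response"]):
        return "bad-credentials"
    return "ok" if state == "valid" else "stale"


def make_request(ha1, nonce, algorithm="MD5", method="GET", uri="/secure"):
    """Build the header fields a client would send for a fixed request (helper)."""
    cnonce = secrets.token_hex(8)
    return {"method": method, "uri": uri, "nonce": nonce, "nc": "00000001",
            "cnonce": cnonce, "algorithm": algorithm,
            "response": client_response(ha1, method, uri, nonce, "00000001", cnonce, algorithm)}


class FailureTracker:
    """Lockout accounting fed from authentication outcome notifications.

    A permanent lock after N failures lets anyone who knows a username deny
    that user service, so this lock is short and the failure window slides;
    'stale' and 'invalid-nonce' outcomes are never counted.
    """

    def __init__(self, threshold=5, window=60, lock_seconds=30):
        self.threshold, self.window, self.lock_seconds = threshold, window, lock_seconds
        self.failures = {}      # account -> recent failure timestamps
        self.locked_until = {}  # account -> unlock time

    def on_notification(self, account, outcome, now):
        if outcome == "ok":
            self.failures.pop(account, None)
        elif outcome == "bad-credentials":
            recent = [t for t in self.failures.get(account, []) if now - t <= self.window]
            recent.append(now)
            self.failures[account] = recent
            if len(recent) >= self.threshold:
                self.locked_until[account] = now + self.lock_seconds

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)


if __name__ == "__main__":
    key, now = secrets.token_bytes(32), 1_700_000_000   # constructed server key and clock
    ha1 = compute_ha1("alice", "example", "correct horse", "SHA-256")
    nonce = issue_nonce(key, now)
    print(verify_request(ha1, make_request(ha1, nonce, "SHA-256"), key, now))         # ok
    print(verify_request(ha1, make_request(ha1, nonce, "SHA-256"), key, now + 1000))  # stale
```

Run as a script it prints "ok" for a fresh nonce and "stale" for the same credentials 1000 seconds later; only a wrong HA1 yields "bad-credentials", and that is the only outcome FailureTracker counts.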
