[security-dev] Undertow / IdentityManager and Digest Authentication
darran.lofthouse at jboss.com
Tue Apr 30 08:26:28 EDT 2013
As there is going to be an integration layer between Undertow and
PicketLink IDM I think the main requirement for PicketLink IDM is going
to be: -
- Where PLIDM has access to plain text passwords for a specified
account and using the specified digest algorithm generate the digest for
the username, realm and password separated by colons.
- Where PLIDM is storing pre-prepared digests for a specified account
look up the pre-prepared username, realm, password digest for the
This latter option relates to something I brought up a while ago where a
single credential could be associated with an account in a number of
different formats - what this means is that the Digest algorithms can
potentially go beyond MD5 to use stronger digest algorithms.
The pre-prepared digests do offer some protection but PLIDM would still
be responsible for storing them securely to provide protection against
accidental disclosure. The most important thing however is that we do
not need the plain text passwords to be passed onto the Undertow or SASL
classes handling the actual authentication.
On 30/04/13 12:56, Shane Bryzak wrote:
> Looks pretty straight forward - what do you need from the PicketLink
> side for this? The PLIDM implementation should be quite simple, I can
> help out with it if required.
> On 30/04/13 19:24, Darran Lofthouse wrote:
>> I have been saying for a while that I need to raise a discussion
>> regarding the verification of Digest based requests against an
>> At the moment this is predominantly needed for Undertow although there
>> is also a need for same with SASL.
>> The following document describes the proposed use of the Undertow
>> IdentityManager API and the requirement for the implementation i.e. what
>> we would need from PicketLink IDM once wrapped in the WildFly integration: -
>> The three methods on the IdentityManager interface previously used for
>> Digest based authentication will all be removed.
>> An identity manager that can provide this capability will also be
>> compatible with SASL based authentication without needing to be aware of
>> the actual verification requirements within SASL.
>> Darran Lofthouse.
>> security-dev mailing list
>> security-dev at lists.jboss.org
> security-dev mailing list
> security-dev at lists.jboss.org
More information about the security-dev