[security-dev] Undertow / IdentityManager and Digest Authentication

Bill Burke bburke at redhat.com
Tue Apr 30 09:00:15 EDT 2013

I"ve personally always had a real problem with the IdentityManager 
dealing with protocol specific aspects or even verifying credentials. 
Verifying credentials can often be a product of the auth protocol, 
digest is a perfect example.  Having the IDM manage nonces and such is 
even more wrong as you're placing a lot on a service that is supposed to 
be generic.    Protocol and verification should be separate from the IDM 
API.  The IDM API should be an identity store for identity metadata only.

Instead you should be querying the IDM for metadata you need to perform 
the authentication protocol.

i.e. for Digest (this is pseudo-code, but I hope you understand)

byte[] hash = idm.getUserData(user, "USERNAME_REALM_PASSWORD_MD5_HASH");
if (hash == null) {
    String username = idm.getUserData(user, "USERNAME");
    String password = idm.getUserData(user, "UNHASHED_PASSWORD");
    String realm = idm.getUserData(user, "REALM_NAME");

    hash = hashMD5(username, password, realm);


There's nothing stopping Picketlink from providing utility libraries to 
help implement the digest protocol, but IMO, metadata, protocol, and 
credential verification need to be completely separate APIs.  I've 
brought this up with the Picketlink team a few times and it was in one 
ear, out the other.  "You can just not use the credential verification 
methods on IDM API".  I hope you can at least be more open to my 
concerns and discuss them a little.

On 4/30/2013 5:24 AM, Darran Lofthouse wrote:
> I have been saying for a while that I need to raise a discussion
> regarding the verification of Digest based requests against an
> IdentityManager.
> At the moment this is predominantly needed for Undertow although there
> is also a need for same with SASL.
> The following document describes the proposed use of the Undertow
> IdentityManager API and the requirement for the implementation i.e. what
> we would need from PicketLink IDM once wrapped in the WildFly integration: -
> https://community.jboss.org/wiki/Undertow-IdentityManager-DigestAuthentication
> The three methods on the IdentityManager interface previously used for
> Digest based authentication will all be removed.
> An identity manager that can provide this capability will also be
> compatible with SASL based authentication without needing to be aware of
> the actual verification requirements within SASL.
> Regards,
> Darran Lofthouse.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list