<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">What PicketLink stores for digests is
      the latter [1] (in no situation do we ever store plain text
      passwords).&nbsp; There are essentially two methods for validating and
      managing credentials in the IdentityManager [2] (three if you
      count one extra overloaded method):<br>
      <br>
      void validateCredentials(Credentials credentials);<br>
      void updateCredential(Agent agent, Object credential);<br>
      <br>
      There is no API method for retrieving an actual credential value
      so by design credential storage is quite secure.<br>
      <br>
      To briefly summarise how things work for a digest authentication
      in PicketLink; we would pass in an instance of DigestCredentials
      [3] to the IdentityManager.validateCredentials() method, which is
      essentially a wrapper around a Digest [4] (which should look quite
      familiar).&nbsp; The actual implementation of the validation logic can
      be found in DigestCredentialHandler [5].<br>
      <br>
      <br>
      [1]
      <a
href="https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialStorage.java">https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialStorage.java</a><br>
      [2]
      <a
href="https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/IdentityManager.java">https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/IdentityManager.java</a><br>
      [3]
      <a
href="https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/credential/DigestCredentials.java">https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/credential/DigestCredentials.java</a><br>
      [4]
      <a
href="https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/credential/Digest.java">https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/credential/Digest.java</a><br>
      [5]
      <a
href="https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialHandler.java">https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialHandler.java</a><br>
      <br>
      Shane<br>
      <br>
      On 30/04/13 22:26, Darran Lofthouse wrote:<br>
    </div>
    <blockquote cite="mid:517FB874.2030701@jboss.com" type="cite">
      <pre wrap="">As there is going to be an integration layer between Undertow and 
PicketLink IDM I think the main requirement for PicketLink IDM is going 
to be: -

  - Where PLIDM has access to plain text passwords for a specified 
account and using the specified digest algorithm generate the digest for 
the username, realm and password separated by colons.

  - Where PLIDM is storing pre-prepared digests for a specified account 
look up the pre-prepared username, realm, password digest for the 
algorithm specified.

This latter option relates to something I brought up a while ago where a 
single credential could be associated with an account in a number of 
different formats - what this means is that the Digest algorithms can 
potentially go beyond MD5 to use stronger digest algorithms.

The pre-prepared digests do offer some protection but PLIDM would still 
be responsible for storing them securely to provide protection against 
accidental disclosure.  The most important thing however is that we do 
not need the plain text passwords to be passed onto the Undertow or SASL 
classes handling the actual authentication.

Regards,
Darran Lofthouse.


On 30/04/13 12:56, Shane Bryzak wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Looks pretty straight forward - what do you need from the PicketLink
side for this?  The PLIDM implementation should be quite simple, I can
help out with it if required.

Shane

On 30/04/13 19:24, Darran Lofthouse wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">I have been saying for a while that I need to raise a discussion
regarding the verification of Digest based requests against an
IdentityManager.

At the moment this is predominantly needed for Undertow although there
is also a need for same with SASL.

The following document describes the proposed use of the Undertow
IdentityManager API and the requirement for the implementation i.e. what
we would need from PicketLink IDM once wrapped in the WildFly integration: -

<a class="moz-txt-link-freetext" href="https://community.jboss.org/wiki/Undertow-IdentityManager-DigestAuthentication">https://community.jboss.org/wiki/Undertow-IdentityManager-DigestAuthentication</a>

The three methods on the IdentityManager interface previously used for
Digest based authentication will all be removed.

An identity manager that can provide this capability will also be
compatible with SASL based authentication without needing to be aware of
the actual verification requirements within SASL.

Regards,
Darran Lofthouse.
_______________________________________________
security-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
        </blockquote>
        <pre wrap="">
_______________________________________________
security-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>

</pre>
      </blockquote>
      <pre wrap="">_______________________________________________
security-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
    </blockquote>
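    <p>As an added illustration of the flow the two messages above describe (example code written for this note, not PicketLink's or Undertow's own API), the sketch below keeps only pre-prepared H(username:realm:password) digests, one per supported algorithm, and validates an RFC 2617-style Digest response against them, so the plaintext password never reaches the code handling authentication. The store layout, the realm <code>wildfly</code>, the function names and the sample account are all constructed assumptions.</p>

```python
import hashlib
import hmac

def _hash(algorithm, data):
    """Hex digest of data under an RFC 2617/7616 algorithm name ("MD5", "SHA-256")."""
    name = algorithm.lower().replace("-", "")  # hashlib spells them md5, sha256
    return hashlib.new(name, data.encode("utf-8")).hexdigest()

def make_ha1(username, realm, password, algorithm="MD5"):
    """HA1 = H(username:realm:password): the pre-prepared digest worth storing."""
    return _hash(algorithm, f"{username}:{realm}:{password}")

def enrol(store, username, realm, password, algorithms=("MD5", "SHA-256")):
    """Prepare one HA1 per supported algorithm at enrolment; the plaintext is then dropped.
    (Stand-in for an updateCredential-style call; hypothetical store layout.)"""
    digests = {alg: make_ha1(username, realm, password, alg) for alg in algorithms}
    store[username] = {"realm": realm, "digests": digests}

def client_response(password, username, realm, algorithm, method, uri,
                    nonce, nc, cnonce, qop):
    """What a browser or SASL client computes (RFC 2617, qop=auth); used to build samples."""
    ha1 = make_ha1(username, realm, password, algorithm)
    ha2 = _hash(algorithm, f"{method}:{uri}")
    return _hash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def validate_digest(store, username, realm, algorithm, method, uri,
                    nonce, nc, cnonce, qop, response):
    """Server side: verify against the stored HA1 only; the password is never needed."""
    account = store.get(username)
    if account is None or account["realm"] != realm:
        return False  # unknown account, or a realm the digest was not prepared for
    ha1 = account["digests"].get(algorithm)
    if ha1 is None:
        return False  # no pre-prepared digest for the algorithm the client used
    ha2 = _hash(algorithm, f"{method}:{uri}")
    expected = _hash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # Constant-time comparison; the response hex may arrive upper- or lower-case.
    return hmac.compare_digest(expected.encode(), response.lower().encode())

if __name__ == "__main__":
    store = {}
    enrol(store, "alice", "wildfly", "correct horse")  # constructed sample account
    req = ("alice", "wildfly", "SHA-256", "GET", "/secure",
           "dcd98b7102dd2f0e", "00000001", "0a4f113b", "auth")
    print(validate_digest(store, *req, client_response("correct horse", *req)))  # True
```

A request naming an algorithm for which no digest was prepared (say SHA-512-256) is rejected before any hashing, which is the lookup-by-algorithm behaviour the second requirement asks for.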
    <br>
  </body>
</html>