[wildfly-dev] Removing curl support from management HTTP

Darran Lofthouse darran.lofthouse at jboss.com
Wed Jan 8 15:19:12 EST 2014



On 08/01/14 20:00, Aleksandar Kostadinov wrote:
> I'm not sure what other auth mechanism you are talking about. There
> might be something new and very elaborated.
>
> But the problem with non-encrypted connections is that any hash could be
> used without the need to recover the plain text password.

They still need to go through the trouble of processing the hash to 
discover the password used to create the hash.

However I will start some threads later on the actual changes, all I am 
looking for at the moment is to verify how widely tools like curl are 
currently used to confirm if we need to spend time considering them.

> With cookies,
> one can sniff and use them.
> Yes, it is somehow worse to steal the plaintext password but at the end
> do benefits outweigh the inconvenience and effort?
>
> Jason Greene wrote, On 01/08/2014 07:25 PM (EEST):
>> So the big problem is that http digest has not been updated to use stronger crypto hash. There is a proposed RFC but no one has implemented it.
>>
>> We could implement it and contribute that to curl as well but I suspect we still need standard digest compatibility until most OS's have caught up with that version of curl.
>>
>> Alternatively we could move to SSL by default, and switch to plain with scrypt and solve the various challenges there.
>>
>>> On Jan 8, 2014, at 11:02 AM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:
>>>
>>>
>>>
>>>> On 08/01/14 15:39, Thomas Segismont wrote:
>>>> On 08/01/2014 15:36, Darran Lofthouse wrote:
>>>>> Not necessarily, new features are being discussed regarding
>>>>> authentication at this point I am just trying to confirm if my
>>>>> perception that users are using tools like curl is actually true ;-)
>>>>
>>>> Sorry this is maybe a stupid question but what do you mean by "curl
>>>> support"? Is there anything special done when the HTTP client is curl?
>>>
>>> As it stands today as we are only using the standard HTTP authentication
>>> mechanisms there is nothing special other than maybe a --digest argument
>>> to make a call using curl.
>>>
>>>>
>>>> Thomas
>>>>
>>>> _______________________________________________
>>>> wildfly-dev mailing list
>>>> wildfly-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>>
>
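
The thread above argues about what a sniffer on a plaintext management connection actually gets from HTTP Digest: Aleksandar's point that a hash can be reused without recovering the password, Darran's that the captured value still has to be cracked, and Jason's that Digest is stuck on MD5 with a SHA-256 variant only proposed. The following is an added example written for this page, not code from WildFly or from anyone in the thread. It builds the RFC 2617 Authorization header (qop=auth, the same construction curl emits with --digest), checks it server-side using only the stored HA1, and runs an offline dictionary attack against the captured header. The realm name, nonce, cnonce, username, password, wordlist and the /management path are constructed sample values; the SHA-256 mode uses the algorithm later standardised in RFC 7616, which keeps the MD5-era response construction and only swaps the hash.

```python
"""Added example (not from the wildfly-dev thread): what HTTP Digest puts on
the wire over plain HTTP, and what a passive observer can do with it."""
import hashlib
import re

# hashlib name -> the label carried in the 'algorithm' parameter, and back.
ALGO_LABEL = {"md5": "MD5", "sha256": "SHA-256"}
ALGO_BY_LABEL = {label: name for name, label in ALGO_LABEL.items()}


def _hexdigest(algo, data):
    """Hex digest of a UTF-8 string under the named hashlib algorithm."""
    return hashlib.new(algo, data.encode("utf-8")).hexdigest()


def ha1(username, realm, password, algo="md5"):
    """HA1 = H(username:realm:password).  A digest-enabled server stores this,
    and it is all a client needs to answer a challenge, so for this realm it
    is password-equivalent: whoever holds HA1 need not know the password."""
    return _hexdigest(algo, f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth", algo="md5"):
    """RFC 2617 'response' for qop=auth.  RFC 7616 keeps this construction
    and only changes the hash function (e.g. SHA-256 instead of MD5)."""
    ha2 = _hexdigest(algo, f"{method}:{uri}")
    return _hexdigest(algo, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, ha1_hex, method, uri, nonce, cnonce,
                        nc="00000001", algo="md5"):
    """The Authorization header a client (curl --digest included) sends back
    after receiving the server's nonce.  Everything here crosses the wire."""
    response = digest_response(ha1_hex, method, uri, nonce, nc, cnonce, "auth", algo)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}", algorithm={ALGO_LABEL[algo]}')


# key=value pairs, value either "quoted" or a bare token (qop=auth, nc=...).
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {k: quoted if quoted else bare
            for k, quoted, bare in _PARAM.findall(header[len("Digest "):])}


def verify_at_server(header, method, stored_ha1):
    """Server-side check: recomputes the response from the stored HA1 only.
    The password itself is never needed, which is why a leaked HA1 is enough
    to log in."""
    p = parse_authorization(header)
    algo = ALGO_BY_LABEL.get(p.get("algorithm", "MD5"), "md5")
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p["nc"], p["cnonce"], p["qop"], algo)
    return expected == p["response"]


def crack_sniffed_response(header, method, wordlist):
    """Offline dictionary attack on a header captured from plain HTTP: every
    input to 'response' except the password is in the header, so each guess
    costs a few hash computations and no further contact with the server.
    Returns the recovered password, or None if the wordlist misses."""
    p = parse_authorization(header)
    algo = ALGO_BY_LABEL.get(p.get("algorithm", "MD5"), "md5")
    for guess in wordlist:
        candidate = digest_response(ha1(p["username"], p["realm"], guess, algo),
                                    method, p["uri"], p["nonce"], p["nc"],
                                    p["cnonce"], p["qop"], algo)
        if candidate == p["response"]:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values: realm as in a default WildFly management
    # config, arbitrary nonce/cnonce, a weak password for the demo.
    REALM = "ManagementRealm"
    NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    stored = ha1("admin", REALM, "s3cret")
    sniffed = build_authorization("admin", REALM, stored, "GET", "/management", NONCE, CNONCE)
    print("on the wire:", sniffed)
    print("server accepts with HA1 alone:", verify_at_server(sniffed, "GET", stored))
    print("recovered offline:", crack_sniffed_response(sniffed, "GET", ["password", "admin", "s3cret"]))
    # Same exchange with SHA-256: a stronger hash, but the same attack shape.
    stored256 = ha1("admin", REALM, "s3cret", "sha256")
    sniffed256 = build_authorization("admin", REALM, stored256, "GET", "/management",
                                     NONCE, CNONCE, algo="sha256")
    print("sha256 recovered offline:", crack_sniffed_response(sniffed256, "GET", ["s3cret"]))
```

Two things worth noticing when running it: verify_at_server never sees a password, so a copy of the server's HA1 store (or of a header's HA1, if the nonce is ever reused) logs in directly, and crack_sniffed_response needs nothing beyond the captured header, so switching MD5 for SHA-256 raises the per-guess cost but does not change that a weak password falls to a wordlist. Neither point arises when the connection is encrypted, which is the SSL-by-default option raised in the thread.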

