Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion "Challenge/Response enabled Authentication Framework"
To view the discussion, visit: https://community.jboss.org/message/749605#749605
--------------------------------------------------------------
Wondering if SASL is the perfect candidate for a challenge/response enabled authentication
framework with multiple authentication mechanism support.
Wikipedia entry on SASL: http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
Apart from a challenge/response framework, it has support for the following protocols.
A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms include:
* "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec [http://en.wikipedia.org/wiki/IPsec] or TLS [http://en.wikipedia.org/wiki/Transport_Layer_Security])
* "ANONYMOUS", for unauthenticated guest access
* "PLAIN", a simple cleartext [http://en.wikipedia.org/wiki/Cleartext] password [http://en.wikipedia.org/wiki/Password] mechanism. PLAIN obsoleted the LOGIN mechanism.
* "OTP", a one-time password [http://en.wikipedia.org/wiki/One-time_password] mechanism. OTP obsoleted the SKEY mechanism.
* "SKEY", an S/KEY [http://en.wikipedia.org/wiki/S/KEY] mechanism.
* "CRAM-MD5" [http://en.wikipedia.org/wiki/CRAM-MD5], a simple challenge-response scheme based on HMAC-MD5 [http://en.wikipedia.org/wiki/HMAC].
* "DIGEST-MD5" [http://en.wikipedia.org/wiki/Digest_access_authentication], an HTTP [http://en.wikipedia.org/wiki/HTTP] Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offers a data security layer.
* "SCRAM" [http://en.wikipedia.org/wiki/SCRAM], a modern challenge-response scheme based mechanism with channel binding support
* "NTLM" [http://en.wikipedia.org/wiki/NTLM], an NT LAN Manager authentication mechanism
* "GSSAPI" [http://en.wikipedia.org/wiki/GSSAPI], for Kerberos V5 [http://en.wikipedia.org/wiki/Kerberos_protocol] authentication via the GSSAPI [http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Progra...]. GSSAPI offers a data-security layer.
* GateKeeper (& GateKeeperPassport) [http://en.wikipedia.org/wiki/MSN_Chat#GateKeeper_and_GateKeeperPassport], a challenge-response mechanism developed by Microsoft [http://en.wikipedia.org/wiki/Microsoft] for MSN Chat [http://en.wikipedia.org/wiki/MSN_Chat]
The GS2 family of mechanisms supports arbitrary GSS-API [http://en.wikipedia.org/wiki/GSS-API] mechanisms in SASL. It is now standardized as RFC 5801 [http://tools.ietf.org/html/rfc5801].
I consulted Darran about this and here are his thoughts.
(09:09:34 AM) anilsaldhana: darran: regarding a challenge/response based authentication framework, do u think sasl is sufficient?
(09:10:34 AM) anilsaldhana: darran: given that it has many possible protocols including silent
(09:11:50 AM) darran: asaldhan, from a non-HTTP perspective my feeling is yes, some of the Java provided APIs are not as easy / safe as they should be but the actual process at the transport level is good, we could optimise to do more concurrently but that's about it really
darran dehort
(09:13:07 AM) anilsaldhana: darran: right. I was asking mainly from non-http perspective.
(09:13:19 AM) anilsaldhana: darran: thanks for the guidance.
(09:13:53 AM) darran: a couple of API examples are CallbackHandler issues related to not clearly advertising what is supported or what is needed regarding callbacks, from a mechanism perspective there is also a lack of 'lifecycle' say to confirm success or failure of an auth process but all of these could be addressed without affecting the underlying use of SASL
(09:14:42 AM) anilsaldhana: darran: of course.
PicketBox Core can natively support SASL. We will include darran's jboss-sasl project.
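Added example (not code from this thread, from PicketBox or from jboss-sasl): the challenge/response process discussed above, driven through the JDK's javax.security.sasl API with CRAM-MD5 (server-first challenge, client HMAC response, server verification), including a wrong-password run to show how failure is reported. It assumes a JDK 16 or later with the default SunSASL provider; the user name, secret and host name are constructed demo values.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
public class CramMd5Exchange {
    static final String USER = "alice", HOST = "mail.example.test";   // constructed demo values
    static final char[] SECRET = "s3cr3t".toCharArray();              // a real server reads its user store
    // Client side: the JDK asks for NameCallback + PasswordCallback when the client is created.
    static CallbackHandler clientHandler(char[] secret) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback nc) nc.setName(USER);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(secret);
                else throw new UnsupportedCallbackException(cb);   // nothing advertises which callbacks come
            }
        };
    }
    // Server side: NameCallback carries the claimed user as its default name; the mechanism needs
    // that user's secret to recompute the HMAC, then asks for an authorization decision.
    static CallbackHandler serverHandler() {
        return cbs -> {
            String claimed = null;
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback nc) claimed = nc.getDefaultName();
                else if (cb instanceof PasswordCallback pc) {   // unknown user: leave the password unset
                    if (USER.equals(claimed)) pc.setPassword(SECRET);
                } else if (cb instanceof AuthorizeCallback ac) {
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    // Mechanism-agnostic driver: shuttle challenges and responses until the server completes.
    // Success is observable only through isComplete(); failure surfaces as a SaslException.
    static String authenticate(SaslClient client, SaslServer server) throws SaslException {
        byte[] msg = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
        while (!server.isComplete()) {
            if (msg == null) throw new SaslException("exchange ended before the server completed");
            msg = server.evaluateResponse(msg);                      // next challenge, or null when done
            if (msg != null && !client.isComplete()) msg = client.evaluateChallenge(msg);
        }
        return server.getAuthorizationID();
    }
    static String tryLogin(char[] secret) throws SaslException {
        SaslClient c = Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "imap", HOST, null, clientHandler(secret));
        return authenticate(c, Sasl.createSaslServer("CRAM-MD5", "imap", HOST, null, serverHandler()));
    }
    public static void main(String[] args) throws SaslException {
        System.out.println("authorized as " + tryLogin(SECRET));
        try { tryLogin("wrong".toCharArray()); } catch (SaslException e) { System.out.println("rejected: " + e); }
    }
}
```

Both handlers have to guess which callbacks the mechanism will hand them, and the only lifecycle signals are isComplete() and a thrown SaslException, which is the API gap the chat refers to.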