David Lloyd created ELY-991: ------------------------------- Summary: SASL Digest client handles callbacks incorrectly Key: ELY-991 URL: https://issues.jboss.org/browse/ELY-991 Project: WildFly Elytron Issue Type: Bug Components: Authentication Mechanisms, SASL Reporter: David Lloyd Right now the SASL digest client handles callbacks like this: * If a realm choice is available use RealmChoiceCallback to get it, and fail if it is not supported * Try to use RealmCallback+NameCallback+CredentialCallback (with digest password) * Try to use RealmCallback+NameCallback+CredentialCallback (with two-way password) * Try to use RealmCallback+NameCallback+PasswordCallback This is a problem because RealmChoiceCallback should not be required, and if it was supported, RealmCallback is not needed. It's basically OK to retry realm selection and name selection if the credential was unsupported. The logic should probably be more like this: * Try to use <a realm callback>+NameCallback+CredentialCallback (with digest password) ** First try with RealmChoiceCallback if there is a choice ** Then try with RealmCallback if RealmChoiceCallback is unsupported ** If there is no default realm, fail ** Otherwise try with no realm callback and use the default realm * Try to use <a realm callback>+NameCallback+CredentialCallback (with two-way password) ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice ** Then try RealmCallback if it was not eliminated above ** If there is no default realm, fail ** Otherwise try with no realm callback and use the default realm * Try to use <a realm callback>+NameCallback+PasswordCallback ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice ** Then try RealmCallback if it was not eliminated above ** If there is no default realm, fail ** Otherwise try with no realm callback and use the default realm This way we don't retry callbacks that don't work, and we don't fail if RealmCallback is not supported. If no user name or credential is given, then the attempt should be considered a failure and the next credential tried without eliminating any realm callbacks. If no realm is given then the attempt should be a failure without trying other realm callback options, because the callback is supported but there was no realm given (which is a programming error). If a user name or realm is given in an earlier stage, it should stay as the default for later stages. -- This message was sent by Atlassian JIRA (v7.2.3#72005)