[ https://jira.jboss.org/jira/browse/SECURITY-448?page=com.atlassian.jira.p... ] Jacob Orshalick updated SECURITY-448: ------------------------------------- Attachment: jboss-negotiation-common-v1.patch jboss-negotiation-spnego-v1.patch The provided patch refactors the NegotiationAuthenticator and the SPNEGOLoginModule to allow a fallback authenticator to be provided and provides a new NegotiationWithBasicFallbackAuthenticator class. This class can be configured in place of the NegotiationAuthenticator in jboss-service.xml to allow fallback to BASIC authentication. An additional login-module must be configured within the SPNEGO application-policy to authenticate the user based on username/password. This implementation relies on the SPNEGOLoginModule being defined as required="optional" to allow the second login-module a chance to authenticate the user when fallback occurs. The patch handles fallback in 2 cases: 1. The browser sends NTLM credentials or invalid Kerberos credentials 2. The browser does not support SPNEGO authentication (not a trusted domain) All testing at this point has used the UserRolesLoginModule for verifying fallback BASIC credentials. Please let me know if the patch is suitable or needs any modification. If you need the patch in any other format, or would request any changes to the implementation, I would be happy to make any requested changes. Thanks! -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/jira/browse/SECURITY-448?page=com.atlassian.jira.p... ] Jacob Orshalick updated SECURITY-448: ------------------------------------- Attachment: jboss-negotiation-common-v1.patch Cleaned up imports and headers for new classes. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/jira/browse/SECURITY-448?page=com.atlassian.jira.p... ] Vladimir Ze'ev Bunich commented on SECURITY-448: ------------------------------------------------ it would be nice to have another <module-option name="useDomainQualifedUserNames">true/false</module-option> in AdvancedLdapLoginModule Currently the received principal names can be in form of username@DOMAIN this flag set to false should strip the "@DOMAIN" part , and leave just the username value for Authentication. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plugin... ] Darran Lofthouse updated SECURITY-448: -------------------------------------- Assignee: (was: Darran Lofthouse) -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plugin... ] Darran Lofthouse updated SECURITY-448: -------------------------------------- Fix Version/s: Negotiation_2.0.4 -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plug... ] Andrew Davie commented on SECURITY-448: --------------------------------------- I voted this up as I am basically looking for: 1) fallback login method 2) stripping domain from domain qualified names, or at least allowing the functionality other ldap adapters seem to support, e.g. %u. 3) being able to overide SSO and log in with an alternate method. We basically have an AD we want to authenticate against with SSO. But sometimes we would like to do the same but not with SSO, i.e. like with LDAP. This can be for various reasons, e.g. SSO not supported (for whatever reason), SSO not supported as client not in the domain, or for simple support reasons, or demo/test reasons. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plug... ] Andrew Davie commented on SECURITY-448: --------------------------------------- Thats good to hear, where can I find details on this, it isnt in the documentation I have found? -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plug... ] Andrew Davie commented on SECURITY-448: --------------------------------------- Ok for anyone else hunting for some of this info I found some of the puzzle from other places Darran has been. e.g. Security-446. The following strips out the realm: <module-option name="removeRealmFromPrincipal">true</module-option> -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plug... ] Darran Lofthouse commented on SECURITY-448: ------------------------------------------- Jochen - that is exactly one of the scenarios I want to cover once we move beyond JBoss Negotiation as I mentioned in the other issue - the current architecture of the authentication valves means that the SPNEGO valve can only extend one existing mechanism for all other mechanisms it means a duplication within the SPNEGO valve. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/SECURITY-448?page=com.atlassian.jira.plug... ] Jochen Riedlinger updated SECURITY-448: --------------------------------------- Attachment: NegotiationAuthenticator.java I just extended the Authenticator in the way that it does a form fallback, if <form-login-page> is configured. If a form login page is not configured it goes all the way back to BASIC. Perhaps it's helpful for others, too. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira