[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug... ]
Darran Lofthouse commented on SECURITY-671:
-------------------------------------------
Have you tried using the standard Kerberos login module in the second domain?
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months
[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
by Jochen Riedlinger (JIRA)
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug... ]
Jochen Riedlinger commented on SECURITY-671:
--------------------------------------------
Sure, your suggestion could work.
Unfortunately our admins will close the possibility to authenticate with plain username/password combinations soon. In Germany we have the "Federal Office for Information Security (BSI)". As we are a state bank we have to follow their guidelines.
To have SSL between the browser and JBoss and only Kerberos between JBoss and ActiveDirectory would be a clean solution (and even easy to integrate in the existing code).
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months
[JBoss JIRA] (AS7-5233) different startup behaviour: commandline parameters and jboss.properties files
by Gernot P (JIRA)
Gernot P created AS7-5233:
-----------------------------
Summary: different startup behaviour: commandline parameters and jboss.properties files
Key: AS7-5233
URL: https://issues.jboss.org/browse/AS7-5233
Project: Application Server 7
Issue Type: Bug
Components: Server
Affects Versions: 7.1.1.Final
Reporter: Gernot P
Assignee: Jason Greene
Starting my domain with
${JBOSS_HOME}/bin/domain.sh -Djboss.domain.base.dir=/domain1
the host-controller.log and process-controller.log are written (as expected) to /domain1/log
But starting my domain with
${JBOSS_HOME}/bin/domain.sh --properties=/domain1/jboss.properties
where /domain1/jboss.properties contains following line
jboss.domain.base.dir=/domain1
the host-controller.log and process-controller.log are written to ${JBOSS_HOME}/domain/log
The same result (logfiles are written to ${JBOSS_HOME}/domain/log) with /domain1/jboss.properties with following two lines:
jboss.domain.base.dir=/domain1
jboss.domain.log.dir=/domain1/log
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months
[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug... ]
Darran Lofthouse commented on SECURITY-671:
-------------------------------------------
You can use any login module you choose in the fallback domain so it does not need to be a database module - the most common choice in the scenario you describe would be to use one of the LDAP login modules in the second domain to authenticate against LDAP using the username and password.
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months
[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
by Jochen Riedlinger (JIRA)
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug... ]
Jochen Riedlinger reopened SECURITY-671:
----------------------------------------
No, fallback to FORM is not really supported.
With fallback I mean that if a user enters username/password in the form (yes this part is already there) the LoginModule "generates" the according SPNEGO/Kerberos ticket itself and verifies it with ActiveDirectory.
At the moment the fallback to FORM can only delegate to another "basic" LoginModule (like DatabaseLoginModule, etc.). So the exsisting "pseudo-fallback" has another datastore for the fallback instead of doing a fallback to the same Datastore(ActiveDirectory) as the actual original SPNEGO authentication does.
I hope this explaination was better, so you understand now what's the advantage of my idea.
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months
[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug... ]
Darran Lofthouse resolved SECURITY-671.
---------------------------------------
Resolution: Rejected
Fallback to FORM authentication is already supported.
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 11 months