[JBoss JIRA] (SECURITY-255) IdentityLoginModule Incomplete password-stacking useFirstPass implementation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-255?page=com.atlassian.jira.plug... ]
Darran Lofthouse updated SECURITY-255:
--------------------------------------
Fix Version/s: Negotiation_2_1_7
(was: Negotiation_2_1_6)
> IdentityLoginModule Incomplete password-stacking useFirstPass implementation
> ----------------------------------------------------------------------------
>
> Key: SECURITY-255
> URL: https://issues.jboss.org/browse/SECURITY-255
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Affects Versions: 2.0.2.CR6
> Reporter: Darran Lofthouse
> Fix For: Negotiation_2_1_7
>
>
> The IdentityLoginModule has got an incomplete useFirstPass implementation.
> The login() method does start with: -
>     if( super.login() == true )
>         return true;
> To skip login if useFirstPass is set and authentication has already occurred.
> However, at the end of login(), setting the principal in the shared state map should only happen if useFirstPass was set.
> Also, for this to work, a credential needs to be stored in the sharedStateMap; otherwise other modules will assume authentication has not occurred.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
10 years, 5 months
[JBoss JIRA] (SECURITY-352) Cache Server Subject
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-352?page=com.atlassian.jira.plug... ]
Darran Lofthouse updated SECURITY-352:
--------------------------------------
Fix Version/s: Negotiation_2_1_7
(was: Negotiation_2_1_6)
> Cache Server Subject
> --------------------
>
> Key: SECURITY-352
> URL: https://issues.jboss.org/browse/SECURITY-352
> Project: PicketBox
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Reporter: Darran Lofthouse
> Fix For: Negotiation_2_1_7
>
>
> Each authentication process currently has 3 AS-REQ requests (6 if pre-auth is an issue).
> One request for each of the SPNEGO round trips and then one request for the LDAP search.
> Attempts to make use of a local ticket cache failed: -
> <!--
> <module-option name="useTicketCache">true</module-option>
> <module-option name="renewTGT">true</module-option>
> <module-option name="ticketCache">/home/darranl/src/negotiation-as/jboss-4.2.2.GA-AD/testserver.cache</module-option>
> -->
> As the keytab had not been read, it meant that the requirements for storeKey were not met; this is needed for SPNEGO.
> <module-option name="storeKey">true</module-option>
> A mechanism to cache the server subject is needed.
> The expiration time of the ticket can be obtained to decide how long to cache the ticket for: -
>     Set<Object> privateCredentials = serverSubject.getPrivateCredentials();
>     for (Object current : privateCredentials)
>     {
>         if (current instanceof KerberosTicket)
>         {
>             KerberosTicket ticket = (KerberosTicket) current;
>             System.out.println(ticket.getEndTime());
>         }
>     }
10 years, 5 months
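
One way to build the cache requested in SECURITY-352, as an added example that is not PicketBox or JBoss Negotiation code: the server Subject is reused until shortly before its TGT end time, so a JAAS login (and its AS-REQ traffic) happens only on expiry. The class name, the `securityDomain` JAAS entry name and the safety margin are assumptions for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: caches a JAAS server Subject until its TGT is about to expire. */
public final class ServerSubjectCache {
    private final String securityDomain;  // assumed name of the JAAS configuration entry
    private final Duration safetyMargin;  // refresh this long before the ticket ends
    private Subject cached;               // holds the server's keys: never expose to callers' code paths
    private Instant validUntil = Instant.MIN;

    public ServerSubjectCache(String securityDomain, Duration safetyMargin) {
        this.securityDomain = securityDomain;
        this.safetyMargin = safetyMargin;
    }

    /** Returns the cached Subject, logging in again only when the cached TGT is near expiry. */
    public synchronized Subject get() throws LoginException {
        if (cached == null || !Instant.now().isBefore(validUntil)) {
            LoginContext lc = new LoginContext(securityDomain);
            lc.login();                    // the only place a new login is performed
            Subject fresh = lc.getSubject();
            validUntil = earliestTgtEnd(fresh)
                .map(end -> end.minus(safetyMargin))
                .orElse(Instant.MIN);      // no usable TGT: do not cache, log in next time
            cached = fresh;
        }
        return cached;
    }

    /** Earliest end time among the krbtgt tickets in the Subject's private credentials. */
    static Optional<Instant> earliestTgtEnd(Subject subject) {
        return subject.getPrivateCredentials(KerberosTicket.class).stream()
            .filter(t -> !t.isDestroyed() && t.getServer().getName().startsWith("krbtgt/"))
            .map(t -> t.getEndTime().toInstant())
            .min(Instant::compareTo);
    }
}
```

Because the cached Subject carries the service's private credentials, the cache instance should stay private to the authentication component and be dropped when the keytab is rotated.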