January 2015 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-107) Add ability for security domains to create SSLContext directly from config

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-107?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-107: --------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Add ability for security domains to create SSLContext directly from config > -------------------------------------------------------------------------- > > Key: ELY-107 > URL: https://issues.jboss.org/browse/ELY-107 > Project: WildFly Elytron > Issue Type: Enhancement > Components: API / SPI > Reporter: David Lloyd > Assignee: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-34) Create a JAAS based security realm.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-34?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-34: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Create a JAAS based security realm. > ----------------------------------- > > Key: ELY-34 > URL: https://issues.jboss.org/browse/ELY-34 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Realms > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > Legacy integration is always going to be a concern so should verify that we can delegate to JAAS if required. > _Delegating to JAAS is always going to simplify the password types supported so this is more of an ensure we can integrate with JAAS rather than ensure we can fully integrate with JAAS._ -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-59) Custom properties within mechanism selection

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-59?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-59: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Custom properties within mechanism selection > -------------------------------------------- > > Key: ELY-59 > URL: https://issues.jboss.org/browse/ELY-59 > Project: WildFly Elytron > Issue Type: Task > Components: SASL > Reporter: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > Some custom properties should maybe impact on mechanism selection e.g. wildfly.sasl.channel-binding.mode if set to required GSSAPI should be excluded as it does not support channel binding. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-113) Move UsernamePasswordHashUtil main method functions to Main

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-113?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-113: --------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Move UsernamePasswordHashUtil main method functions to Main > ----------------------------------------------------------- > > Key: ELY-113 > URL: https://issues.jboss.org/browse/ELY-113 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Utils > Reporter: David Lloyd > Assignee: Jan Kalina > Priority: Minor > Fix For: 1.0.0.Beta1 > > > The UsernamePasswordHashUtil main routine should be part of the single command-line entry point class, Main. Or, possibly even eliminated in favor of general password codec/generation routines. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-41) Password Recognition and Parsing Framework

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-41?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-41: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Password Recognition and Parsing Framework > ------------------------------------------ > > Key: ELY-41 > URL: https://issues.jboss.org/browse/ELY-41 > Project: WildFly Elytron > Issue Type: Task > Components: API / SPI > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > I don't think having a single PasswordUtils that recognises and parses all password types is going to be a good idea long term - I think a lot of the responsibility for what is supported needs to come from the realm. > A scenario I am thinking is an LDAP server is configured to support clear text passwords, that server verifies the strength of the password before letting a user set it - this could be circumvented by setting the password value to something we would parse as one of the other password types. The problem is the user could just hash 'password' - this would pass the LDAP servers dictionary attack check. > The second issue is that different formats could be realm specific, e.g. LDAP supports trival digests in formats slightly different to those we already support. > One idea I am starting to think about it a password parser that a realm can build up with a set of supported password types, working on LDAP it is apparent realms potentially need configuration for the credential types they will claim to support before the RealmIdentity is identified so not a major deviation from the work I am already finding necessary. > Looking at the current PasswordUtils.java the following public utility methods are exposed: - > {code} > org.wildfly.security.password.PasswordUtils > org.wildfly.security.password.PasswordUtils.identifyAlgorithm(char[]) > org.wildfly.security.password.PasswordUtils.identifyAlgorithm(String) > org.wildfly.security.password.PasswordUtils.getCryptStringChars(PasswordSpec) > org.wildfly.security.password.PasswordUtils.getCryptString(PasswordSpec) > org.wildfly.security.password.PasswordUtils.parseCryptString(String) > org.wildfly.security.password.PasswordUtils.parseCryptString(char[]) > {code} > From the perspective of a realm the primary task I am trying to achieve is to take a password string and convert it to a PasswordSpec. Algorithm identification seems to be used primarily by tests, not convinced it is justified in an API. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-29) Common Use Cases

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-29?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-29: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Common Use Cases > ---------------- > > Key: ELY-29 > URL: https://issues.jboss.org/browse/ELY-29 > Project: WildFly Elytron > Issue Type: Task > Components: Testsuite > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > The API/SPI of Elytron is based around numerous discussions on the scenarios we need to support in an application server environment - this is a parent task to start adding some test cases that cover these scenarios. > Any subsequent API evolution has to take into account the scenarios we must - this will also be key to identifying backwards compatibility going forward. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-67) Password type: SCRAM pre-digested

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-67?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-67: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Password type: SCRAM pre-digested > --------------------------------- > > Key: ELY-67 > URL: https://issues.jboss.org/browse/ELY-67 > Project: WildFly Elytron > Issue Type: Sub-task > Reporter: David Lloyd > Assignee: Stefan Guilhen > Fix For: 1.0.0.Beta1 > > -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-56) Bridge Compatibility Between Existing SASL Mechanisms and Factories and Elytron

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-56?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-56: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Bridge Compatibility Between Existing SASL Mechanisms and Factories and Elytron > ------------------------------------------------------------------------------- > > Key: ELY-56 > URL: https://issues.jboss.org/browse/ELY-56 > Project: WildFly Elytron > Issue Type: Task > Reporter: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > To be designed. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-85) Support GSS-Proxy

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-85?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-85: -------------------------------- Fix Version/s: 1.0.0.Beta1 (was: 1.0.0.Alpha1) > Support GSS-Proxy > ----------------- > > Key: ELY-85 > URL: https://issues.jboss.org/browse/ELY-85 > Project: WildFly Elytron > Issue Type: Feature Request > Components: SASL > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Beta1 > > > GSS Proxy is something we should consider being able to support when running on an OS that supports it: - > https://fedorahosted.org/gss-proxy/ > The big first step will be to identify what is required to achieve this, is this something that can be solved with a custom login module or does this also impact on the Java supplied GSSAPI implementation. -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-129) Choose SASL mechanisms based on better criteria

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-129?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-129: --------------------------------- Fix Version/s: 1.0.0.Beta1 > Choose SASL mechanisms based on better criteria > ----------------------------------------------- > > Key: ELY-129 > URL: https://issues.jboss.org/browse/ELY-129 > Project: WildFly Elytron > Issue Type: Enhancement > Reporter: David Lloyd > Fix For: 1.0.0.Beta1 > > > SASL mechanism selection is based on properties right now, that specify only a few very limited criteria. > We should provide a better selection mechanism that allows selection based on the following criteria: > * Specify requirements of the mechanism itself > ** Algorithm usage > ** Key length (where applicable) > ** Parameters similar to existing Sasl ones, like: > *** QOP > *** Forward secrecy > *** Plaintext > *** Active attack susceptibility > *** etc. > * Specify requirements around the mechanism's circumstance > ** Restrict by enclosing channel security > *** Require TLS cipher suite parameters (using existing database parameters) > *** Require channel binding > In the end the client or server user should be able specify SASL mechanism usage using expressions that can express things like: > * Use PLAIN only if TLS is in use with AES encryption > * Use EXTERNAL only if TLS is in use > * Use no SASL mechanisms employing weak hash algorithms (MD5 and worse) > * Use only SASL mechanisms employing SHA-256 > * Use only SASL mechanisms that provide channel binding and require TLS > * Use only ANONYMOUS -- This message was sent by Atlassian JIRA (v6.3.11#6341)

9 years, 11 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2015