July 2015 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-153) Support DigestCredential with a specified realm name

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-153?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-153: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Support DigestCredential with a specified realm name > ---------------------------------------------------- > > Key: ELY-153 > URL: https://issues.jboss.org/browse/ELY-153 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Passwords > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > This would imply the password is retrievable and the realm associated by the authentication mechanism. > I see the following scenarios to be covered by this: - > - Realm that does not store pre-hashed and so is open to the mechanism providing the realm name. > - Realms where one or more realm names may be in use. > - One identity with multiple credentials each with a different realm. > - Different realms used for different identities but no more than one per identity. > If this is accomplished using a CallbackHandler then there are couple of Callback options: - > 1. getCredentialSupport on the realm, a RealmChoiceCallback can be used by a realm that advertises all the realm names it knows, where realm names are selected the response can take into account if all or some of the identities in that realm have a credential stored for that realm. > 2. getCredentialSupport on the realm can also support RealmCallback, in this case the mechanism specifies one realm name. > 3. These two can be repeated on the RealmIdentity, in that case however as a specific identity is being referenced the response can be much more specific. > 4. On getCredential the Callbacks can both be supported but in both cases can allow the selection of a single realm. > Another option could be an extension to RealmChoiceCallback that also indicates the level of support for each realm it contains. > Whilst exploring this, being able to identify the message digest algorithm support level should also be considered in parallel. > Also I see solving this as a simple pre-requisite for ELY-154 -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-151) Ability to supply additional information during credential acquisition

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-151?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-151: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Ability to supply additional information during credential acquisition > ---------------------------------------------------------------------- > > Key: ELY-151 > URL: https://issues.jboss.org/browse/ELY-151 > Project: WildFly Elytron > Issue Type: Enhancement > Components: API / SPI, Passwords > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > I think this is the final known gap in our credential acquisition and validation API/SPI. > There are a couple of specifications that also allow for additional information to be used when obtaining a representation of a users credential, the most obvious being the session based variant of digest authentication where a nonce and cnonce are also incorporated. > A second variant with two different modes of operation would be the realm associated with the digest credential, currently we assume it is tightly associated with the storage representation of the credential but it could also be the case that the mech is requesting it for a specific realm. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-147) Default Methods on the RealmIdentity interface

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-147?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-147: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Default Methods on the RealmIdentity interface > ---------------------------------------------- > > Key: ELY-147 > URL: https://issues.jboss.org/browse/ELY-147 > Project: WildFly Elytron > Issue Type: Feature Request > Components: API / SPI > Reporter: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > Review how much of the RealmIdentity interface can have default method implementations, e.g. verification could be implemented if we can obtain the credential. > Credential conversion is also another one we could cover, a mechanism should be able to start querying from the most specific type of credential it understands, if default methods on the realm can handle the conversion it will mean the mechanism can ignore the conversion. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-16) Add a RFC2256 based LDAP Realm

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-16?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-16: -------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Add a RFC2256 based LDAP Realm > ------------------------------ > > Key: ELY-16 > URL: https://issues.jboss.org/browse/ELY-16 > Project: WildFly Elytron > Issue Type: Sub-task > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > RFC2256 defines the userPassword attribute on LDAP entries, officially this is supposed to be clear text - however many vendors now support a one way hash where the hash algorithm is specified at the beginning of the attribute value: - > {noformat} > {ssha}izu672WN0xA2ZaYofeiWyQ5QKxEBMNsbyQKwRw== > {noformat} > {noformat} > ( 2.5.4.35 NAME 'userPassword' DESC 'RFC2256/2307: password of user' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 USAGE userApplications X-SCHEMA 'system' ) > {noformat} -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-141) Add a Credential to Name Resolver SPI

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-141?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-141: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Add a Credential to Name Resolver SPI > ------------------------------------- > > Key: ELY-141 > URL: https://issues.jboss.org/browse/ELY-141 > Project: WildFly Elytron > Issue Type: Feature Request > Components: API / SPI > Reporter: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > We are predominantly considering this in the context of the validation side of the API. > However should still not exclude the possibility that after obtaining a RealmIdentity the validation may still be performed in the mechanism. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-54) Support for stronger hashes as alternatives to MD5

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-54?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-54: -------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Support for stronger hashes as alternatives to MD5 > -------------------------------------------------- > > Key: ELY-54 > URL: https://issues.jboss.org/browse/ELY-54 > Project: WildFly Elytron > Issue Type: Feature Request > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > Presently Digest authentication is based on MD5 - however we should either update the mechanism or add new mechanisms to support the use of stronger hashes. > As this library is used both client and server side installations that require the stronger hashes can just ensure the client and server have the latest version of this library - installations that still require interaction with MD5 will need to ensure that it is still available as a mechanism. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-200) Add a set of standard HTTP authentication mechanisms

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-200?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-200: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Add a set of standard HTTP authentication mechanisms > ---------------------------------------------------- > > Key: ELY-200 > URL: https://issues.jboss.org/browse/ELY-200 > Project: WildFly Elytron > Issue Type: Enhancement > Components: HTTP > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > i.e. BASIC, DIGEST, CLENT_CERT, FORM (Generic), SPNEGO -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-199) HTTP Authentication Mechanism API / SPI

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-199?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-199: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > HTTP Authentication Mechanism API / SPI > --------------------------------------- > > Key: ELY-199 > URL: https://issues.jboss.org/browse/ELY-199 > Project: WildFly Elytron > Issue Type: Sub-task > Components: HTTP > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > A web server agnostic HTTP authentication mechanism framework. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-178) Domain to domain identity propagation

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-178?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-178: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > Domain to domain identity propagation > ------------------------------------- > > Key: ELY-178 > URL: https://issues.jboss.org/browse/ELY-178 > Project: WildFly Elytron > Issue Type: Feature Request > Components: Realms > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > At the lowest level a users identity is associated with a single SecurityRealm, two accounts that authenticated against different realms will never be considered equal. > However on top of this we have the security domains, a security domain amongst other things is an aggregation of realms. Incoming server connections and also applications can be associated with a security domain. However we still have the following two scenarios of a call to complete the consideration for: - > Connection -> Deployment > Deployment -> Deployment > In the first case the connection may be associated with a security domain with a large set of realms, however the deployment may be associated with a smaller set of realms. In the case that the realm is in both of these domains we need the identity to be able to automatically propagate. > Same for deployment to deployment calls, if there is a common realm the identity should propagate. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

[JBoss JIRA] (ELY-176) HTTP AuthenticationMechanism Factory and Provider registration.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-176?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-176: --------------------------------- Fix Version/s: 1.0.0.Alpha4 (was: 1.0.0.Alpha3) > HTTP AuthenticationMechanism Factory and Provider registration. > --------------------------------------------------------------- > > Key: ELY-176 > URL: https://issues.jboss.org/browse/ELY-176 > Project: WildFly Elytron > Issue Type: Sub-task > Components: HTTP > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.0.0.Alpha4 > > > We are for now going to need to be Undertow specific unless we come up with a solution for a generic API/SPI to be implemented by HTTP mechanisms that also gives access to the request / response. > This task is to define a factory SPI and to make all known HTTP mechanisms available using this SPI. -- This message was sent by Atlassian JIRA (v6.3.15#6346)

10 years, 9 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira July 2015