[JBoss JIRA] (ELY-153) Support DigestCredential with a specified realm name
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-153?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-153:
---------------------------------
Fix Version/s: 1.1.0.Beta41
(was: 1.1.0.Beta39)
> Support DigestCredential with a specified realm name
> ----------------------------------------------------
>
> Key: ELY-153
> URL: https://issues.jboss.org/browse/ELY-153
> Project: WildFly Elytron
> Issue Type: Sub-task
> Components: Passwords
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.1.0.Beta41
>
>
> This would imply the password is retrievable and the realm associated by the authentication mechanism.
> I see the following scenarios to be covered by this: -
> - Realm that does not store pre-hashed and so is open to the mechanism providing the realm name.
> - Realms where one or more realm names may be in use.
> - One identity with multiple credentials each with a different realm.
> - Different realms used for different identities but no more than one per identity.
> If this is accomplished using a CallbackHandler then there are couple of Callback options: -
> 1. getCredentialSupport on the realm, a RealmChoiceCallback can be used by a realm that advertises all the realm names it knows, where realm names are selected the response can take into account if all or some of the identities in that realm have a credential stored for that realm.
> 2. getCredentialSupport on the realm can also support RealmCallback, in this case the mechanism specifies one realm name.
> 3. These two can be repeated on the RealmIdentity, in that case however as a specific identity is being referenced the response can be much more specific.
> 4. On getCredential the Callbacks can both be supported but in both cases can allow the selection of a single realm.
> Another option could be an extension to RealmChoiceCallback that also indicates the level of support for each realm it contains.
> Whilst exploring this, being able to identify the message digest algorithm support level should also be considered in parallel.
> Also I see solving this as a simple pre-requisite for ELY-154
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years
[JBoss JIRA] (ELY-54) Support for stronger hashes as alternatives to MD5
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-54?page=com.atlassian.jira.plugin.sys... ]
Darran Lofthouse updated ELY-54:
--------------------------------
Fix Version/s: 1.1.0.Beta41
(was: 1.1.0.Beta39)
> Support for stronger hashes as alternatives to MD5
> --------------------------------------------------
>
> Key: ELY-54
> URL: https://issues.jboss.org/browse/ELY-54
> Project: WildFly Elytron
> Issue Type: Feature Request
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.1.0.Beta41
>
>
> Presently Digest authentication is based on MD5 - however we should either update the mechanism or add new mechanisms to support the use of stronger hashes.
> As this library is used both client and server side installations that require the stronger hashes can just ensure the client and server have the latest version of this library - installations that still require interaction with MD5 will need to ensure that it is still available as a mechanism.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years
[JBoss JIRA] (ELY-439) Client Cert authentication using certificate passed from a proxy
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-439?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-439:
---------------------------------
Fix Version/s: 1.1.0.Beta41
(was: 1.1.0.Beta39)
> Client Cert authentication using certificate passed from a proxy
> ----------------------------------------------------------------
>
> Key: ELY-439
> URL: https://issues.jboss.org/browse/ELY-439
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: HTTP
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.1.0.Beta41
>
>
> Undertow contains a feature where by the Proxy server can handle SSL and pass the certificate chain to Undertow - this is then used for the actual client cert authentication.
> We need to cover this type of scenario within our generic HTTP authentication framework.
> We could further wrap the SSLSession in a similar way Undertow does - or we could make the chain availbale as a fall back.
> Related to this we also need to work on the different attachment contexts, that may affect how we consider SSLSession attachments.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years
[JBoss JIRA] (ELY-422) Default SSLContext?
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-422?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-422:
---------------------------------
Fix Version/s: 1.1.0.Beta41
(was: 1.1.0.Beta39)
> Default SSLContext?
> -------------------
>
> Key: ELY-422
> URL: https://issues.jboss.org/browse/ELY-422
> Project: WildFly Elytron
> Issue Type: Task
> Components: SSL
> Reporter: Darran Lofthouse
> Fix For: 1.1.0.Beta41
>
>
> We know we want one, what we don't know is exactly that it means and is it an Elytron concern or subsystem concern.
> One issue is within Elytron our SSLContext implementations are either server side specific or client side specific - we may even want to review if there is any way to review what it is being used for and act accordingly.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years