June 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-122) Make use of factory from SASL-71 to obtain Subject for GSSAPI

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-122?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse resolved ELY-122. ---------------------------------- Resolution: Out of Date > Make use of factory from SASL-71 to obtain Subject for GSSAPI > ------------------------------------------------------------- > > Key: ELY-122 > URL: https://issues.jboss.org/browse/ELY-122 > Project: WildFly Elytron > Issue Type: Feature Request > Components: SASL > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.1.0.CR2 > > > By default we rely on the AccessControlContext in place at the time the SaslServer is created, the use of a factory allows greater control of the Subject in use especially in a managed environment. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-138) Client timed logout options

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-138?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-138: --------------------------------- Fix Version/s: 1.2.0.Beta1 (was: 1.1.0.CR2) > Client timed logout options > --------------------------- > > Key: ELY-138 > URL: https://issues.jboss.org/browse/ELY-138 > Project: WildFly Elytron > Issue Type: Task > Reporter: David Lloyd > Fix For: 1.2.0.Beta1 > > > It should be possible to configure a client-side authentication to auto-logout after either an absolute duration, or after some amount of idle time, or both. > The client-side authentication cache, whatever form it takes, must be aware of usages to update the logout time, for idle timeouts. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-124) Java 8+ supports unbound SASL servers; GSSAPI and DIGEST-MD5 both use this value

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-124?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-124: --------------------------------- Fix Version/s: 1.2.0.Beta1 (was: 1.1.0.CR2) > Java 8+ supports unbound SASL servers; GSSAPI and DIGEST-MD5 both use this value > -------------------------------------------------------------------------------- > > Key: ELY-124 > URL: https://issues.jboss.org/browse/ELY-124 > Project: WildFly Elytron > Issue Type: Task > Components: SASL > Reporter: David Lloyd > Assignee: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > > Since Java 8, the SaslServerFactory interface has been changed so that the serverName may be null. If null, the server name is considered "unbound" and the client can select what server name it wants to use. > The release notes say: > {quote} > SASL service for multiple host names: When creating a SASL server, the server name can be set to null to denote an unbound server, which means a client can request for the service using any server name. After a context is established, the server can retrieve the name as a negotiated property with the key name SASL.BOUND_SERVER_NAME. See RFE 7110803. > {quote} > The updated JavaDoc says: > {quote} > serverName - The fully qualified host name of the server to authenticate to, or null if the server is not bound to any specific host name. If the mechanism does not allow an unbound server, a SaslException will be thrown. > {quote} > The RFE link is: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7110803 > The two SASL mechanisms in Elytron that would be impacted by this are DIGEST-MD5 and GSSAPI. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-151) Ability to supply additional information during credential acquisition

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-151?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-151: --------------------------------- Fix Version/s: 1.2.0.Beta1 (was: 1.1.0.CR2) > Ability to supply additional information during credential acquisition > ---------------------------------------------------------------------- > > Key: ELY-151 > URL: https://issues.jboss.org/browse/ELY-151 > Project: WildFly Elytron > Issue Type: Enhancement > Components: API / SPI, Passwords > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > > I think this is the final known gap in our credential acquisition and validation API/SPI. > There are a couple of specifications that also allow for additional information to be used when obtaining a representation of a users credential, the most obvious being the session based variant of digest authentication where a nonce and cnonce are also incorporated. > A second variant with two different modes of operation would be the realm associated with the digest credential, currently we assume it is tightly associated with the storage representation of the credential but it could also be the case that the mech is requesting it for a specific realm. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-154) Session based DigestCredential support

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-154?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-154: --------------------------------- Fix Version/s: 1.2.0.Beta1 (was: 1.1.0.CR2) > Session based DigestCredential support > -------------------------------------- > > Key: ELY-154 > URL: https://issues.jboss.org/browse/ELY-154 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Passwords > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > > DigestCredential but where additional information is included such as nonce and cnonce to create a credential applicable to a session. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-153) Support DigestCredential with a specified realm name

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-153?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse resolved ELY-153. ---------------------------------- Resolution: Out of Date > Support DigestCredential with a specified realm name > ---------------------------------------------------- > > Key: ELY-153 > URL: https://issues.jboss.org/browse/ELY-153 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Passwords > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.1.0.CR2 > > > This would imply the password is retrievable and the realm associated by the authentication mechanism. > I see the following scenarios to be covered by this: - > - Realm that does not store pre-hashed and so is open to the mechanism providing the realm name. > - Realms where one or more realm names may be in use. > - One identity with multiple credentials each with a different realm. > - Different realms used for different identities but no more than one per identity. > If this is accomplished using a CallbackHandler then there are couple of Callback options: - > 1. getCredentialSupport on the realm, a RealmChoiceCallback can be used by a realm that advertises all the realm names it knows, where realm names are selected the response can take into account if all or some of the identities in that realm have a credential stored for that realm. > 2. getCredentialSupport on the realm can also support RealmCallback, in this case the mechanism specifies one realm name. > 3. These two can be repeated on the RealmIdentity, in that case however as a specific identity is being referenced the response can be much more specific. > 4. On getCredential the Callbacks can both be supported but in both cases can allow the selection of a single realm. > Another option could be an extension to RealmChoiceCallback that also indicates the level of support for each realm it contains. > Whilst exploring this, being able to identify the message digest algorithm support level should also be considered in parallel. > Also I see solving this as a simple pre-requisite for ELY-154 -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-208) Update SASL mechanism testing to also be domain backed.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-208?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse resolved ELY-208. ---------------------------------- Resolution: Out of Date > Update SASL mechanism testing to also be domain backed. > ------------------------------------------------------- > > Key: ELY-208 > URL: https://issues.jboss.org/browse/ELY-208 > Project: WildFly Elytron > Issue Type: Task > Components: Testsuite > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.1.0.CR2 > > > There may be a little bit more work required before this is possible but we need to ensure SASL mechanisms are also tested using a CallbackHandler they are likely to encounter which will really be the one from ServerAuthenticationContext. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-200) Add a set of standard HTTP authentication mechanisms

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-200?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse resolved ELY-200. ---------------------------------- Resolution: Done > Add a set of standard HTTP authentication mechanisms > ---------------------------------------------------- > > Key: ELY-200 > URL: https://issues.jboss.org/browse/ELY-200 > Project: WildFly Elytron > Issue Type: Enhancement > Components: HTTP > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 1.1.0.CR2 > > > i.e. BASIC, DIGEST, CLENT_CERT, FORM (Generic), SPNEGO -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-181) Review JACC in Servlet and EJB subsystems

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-181?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse resolved ELY-181. ---------------------------------- Resolution: Out of Date > Review JACC in Servlet and EJB subsystems > ----------------------------------------- > > Key: ELY-181 > URL: https://issues.jboss.org/browse/ELY-181 > Project: WildFly Elytron > Issue Type: Sub-task > Components: API / SPI > Reporter: Pedro Igor > Assignee: Pedro Igor > Fix For: 1.1.0.CR2 > > -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

[JBoss JIRA] (ELY-170) Transition the still useful parts of JBoss Negotiation into Elytron

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-170?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-170: --------------------------------- Fix Version/s: 1.2.0.Beta1 (was: 1.1.0.CR2) > Transition the still useful parts of JBoss Negotiation into Elytron > ------------------------------------------------------------------- > > Key: ELY-170 > URL: https://issues.jboss.org/browse/ELY-170 > Project: WildFly Elytron > Issue Type: Feature Request > Components: Utils > Reporter: Darran Lofthouse > Fix For: 1.2.0.Beta1 > > > Generally JBoss Negotiation should be obsolete, however some portions may be useful to be included in Elytron e.g. the SPNEGO parsing so that we can display some meaningful diagnostics. > By the time we reach the end of WildFly 10 nothing should require a direct dependency on JBoss Negotiation and really it should be removed from the application server distribution. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 6 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira June 2017