January 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-1369) FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-1369?page=com.atlassian.jira.plugin.s... ] Jan Kalina commented on ELY-1369: --------------------------------- [~mchoma] yes (btw, more auth-methods in web.xml delimited by comma:) {code}<auth-method>DIGEST-SHA-256,DIGEST-SHA-512-256,BASIC</auth-method>{code} > FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant > -------------------------------------------------------------------------- > > Key: ELY-1369 > URL: https://issues.jboss.org/browse/ELY-1369 > Project: WildFly Elytron > Issue Type: Bug > Components: HTTP > Affects Versions: 1.2.0.Beta3 > Reporter: Jan Kalina > Assignee: Jan Kalina > Fix For: 1.2.0.Beta11 > > > Elytron HTTP DIGEST authentication comply to rfc2617 - which means MD5 is used by default (it means it is hardcode, with no way to configure another hash algorithm). But MD5 could make troubles in fips environment [5]. > {code:java|title=DigestAuthenticationMechanism.java} > String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM)); > if (MD5.equals(algorithm) == false) { > throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm); > } > {code} > There exists proposed rfc7616 which makes algorithm configurable, work on new DIGEST features are covered by [1]. [~dlofthouse] is it planned for [1] to target 7.1? > [1] https://issues.jboss.org/browse/ELY-286 > [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design > [3] https://tools.ietf.org/html/rfc2617 > [4] https://tools.ietf.org/html/rfc7616 > [5] https://access.redhat.com/support/cases/#/case/01761455 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-1369) FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-1369?page=com.atlassian.jira.plugin.s... ] Jan Kalina edited comment on ELY-1369 at 1/8/18 12:24 PM: ---------------------------------------------------------- [~mchoma] yes ( btw, more auth-methods in web.xml delimited by comma: ) {code}<auth-method>DIGEST-SHA-256,DIGEST-SHA-512-256,BASIC</auth-method>{code} was (Author: honza889): [~mchoma] yes (btw, more auth-methods in web.xml delimited by comma:) {code}<auth-method>DIGEST-SHA-256,DIGEST-SHA-512-256,BASIC</auth-method>{code} > FIPS mode, Elytron HTTP DIGEST authentication mechanism not fips compliant > -------------------------------------------------------------------------- > > Key: ELY-1369 > URL: https://issues.jboss.org/browse/ELY-1369 > Project: WildFly Elytron > Issue Type: Bug > Components: HTTP > Affects Versions: 1.2.0.Beta3 > Reporter: Jan Kalina > Assignee: Jan Kalina > Fix For: 1.2.0.Beta11 > > > Elytron HTTP DIGEST authentication comply to rfc2617 - which means MD5 is used by default (it means it is hardcode, with no way to configure another hash algorithm). But MD5 could make troubles in fips environment [5]. > {code:java|title=DigestAuthenticationMechanism.java} > String algorithm = convertToken(ALGORITHM, responseTokens.get(ALGORITHM)); > if (MD5.equals(algorithm) == false) { > throw log.mechUnsupportedAlgorithm(getMechanismName(), algorithm); > } > {code} > There exists proposed rfc7616 which makes algorithm configurable, work on new DIGEST features are covered by [1]. [~dlofthouse] is it planned for [1] to target 7.1? > [1] https://issues.jboss.org/browse/ELY-286 > [2] https://developer.jboss.org/wiki/ElytronHTTPDigestNonceHandling-Design > [3] https://tools.ietf.org/html/rfc2617 > [4] https://tools.ietf.org/html/rfc7616 > [5] https://access.redhat.com/support/cases/#/case/01761455 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-907) LdapRealm - different principal/credential for referrals

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-907?page=com.atlassian.jira.plugin.sy... ] Jan Kalina updated ELY-907: --------------------------- Component/s: Realms > LdapRealm - different principal/credential for referrals > -------------------------------------------------------- > > Key: ELY-907 > URL: https://issues.jboss.org/browse/ELY-907 > Project: WildFly Elytron > Issue Type: Feature Request > Components: Realms > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Optional > > When LdapRealm follows referrals, it uses the original context's environment properties, including principal/credential, to create a connection to the referred server. Sometimes you might want to follow the referral using different authentication information. > This can be done when using AuthenticationContext. > Note: how to pass different credentials into referred DirContext: > http://www.cs.binghamton.edu/~steflik/cs328/jndi/tutorial/ldap/referral/t... (part Authenticating to a Referral Context) -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-907) LdapRealm - different principal/credential for referrals

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-907?page=com.atlassian.jira.plugin.sy... ] Jan Kalina updated ELY-907: --------------------------- Issue Type: Feature Request (was: Enhancement) > LdapRealm - different principal/credential for referrals > -------------------------------------------------------- > > Key: ELY-907 > URL: https://issues.jboss.org/browse/ELY-907 > Project: WildFly Elytron > Issue Type: Feature Request > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Minor > > When LdapRealm follows referrals, it uses the original context's environment properties, including principal/credential, to create a connection to the referred server. Sometimes you might want to follow the referral using different authentication information. > This can be done when using AuthenticationContext. > Note: how to pass different credentials into referred DirContext: > http://www.cs.binghamton.edu/~steflik/cs328/jndi/tutorial/ldap/referral/t... (part Authenticating to a Referral Context) -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-907) LdapRealm - different principal/credential for referrals

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-907?page=com.atlassian.jira.plugin.sy... ] Jan Kalina updated ELY-907: --------------------------- Priority: Optional (was: Minor) > LdapRealm - different principal/credential for referrals > -------------------------------------------------------- > > Key: ELY-907 > URL: https://issues.jboss.org/browse/ELY-907 > Project: WildFly Elytron > Issue Type: Feature Request > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Optional > > When LdapRealm follows referrals, it uses the original context's environment properties, including principal/credential, to create a connection to the referred server. Sometimes you might want to follow the referral using different authentication information. > This can be done when using AuthenticationContext. > Note: how to pass different credentials into referred DirContext: > http://www.cs.binghamton.edu/~steflik/cs328/jndi/tutorial/ldap/referral/t... (part Authenticating to a Referral Context) -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-1173) InvalidNameState not used for non-existing identities in ServerAuthenticationContext

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-1173?page=com.atlassian.jira.plugin.s... ] Jan Kalina closed ELY-1173. --------------------------- Resolution: Rejected > InvalidNameState not used for non-existing identities in ServerAuthenticationContext > ------------------------------------------------------------------------------------ > > Key: ELY-1173 > URL: https://issues.jboss.org/browse/ELY-1173 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Minor > > There was added new state *InvalidNameState* into *ServerAuthenticationContext* as part of ELY-1115, but it is currently used only when principal is rewritten to null - not when identity is not found in security realm. > After adding this will be probably necessary to implement more State methods in *InvalidNameState* to have wildfly tests green. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-1449) Coverity: Dead local store in DigestUtil.java

by Ilia Vassilev (JIRA)

[ https://issues.jboss.org/browse/ELY-1449?page=com.atlassian.jira.plugin.s... ] Ilia Vassilev reassigned ELY-1449: ---------------------------------- Assignee: Ilia Vassilev > Coverity: Dead local store in DigestUtil.java > --------------------------------------------- > > Key: ELY-1449 > URL: https://issues.jboss.org/browse/ELY-1449 > Project: WildFly Elytron > Issue Type: Bug > Components: Utils > Affects Versions: 1.2.0.Beta10 > Reporter: Martin Choma > Assignee: Ilia Vassilev > Priority: Trivial > > In org.wildfly.security.mechanism.digest.DigestUtil.parseResponse(byte[], java.nio.charset.Charset, boolean, org.wildfly.security._private.ElytronMessages): This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=40661... -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-457) SASL SAML Authentication Mechanism

by Jan Kalina (JIRA)

[ https://issues.jboss.org/browse/ELY-457?page=com.atlassian.jira.plugin.sy... ] Jan Kalina reassigned ELY-457: ------------------------------ Assignee: (was: Jan Kalina) > SASL SAML Authentication Mechanism > ---------------------------------- > > Key: ELY-457 > URL: https://issues.jboss.org/browse/ELY-457 > Project: WildFly Elytron > Issue Type: Feature Request > Components: SASL > Reporter: Darran Lofthouse > Fix For: 2.0.0.Alpha1 > > > https://tools.ietf.org/html/rfc6595 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-5410) jboss-web_10_0.xsd is inccorect

by ehsavoie Hugonnet (JIRA)

[ https://issues.jboss.org/browse/WFLY-5410?page=com.atlassian.jira.plugin.... ] ehsavoie Hugonnet resolved WFLY-5410. ------------------------------------- Resolution: Done > jboss-web_10_0.xsd is inccorect > ------------------------------- > > Key: WFLY-5410 > URL: https://issues.jboss.org/browse/WFLY-5410 > Project: WildFly > Issue Type: Bug > Components: Documentation > Affects Versions: 10.0.0.CR2 > Reporter: ehsavoie Hugonnet > Assignee: ehsavoie Hugonnet > > jboss-web_10_0.xsd requires an extension of javaee 7 xsd in the jboss namespace for <xsd:group ref="jboss:jndiEnvironmentRefsGroup"/>. > This was in jboss_commons_6_0.xsd for Javaee 6 so we need to have a similar schema for Javaee 7and import it in jboss-web_10_0.xsd. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-5410) jboss-web_10_0.xsd is inccorect

by ehsavoie Hugonnet (JIRA)

[ https://issues.jboss.org/browse/WFLY-5410?page=com.atlassian.jira.plugin.... ] ehsavoie Hugonnet edited comment on WFLY-5410 at 1/8/18 11:43 AM: ------------------------------------------------------------------ Was fixed in jboss-web_10_1.xsd as released schemas are not to be updated. was (Author: ehugonnet): Was fixed in jboss-web_10_1.xsd > jboss-web_10_0.xsd is inccorect > ------------------------------- > > Key: WFLY-5410 > URL: https://issues.jboss.org/browse/WFLY-5410 > Project: WildFly > Issue Type: Bug > Components: Documentation > Affects Versions: 10.0.0.CR2 > Reporter: ehsavoie Hugonnet > Assignee: Eduardo Martins > > jboss-web_10_0.xsd requires an extension of javaee 7 xsd in the jboss namespace for <xsd:group ref="jboss:jndiEnvironmentRefsGroup"/>. > This was in jboss_commons_6_0.xsd for Javaee 6 so we need to have a similar schema for Javaee 7and import it in jboss-web_10_0.xsd. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 4 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2018