[ https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin... ]
Darran Lofthouse resolved SECURITY-141.
---------------------------------------
Fix Version/s: (was: Negotiation_2.0.3.SP4 )
Resolution: Done
If a <form-login-config> is defined for the web application the login page will also
be sent with the challenge for SPNEGO.
For browsers that respond with NTLM an additional loop will be added under SECURITY-448 to
challenge using BASIC authentication as the user will have already provided the username
and password in a pop up.
After the FORM authentication the user is redirected to the page they were attempting to
browse before the challenge - this implementation does not currently cache the POST data
as in general the SPNEGO process is not suitable when using POST.
Fallback to FORM authentication if SPNEGO not available
-------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public (Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.4
Need to consider how this will work especially regarding security domains, possible to do
something Active Directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non-negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
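
Added example, not part of the original message and not PicketBox/JBoss Negotiation code: a model of the decision described in the resolution comment, telling an SPNEGO token from an NTLM one in the Authorization header and choosing the next challenge. The function names, the returned dictionary and the 400 response for malformed headers are assumptions made for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                        # every NTLM message starts with this
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER form of OID 1.3.6.1.5.5.2

def classify(header):
    """Classify an Authorization header: none, spnego, ntlm, basic or invalid."""
    if not header:
        return "none"
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "invalid"
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "invalid"
    if token.startswith(NTLMSSP):
        return "ntlm"                  # NTLM carried under the Negotiate scheme
    # Initial GSS-API token only: 0x60, a DER length, then the mechanism OID.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "spnego"
    return "invalid"

def next_step(header, form_login_configured):
    """Hypothetical model of the server's decision for one request."""
    kind = classify(header)
    if kind == "none":
        # The challenge; with <form-login-config> the login page is the body.
        return {"status": 401, "challenge": "Negotiate",
                "login_page": form_login_configured}
    if kind == "ntlm":
        # The extra loop the comment defers to SECURITY-448 (assumed shape).
        return {"status": 401, "challenge": "Basic", "login_page": False}
    if kind in ("spnego", "basic"):
        return {"status": None, "validate": kind}   # hand to the login modules
    return {"status": 400}                          # assumed handling

def _negotiate(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample headers, not captured traffic.
NTLM_SAMPLE = _negotiate(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2")
SPNEGO_SAMPLE = _negotiate(b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x03\x30\x01\x00")
```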