[ https://jira.jboss.org/jira/browse/SECURITY-448?page=com.atlassian.jira.p... ]

Jacob Orshalick updated SECURITY-448:
-------------------------------------
    Attachment: jboss-negotiation-common-v1.patch
                jboss-negotiation-spnego-v1.patch

The provided patch refactors the NegotiationAuthenticator and the SPNEGOLoginModule to
allow a fallback authenticator to be provided and provides a new
NegotiationWithBasicFallbackAuthenticator class. This class can be configured in place of
the NegotiationAuthenticator in jboss-service.xml to allow fallback to BASIC
authentication.

An additional login-module must be configured within the SPNEGO application-policy to
authenticate the user based on username/password. This implementation relies on the
SPNEGOLoginModule being defined as required="optional" to allow the second
login-module a chance to authenticate the user when fallback occurs.

The patch handles fallback in 2 cases:

1. The browser sends NTLM credentials or invalid Kerberos credentials
2. The browser does not support SPNEGO authentication (not a trusted domain)

All testing at this point has used the UserRolesLoginModule for verifying fallback BASIC
credentials.

Please let me know if the patch is suitable or needs any modification. If you need the
patch in any other format, or would request any changes to the implementation, I would be
happy to make any requested changes. Thanks!

Fallback to BASIC authenticator if authentication fails
-------------------------------------------------------

Key: SECURITY-448
URL: https://jira.jboss.org/jira/browse/SECURITY-448
Project: JBoss Security and Identity Management
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Negotiation
Reporter: Jacob Orshalick
Assignee: Darran Lofthouse
Attachments: jboss-negotiation-common-v1.patch, jboss-negotiation-spnego-v1.patch

This issue is related to SECURITY-141, but is a request to allow fallback to BASIC
authentication where SPNEGO is not supported. As a side effect this should also allow
username/password authentication where SPNEGO did not take place.
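
How a server-side authenticator might sort incoming Authorization headers for the fallback cases listed in the comment above, as an added example that is not code from the attached patches or from JBoss Negotiation. The class, enum and method names are hypothetical, the sample tokens are constructed, and only raw NTLM tokens are recognised (NTLM offered inside a SPNEGO token is not handled).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class AuthHeaderTriage {
    enum Decision { CHALLENGE, CONTINUE_SPNEGO, FALLBACK_TO_BASIC, VERIFY_BASIC, REJECT }

    // A raw NTLM message starts with the ASCII signature "NTLMSSP" and a NUL byte.
    private static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    static Decision triage(String authorization) {
        if (authorization == null || authorization.trim().isEmpty()) {
            return Decision.CHALLENGE; // no credentials yet: offer Negotiate and Basic
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2) return Decision.REJECT;
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Decision.REJECT; // payload is not valid base64
        }
        if (parts[0].equalsIgnoreCase("Negotiate")) {
            boolean ntlm = token.length >= NTLM_SIG.length
                    && Arrays.equals(Arrays.copyOf(token, NTLM_SIG.length), NTLM_SIG);
            // 0x60 opens a GSS-API initial context token, 0xa1 a SPNEGO NegTokenResp.
            int first = token.length > 0 ? (token[0] & 0xff) : -1;
            boolean gss = first == 0x60 || first == 0xa1;
            // Whether a Kerberos ticket is valid is only known after the GSS accept step.
            return (gss && !ntlm) ? Decision.CONTINUE_SPNEGO : Decision.FALLBACK_TO_BASIC;
        }
        if (parts[0].equalsIgnoreCase("Basic")) {
            // The password is only base64-encoded, so this path needs TLS.
            String creds = new String(token, StandardCharsets.UTF_8);
            return creds.indexOf(':') > 0 ? Decision.VERIFY_BASIC : Decision.REJECT;
        }
        return Decision.REJECT;
    }

    private static String b64(byte[] raw) { return Base64.getEncoder().encodeToString(raw); }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic.
        byte[] ntlmType1 = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0};
        byte[] gssStub = {0x60, 0x02, 0x06, 0x00};
        System.out.println("no header: " + triage(null));
        System.out.println("NTLM:      " + triage("Negotiate " + b64(ntlmType1)));
        System.out.println("GSS token: " + triage("Negotiate " + b64(gssStub)));
        System.out.println("Basic:     " + triage("Basic " + b64("alice:secret".getBytes(StandardCharsets.UTF_8))));
    }
}
```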