[ https://issues.jboss.org/browse/AS7-4646?page=com.atlassian.jira.plugin.s... ]
Jess Sightler commented on AS7-4646:
------------------------------------
@Darran: Thanks for the clarification, but this still leaves several problems with Digest:

1. Current implementations use MD5. MD5 is not FIPS compliant, and therefore cannot be used for password storage in our environment.

2. The LDAP server uses SSHA, and HTTP Digest is incompatible with this.

3. Storing the hash, even with a modified realm, still suffers from a weak salt. From the RFC (http://tools.ietf.org/html/rfc2617#section-4.13):

    "The security implications of this are that if this password file is compromised, then an attacker gains immediate access to documents on the server using this realm. Unlike, say a standard UNIX password file, this information need not be decrypted in order to access documents in the server realm associated with this file. On the other hand, decryption, or more likely a brute force attack, would be necessary to obtain the user's password. This is the reason that the realm is part of the digested data stored in the password file. It means that if one Digest authentication password file is compromised, it does not automatically compromise others with the same username and password (though it does expose them to brute force attack)."

IMO, DIGEST is actually worse than BASIC for our purposes, but BASIC is explicitly prohibited.
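The following is an added example, not code from the JIRA thread or from the JBoss AS7 code base. It works through the RFC 2617 property the comment above quotes: the server stores HA1 = MD5(username:realm:password), a client (or an attacker holding a leaked password file) needs only HA1 to produce a valid response, and the realm is the only salt-like input, so a leaked HA1 is directly brute-forceable because username and realm sit in the same file. For contrast it also builds and verifies the OpenLDAP-style {SSHA} form (base64 of SHA-1(password + random salt) followed by the salt) that the comment says the LDAP server uses. The sample user, realm, password, nonce, cnonce and URI are the worked values from RFC 2617 section 3.5, used here as constructed input; the wordlist is constructed as well.

```python
# Added example (not from the JIRA thread or the JBoss AS7 code base): a
# minimal RFC 2617 Digest computation showing why the stored HA1 is
# password-equivalent and why the realm is the only "salt" it carries,
# beside the random-salt {SSHA} form an LDAP directory typically stores.
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): what an htdigest-style file stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response for qop=auth. Needs HA1 only, never the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """The server recomputes the response from its stored HA1 and compares."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, client_response)


def brute_force_ha1(stored_ha1: str, username: str, realm: str, wordlist):
    """Offline guessing against a leaked HA1: username and realm come from the file."""
    for candidate in wordlist:
        if digest_ha1(username, realm, candidate) == stored_ha1:
            return candidate
    return None


def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt), random 8-byte salt."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Split the stored value back into digest and salt, then recompute."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


# Constructed input: the worked example from RFC 2617 section 3.5, not data
# taken from the JIRA issue.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
METHOD, URI = "GET", "/dir/index.html"


def attacker_with_leaked_file_logs_in() -> bool:
    """A leaked HA1 gives immediate access: the forged response is built from
    the stored hash alone and the server accepts it."""
    stored_ha1 = digest_ha1(USER, REALM, PASSWORD)   # the value that leaks
    forged = digest_response(stored_ha1, METHOD, URI, NONCE, NC, CNONCE)
    return server_verify(stored_ha1, METHOD, URI, NONCE, NC, CNONCE, forged)


def realm_is_the_only_salt():
    """The same user/password in another realm yields a different HA1, but both
    fall to the same wordlist because username and realm are in the file."""
    ha1_a = digest_ha1(USER, REALM, PASSWORD)
    ha1_b = digest_ha1(USER, "other-realm", PASSWORD)
    wordlist = ["password", "hakuna matata", "Circle Of Life"]  # constructed
    return (ha1_a != ha1_b,
            brute_force_ha1(ha1_a, USER, REALM, wordlist),
            brute_force_ha1(ha1_b, USER, "other-realm", wordlist))


if __name__ == "__main__":
    print("stored HA1:", digest_ha1(USER, REALM, PASSWORD))
    print("forged login accepted:", attacker_with_leaked_file_logs_in())
    print("different realm, both cracked:", realm_is_the_only_salt())
    h1, h2 = ssha_hash(PASSWORD), ssha_hash(PASSWORD)
    print("SSHA differs per hash:", h1 != h2, "verifies:", ssha_verify(h1, PASSWORD))
```

Running the block prints the RFC's own HA1 (939e7578ed9e3c518a452acee763bce9) and shows the forged login accepted, both realm variants cracked from the same short wordlist, and two {SSHA} values for the same password that differ yet both verify. The MD5 calls are the Digest scheme's own construction, which is the FIPS concern the comment raises; Python in a FIPS-restricted build may refuse them.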
Management Console needs to support FORM authentication
-------------------------------------------------------
Key: AS7-4646
URL: https://issues.jboss.org/browse/AS7-4646
Project: Application Server 7
Issue Type: Feature Request
Components: Console
Reporter: Jess Sightler
Assignee: Jason Greene
Labels: security
Many clients have security requirements that disallow HTTP Basic authentication. HTTP Digest is also disallowed due to the requirement to store plaintext passwords on the server. HTTP Form based authentication would provide a much smoother experience for users and comply with client requirements.
--
This message is automatically generated by JIRA.