10:08 a.m.
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: http://jira.jboss.com/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public (Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assigned To: Darran Lofthouse
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:51 p.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[ http://jira.jboss.com/jira/browse/SECURITY-141?page=all ]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: 2.0.3.Beta2
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: http://jira.jboss.com/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assigned To: Darran Lofthouse
Fix For: 2.0.3.Beta2
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:43 p.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[ http://jira.jboss.com/jira/browse/SECURITY-141?page=all ]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: (was: 2.0.3.Beta2)
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: http://jira.jboss.com/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assigned To: Darran Lofthouse
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:36 a.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[
https://jira.jboss.org/jira/browse/SECURITY-141?page=com.atlassian.jira.p...
]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: Negotiation_2.0.4.GA
SPNEGO itself is the negotiation mechanism, this may not be possible except for NTLM.
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.4.GA
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:16 a.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[
https://jira.jboss.org/jira/browse/SECURITY-141?page=com.atlassian.jira.p...
]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: Negotiation_2.0.3.SP2
(was: Negotiation_2.0.4.GA)
Description:
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
was:Need to consider how this will work especially regarding security domains, possible
to do something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.3.SP2
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:03 p.m.
New subject: [JBoss JIRA] Commented: (SECURITY-141) Fallback to different authenticator if authentication fails
[
https://jira.jboss.org/jira/browse/SECURITY-141?page=com.atlassian.jira.p...
]
Jacob Orshalick commented on SECURITY-141:
------------------------------------------
Hi Darran,
Is this ticket also related to falling back to a lesser WWW-Authenticate mechanism? (e.g.
Digest or Basic). I have implemented a solution that refactors the
NegotiationAuthenticator allowing the user to configure Basic fallback if they choose. In
addition, the solution makes it pretty simple to incorporate Digest fallback as well.
Would there be interest in this patch? If needed, I would be happy to create a separate
ticket and provide the implementation. Thanks!
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/jira/browse/SECURITY-141
Project: JBoss Security and Identity Management
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.3.SP3
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:13 a.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[
https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin...
]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: Negotiation_2.0.3.SP4
(was: Negotiation_2.0.3.SP3)
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.3.SP4
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:08 p.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to different authenticator if authentication fails
[
https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin...
]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Fix Version/s: Negotiation_2.0.4
Fallback to different authenticator if authentication fails
-----------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.3.SP4 , Negotiation_2.0.4
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:33 p.m.
New subject: [JBoss JIRA] Updated: (SECURITY-141) Fallback to FORM authentication if SPNEGO not available
[
https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin...
]
Darran Lofthouse updated SECURITY-141:
--------------------------------------
Summary: Fallback to FORM authentication if SPNEGO not available (was: Fallback to
different authenticator if authentication fails)
Fallback to FORM authentication if SPNEGO not available
-------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.3.SP4 , Negotiation_2.0.4
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:03 a.m.
New subject: [JBoss JIRA] Resolved: (SECURITY-141) Fallback to FORM authentication if SPNEGO not available
[
https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin...
]
Darran Lofthouse resolved SECURITY-141.
---------------------------------------
Fix Version/s: (was: Negotiation_2.0.3.SP4 )
Resolution: Done
If a <form-login-config> is defined for the web application the login page will
also
be sent with the challenge for SPNEGO.
For browsers that respond with NTLM an additional loop will be added under SECURITY-448 to
challenge using BASIC authentication as the user will have already provided the username
and password in a pop up.
After the FORM authentication the user is redirected to the page they were attempting to
browse before the challenge - this implementation does not currently cache the POST data
as in general the SPNEGO process is not suitable when using POST.
Fallback to FORM authentication if SPNEGO not available
-------------------------------------------------------
Key: SECURITY-141
URL: https://jira.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.0.4
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:21 p.m.
New subject: [JBoss JIRA] (SECURITY-141) Fallback to FORM authentication if SPNEGO not available
[
https://issues.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plug...
]
Darran Lofthouse reopened SECURITY-141:
---------------------------------------
Fallback to FORM authentication if SPNEGO not available
-------------------------------------------------------
Key: SECURITY-141
URL: https://issues.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2.1.0
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:23 p.m.
New subject: [JBoss JIRA] (SECURITY-141) Fallback to FORM authentication if SPNEGO not available
[
https://issues.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plug...
]
Darran Lofthouse resolved SECURITY-141.
---------------------------------------
Fix Version/s: Negotiation_2_0_4
Resolution: Done
Ported to 2.0.4 by Marek Posolda
Fallback to FORM authentication if SPNEGO not available
-------------------------------------------------------
Key: SECURITY-141
URL: https://issues.jboss.org/browse/SECURITY-141
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Negotiation
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: Negotiation_2_0_4, Negotiation_2.1.0
Need to consider how this will work especially regarding security domains, possible to do
something active directory - password-stacking and an LDAP login module that for
negotiation does just role mapping and for non negotiation also does authentication.
This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
As a side effect this should also allow username/password authentication where SPNEGO did
not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4797
days inactive
6135
days old
11 comments
4 participants
participants (4)
-
Darran Lofthouse (JIRA) -
Darran Lofthouse (Reopened) (JIRA)
-
Darran Lofthouse (Resolved) (JIRA)
-
Jacob Orshalick (JIRA)