[JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory

Tuesday, 24 July 2012

    [
https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plug...
] 

Jochen Riedlinger edited comment on SECURITY-671 at 7/24/12 2:20 AM:
---------------------------------------------------------------------

here is the implementation and configuration.

In LBankSPNEGOLoginModule.java I only changed the method
"usernamePasswordLogin()" and added the method
"getUsernameAndPassword()". And I have two new member variables.
If "usernamePasswordLogin()" (and the member variables) would be protected
instead of private, the changes could be seen easier, because I could just imp0lement a
subclass.

Then you need this start parameters
-Djava.security.krb5.conf=%JBOSS_HOME%/modules/de/lbank/conf/main/properties/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false

In part_of_standalone.xml, you can see the three security domains used

      was (Author: j_ri):
    here is the implementation and configuration.

In LBankSPNEGOLoginModule.java I only changed the method
"usernamePasswordLogin()" and added the method
"getUsernameAndPassword()". And I have two new member variables.
If "usernamePasswordLogin()" (and the member variables) would be protected
instead of private, the changes could be seen easier.

Then you need this start parameters
-Djava.security.krb5.conf=%JBOSS_HOME%/modules/de/lbank/conf/main/properties/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false

In part_of_standalone.xml, you can see the three security domains used

...
 Negotiation/SPNEGO: Fallback to authenticate Form/Basic with
ActiveDirectory
 ----------------------------------------------------------------------------

                 Key: SECURITY-671
                 URL: https://issues.jboss.org/browse/SECURITY-671
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Feature Request
      Security Level: Public(Everyone can see) 
         Environment: EAP 6.0.0 / JBossAS 7.1.2
            Reporter: Jochen Riedlinger
            Assignee: Darran Lofthouse
         Attachments: krb5.conf, Krb5TicketInitiator.java, LBankSPNEGOLoginModule.java,
part_of_standalone.xml

 Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and
SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your
imlementation, because it is officially supported.
 Unfortunately I find that your implementation is not yet finished because it lacks in a
fallback solution that is able to validate username/password from BASIC/FORM
authentication with ActiveDirectory.
 Since I had this feature in my old implementation I want to offer to contribute it here
to the Negotiation component of the project (unfortunately there is no JIRA component for
Negotiation).
 I think this would be valuable for anybody using SPNEGO.
 My implementation would even word for remote-ejb-calls (with plain username password sent
OR when sending a kerberos ticket in the password field)
 If you are interested I'll upload my code and configuration instructions (RedHat
employees can already see it in Support Case 00640390). 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006