Darran Lofthouse updated ELY-153:
---------------------------------
Fix Version/s: 1.0.0.Alpha4
(was: 1.0.0.Alpha3)
Support DigestCredential with a specified realm name
----------------------------------------------------
Key: ELY-153
URL: https://issues.jboss.org/browse/ELY-153
Project: WildFly Elytron
Issue Type: Sub-task
Components: Passwords
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 1.0.0.Alpha4
This would imply the password is retrievable and the realm associated by the
authentication mechanism.
I see the following scenarios to be covered by this: -
- Realm that does not store pre-hashed and so is open to the mechanism providing the
realm name.
- Realms where one or more realm names may be in use.
- One identity with multiple credentials each with a different realm.
- Different realms used for different identities but no more than one per identity.
If this is accomplished using a CallbackHandler then there are a couple of Callback
options: -
1. getCredentialSupport on the realm, a RealmChoiceCallback can be used by a realm that
advertises all the realm names it knows, where realm names are selected the response can
take into account if all or some of the identities in that realm have a credential stored
for that realm.
2. getCredentialSupport on the realm can also support RealmCallback, in this case the
mechanism specifies one realm name.
3. These two can be repeated on the RealmIdentity, in that case however as a specific
identity is being referenced the response can be much more specific.
4. On getCredential the Callbacks can both be supported but in both cases can allow the
selection of a single realm.
Another option could be an extension to RealmChoiceCallback that also indicates the level
of support for each realm it contains.
Whilst exploring this, being able to identify the message digest algorithm support level
should also be considered in parallel.
Also I see solving this as a simple pre-requisite for ELY-154
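
The scenarios listed in the issue follow from how a digest credential is built: RFC 2617 H(A1) hashes the realm name together with the user name and password, so a pre-hashed credential is valid for exactly one realm name. The sketch below is an added example, not code from the issue or from Elytron; the class, enum, method names and sample data are hypothetical. It shows a realm-level answer (all, some or none of the identities hold a digest for a realm name) beside the more specific identity-level answer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example; all names here are hypothetical and are not Elytron API.
public class DigestRealmSupportDemo {
    enum Support { ALL, SOME, NONE }

    // RFC 2617 H(A1) = MD5(user ":" realm ":" password). The realm name is part of
    // the hash input, so a stored digest cannot be reused under another realm name.
    static String ha1(String user, String realm, char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        String a1 = user + ":" + realm + ":" + new String(password);
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest(a1.getBytes(StandardCharsets.UTF_8)))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // identity -> (realm name -> pre-hashed H(A1)); filled with constructed data in main()
    static final Map<String, Map<String, String>> STORE = new HashMap<>();

    // Realm-level question: do all, some or none of the identities have a digest
    // stored for this realm name?
    static Support support(String realmName) {
        long n = STORE.values().stream().filter(m -> m.containsKey(realmName)).count();
        return n == 0 ? Support.NONE : n == STORE.size() ? Support.ALL : Support.SOME;
    }

    // Identity-level question: one identity is referenced, so the answer is exact.
    static Optional<String> credential(String user, String realmName) {
        return Optional.ofNullable(STORE.getOrDefault(user, Map.of()).get(realmName));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray(); // constructed sample value
        // One identity with two credentials, each for a different realm name.
        STORE.put("alice", Map.of("app", ha1("alice", "app", pw),
                                  "mgmt", ha1("alice", "mgmt", pw)));
        // Another identity with a credential for a single realm name.
        STORE.put("bob", Map.of("app", ha1("bob", "app", pw)));

        for (String realm : List.of("app", "mgmt", "other"))
            System.out.println(realm + " -> " + support(realm));
        System.out.println("bob has mgmt digest: " + credential("bob", "mgmt").isPresent());
        // Same user and password, different realm name: the digests differ.
        System.out.println("digests equal across realms: "
                + ha1("alice", "app", pw).equals(ha1("alice", "mgmt", pw)));
    }
}
```

A realm that holds the clear password instead of a pre-hashed digest could call a function like `ha1` with whatever realm name the mechanism supplies, which is the first scenario in the list.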