Thomas Diesler updated JBWS-1549:
---------------------------------
Fix Version/s: jbossws-3.x (was: jbossws-3.0.1)
Multi-factor authentication support
-----------------------------------
Key: JBWS-1549
URL: http://jira.jboss.com/jira/browse/JBWS-1549
Project: JBoss Web Services
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: jbossws-native
Reporter: William DeCoste
Fix For: jbossws-3.x
Intuit request. Notes:
Implementation of WSS should support 2-factor or multi-factor authentication for
confidentiality, i.e. support via username token profile, binary profile, certificate
profile.
Currently UsernameToken is not fully supported (see WS-SEC-01).
The BinarySecurityToken block provides a holder for any binary based security token.
However, there needs to be an additional specification to define the token. Currently
there are specs for REL tokens, Kerberos tickets, x509 certificates and SAML tokens. For
example, to allow support for fingerprint scanning, there would need to be a specification
for biometric tokens. XCBF is an OASIS-approved specification for describing biometric
tokens in XML. However, the corresponding token profile (Web Services Security XCBF Token
Profile) was in 2nd draft in November 2002; I can't find any later work on this
specification. Another option would be to just invent your own specification. However,
there would need to be some understanding between each party as to how to handle this
token. Interceptors could be used to generate and verify these tokens. Clearly this is not
a particularly desirable option.
JBossWS 1.2 will support WS-Security x509 Token Profile. However, there is currently no
interoperability with the JEE declarative security. See the JBossWS JIRA issue, JBWS-652,
for more information.
WS-Security allows multiple types of authentication tokens to be
specified. For example, a request may contain a UsernameToken element and an x509
certificate with a corresponding signature. JBoss supports multi-factor authentication in
that it will verify the signature and then pass the username and password on for JAAS
authentication. There is currently no support for multi-factor JAAS authentication.
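The mixed-token request described in the notes (a UsernameToken plus an x509 certificate with a corresponding signature), as an added example that is not part of the original issue or of JBossWS: a structural check of which factors a wsse:Security header carries. It goes one step beyond the notes by also reporting whether the signature covers the UsernameToken, and it verifies neither the signature nor the password. The sample envelope and the names token_factors and _fragment_ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % WSU
# Constructed sample: user name, password, certificate and references are placeholders.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:ds="{NS['ds']}" xmlns:wsu="{WSU}">
 <soap:Header><wsse:Security>
  <wsse:UsernameToken wsu:Id="ut-1">
   <wsse:Username>alice</wsse:Username><wsse:Password>PLACEHOLDER</wsse:Password>
  </wsse:UsernameToken>
  <wsse:BinarySecurityToken wsu:Id="x509-1" ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:Signature>
   <ds:SignedInfo><ds:Reference URI="#ut-1"/><ds:Reference URI="#body-1"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509-1"/>
   </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body-1"/>
</soap:Envelope>"""

def _fragment_ids(sec, path):
    """IDs named by same-document references (URI="#id") under the given path."""
    uris = (ref.get("URI", "") for ref in sec.findall(path, NS))
    return {u[1:] for u in uris if u.startswith("#")}

def token_factors(envelope_xml):
    """Report which factors the wsse:Security header carries (structure only)."""
    result = {"password": False, "x509_signature": False, "username_signed": False}
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return result
    ut = sec.find("wsse:UsernameToken", NS)
    if ut is not None:
        fields = [ut.findtext("wsse:" + n, "", NS).strip() for n in ("Username", "Password")]
        result["password"] = all(fields)
        # Is the UsernameToken covered by the signature, i.e. bound to the certificate?
        signed = _fragment_ids(sec, "ds:Signature/ds:SignedInfo/ds:Reference")
        result["username_signed"] = ut.get(WSU_ID) in signed
    certs = {t.get(WSU_ID) for t in sec.findall("wsse:BinarySecurityToken", NS)
             if t.get("ValueType") == X509V3}
    key_refs = _fragment_ids(sec, "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference")
    result["x509_signature"] = bool(certs & key_refs)
    return result
```

A header that reports password and x509_signature but not username_signed carries both tokens without the signature tying them to each other.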