[jboss-jira] [JBoss JIRA] Updated: (SECURITY-448) Fallback to BASIC authenticator if authentication fails
Jacob Orshalick (JIRA)
jira-events at lists.jboss.org
Fri Dec 18 16:42:30 EST 2009
[ https://jira.jboss.org/jira/browse/SECURITY-448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacob Orshalick updated SECURITY-448:
-------------------------------------
Attachment: jboss-negotiation-common-v1.patch, jboss-negotiation-spnego-v1.patch
The provided patch refactors the NegotiationAuthenticator and the SPNEGOLoginModule to allow a fallback authenticator to be provided and provides a new NegotiationWithBasicFallbackAuthenticator class. This class can be configured in place of the NegotiationAuthenticator in jboss-service.xml to allow fallback to BASIC authentication.
An additional login-module must be configured within the SPNEGO application-policy to authenticate the user based on username/password. This implementation relies on the SPNEGOLoginModule being defined as required="optional" to allow the second login-module a chance to authenticate the user when fallback occurs.
The patch handles fallback in 2 cases:
1. The browser sends NTLM credentials or invalid Kerberos credentials
2. The browser does not support SPNEGO authentication (not a trusted domain)
All testing at this point has used the UserRolesLoginModule for verifying fallback BASIC credentials.
Please let me know if the patch is suitable or needs any modification. If you need the patch in any other format, or would request any changes to the implementation, I would be happy to make any requested changes. Thanks!
> Fallback to BASIC authenticator if authentication fails
> -------------------------------------------------------
>
> Key: SECURITY-448
> URL: https://jira.jboss.org/jira/browse/SECURITY-448
> Project: JBoss Security and Identity Management
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Reporter: Jacob Orshalick
> Assignee: Darran Lofthouse
> Attachments: jboss-negotiation-common-v1.patch, jboss-negotiation-spnego-v1.patch
>
>
> This issue is related to SECURITY-141, but is a request to allow fallback to BASIC authentication where SPNEGO is not supported. As a side effect this should also allow username/password authentication where SPNEGO did not take place.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
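
The comment above depends on the JAAS control flag of the first login module. The following added example (not code from the patch or from JBoss Negotiation) uses only the standard JAAS API to show why a failing first module must be `optional` for a second username/password module to authenticate the user. `StubModule`, the policy name `SPNEGO` and the `succeed` option are stand-ins invented for this demonstration.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class FallbackFlagDemo {
    /** Stand-in login module; its outcome is fixed by the hypothetical "succeed" option. */
    public static class StubModule implements LoginModule {
        private boolean succeed;
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> shared, Map<String, ?> options) {
            succeed = "true".equals(options.get("succeed"));
        }
        public boolean login() throws LoginException {
            if (!succeed) throw new FailedLoginException("no usable negotiation token");
            return true;
        }
        public boolean commit() { return succeed; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Runs a two-module stack: a failing first module, then a succeeding password module. */
    static boolean authenticate(LoginModuleControlFlag firstModuleFlag) {
        AppConfigurationEntry[] stack = {
            // Position of the SPNEGO module: fails, as in the two fallback cases.
            new AppConfigurationEntry(StubModule.class.getName(), firstModuleFlag,
                                      Map.of("succeed", "false")),
            // Position of the username/password module: accepts the BASIC credentials.
            new AppConfigurationEntry(StubModule.class.getName(),
                                      LoginModuleControlFlag.REQUIRED, Map.of("succeed", "true"))
        };
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("SPNEGO", new Subject(), null, config).login();
            return true;
        } catch (LoginException e) {
            return false;   // overall authentication failed
        }
    }

    public static void main(String[] args) {
        System.out.println("optional:  " + authenticate(LoginModuleControlFlag.OPTIONAL));  // true
        System.out.println("required:  " + authenticate(LoginModuleControlFlag.REQUIRED));  // false
        System.out.println("requisite: " + authenticate(LoginModuleControlFlag.REQUISITE)); // false
    }
}
```

With `REQUISITE` the stack stops at the first failure, and with `REQUIRED` the second module runs but the overall login still fails, so only `OPTIONAL` leaves the decision to the password module.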