[jboss-jira] [JBoss JIRA] Resolved: (SECURITY-141) Fallback to FORM authentication if SPNEGO not available
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Sun Nov 28 08:03:30 EST 2010
[ https://jira.jboss.org/browse/SECURITY-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved SECURITY-141.
---------------------------------------
Fix Version/s: (was: Negotiation_2.0.3.SP4 )
Resolution: Done
If a <form-login-config> is defined for the web application the login page will also be sent with the challenge for SPNEGO.
For browsers that respond with NTLM, an additional loop will be added under SECURITY-448 to challenge using BASIC authentication, as the user will have already provided the username and password in a pop-up.
After the FORM authentication the user is redirected to the page they were attempting to browse before the challenge. This implementation does not currently cache the POST data, as in general the SPNEGO process is not suitable when using POST.
> Fallback to FORM authentication if SPNEGO not available
> -------------------------------------------------------
>
> Key: SECURITY-141
> URL: https://jira.jboss.org/browse/SECURITY-141
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: Negotiation_2.0.4
>
>
> Need to consider how this will work, especially regarding security domains, possible to do something Active Directory - password-stacking and an LDAP login module that for negotiation does just role mapping and for non-negotiation also does authentication.
> This issue is to allow fallback to FORM authentication where SPNEGO is not supported.
> As a side effect this should also allow username/password authentication where SPNEGO did not take place e.g. direct calls to EJBs from non web-tier.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
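
The fallback flow described in the resolution comment, sketched as an added example (not code from PicketBox or JBoss Negotiation): the server classifies the client's `Authorization` header and picks the next step, including the NTLM case deferred to SECURITY-448. The function names, action strings and sample tokens are constructed for this illustration.

```python
import base64
import binascii

NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with these bytes
GSS_INITIAL_TAG = 0x60           # ASN.1 [APPLICATION 0]: first GSS-API/SPNEGO token
SPNEGO_RESP_TAG = 0xA1           # NegTokenResp on later round trips

# Constructed, truncated sample tokens (not captured traffic).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()


def classify_authorization(header):
    """Classify an Authorization header value (None when the header is absent)."""
    if not header:
        return "none"
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic"
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"  # raw NTLM sent under the Negotiate scheme
    if token and token[0] in (GSS_INITIAL_TAG, SPNEGO_RESP_TAG):
        return "spnego"  # simplification: the wrapped mechanism is not inspected
    return "malformed"


def next_step(header, form_login_configured):
    """Pick the server's next action for one request, per the flow described above."""
    kind = classify_authorization(header)
    if kind == "none":
        # 401 + "WWW-Authenticate: Negotiate"; the body is the login page
        # when <form-login-config> is defined, so non-SPNEGO browsers can use FORM.
        return "challenge-negotiate+login-page" if form_login_configured else "challenge-negotiate"
    if kind == "spnego":
        return "continue-spnego"
    if kind == "ntlm":
        return "challenge-basic"  # the extra loop planned under SECURITY-448
    if kind == "basic":
        return "verify-basic-credentials"
    return "reject"
```
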