[jboss-jira] [JBoss JIRA] (AS7-4646) Management Console needs to support FORM authentication
Jess Sightler (JIRA)
jira-events at lists.jboss.org
Thu Apr 26 14:59:20 EDT 2012
[ https://issues.jboss.org/browse/AS7-4646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688128#comment-12688128 ]
Jess Sightler edited comment on AS7-4646 at 4/26/12 2:58 PM:
-------------------------------------------------------------
DoD Security Requirements:
http://iase.disa.mil/stigs/a-z.html
http://iase.disa.mil/stigs/downloads/zip/app_services_checklist_v1r1-1-20060921.zip
See Sec3A, Requirement APS0140:
"Only DIGEST, FORM, and CLIENT-CERT types can be used when setup and configured properly:"
I don't really know why "DIGEST" is listed as acceptable (as a practical matter it isn't, due to other security restrictions).
Technically, it doesn't have to be FORM based, as a Javascript transmission would also pass. Just HTTP BASIC will be a significant hindrance to AS/EAP deployment within government installations, though.
was (Author: jsightler):
DoD Security Requirements:
http://iase.disa.mil/stigs/a-z.html
http://iase.disa.mil/stigs/downloads/zip/app_services_checklist_v1r1-1-20060921.zip
See Sec3A, Requirement APS0140:
"Only DIGEST, FORM, and CLIENT-CERT types can be used when setup and configured properly:"
I don't really know why "DIGEST" is listed as acceptable (as a practical matter it isn't, due to other security restrictions).
Technically, it doesn't have to be FORM based, but this will be a significant blocker to AS/EAP deployment within government installations otherwise.
> Management Console needs to support FORM authentication
> -------------------------------------------------------
>
> Key: AS7-4646
> URL: https://issues.jboss.org/browse/AS7-4646
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Console
> Reporter: Jess Sightler
> Assignee: Jason Greene
> Labels: security
>
> Many clients have security requirements that disallow HTTP Basic authentication. HTTP Digest is also disallowed due to the requirement to store plaintext passwords on the server. HTTP Form based authentication would provide a much smoother experience for users and comply with client requirements.
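The issue description and comment above turn on what each HTTP authentication scheme forces the server to keep. The following is an added illustration, not code from the JIRA issue, from Jess Sightler, or from the JBoss AS7 project: it models the server-side credential record for BASIC, FORM and DIGEST in plain Python. With BASIC and FORM the client sends the password itself, so the server can verify it against a salted, slow hash and never needs a recoverable password; with DIGEST the client sends only an MD5 response, so the server must hold either the plaintext password or the HA1 intermediate of RFC 2617, and HA1 is password-equivalent (anyone holding it can answer any challenge). The realm name, user names, passwords, nonce and URI are constructed sample values; `j_username`/`j_password` are the field names of the servlet FORM login, and everything else is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; none of these come from the JIRA issue.
REALM = "example-realm"
KDF_ITERATIONS = 100_000


def pbkdf2_record(password, salt=None):
    """Server-side record usable for BASIC and FORM: a random salt plus a slow
    hash. The password cannot be recovered from this record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_password(record, candidate):
    """Constant-time comparison of a presented password against the record."""
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(actual, expected)


def basic_header(user, password):
    """Build the 'Authorization: Basic' value a client would send (for the test)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_header_credentials(header):
    """Parse a BASIC header. Base64 is an encoding, not protection: the server
    (and anything on the path without TLS) receives the password itself, which
    is why the scheme is disallowed by the requirement quoted in the comment.
    RFC 7617 splits on the first colon, so passwords may contain colons."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def verify_form_login(record, posted_fields):
    """FORM login: the browser POSTs j_username/j_password over TLS and the
    server checks the salted hash exactly as it would for BASIC, then issues a
    session cookie (omitted here). No password-equivalent is stored."""
    return verify_password(record, posted_fields.get("j_password", ""))


def digest_ha1(user, realm, password):
    """HA1 per RFC 2617: MD5(user:realm:password). This, or the plaintext
    password it is derived from, is what a DIGEST server must keep."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce):
    """Client-side response (RFC 2617 without qop): MD5(HA1:nonce:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(stored_ha1, method, uri, nonce, response):
    """The server never sees the password under DIGEST, so it recomputes the
    response from stored HA1. A salted or iterated hash cannot be used here,
    and whoever reads HA1 from the server can authenticate as the user."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    record = pbkdf2_record("s3cret")
    print("BASIC  ->", basic_header_credentials(basic_header("admin", "s3cret")))
    print("FORM   ->", verify_form_login(record, {"j_username": "admin", "j_password": "s3cret"}))
    ha1 = digest_ha1("admin", REALM, "s3cret")
    resp = digest_response(ha1, "GET", "/management", "nonce-1")
    print("DIGEST ->", verify_digest(ha1, "GET", "/management", "nonce-1", resp),
          "(server stored HA1:", ha1 + ")")
```

The contrast to notice is in what `verify_form_login` and `verify_digest` consume: the former takes a salted PBKDF2 record, the latter a bare MD5 of the password, which is why a DIGEST deployment cannot satisfy a policy that forbids recoverable credentials on the server even though DIGEST keeps the password off the wire.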