[jboss-jira] [JBoss JIRA] (AS7-4646) Management Console needs to support FORM authentication
Jess Sightler (JIRA)
jira-events at lists.jboss.org
Fri Apr 27 09:20:17 EDT 2012
[ https://issues.jboss.org/browse/AS7-4646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688356#comment-12688356 ]
Jess Sightler commented on AS7-4646:
------------------------------------
@Darran: Thanks for the clarification, but this still leaves several problems with Digest:
1. Current implementations use MD5. MD5 is not FIPS compliant, and therefore cannot be used for password storage in our environment
2. The LDAP server uses SSHA, and HTTP Digest is incompatible with this
3. Storing the hash, even with a modified realm, still suffers from weak salt. From the RFC:
http://tools.ietf.org/html/rfc2617#section-4.13
"The security implications of this are that if this password file is
compromised, then an attacker gains immediate access to documents on
the server using this realm. Unlike, say a standard UNIX password
file, this information need not be decrypted in order to access
documents in the server realm associated with this file. On the other
hand, decryption, or more likely a brute force attack, would be
necessary to obtain the user's password. This is the reason that the
realm is part of the digested data stored in the password file. It
means that if one Digest authentication password file is compromised,
it does not automatically compromise others with the same username
and password (though it does expose them to brute force attack)."
IMO, DIGEST is actually worse than BASIC for our purposes, but BASIC is explicitly prohibited.
> Management Console needs to support FORM authentication
> -------------------------------------------------------
>
> Key: AS7-4646
> URL: https://issues.jboss.org/browse/AS7-4646
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Console
> Reporter: Jess Sightler
> Assignee: Jason Greene
> Labels: security
>
> Many clients have security requirements that disallow HTTP Basic authentication. HTTP Digest is also disallowed due to the requirement to store plaintext passwords on the server. HTTP Form based authentication would provide a much smoother experience for users and comply with client requirements.