[jboss-jira] [JBoss JIRA] (AS7-4646) Management Console needs to support FORM authentication
Jason Greene (JIRA)
jira-events at lists.jboss.org
Fri Apr 27 10:46:19 EDT 2012
[ https://issues.jboss.org/browse/AS7-4646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688391#comment-12688391 ]
Jason Greene commented on AS7-4646:
-----------------------------------
You just described the principle of digest. The whole point is that you never send a password, or anything that can be used as one, over the wire. Someone can record all your traffic, and they That is the tradeoff. You basically choose: secure your storage, or secure the wire. You can't have both. Usually the storage point is far easier to secure than every network intermediary you could possibly have traffic on, in particular if it's a public-facing internet connection that crosses untrusted networks. You are certainly more vulnerable in that a recovered digest database gives an attacker immediate access to all users on the same realm. This is an identical problem to having a keystore. Someone steals your keys and it's game over (until you revoke them). As to this FIPS SHA1 over MD5 requirement, it would be nice if browsers were updated to support SHA DIGEST; however, the known MD5 weaknesses require some knowledge of the plaintext, and DIGEST doesn't have that property, so the advantages aren't that significant.
Using SSL greatly reduces the weakness of passing passwords in the clear over the wire, so using FORM or BASIC starts to make more sense, and allows you to have strong storage security. It is certainly the most flexible configuration. However, BASIC is no less secure than FORM, so whoever came up with that rule has no idea what they are talking about. In fact FORM has some ugly weaknesses that BASIC does not, namely the potential to hijack session tokens without having to even care which user owns it. Also, our management interface isn't just a browser application; it supports usage from REST-like HTTP client applications, and FORM just doesn't make sense for those. This makes me wonder how on earth any form of password scheme could survive these security standards, since they all use BASIC?
If we did a JavaScript login, it would look like FORM but would still be stateless; we would be using either BASIC or DIGEST headers from the JavaScript code. The funny thing about BASIC being disallowed is that I could use a different auth header; I could call it "NOTBASIC", or maybe I could even call it "FORM". Under the hood it's the same as every other plain text transmission method. You are sending the password over the wire.
> Management Console needs to support FORM authentication
> -------------------------------------------------------
>
> Key: AS7-4646
> URL: https://issues.jboss.org/browse/AS7-4646
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Console
> Reporter: Jess Sightler
> Assignee: Jason Greene
> Labels: security
>
> Many clients have security requirements that disallow HTTP Basic authentication. HTTP Digest is also disallowed due to the requirement to store plaintext passwords on the server. HTTP Form based authentication would provide a much smoother experience for users and comply with client requirements.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
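The digest tradeoff discussed in the comment above, as an added example that is not part of this thread or of the JBoss code base: the server stores only HA1 = MD5(user:realm:password), the client never puts the password on the wire, a replayed response fails against a fresh nonce, and because HA1 alone suffices for verification, the HA1 store is what must be protected. It follows RFC 2617 MD5 digest without the qop/cnonce extensions for brevity; the realm name and credentials are constructed sample values.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: the only credential material the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response (no qop): MD5(HA1 : nonce : MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

REALM = "ManagementRealm"  # constructed sample realm name

def make_store(users: dict) -> dict:
    """Server-side credential store: HA1 per user, never the plaintext password."""
    return {u: ha1(u, REALM, p) for u, p in users.items()}

def client_authorize(username, password, nonce, method, uri) -> dict:
    """What the browser or HTTP client actually sends in the Authorization header."""
    resp = digest_response(ha1(username, REALM, password), nonce, method, uri)
    return {"username": username, "realm": REALM, "nonce": nonce,
            "uri": uri, "response": resp}

def server_verify(store: dict, header: dict, method: str, issued_nonce: str) -> bool:
    """Verify using only the stored HA1; a nonce the server did not just issue is rejected."""
    if header.get("nonce") != issued_nonce:
        return False
    stored = store.get(header.get("username"))
    if stored is None:
        return False
    expected = digest_response(stored, issued_nonce, method, header["uri"])
    return secrets.compare_digest(expected, header["response"])

def demo():
    """Returns (login_ok, password_visible_on_wire, replay_with_new_nonce_ok)."""
    password = "correct horse battery"  # constructed sample credential
    store = make_store({"admin": password})
    nonce = secrets.token_hex(16)
    header = client_authorize("admin", password, nonce, "GET", "/management")
    login_ok = server_verify(store, header, "GET", nonce)
    on_wire = password in str(header)            # False: only the MD5 response travels
    replay_ok = server_verify(store, header, "GET", secrets.token_hex(16))
    return login_ok, on_wire, replay_ok
```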