[jboss-jira] [JBoss JIRA] (AS7-4646) Management Console needs to support FORM authentication
Jess Sightler (JIRA)
jira-events at lists.jboss.org
Fri Apr 27 11:22:18 EDT 2012
[ https://issues.jboss.org/browse/AS7-4646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688410#comment-12688410 ]
Jess Sightler commented on AS7-4646:
------------------------------------
@Darran - The tradeoff with Digest is that it provides wire-level security in exchange for limits on how I can hash passwords on the server. For example, SSHA512 with a random salt per user is preferable over an MD5 of user:password:realm. Even with a non-standard realm, there are limits there. Obviously, this will improve if SHA1 support is ever added to most browsers.
HTTP BASIC allows me to maintain password storage in any way, while SSL provides the transport level security. For my scenarios, this is a better tradeoff.
I get your point and agree with you re: FORM. :-)
> Management Console needs to support FORM authentication
> -------------------------------------------------------
>
> Key: AS7-4646
> URL: https://issues.jboss.org/browse/AS7-4646
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Console
> Reporter: Jess Sightler
> Assignee: Jason Greene
> Labels: security
>
> Many clients have security requirements that disallow HTTP Basic authentication. HTTP Digest is also disallowed due to the requirement to store plaintext passwords on the server. HTTP Form based authentication would provide a much smoother experience for users and comply with client requirements.
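Added example (not part of the original message and not JBoss AS code): a sketch of the storage tradeoff discussed in the comment above, showing that Digest verification needs a stored MD5-based HA1 while Basic over TLS can be checked against a per-user salted SSHA512 record. HA1 follows RFC 2617's field order; the user, realm, nonce and URI values are constructed samples.

```python
import base64, hashlib, hmac, os

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 A1 = username ":" realm ":" password. The server must keep this
    # value (or the plaintext), so it needs the same protection as a password.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1 ":" nonce ":" MD5(method ":" uri))
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def digest_verify(stored_ha1, nonce, method, uri, client_response) -> bool:
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)

def ssha512_store(password: str, salt: bytes = None) -> str:
    # {SSHA512} = base64(SHA-512(password || salt) || salt), random salt per user
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()

def ssha512_verify(record: str, password: str) -> bool:
    raw = base64.b64decode(record[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)

def basic_verify(authorization_header: str, users: dict) -> bool:
    # Basic carries the password itself (hence the need for TLS), so the
    # server is free to check it against any storage scheme.
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # covers malformed base64 and non-UTF-8 bytes
        return False
    record = users.get(user)
    return record is not None and ssha512_verify(record, password)

if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    ha1 = digest_ha1("admin", "ExampleRealm", "s3cret")
    resp = digest_response(ha1, "abc123", "GET", "/management")
    print("digest ok:", digest_verify(ha1, "abc123", "GET", "/management", resp))
    users = {"admin": ssha512_store("s3cret")}
    header = "Basic " + base64.b64encode(b"admin:s3cret").decode()
    print("basic ok:", basic_verify(header, users))
```

The SSHA512 record cannot be used to compute a Digest response, which is why choosing Digest constrains the server-side password format.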