[jboss-jira] [JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory

Jochen Riedlinger (JIRA) jira-events at lists.jboss.org
Mon Jul 23 06:12:07 EDT 2012 

    [ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707229#comment-12707229 ] 

Jochen Riedlinger commented on SECURITY-671:
--------------------------------------------

Sure, your suggestion could work.

Unfortunately our admins will close the possibility to authenticate with plain username/password combinations soon. In Germany we have the "Federal Office for Information Security (BSI)". As we are a state bank we have to follow their guidelines.

To have SSL between the browser and JBoss and only Kerberos between JBoss and ActiveDirectory would be a clean solution (and even easy to integrate in the existing code).
                
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
>                 Key: SECURITY-671
>                 URL: https://issues.jboss.org/browse/SECURITY-671
>             Project: PicketBox (JBoss Security and Identity Management)
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>         Environment: EAP 6.0.0 / JBossAS 7.1.2
>            Reporter: Jochen Riedlinger
>            Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list