[jboss-jira] [JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory

Jochen Riedlinger (JIRA) jira-events at lists.jboss.org
Mon Jul 23 08:59:06 EDT 2012 

    [ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707268#comment-12707268 ] 

Jochen Riedlinger commented on SECURITY-671:
--------------------------------------------

What do you mean with "standard Kerberos login module"? Do you mean com.sun.security.auth.module.Krb5LoginModule?
I can't use this directly in a security domain. Its LoginMethod always returns true, because it only puts the initialized Kerberos Ticket in the Subject as privat credentials. It has to be "surrounded" by JGSS-code.
Please take a look at the classes I added to the Support Case. Here the standard Krb5LoginModule is used in combination with the JGSS API. There the Krb5LoginModule created the Kerberos-Ticket from username/passsword.
But after this code is called it has to go to your SPNEGOLoginModule.innerLogin() method to accept the generated ticket. That's why I think my extensions should be integrated into the original SPNEGOLoginModule.
                
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
>                 Key: SECURITY-671
>                 URL: https://issues.jboss.org/browse/SECURITY-671
>             Project: PicketBox (JBoss Security and Identity Management)
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>         Environment: EAP 6.0.0 / JBossAS 7.1.2
>            Reporter: Jochen Riedlinger
>            Assignee: Darran Lofthouse
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list