[jboss-jira] [JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
Jochen Riedlinger (JIRA)
jira-events at lists.jboss.org
Tue Jul 24 02:21:06 EDT 2012
[ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707459#comment-12707459 ]
Jochen Riedlinger edited comment on SECURITY-671 at 7/24/12 2:20 AM:
---------------------------------------------------------------------
here is the implementation and configuration.
In LBankSPNEGOLoginModule.java I only changed the method "usernamePasswordLogin()" and added the method "getUsernameAndPassword()". And I have two new member variables.
If "usernamePasswordLogin()" (and the member variables) would be protected instead of private, the changes could be seen easier, because I could just imp0lement a subclass.
Then you need this start parameters
-Djava.security.krb5.conf=%JBOSS_HOME%/modules/de/lbank/conf/main/properties/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
In part_of_standalone.xml, you can see the three security domains used
was (Author: j_ri):
here is the implementation and configuration.
In LBankSPNEGOLoginModule.java I only changed the method "usernamePasswordLogin()" and added the method "getUsernameAndPassword()". And I have two new member variables.
If "usernamePasswordLogin()" (and the member variables) would be protected instead of private, the changes could be seen easier.
Then you need this start parameters
-Djava.security.krb5.conf=%JBOSS_HOME%/modules/de/lbank/conf/main/properties/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
In part_of_standalone.xml, you can see the three security domains used
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
> Key: SECURITY-671
> URL: https://issues.jboss.org/browse/SECURITY-671
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Environment: EAP 6.0.0 / JBossAS 7.1.2
> Reporter: Jochen Riedlinger
> Assignee: Darran Lofthouse
> Attachments: krb5.conf, Krb5TicketInitiator.java, LBankSPNEGOLoginModule.java, part_of_standalone.xml
>
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list