[jboss-jira] [JBoss JIRA] (ELY-41) Password Recognition and Parsing Framework

[Darran Lofthouse (JIRA)]

Darran Lofthouse created ELY-41:
-----------------------------------

             Summary: Password Recognition and Parsing Framework
                 Key: ELY-41
                 URL: https://issues.jboss.org/browse/ELY-41
             Project: WildFly Elytron
          Issue Type: Task
      Security Level: Public (Everyone can see)
          Components: API / SPI
            Reporter: Darran Lofthouse
             Fix For: 1.0.0.Beta1


I don't think having a single PasswordUtils that recognises and parses all password types is going to be a good idea long term - I think a lot of the responsibility for what is supported needs to come from the realm.

A scenario I am thinking is an LDAP server is configured to support clear text passwords, that server verifies the strength of the password before letting a user set it - this could be circumvented by setting the password value to something we would parse as one of the other password types.  The problem is the user could just hash 'password' - this would pass the LDAP servers dictionary attack check.

The second issue is that different formats could be realm specific, e.g. LDAP supports trival digests in formats slightly different to those we already support.

One idea I am starting to think about it a password parser that a realm can build up with a set of supported password types, working on LDAP it is apparent realms potentially need configuration for the credential types they will claim to support before the RealmIdentity is identified so not a major deviation from the work I am already finding necessary.




--
This message was sent by Atlassian JIRA
(v6.2.6#6264)