[jboss-jira] [JBoss JIRA] (WFLY-1217) Pass through Digest authentication against LDAP

Darran Lofthouse (JIRA) issues at jboss.org
Mon Jul 14 11:54:32 EDT 2014


     [ https://issues.jboss.org/browse/WFLY-1217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-1217:
-----------------------------------

    Issue Type: Feature Request  (was: Task)


Just converting this to a feature request to better represent its type.

This is as a result of a conversation along the lines of "Wouldn't it be nice if we could do X" where X is to relay Digest challenges from the LDAP server to the client in place of our own challenges and then we send the resulting response back to the LDAP server.

In addition to integration issues within WildFly this would also require substantial changes to the SASL libraries, the Digest server would of course need to be able to send proxied challenges to the client instead of handling them itself and also it would need to forward responses it receives - there would most likely need to be a new SASL Client that communicates with the LDAP Server and also handles a lot of the proxying.

Libraries used for the communication would most likely also need modification as it is not easy within the SASL mechs here to detect a successful completed exchange.

But the most important factor is that we have not proven proxying in this way is even possible, there are certain man in the middle protections within the mechanisms that may actually prevent this from happening.  The first step really is to verify if this is even possible.

> Pass through Digest authentication against LDAP
> -----------------------------------------------
>
>                 Key: WFLY-1217
>                 URL: https://issues.jboss.org/browse/WFLY-1217
>             Project: WildFly
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management, Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>              Labels: Common_Authentication
>             Fix For: Awaiting Volunteers
>
>
> It is possible for a client to authenticate against an LDAP server using Digest authentication.
> This task is to make use of this with both our SASL mechanism and HTTP authenticator to provide a pass through check.
> We need AS7-3691 first and then this needs to be implemented in a way that can consistently be used for both SASL and HTTP Digest.



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
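
One concrete instance of the man-in-the-middle protections the message refers to, as an added example that is not part of the original message or of WildFly's code: the SASL DIGEST-MD5 response (RFC 2831) hashes the digest-uri naming the service the client believes it is talking to, and HTTP Digest (RFC 2617) builds its hash differently again, so a response produced for the front-end service does not verify at the LDAP server. The credentials, nonces, host names and the `remote` service type are constructed assumptions, and the server check is simplified to the digest-uri and hash comparison.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def sasl_response(user, realm, pw, nonce, cnonce, nc, digest_uri):
    """DIGEST-MD5 response for qop=auth, no authzid (RFC 2831, 2.1.2.1)."""
    a1 = hashlib.md5(f"{user}:{realm}:{pw}".encode()).digest() \
        + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{md5_hex(a2)}".encode())

def http_response(user, realm, pw, nonce, cnonce, nc, method, uri):
    """HTTP Digest response for qop=auth, algorithm=MD5 (RFC 2617, 3.2.2)."""
    ha1 = md5_hex(f"{user}:{realm}:{pw}".encode())
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode())

# Constructed sample values, not taken from the issue.
USER, REALM, PW = "alice", "example.test", "s3cret"
NONCE, CNONCE, NC = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"
LDAP_URI = "ldap/ldap.example.test"        # service the LDAP server expects
FRONT_URI = "remote/wildfly.example.test"  # service the client thinks it reached

def ldap_accepts(digest_uri, response):
    """LDAP-side check: digest-uri must name this service and the hash must match."""
    if digest_uri != LDAP_URI:
        return False
    expected = sasl_response(USER, REALM, PW, NONCE, CNONCE, NC, LDAP_URI)
    return hmac.compare_digest(expected, response)

def relay_outcomes():
    direct = sasl_response(USER, REALM, PW, NONCE, CNONCE, NC, LDAP_URI)
    relayed = sasl_response(USER, REALM, PW, NONCE, CNONCE, NC, FRONT_URI)
    http = http_response(USER, REALM, PW, NONCE, CNONCE, NC, "GET", "/management")
    return {
        "direct": ldap_accepts(LDAP_URI, direct),
        "relayed_unchanged": ldap_accepts(FRONT_URI, relayed),
        "relayed_uri_rewritten": ldap_accepts(LDAP_URI, relayed),
        "http_digest_forwarded": ldap_accepts(LDAP_URI, http),
    }

if __name__ == "__main__":
    for name, ok in relay_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the direct exchange verifies; this shows why naive forwarding fails and does not settle whether a proxy-aware design is possible.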

