[jboss-jira] [JBoss JIRA] (ELY-281) Investigate if it's possible to modify the OTP SASL mechanism and password implementation to make use of the credential verification API
David Lloyd (JIRA)
issues at jboss.org
Wed Sep 2 10:24:05 EDT 2015
[ https://issues.jboss.org/browse/ELY-281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13104574#comment-13104574 ]
David Lloyd commented on ELY-281:
---------------------------------
One possible slight modification to this approach might be to add a method to the realm identity indicating that authentication was completed - this would avoid the possible problem where a verification should not "count" towards the OTP authentication.
I can't think of a good solution to requiring realms to use {{PasswordFactory}}. Ideally they *should* but I can't say for sure that they always *must*...
> Investigate if it's possible to modify the OTP SASL mechanism and password implementation to make use of the credential verification API
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ELY-281
> URL: https://issues.jboss.org/browse/ELY-281
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: SASL
> Reporter: Farah Juma
> Assignee: Farah Juma
>
> The main idea here is to be able to pass the guess that's being verified to the realm and have the realm handle updating the stored credential if verification succeeds.
> Relevant chat discussion:
> {quote}
> \[8:42 AM\] Darran Lofthouse: @KabirKhan Ok, so you are trying to test OTP and require updates to be applied to the realm
> \[8:43 AM\] Darran Lofthouse: One option is to update the ServerAuthenticationContext to make an update
> \[8:43 AM\] Kabir Khan: That is what I had planned
> \[8:43 AM\] Darran Lofthouse: I do also wonder if a second option may be to use the credential verification API we have instead so the credential being verified is passed into the realm and the realm can handle updates internally
> \[8:44 AM\] Darran Lofthouse: although have not been in the credential in detail to see if this is possible
> \[8:44 AM\] Kabir Khan: Possibly, I'd need to look at the code a bit better though
> \[8:44 AM\] Kabir Khan: the first option is what stood out to me
> \[8:45 AM\] Darran Lofthouse: the first option may match with how the credential and mech are currently implemented - but does risk us adding more and more behaviour to ServerAuthenticationContext
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
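The following is an added illustration of the approach debated above (the guess is passed into the realm, which verifies it and advances the stored OTP only when told that authentication completed); it is not code from WildFly Elytron, the class and method names are hypothetical, and the hash chain is a simplified S/KEY-style chain using SHA-256 without RFC 2289 folding.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical realm identity for a simplified S/KEY-style OTP hash chain (no RFC 2289 folding);
// names and structure are illustrative, not WildFly Elytron's API.
public final class OtpRealmIdentityExample {
    private byte[] storedHash;   // H(current one-time password), as the realm stores it
    private int sequence;        // remaining passwords in the chain
    private byte[] pendingHash;  // verified guess, committed only when authentication completes
    private int pendingSequence;

    public OtpRealmIdentityExample(byte[] storedHash, int sequence) {
        this.storedHash = storedHash.clone();
        this.sequence = sequence;
    }

    // The guess is passed into the realm and the realm does the verification itself.
    // Nothing stored changes here, so a verification that never completes does not "count".
    public boolean verifyCredential(byte[] guess) {
        pendingHash = null;
        if (sequence <= 0 || !MessageDigest.isEqual(sha256(guess), storedHash)) return false;
        pendingHash = guess.clone();
        pendingSequence = sequence - 1;
        return true;
    }

    // The "authentication completed" signal: only now does the verified guess replace the stored hash.
    public void authenticationComplete() {
        if (pendingHash == null) throw new IllegalStateException("no verified credential pending");
        storedHash = pendingHash;
        sequence = pendingSequence;
        pendingHash = null;
    }

    static byte[] sha256(byte[] in) {
        try { return MessageDigest.getInstance("SHA-256").digest(in); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        // Constructed chain: seed -> h1 = H(seed) -> h2 = H(h1). The realm stores h2 at sequence 2; the client sends h1.
        byte[] h1 = sha256("constructed-seed".getBytes(StandardCharsets.UTF_8));
        OtpRealmIdentityExample id = new OtpRealmIdentityExample(sha256(h1), 2);
        System.out.println("first verify: " + id.verifyCredential(h1));
        System.out.println("same guess before completion: " + id.verifyCredential(h1)); // stored hash unchanged so far
        id.authenticationComplete();
        System.out.println("replay after completion: " + id.verifyCredential(h1)); // h1 is now what the realm stores
    }
}
```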