[jboss-jira] [JBoss JIRA] (ELY-535) Make use of realm events to handle password updates and resets for the OTP SASL mechanism
Farah Juma (JIRA)
issues at jboss.org
Tue May 17 09:59:00 EDT 2016
Farah Juma created ELY-535:
------------------------------
Summary: Make use of realm events to handle password updates and resets for the OTP SASL mechanism
Key: ELY-535
URL: https://issues.jboss.org/browse/ELY-535
Project: WildFly Elytron
Issue Type: Feature Request
Components: SASL
Reporter: Farah Juma
Assignee: Farah Juma
For the OTP SASL mechanism, the stored credential needs to be updated once a guess has been verified. In the standard case, this involves updating the stored hash based on the guess and decrementing the sequence number by 1. The OTP SASL mechanism also supports OTP sequence resets, where a user provides both a guess and a new OTP password with new parameters. If verification of the guess succeeds, then the stored credential is updated based on the new password and new parameters. However, if verification of the guess succeeds but the new password/parameters are invalid, then the stored hash is updated based on the guess and the sequence number is decremented by 1, as in the non-reset case (note that SASL auth fails in this case though).
PR #277 [adds handling|https://github.com/kabir/wildfly-elytron/blob/otp-test/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L728-L731] for a {{CredentialUpdateCallback}} in {{ServerAuthenticationContext}}. This is used to handle both the OTP sequence reset case as well as the non-reset case. Instead of manipulating the realm identity directly in the SAC callback handler, we should be able to make use of [realm events|https://github.com/wildfly-security/wildfly-elytron/pull/295] so that the realm itself can handle OTP updates and resets.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list