[jboss-jira] [JBoss JIRA] (ELY-252) Take into account username after failed authentication for available mechs
Jan Kalina (JIRA)
issues at jboss.org
Tue Nov 14 10:15:00 EST 2017
[ https://issues.jboss.org/browse/ELY-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489966#comment-13489966 ]
Jan Kalina commented on ELY-252:
--------------------------------
This could be in theory implemented in ServerAuthenticationContext, as a default value in NameCallback - but I don't think there are any SASL mechanisms for which this would be useful - all mechs I remember have to obtain the username from the client by protocol, and the protocol does not allow the server to provide a default to the client...
> Take into account username after failed authentication for available mechs
> --------------------------------------------------------------------------
>
> Key: ELY-252
> URL: https://issues.jboss.org/browse/ELY-252
> Project: WildFly Elytron
> Issue Type: Task
> Components: SASL
> Reporter: Darran Lofthouse
> Fix For: 1.2.0.Beta11
>
>
> This is something we would need to be cautious about, as it does risk revealing information to an attacker, but after a failed attempt we may have more information and be able to offer mechanisms based on this.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)