[jboss-jira] [JBoss JIRA] (ELY-991) SASL Digest client handles callbacks incorrectly

Jan Kalina (JIRA) issues at jboss.org
Wed Oct 25 08:46:00 EDT 2017 

     [ https://issues.jboss.org/browse/ELY-991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina reassigned ELY-991:
------------------------------

    Assignee: Jan Kalina


> SASL Digest client handles callbacks incorrectly
> ------------------------------------------------
>
>                 Key: ELY-991
>                 URL: https://issues.jboss.org/browse/ELY-991
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Mechanisms, SASL
>            Reporter: David Lloyd
>            Assignee: Jan Kalina
>
> Right now the SASL digest client handles callbacks like this:
> * If a realm choice is available use RealmChoiceCallback to get it, and fail if it is not supported
> * Try to use RealmCallback+NameCallback+CredentialCallback (with digest password)
> * Try to use RealmCallback+NameCallback+CredentialCallback (with two-way password)
> * Try to use RealmCallback+NameCallback+PasswordCallback
> This is a problem because RealmChoiceCallback should not be required, and if it was supported, RealmCallback is not needed.  It's basically OK to retry realm selection and name selection if the credential was unsupported.
> The logic should probably be more like this:
> * Try to use <a realm callback>+NameCallback+CredentialCallback (with digest password)
> ** First try with RealmChoiceCallback if there is a choice
> ** Then try with RealmCallback if RealmChoiceCallback is unsupported
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> * Try to use <a realm callback>+NameCallback+CredentialCallback (with two-way password)
> ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice
> ** Then try RealmCallback if it was not eliminated above
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> * Try to use <a realm callback>+NameCallback+PasswordCallback
> ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice
> ** Then try RealmCallback if it was not eliminated above
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> This way we don't retry callbacks that don't work, and we don't fail if RealmCallback is not supported.  If no user name or credential is given, then the attempt should be considered a failure and the next credential tried without eliminating any realm callbacks.  If no realm is given then the attempt should be a failure without trying other realm callback options, because the callback is supported but there was no realm given (which is a programming error).
> If a user name or realm is given in an earlier stage, it should stay as the default for later stages.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list