[jboss-jira] [JBoss JIRA] (ELY-991) SASL Digest client handles callbacks incorrectly
Jan Kalina (JIRA)
issues at jboss.org
Wed Oct 25 13:35:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481897#comment-13481897 ]
Jan Kalina commented on ELY-991:
--------------------------------
Because CredentialCallback construction for a digest password requires the realm to already be chosen (it has to be provided as part of the parameterSpec), RealmChoiceCallback (and the RealmCallback too, as it should be used to choose the realm when no options are provided) needs to be handled in a standalone callback handler call -> no reason to repeat its call for individual credential callbacks.
> SASL Digest client handles callbacks incorrectly
> ------------------------------------------------
>
> Key: ELY-991
> URL: https://issues.jboss.org/browse/ELY-991
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms, SASL
> Reporter: David Lloyd
> Assignee: Jan Kalina
>
> Right now the SASL digest client handles callbacks like this:
> * If a realm choice is available use RealmChoiceCallback to get it, and fail if it is not supported
> * Try to use RealmCallback+NameCallback+CredentialCallback (with digest password)
> * Try to use RealmCallback+NameCallback+CredentialCallback (with two-way password)
> * Try to use RealmCallback+NameCallback+PasswordCallback
> This is a problem because RealmChoiceCallback should not be required, and if it was supported, RealmCallback is not needed. It's basically OK to retry realm selection and name selection if the credential was unsupported.
> The logic should probably be more like this:
> * Try to use <a realm callback>+NameCallback+CredentialCallback (with digest password)
> ** First try with RealmChoiceCallback if there is a choice
> ** Then try with RealmCallback if RealmChoiceCallback is unsupported
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> * Try to use <a realm callback>+NameCallback+CredentialCallback (with two-way password)
> ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice
> ** Then try RealmCallback if it was not eliminated above
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> * Try to use <a realm callback>+NameCallback+PasswordCallback
> ** First try with RealmChoiceCallback if it was not eliminated above and there is a choice
> ** Then try RealmCallback if it was not eliminated above
> ** If there is no default realm, fail
> ** Otherwise try with no realm callback and use the default realm
> This way we don't retry callbacks that don't work, and we don't fail if RealmCallback is not supported. If no user name or credential is given, then the attempt should be considered a failure and the next credential tried without eliminating any realm callbacks. If no realm is given then the attempt should be a failure without trying other realm callback options, because the callback is supported but there was no realm given (which is a programming error).
> If a user name or realm is given in an earlier stage, it should stay as the default for later stages.
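The realm-selection order proposed in the issue, with the realm obtained in a standalone handler call as the comment above concludes, as an added Java sketch that is not Elytron's code: it uses only JDK callbacks, so Elytron's three CredentialCallback stages are modelled as suppliers of a JDK Callback, and the handler, the server's realm choices and the client default realm are assumed constructor inputs.

```java
import java.io.IOException;
import java.util.List;
import java.util.function.Supplier;
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;

public final class DigestClientCallbackFlow {
    private final CallbackHandler handler;
    private final String[] realmChoices; // realms offered in the server challenge, possibly none
    private final String defaultRealm;   // assumed client-side default realm, may be null
    public DigestClientCallbackFlow(CallbackHandler handler, String[] realmChoices, String defaultRealm) {
        this.handler = handler; this.realmChoices = realmChoices; this.defaultRealm = defaultRealm;
    }
    /** Standalone realm step: RealmChoiceCallback if there is a choice, then RealmCallback, then the
     *  default realm. An unsupported callback falls through; a supported but unanswered one fails. */
    public String chooseRealm() throws IOException, UnsupportedCallbackException {
        if (realmChoices.length > 0) {
            RealmChoiceCallback rcc = new RealmChoiceCallback("Realm: ", realmChoices, 0, false);
            try {
                handler.handle(new Callback[] { rcc });
                int[] sel = rcc.getSelectedIndexes();
                if (sel == null || sel.length == 0) throw new IOException("RealmChoiceCallback left unanswered");
                return realmChoices[sel[0]];
            } catch (UnsupportedCallbackException e) { /* handler cannot choose: fall back to RealmCallback */ }
        }
        RealmCallback rc = defaultRealm == null ? new RealmCallback("Realm: ") : new RealmCallback("Realm: ", defaultRealm);
        try {
            handler.handle(new Callback[] { rc });
            if (rc.getText() == null || rc.getText().isEmpty()) throw new IOException("RealmCallback left unanswered");
            return rc.getText();
        } catch (UnsupportedCallbackException e) {
            if (defaultRealm == null) throw e; // no realm callback supported and nothing to fall back on
            return defaultRealm;
        }
    }
    /** Credential stages (digest, two-way and clear password in Elytron; here any JDK callback) are tried
     *  in order with a NameCallback; a name given in an earlier stage stays the default for later ones. */
    public Callback[] obtainCredential(List<Supplier<Callback>> stages) throws IOException {
        String name = null;
        for (Supplier<Callback> stage : stages) {
            NameCallback nc = name == null ? new NameCallback("User name: ") : new NameCallback("User name: ", name);
            Callback cred = stage.get();
            try { handler.handle(new Callback[] { nc, cred }); }
            catch (UnsupportedCallbackException e) { continue; } // credential kind not supported: next stage
            if (nc.getName() != null) name = nc.getName();
            boolean answered = !(cred instanceof PasswordCallback) || ((PasswordCallback) cred).getPassword() != null;
            if (name != null && answered) return new Callback[] { nc, cred };
        }
        throw new IOException("no stage produced both a user name and a credential");
    }
}
```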
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)