[jboss-jira] [JBoss JIRA] (ELY-154) Session based DigestCredential support

Darran Lofthouse (JIRA) issues at jboss.org
Mon Apr 23 11:11:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13565510#comment-13565510 ] 

Darran Lofthouse commented on ELY-154:
--------------------------------------

What this means is the password is never revealed in any re-usable form.  

Where we have username / realm / password hashes that hash can then be used both client side and server side for future messages.

Session based Digest means that the only hashes in the application server are never re-usable: if the heap of the application server was stolen and the hashes on the heap analysed, they would not be useful.

There does then need to be another server able to generate these session based hashes.  

> Session based DigestCredential support
> --------------------------------------
>
>                 Key: ELY-154
>                 URL: https://issues.jboss.org/browse/ELY-154
>             Project: WildFly Elytron
>          Issue Type: Sub-task
>          Components: Passwords
>            Reporter: Darran Lofthouse
>
> DigestCredential but where additional information is included such as nonce and cnonce to create a credential applicable to a session.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
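To make the distinction in the comment above concrete, here is an added example (not Elytron code, and not part of the JIRA thread) that computes the two H(A1) forms from RFC 2617: the plain "MD5" form H(username:realm:password), which is re-usable for any future challenge, and the "MD5-sess" form H(H(username:realm:password):nonce:cnonce), which is bound to one session's nonce/cnonce pair. The usernames, realm, password, nonces and the split between a "credential server" and an "application server" are constructed for the illustration; the hashing itself follows the RFC.

```python
"""Added example: RFC 2617 "MD5" vs "MD5-sess" H(A1) and why the session form
is safe to hold in the application server.  All sample values are constructed.
"""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Hex MD5 of a string, the H() of RFC 2617."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_md5(username: str, realm: str, password: str) -> str:
    """Plain "MD5" algorithm: H(A1) = H(username:realm:password).
    Anyone holding this value can answer every future challenge, so it is
    effectively a re-usable password equivalent."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha1_md5_sess(ha1_plain: str, nonce: str, cnonce: str) -> str:
    """"MD5-sess" algorithm: H(A1) = H(H(username:realm:password):nonce:cnonce).
    Only valid for the session identified by this nonce/cnonce pair."""
    return md5_hex(f"{ha1_plain}:{nonce}:{cnonce}")


def ha2(method: str, uri: str) -> str:
    """H(A2) for qop=auth: H(method:digest-uri)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str,
                    qop: str, method: str, uri: str) -> str:
    """request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def simulate(username: str = "alice", realm: str = "example.org",
             password: str = "correct horse battery") -> dict:
    """Walk through two sessions and report which hashes remain useful.

    The re-usable hash lives only in a hypothetical credential server; the
    application server is handed the session-bound hash for each session.
    """
    method, uri, nc, qop = "GET", "/protected", "00000001", "auth"

    # Session 1: the app server receives only the MD5-sess H(A1).
    nonce1, cnonce1 = secrets.token_hex(16), secrets.token_hex(8)
    store_ha1 = ha1_md5(username, realm, password)            # credential server only
    appserver_ha1 = ha1_md5_sess(store_ha1, nonce1, cnonce1)  # all the app server holds
    client_resp1 = digest_response(appserver_ha1, nonce1, nc, cnonce1, qop, method, uri)
    server_expects1 = digest_response(appserver_ha1, nonce1, nc, cnonce1, qop, method, uri)

    # Session 2: fresh challenge.  Suppose appserver_ha1 was read off session 1's heap.
    nonce2, cnonce2 = secrets.token_hex(16), secrets.token_hex(8)
    legit_ha1_2 = ha1_md5_sess(store_ha1, nonce2, cnonce2)
    legit_resp2 = digest_response(legit_ha1_2, nonce2, nc, cnonce2, qop, method, uri)
    stale_resp2 = digest_response(appserver_ha1, nonce2, nc, cnonce2, qop, method, uri)

    # Contrast: had the app server held the plain H(A1), that value answers
    # session 2 directly, because plain MD5 H(A1) does not depend on the nonce.
    plain_resp2 = digest_response(store_ha1, nonce2, nc, cnonce2, qop, method, uri)

    return {
        "session1_verified": client_resp1 == server_expects1,
        "session_hash_differs_from_reusable": appserver_ha1 != store_ha1,
        "stolen_session_hash_rejected": stale_resp2 != legit_resp2,
        "reusable_hash_works_across_sessions": plain_resp2 == digest_response(
            ha1_md5(username, realm, password), nonce2, nc, cnonce2, qop, method, uri),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The last two flags are the point of the comment: the MD5-sess hash that sits in the application server is useless for any other session, while the plain H(A1) is a standing password equivalent, which is why that value has to stay in a separate component that derives the per-session hashes.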

