[security-dev] Resteasy authentication
Bill Burke
bburke at redhat.com
Thu Nov 29 11:00:36 EST 2012
On 11/28/2012 10:01 AM, Darran Lofthouse wrote:
> Just catching up on some threads before getting back to some HTTP
> authentication myself.
>
> On 11/26/2012 09:38 PM, Bill Burke wrote:
>> * Browser-based clients can't negotiate
>
> That is not completely true - there is a limited level of negotiation
> within browsers as HTTP already supports multiple mechanisms concurrently.
>
There's not many protocols that the browser supports for
WWW-Authenticate challenges. (Basic and Digest?) An SSL connection set
up to "NEED" a client-cert will force the browser to prompt the user for
a cert. But this isn't negotiation, its, provide me a cert or you are
not allowed to connect.
> Within AS7 and Remoting for SASL we provide the client with a list of
> supported mechanism, the client chooses one mechanism - tries to auth,
> fails and then tries the next mechanism on the list. It is true that
> this sequence is not possible within HTTP.
>
> However for the HTTP authenticators I am currently working instead of
> sending the client the simple list we send them a response containing a
> challenge for each supported mechanism - the browser then chooses which
> mechanism it supports and uses it to respond to the challenge.
>
I think browsers can just handle basic and digest auth. That's it. Both
protocols are not really used for browser-based apps.
>> * client-cert auth is just completely different than other auth
>> mechanisms as is part of the socket connection set up, and nothing to do
>> with HTTP
>
> Combining client-cert auth with other http mechanisms is more about
> prioritising the order we make the decisions regarding authenticating so
> checking if there is a client certificate available on the connection
> that we can use to authenticate before we make the decision to send the
> challenges.
>
This is problematic too for a couple of reasons. YOu can set up your
socket layer (in JBoss) to NEED a client cert, but unfortunately, this
will be for *EVERY* web app. If you change SSL to "WANT" client-cert,
I'm not sure every browser will prompt you for a client cert.
Another thing that sucks is that JBossWeb pretty much requires you to
plug in a global truststore for client-certs when you configure SSL for
it. So, you can't have different truststores for different apps and
have the security domain handle the verification of the client certificate.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the security-dev
mailing list