[security-dev] Undertow IDM
Darran Lofthouse
darran.lofthouse at jboss.com
Thu Apr 25 04:06:31 EDT 2013
One point - within Undertow access to the IDM should not necessarily be
considered an authentication attempt, i.e. in Digest the IDM may be
accessed even if the nonce is known to be out of date.
However we do have a notification framework within Undertow for
successful and failed authentication attempts - that would be a better
point to handle any locking.
Although at the same point would need be very careful how this is
handled before it becomes an easy denial of service route.
On 24/04/13 20:38, Pedro Igor Silva wrote:
> I think PL IDM can supply most of the methods defined in the IdentityManager interface.
>
> Only not sure about the somethings related with password reset and account locking. Althought the Credential API maintains the history of password updates and custom attributes can also be used. Not sure, but maybe we should have that in PL IDM, built-in support for password reset and account locking.
>
> Regarding DIGEST authentication and the getPassword method, if using PL IDM this method is not necessary because we always store the HA1 value (MD5(username:realm:password)). So you only need to pass the provided password that it will be checked internally.
That is going to be a bigger discussion but not one for this thread, in
Undertow we need support for stronger hashes in addition to MD5 and also
need access to the pre-hashed value at the very least to complete the
Digest implementation.
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Wednesday, April 24, 2013 3:54:48 PM
> Subject: [security-dev] Undertow IDM
>
> Hi all,
> https://github.com/undertow-io/undertow/tree/master/core/src/main/java/io/undertow/security/idm
>
> I am wondering how we can use PicketLink IDM in Undertow.
>
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
More information about the security-dev
mailing list