[security-dev] Undertow / IdentityManager and Digest Authentication

Bill Burke bburke at redhat.com
Tue Apr 30 10:05:07 EDT 2013



On 4/30/2013 9:47 AM, Darran Lofthouse wrote:
> Sent my last message using the wrong account so it may arrive but
> writing again just in case.
>
> The Digest Credential is what we need stored but we would potentially
> need more than one to be stored to cope with different hash algorithms
> being used.
>
> The issue regarding what is currently in PicketLink is that it is
> causing HTTP specific aspects of Digest authentication to leak into the
> IDM and at the same time is only implementing a small subset of the
> RFC2617 specification.  We need access to the same pre-prepared digests
> for SASL authentication but this is using a slightly different format
> for the digests that are compared.
>

Are you sure there is a leakage here?  That was my fear at first, but it 
looks as though this isn't true.  Review these again:

[1] 
https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialStorage.java

[5] 
https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/DigestCredentialHandler.java

You'd just write additional handlers and storage classes for your 
specific protocols (i.e. SASL).  These objects can be provided to 
Picketlink IDM *at runtime* correct?  So doesn't look like there is any 
leakage as your Undertow protocol handler would be providing the 
callback objects.

> In addition to this we need the entire messages being exchanged both
> inbound and outbound to be digested along with these pre-prepared hashes
> for the purpose of adding integrity protection for the messages
> exchanged.  There is also a middle ground of providing an appropriate
> header so that the server can also prove it knows the clients password.
>

Couldn't you store the Http Request, byte[] of full message inside the 
Credentials parameter passed into the Handler's verify method?  You have 
to cache the message anyways so that the application can obtain what it 
needs.

> This is why we need access to the pre-prepared digest for the chosen
> algorithm or at the very least an option to request PLIDM pushed it into
> a MessageDigest instance (Maybe PLIDM provides the MessageDigest and
> wraps it).
>
> Otherwise there is going to be a lot of HTTP specific and SASL specific
> code to potentially push into an IDM and the IDM is going to have to be
> much more involved in the actual message exchanges.
>

Again, I don't think this is true because the Undertow Digiest 
Authenticator can produce the appropriate handlers, no?  Maybe Shane 
should review why they have what they have?  In a previous email thread 
he talked a bit about chained IDMs where one or all may have to verify a 
credential.  Also, maybe an option to query storage directly should be 
available from Picketlink IDM API (if there isn't one already).  The 
keeps both metadata and verification separate concerns, IMO.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the security-dev mailing list