[security-dev] Undertow / IdentityManager and Digest Authentication
sbryzak at redhat.com
Wed May 1 04:51:23 EDT 2013
On 01/05/13 16:50, Darran Lofthouse wrote:
> Here is another scenario I would like to verify.
> So far from what I have seen regarding the Credentials stored by
> PicketLink IDM my perception is that the stored Credential is very
> closely related to the authentication mechanism that will be used.
> So for a set-up where we know that Digest authentication is going to be
> used we may store a couple of pre-prepared digests.
> Is this stored Credential now available for username / plain text
> password authentication, i.e. could a web application be deployed with
> FORM auth and verify a credential with a plain text password even though
> it is a prepared digest that is stored?
Absolutely, the CredentialHandler is free to implement any logic you
want it to. The way it accesses the stored credential values is via the
CredentialStore interface, which is an interface that an
IdentityStore may *optionally* implement if it wants to (both the JPA
and File based identity stores in PicketLink implement it, but the LDAP
store doesn't). So a CredentialHandler is free to query whichever
stored credential state it needs to. This means you could use a
combination of digest AND password based authentication in the same
application, and even for the same users; there would simply be two
separate CredentialHandlers which do the validation - one for digests,
one for passwords.
> Darran Lofthouse.
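To make the design Shane describes concrete, here is an added example (not code from the thread, and not PicketLink's or Undertow's actual API) written in Python rather than Java. It models one credential store that holds a pre-prepared HTTP Digest HA1 value (MD5 of username:realm:password, per RFC 2617) and two separate handlers that validate against that same stored value: one for a plain-text password as a FORM login would supply, and one for a Digest `response` as a browser would send it. The class names `CredentialStore`, `PasswordCredentialHandler` and `DigestCredentialHandler` are hypothetical stand-ins for the concepts in the mail, and all usernames, realms, nonces and passwords are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def md5_hex(s: str) -> str:
    """MD5 hex digest as used by HTTP Digest authentication (RFC 2617)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


@dataclass
class CredentialStore:
    """Hypothetical store exposing per-user credential state.

    Stands in for an identity store that opts in to letting handlers read
    stored credentials. Here the stored credential is a Digest HA1, which is
    realm-bound: the same password yields a different HA1 in another realm.
    """
    ha1_by_user: dict = field(default_factory=dict)

    def store_digest(self, username: str, realm: str, password: str) -> None:
        self.ha1_by_user[(username, realm)] = md5_hex(f"{username}:{realm}:{password}")

    def retrieve_ha1(self, username: str, realm: str):
        return self.ha1_by_user.get((username, realm))


class PasswordCredentialHandler:
    """Validates a plain-text password (e.g. FORM login) against the stored HA1."""

    def validate(self, store: CredentialStore, username: str, realm: str, password: str) -> bool:
        stored = store.retrieve_ha1(username, realm)
        if stored is None:
            return False
        candidate = md5_hex(f"{username}:{realm}:{password}")
        # Constant-time comparison so timing does not leak digest prefix matches.
        return hmac.compare_digest(stored, candidate)


class DigestCredentialHandler:
    """Validates an HTTP Digest response (qop=auth) against the same stored HA1."""

    def validate(self, store: CredentialStore, username: str, realm: str, method: str,
                 uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
        ha1 = store.retrieve_ha1(username, realm)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        return hmac.compare_digest(expected, response)


def client_digest_response(username: str, realm: str, password: str, method: str,
                           uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What a browser computes for Digest auth; used only to build a sample request."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def demo() -> dict:
    """Provision one user with a stored digest, then authenticate via both handlers."""
    store = CredentialStore()
    realm = "example-realm"                      # constructed sample realm
    store.store_digest("alice", realm, "correct horse")   # constructed sample user

    form = PasswordCredentialHandler()
    digest = DigestCredentialHandler()

    # Constructed sample Digest request parameters (nonce would be server-issued).
    nonce, nc, cnonce, method, uri = "constructed-nonce-0001", "00000001", "c0ffee", "GET", "/app/"
    good_response = client_digest_response("alice", realm, "correct horse", method, uri, nonce, nc, cnonce)
    bad_response = client_digest_response("alice", realm, "wrong", method, uri, nonce, nc, cnonce)

    return {
        "form_ok": form.validate(store, "alice", realm, "correct horse"),
        "form_wrong_password": form.validate(store, "alice", realm, "wrong"),
        "form_wrong_realm": form.validate(store, "alice", "other-realm", "correct horse"),
        "digest_ok": digest.validate(store, "alice", realm, method, uri, nonce, nc, cnonce, good_response),
        "digest_wrong_password": digest.validate(store, "alice", realm, method, uri, nonce, nc, cnonce, bad_response),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the one in the mail: nothing ties the stored HA1 to the Digest mechanism, so a password handler can recompute and compare it just as a digest handler can. Two things the example leaves out that a real deployment needs: the digest handler should check that the nonce is one the server issued and that the nonce count has not been replayed, and because HA1 is password-equivalent within its realm, the store holding it deserves the same protection as a password database.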