karaf-issues mailing list archives

From "Freeman Fang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-4520) Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS realm
Date Fri, 09 Sep 2016 02:43:21 GMT

    [ https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15475686#comment-15475686 ]

Freeman Fang commented on KARAF-4520:
-------------------------------------

The DigestPasswordLoginModule introduces a dependency on CXF; even though it's an optional dependency,
it's still a kind of circular dependency, which can cause issues such as this one. I suggest we move
the DigestPasswordLoginModule into CXF, create a new module like osgi/karaf/jaas in CXF,
and remove DigestPasswordLoginModule from Karaf, so if users need DigestPasswordLoginModule,
they just install a bundle from CXF.

JB, WDYT?

> Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS realm
> -------------------------------------------------------------------------------
>
>                 Key: KARAF-4520
>                 URL: https://issues.apache.org/jira/browse/KARAF-4520
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-security
>            Reporter: Freeman Fang
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.1.0, 4.0.6, 4.0.7
>
>
> So far the assumption with JAAS login modules is that the password is to be compared
> "as is". However, per the WS-Security spec, the PasswordDigest for UsernameToken is "the concatenation
> of the nonce plus the creation time plus the password. The nonce is 16 bytes long and is passed
> along as a base64 encoded value. The way this works is that the client creates the password
> hash using all of this information plus the password". So the PasswordDigest would change
> with each invocation, so we can't simply store the passwords in digest form in the properties
> file.
> To make it work, I think we need a DigestPasswordLoginModule which uses a customized
> checkPassword method that can compare the stored password and the digest password from the PasswordCallback
> (we may need to take a close look at how this part is implemented in WSS4J for digest password comparison).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
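The quoted description explains why a digested UsernameToken cannot be checked against a pre-hashed password file. The following Python block is an added illustration (not Karaf, CXF or WSS4J code) of the WS-Security UsernameToken PasswordDigest, Base64(SHA-1(nonce + created + password)), and of the server-side recomputation a checkPassword method like the one proposed for DigestPasswordLoginModule must perform; the function names and the `client_token` dict layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken PasswordDigest:
    Base64(SHA-1(nonce + created + password)). The nonce goes in as its raw
    16 bytes (the wire form is base64 of those bytes); created is the
    xsd:dateTime string exactly as sent, UTF-8 encoded."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def client_token(password: str) -> dict:
    """Client side (example layout, not a real UsernameToken element): a fresh
    16-byte nonce, a creation timestamp, and the digest over both plus the
    password. Every call yields a different digest for the same password."""
    nonce = os.urandom(16)
    now = datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
        "created": created,
        "digest": password_digest(nonce, created, password),
    }


def check_digest_password(stored_password: str, token: dict) -> bool:
    """Server side, i.e. what a digest-aware checkPassword has to do:
    recompute the digest from the stored cleartext password and the
    nonce/created carried in the token, then compare in constant time.
    A hashed password in the properties file cannot be used here, because
    the digest changes with every nonce and timestamp."""
    nonce = base64.b64decode(token["nonce_b64"])
    expected = password_digest(nonce, token["created"], stored_password)
    return hmac.compare_digest(expected, token["digest"])
```

A production verifier (WSS4J does this) additionally rejects tokens whose created timestamp is outside an allowed window and remembers recently seen nonces, so that a captured token cannot be replayed; that freshness logic is omitted here.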
