[
https://jira.nuxeo.org/browse/NXP-6212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=87206#action_87206
]
Thierry Delprat commented on NXP-6212:
--------------------------------------
There is still a main issue (as visible in the current implementation) : RFC
2617 requires the server to know the user password in clear text.
This is a real issue :
- Nuxeo API does not allow to retrieve the password
- The password may not be stored in clear text in the backend
- LDAP servers usually don't allow retrieving the password (and anyway usually
only store a digest of the password).
We basically have 2 options :
# Option 1 : make the password available via API
Technically we can access the underlying directory and get the password.
But :
- this won't work for most LDAP backends
- this may not work in SQL if password is stored as a digest
# Option 2 : "gather password"
Since Digest Auth will mainly be used for WSS, we may put a requirement that
user has first to login once on Nuxeo via the WebUI.
At this time, we could gather the user password and store it in a DIGEST AUTH
dedicated directory :
- either store it directly
or
- store what is needed by DIGEST AUTH : MD5(username:realm:password)
But :
- if user password changes, the user will have to login again via Web UI
- this can not work with an external SSO server
- in terms of security this is not very good
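As an added illustration of what Option 2 would persist (example code written here, not code from the Nuxeo project or the contributed plugin): a minimal RFC 2617 verifier that stores only HA1 = MD5(username:realm:password) and checks a client's Authorization header against it, so the cleartext password never has to be retrievable. The header values are the worked example from RFC 2617 section 3.5; the function and constant names are this example's own.

```python
import hashlib
import hmac
import re

# RFC 2617 Digest verification against a stored HA1 (illustrative; not Nuxeo code).
# The server persists only HA1 = MD5(username:realm:password), never the password.

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def compute_ha1(username: str, realm: str, password: str) -> str:
    """Value a digest-auth dedicated directory would store instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(ha1: str, method: str, uri: str, nonce: str,
                      qop: str = "", nc: str = "", cnonce: str = "") -> str:
    """Response digest per RFC 2617 section 3.2.2.1, for qop="auth" or no qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

# key="quoted value" or key=bare-token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest_header(header: str) -> dict:
    """Parse an 'Authorization: Digest ...' header value into a dict of parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest authorization header")
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(params)}

def verify_digest(stored_ha1: str, header: str, method: str) -> bool:
    """True if the client's response matches what the stored HA1 predicts for this request."""
    p = parse_digest_header(header)
    expected = expected_response(stored_ha1, method, p["uri"], p["nonce"],
                                 p.get("qop", ""), p.get("nc", ""), p.get("cnonce", ""))
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(expected, p.get("response", ""))

# Client header taken from the worked example in RFC 2617 section 3.5.
RFC_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1", '
              'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    ha1 = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(ha1, verify_digest(ha1, RFC_HEADER, "GET"))
```

Note that HA1 is bound to the realm, so a realm change (or a password change, as the comment says) invalidates the stored value, and anyone who reads HA1 from the directory can use it directly to answer challenges, which is the security drawback the comment points to.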
> Add HTTP Digest Auth support in Nuxeo (RFC 2617)
> ------------------------------------------------
>
> Key: NXP-6212
> URL: https://jira.nuxeo.org/browse/NXP-6212
> Project: Nuxeo Enterprise Platform
> Issue Type: New Feature
> Components: Security / Rights
> Reporter: Thierry Delprat
> Assignee: Thierry Delprat
> Fix For: 5.4.1
>
>
> We need to implement RFC 2617 HTTP DIGEST AUTH support in Nuxeo.
> Even if the standard is old and not widely used, it is a requirement for
> WSS/WebDav under recent versions of MS Windows.
> An initial implementation has been contributed by Gagnavarslan
> => see : http://hg.nuxeo.com/sandbox/nuxeo-fs-connector/rev/712c9a606296
> This initial implementation contains both an AuthPlugin (for the filter) and a
> LoginModulePlugin (for the LoginModule).