[ 
https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15493080#comment-15493080
 ] 

Jean-Baptiste Onofré commented on KARAF-4520:
---------------------------------------------

I think the jaas modules should have a dedicated bundle. Especially, if we 
isolate DigestPasswordLoginModule in a dedicated bundle, we avoid the refresh.

> Add  DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS 
> realm
> -------------------------------------------------------------------------------
>
>                 Key: KARAF-4520
>                 URL: https://issues.apache.org/jira/browse/KARAF-4520
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-security
>            Reporter: Freeman Fang
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.1.0, 4.0.6, 4.0.7
>
>
> So far the assumption with JAAS login modules is that the password is to be 
> compared "as is". However per the ws-security spec, the PasswordDigest for 
> UsernameToken is "the concatenation of the nonce plus the creation time plus 
> the password. The nonce is 16 bytes long and is passed along as a base64 
> encoded value. The way this works is that the client creates the password 
> hash using all of this information plus the password". So the PasswordDigest 
> would change per each invocation, so we can't simply store the passwords in a 
> digest form in the properties file.
> The way to make it work, I think we need a DigestPasswordLoginModule which 
> use a customized checkPassword method where can compare the stored password 
> and the digest password from PasswordCallback (we may need take a close look 
> how this part implemented in WSS4J for digest password comparing)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to