[ https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15493175#comment-15493175 ]

Christian Schneider commented on KARAF-4520:
--------------------------------------------

I looked into the issue. The problem indeed seems to be the dependency from 
jaas.modules to CXF. I think we need to be more careful with this bundle. It 
should not have any heavy dependencies... and CXF is especially heavy. The 
DigestPasswordLoginModule also depends on wss4j.

I found that we only need very little code from CXF and wss4j and was able to 
inline these parts into the DigestPasswordLoginModule. This allows us to 
completely remove the dependencies on CXF and WSS4J. This should then also 
eliminate the refreshes of jaas.modules and, indirectly, ssh.

I also found that SyncopeLoginModule is quite heavyweight, as it needs and 
embeds Apache HttpClient. This makes the jaas.modules bundle 1.2 MB in size, 
which is quite excessive.
So I will add a separate issue to move this module into its own bundle.

> Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS 
> realm
> -------------------------------------------------------------------------------
>
>                 Key: KARAF-4520
>                 URL: https://issues.apache.org/jira/browse/KARAF-4520
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-security
>            Reporter: Freeman Fang
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.1.0, 4.0.6, 4.0.7
>
>
> So far the assumption with JAAS login modules is that the password is to be 
> compared "as is". However, per the ws-security spec, the PasswordDigest for 
> UsernameToken is "the concatenation of the nonce plus the creation time plus 
> the password. The nonce is 16 bytes long and is passed along as a base64 
> encoded value. The way this works is that the client creates the password 
> hash using all of this information plus the password". The PasswordDigest 
> would therefore change with each invocation, so we can't simply store the 
> passwords in digest form in the properties file.
> To make it work, I think we need a DigestPasswordLoginModule which uses a 
> customized checkPassword method that can compare the stored password with 
> the digest password from the PasswordCallback (we may need to take a close 
> look at how this part is implemented in WSS4J for digest password comparison).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
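The issue above describes the UsernameToken PasswordDigest and the kind of checkPassword a digest login module needs. The Python below is an added, self-contained illustration of that check; it is not Karaf's DigestPasswordLoginModule or WSS4J code, and it is written in Python rather than Java so that it runs stand-alone. It uses the UsernameToken Profile 1.0 formula Base64(SHA-1(nonce + created + password)). The realm contents, the five-minute Created window and the in-memory nonce cache are assumptions made for the example, not anything the issue specifies. It also shows the consequence the issue points at: the server must hold the clear-text (or reversibly stored) password, since a fresh nonce and Created make every digest different, so a one-way hash in the properties file cannot be compared against it.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Karaf users.properties realm: the digest
# check needs the clear-text password on the server side, because every
# request carries a fresh nonce and Created and so a fresh PasswordDigest.
USERS = {"karaf": "karaf"}

# Assumptions, not taken from the issue: accept Created within five minutes
# of server time, and remember nonces to reject replays (a real cache would
# expire entries once they fall outside the window).
CLOCK_SKEW = timedelta(minutes=5)
seen_nonces = set()


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    nonce is the raw (decoded) bytes; created and password are UTF-8."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_username_token(username, password, now):
    """What the client would put in wsse:UsernameToken (as a dict):
    a fresh 16-byte nonce, the Created timestamp and the digest."""
    nonce = os.urandom(16)
    created = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def check_password(token, now):
    """Server-side checkPassword for digest tokens: recompute the digest from
    the stored clear-text password, compare in constant time, and enforce
    freshness of Created and single use of the nonce."""
    stored = USERS.get(token.get("Username"))
    if stored is None:
        return False
    try:
        nonce = base64.b64decode(token["Nonce"], validate=True)
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%S.%fZ")
    except (KeyError, ValueError):
        return False
    created = created.replace(tzinfo=timezone.utc)
    if abs(now - created) > CLOCK_SKEW:
        return False
    if nonce in seen_nonces:
        return False
    expected = password_digest(nonce, token["Created"], stored)
    if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
        return False
    seen_nonces.add(nonce)
    return True


def run_demo():
    """Exercise the happy path and the failure modes; returns a dict of results."""
    seen_nonces.clear()
    t0 = datetime(2016, 9, 15, 12, 0, 0, tzinfo=timezone.utc)
    good = make_username_token("karaf", "karaf", t0)
    again = make_username_token("karaf", "karaf", t0)
    bad_pw = make_username_token("karaf", "wrong", t0)
    tampered = dict(good, PasswordDigest=good["PasswordDigest"][:-4] + "AAAA")
    return {
        # same user, same password, same second: still a different digest
        "digest_differs_per_request": good["PasswordDigest"] != again["PasswordDigest"],
        "valid": check_password(good, t0),
        "replay": check_password(good, t0),
        "wrong_password": check_password(bad_pw, t0),
        "tampered_digest": check_password(tampered, t0),
        "stale": check_password(again, t0 + timedelta(minutes=10)),
        "unknown_user": check_password(dict(again, Username="nobody"), t0),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two points the check relies on: the comparison is done with hmac.compare_digest rather than ==, so the response time does not leak how many leading characters of the digest matched, and the nonce is only recorded after a successful comparison, so an attacker cannot burn a nonce out of the cache by sending a bad digest with it.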