[ https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15493790#comment-15493790 ]
ASF subversion and git services commented on KARAF-4520: -------------------------------------------------------- Commit 225943bf6c20cd471eeaced261d9711b4f4b8f22 in karaf's branch refs/heads/master from [~ch...@die-schneider.net] [ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=225943b ] [KARAF-4520] Inline digest handling to avoid dependency to CXF and wss4j > Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS > realm > ------------------------------------------------------------------------------- > > Key: KARAF-4520 > URL: https://issues.apache.org/jira/browse/KARAF-4520 > Project: Karaf > Issue Type: Improvement > Components: karaf-security > Reporter: Freeman Fang > Assignee: Jean-Baptiste Onofré > Fix For: 4.1.0, 4.0.6, 4.0.7 > > > So far the assumption with JAAS login modules is that the password is to be > compared "as is". However per the ws-security spec, the PasswordDigest for > UsernameToken is "the concatenation of the nonce plus the creation time plus > the password. The nonce is 16 bytes long and is passed along as a base64 > encoded value. The way this works is that the client creates the password > hash using all of this information plus the password". So the PasswordDigest > would change per each invocation, so we can't simply store the passwords in a > digest form in the properties file. > The way to make it work, I think we need a DigestPasswordLoginModule which > use a customized checkPassword method where can compare the stored password > and the digest password from PasswordCallback (we may need take a close look > how this part implemented in WSS4J for digest password comparing) -- This message was sent by Atlassian JIRA (v6.3.4#6332)