[
https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15493882#comment-15493882
]
ASF subversion and git services commented on KARAF-4520:
--------------------------------------------------------
Commit 6740817aea494f5cbe5799bea7ded8a6ac608912 in karaf's branch
refs/heads/karaf-4.0.x from [~ch...@die-schneider.net]
[ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=6740817 ]
[KARAF-4520] Inline digest handling to avoid dependency to CXF and wss4j
> Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS
> realm
> -------------------------------------------------------------------------------
>
> Key: KARAF-4520
> URL: https://issues.apache.org/jira/browse/KARAF-4520
> Project: Karaf
> Issue Type: Improvement
> Components: karaf-security
> Reporter: Freeman Fang
> Assignee: Jean-Baptiste Onofré
> Fix For: 4.1.0, 4.0.6, 4.0.7
>
>
> So far the assumption with JAAS login modules is that the password is to be
> compared "as is". However per the ws-security spec, the PasswordDigest for
> UsernameToken is "the concatenation of the nonce plus the creation time plus
> the password. The nonce is 16 bytes long and is passed along as a base64
> encoded value. The way this works is that the client creates the password
> hash using all of this information plus the password". So the PasswordDigest
> would change per each invocation, so we can't simply store the passwords in a
> digest form in the properties file.
> The way to make it work, I think we need a DigestPasswordLoginModule which
> use a customized checkPassword method where can compare the stored password
> and the digest password from PasswordCallback (we may need take a close look
> how this part implemented in WSS4J for digest password comparing)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
