Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-374

Ambiguous application of CredentialCallback

XMLWordPrintable

    • Low

      We have a problem where there is an ambiguous application of CredentialCallback.

      On the client, this callback is used to acquire the credential to use for outbound authentication. On the server, it is used in two ways:

      • For most authentication, it is used to acquire the credential that is used to verify the client identity.
      • For Entity authentication, it is used to acquire the credential that is used to identify the server to the client.

      The reason Entity can get away with this special behavior is that it uses the VerifyPeerTrustedCallback instead of CredentialCallbak for checking the peer. Unfortunately, it is not easy for a callback handler to know when CredentialCallback is being used for the host identity versus the authenticating user identity. This needs to be solved ASAP so that we can have server mechanisms that present a host identity as well as acquiring a credential for user authentication.

              Unassigned Unassigned
              dlloyd@redhat.com David Lloyd
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: