Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-991

SASL Digest client handles callbacks incorrectly

    XMLWordPrintable

Details

    Description

      Right now the SASL digest client handles callbacks like this:

      • If a realm choice is available use RealmChoiceCallback to get it, and fail if it is not supported
      • Try to use RealmCallback+NameCallback+CredentialCallback (with digest password)
      • Try to use RealmCallback+NameCallback+CredentialCallback (with two-way password)
      • Try to use RealmCallback+NameCallback+PasswordCallback

      This is a problem because RealmChoiceCallback should not be required, and if it was supported, RealmCallback is not needed. It's basically OK to retry realm selection and name selection if the credential was unsupported.

      The logic should probably be more like this:

      • Try to use <a realm callback>+NameCallback+CredentialCallback (with digest password)
        • First try with RealmChoiceCallback if there is a choice
        • Then try with RealmCallback if RealmChoiceCallback is unsupported
        • If there is no default realm, fail
        • Otherwise try with no realm callback and use the default realm
      • Try to use <a realm callback>+NameCallback+CredentialCallback (with two-way password)
        • First try with RealmChoiceCallback if it was not eliminated above and there is a choice
        • Then try RealmCallback if it was not eliminated above
        • If there is no default realm, fail
        • Otherwise try with no realm callback and use the default realm
      • Try to use <a realm callback>+NameCallback+PasswordCallback
        • First try with RealmChoiceCallback if it was not eliminated above and there is a choice
        • Then try RealmCallback if it was not eliminated above
        • If there is no default realm, fail
        • Otherwise try with no realm callback and use the default realm

      This way we don't retry callbacks that don't work, and we don't fail if RealmCallback is not supported. If no user name or credential is given, then the attempt should be considered a failure and the next credential tried without eliminating any realm callbacks. If no realm is given then the attempt should be a failure without trying other realm callback options, because the callback is supported but there was no realm given (which is a programming error).

      If a user name or realm is given in an earlier stage, it should stay as the default for later stages.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. ELY-1426 DigestSasl obtains URP digest for authzid instead of username

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              dlloyd@redhat.com David Lloyd
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: