1 2 Previous Next 16 Replies Latest reply on Jun 11, 2007 6:47 AM by anil.saldhana

SASL Authentication

mikezzz Mar 14, 2007 10:40 AM

Hi,

Over at http://www.buni.org we need to implement SASL authentication for our IMAP support. We need it to integrate with the JBoss implementation of JAAS. Therefore I have placed a patch for SASL Authentication in the security JIRA project (against the 4.0 branch): http://jira.jboss.com/jira/browse/SECURITY-36

Currently it only supports CRAM-MD5 (DIGEST-MD5 should only be matter of extending the configuration and GSSAPI might require a bit more thought) and doesn't support initial response yet.

I do have commit access so if you are happy with this code, let me know if you like me to add this. It would be useful for us if we could get this into the next stable release.

How to use the SASL authentication:

The SASL support is an extension to the UsernamePasswordLoginModule so it is available for all authentication repositories (e.g. Database, LDAP, etc.). To enable it add the following configuration:

<authentication>
 <login-module code = "..."
 flag = "sufficient">
 <module-option name = "sasl.enabled">true</module-option>
 <module-option name = "sasl.encoding">base64</module-option>
 <module-option name = "sasl.hostname">localhost</module-option>
 <module-option
 name = "sasl.mechanism">CRAM-MD5</module-option>
 </login-module>
</authentication>

Client code then needs to pass the challenge/response data as base64 encoded strings using the TextInputCallback/TextOutputCallback. Also should handle the NameCallback to get username of the client trying to authenticate.

CallbackHandler ch = new CallbackHandler() {
 public void handle(Callback[] callbacks) throws
 IOException, UnsupportedCallbackException {
 for (int idx = 0; idx < callbacks.length; idx++) {
 Callback cb = callbacks[idx];
 if (cb instanceof NameCallback) {
 NameCallback nc = (NameCallback) cb;
 } else if (cb instanceof TextInputCallback) {
 TextInputCallback tic = (TextInputCallback) cb;
 byte[] response = receive(); // Gets the response
 String s = Base64.encodeBytes(response);
 tic.setText(s);
 } else if (cb instanceof TextOutputCallback) {
 TextOutputCallback toc = (TextOutputCallback) cb;
 String s = toc.getMessage();
 byte[] challenge = Base64.decode(s);
 send(challenge); // Send the challenge to the client
 }
 }
 }
};

LoginContent lc = new LoginContent("...", ch);
lc.login();

For more information check the SaslLoginTestCase.

1. Re: SASL Authentication

anil.saldhana Mar 14, 2007 11:05 AM (in response to mikezzz)

Thanks for the patch. I will probably pull the stuff into a separate login module that has the sasl behavior.
Actions
2. Re: SASL Authentication

mikezzz Mar 14, 2007 11:09 AM (in response to mikezzz)

I placed the code in the UsernamePasswordLoginModule so that it would work with the existing modules Database, LDAP etc. I was looking at the code and was thinking that one possible refactoring could be to seperate the login mechanism (standard login, hashed login, sasl) from the user/roles repository (database, LDAP, file), perhaps using a strategy pattern or similar.

Mike.
Actions
3. Re: SASL Authentication

starksm64 Mar 14, 2007 12:28 PM (in response to mikezzz)

We do want to refactor the login modules to only be focused on authentication with roles coming from an authorization phase. For legacy compatibility they still need to be able to pull in the roles where that capability exists.

Have you tested the sasl with an ldap server that supports it? I would't think that this could be integrated at the login module level since it tends to come in at the jndi level.
Actions
4. Re: SASL Authentication

mikezzz Mar 15, 2007 6:30 AM (in response to mikezzz)

Hi,

I think I may have caused a little confusion with this patch, I don't think I explained it particularly well.

This patch doesn't enable JBoss connect to an external SASL enabled server. It is designed to make JBoss the SASL authentication provider, so where the username/password pairs come from doesn't really matter. In other words, it allows SASL enabled clients (e.g. IMAP mail clients) to authenticate against a JBoss server.

Mike.
Actions
5. Re: SASL Authentication

acoliver Mar 15, 2007 3:47 PM (in response to mikezzz)

Scott this is similar to what we here (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=69569&start=10) in UserRolesLoginModule (which allowed you to check the incoming PWD against MD5HEX[PWD+SharedSecret]). This is sorta the reverse since the password is used to hash the secret. If you look here: http://www.faqs.org/rfcs/rfc2222.html at their IMAP example. Supposing that a JBoss login module provides the user/password then w/o exposing user/password up the stack, this allows you to use the login module to authenticate w/sasl using any of the existing JBoss login modules. Allowing JBoss to authenticate to LDAP w/sasl is an othogonal concern (probably more suited to later extension of what is presently the LdapExtLoginModule thingy). Does that make sense?
Actions
6. Re: SASL Authentication

starksm64 Mar 15, 2007 4:58 PM (in response to mikezzz)

Ok, I see. What I would like to do then is get a few more handshake oriented auth methods like DIGEST and the existing SRP login modules based on this to flesh out what should be at the base login module level for the jbossas 4.2 version of security.

Where we really want to go is the direction of the JSR196(Java Authentication Service Provider Interface for Containers), which I view as more an extension of JAAS.
Actions
7. Re: SASL Authentication

anil.saldhana Mar 15, 2007 6:01 PM (in response to mikezzz)

JSR-196 is going to be in JEE6. It does have support for challenge-response kind of scenarios. The pfd should be finalized soon.
Actions
8. Re: SASL Authentication

acoliver Mar 15, 2007 9:48 PM (in response to mikezzz)

So what is the state of the 196 stuff? I read it on the JBossSX wiki the plan. Is that JEE 5.0?
Actions
9. Re: SASL Authentication

starksm64 Mar 16, 2007 1:39 AM (in response to mikezzz)

It won't be in the spec until EE6. We are going to include it in jbossas5 though.
Actions
10. Re: SASL Authentication

anil.saldhana May 22, 2007 1:58 PM (in response to mikezzz)

I do not think it is right for a login module to have sasl server semantics. This is because JAAS->LM->SASL Server.

The right thing to do is: SASL->JAAS So may be the right thing to do for JBoss 4.x is to have a sasl enabled security manager implementation, something like the current JaasSecurityManager that is plugged into the JaasSecurityManagerService.

Of course for JBoss5, we will find a better sasl enabled solution.

For the time being, Mike, may be you want to have a separate login module that does sasl?
Actions
11. Re: SASL Authentication

mikezzz May 22, 2007 2:33 PM (in response to mikezzz)

I'm not sure that I understand the problem.

A seperate LoginModule doesn't really make sense, because then it would not be able to reuse the existing DB/LDAP/File store for the authentication data.

Mike.
Actions
12. Re: SASL Authentication

anil.saldhana May 22, 2007 3:23 PM (in response to mikezzz)

I am saying is that the login modules in JBoss should not be further tainted with sasl semantics just the way they have been done with authorization semantics. The login modules are supposed to just do authentication and establishment of the subject.

The sasl enabled implementation of the SubjectSecurityManager(or AuthenticationManager) can still delegate to the JAAS framework underneath.
Actions
13. Re: SASL Authentication

mikezzz May 23, 2007 3:12 AM (in response to mikezzz)

Are you saying that a SASL authentication mechanism should be implemented on top of JAAS rather than as part of the JBoss Security? I don't think that will work as the SASL mechanism requires the password in order to perform some of the data hashing. The JAAS API does not allow the retrieval of user credentials (only submission).

Mike.
Actions
14. Re: SASL Authentication

anil.saldhana May 23, 2007 8:55 AM (in response to mikezzz)

I am saying that there should be an implementation of the SubjectSecurityManager interface just like the JaasSecurityManager. This will implement the method isValid(Principal,Object cred). So you will be given an userid and password. Now you can internally call the jaas framework(where you can get the expected password from ldap,db wherever). This is the right approach.
Actions

1 2 Previous Next

Go to original post