16 Replies, latest reply on Jun 11, 2007 6:47 AM by Anil Saldanha

    SASL Authentication



      Over at http://www.buni.org we need to implement SASL authentication for our IMAP support. We need it to integrate with the JBoss implementation of JAAS. Therefore I have placed a patch for SASL Authentication in the security JIRA project (against the 4.0 branch): http://jira.jboss.com/jira/browse/SECURITY-36

      Currently it only supports CRAM-MD5 (DIGEST-MD5 should only be a matter of extending the configuration, and GSSAPI might require a bit more thought) and doesn't support initial response yet.

      I do have commit access, so if you are happy with this code, let me know if you would like me to add it. It would be useful for us if we could get this into the next stable release.

      How to use the SASL authentication:

      The SASL support is an extension to the UsernamePasswordLoginModule, so it is available for all authentication repositories (e.g. Database, LDAP, etc.). To enable it, add the following configuration:

       <login-module code = "..."
        flag = "sufficient">
        <module-option name = "sasl.enabled">true</module-option>
        <module-option name = "sasl.encoding">base64</module-option>
        <module-option name = "sasl.hostname">localhost</module-option>
        <module-option name = "sasl.mechanism">CRAM-MD5</module-option>
       </login-module>

      Client code then needs to pass the challenge/response data as base64 encoded strings using the TextInputCallback/TextOutputCallback. It should also handle the NameCallback to supply the username of the client trying to authenticate.

      // Imports the snippet needs (javax.security.auth is part of the JDK)
      import java.io.IOException;
      import javax.security.auth.callback.*;
      import javax.security.auth.login.LoginContext;

      // username, receive() and send() are assumed to be in scope: username is the
      // name the client claims; receive()/send() talk to the client connection.
      // Base64 is the helper used in the original post (e.g. org.jboss.util.Base64).
      CallbackHandler ch = new CallbackHandler() {
          public void handle(Callback[] callbacks) throws
                  IOException, UnsupportedCallbackException {
              for (int idx = 0; idx < callbacks.length; idx++) {
                  Callback cb = callbacks[idx];
                  if (cb instanceof NameCallback) {
                      // Tell the login module who is authenticating
                      NameCallback nc = (NameCallback) cb;
                      nc.setName(username);
                  } else if (cb instanceof TextInputCallback) {
                      // The login module asks for the client's response, base64 encoded
                      TextInputCallback tic = (TextInputCallback) cb;
                      byte[] response = receive(); // Gets the response from the client
                      tic.setText(Base64.encodeBytes(response));
                  } else if (cb instanceof TextOutputCallback) {
                      // The login module hands out the server challenge, base64 encoded
                      TextOutputCallback toc = (TextOutputCallback) cb;
                      byte[] challenge = Base64.decode(toc.getMessage());
                      send(challenge); // Send the challenge to the client
                  } else {
                      throw new UnsupportedCallbackException(cb);
                  }
              }
          }
      };
      LoginContext lc = new LoginContext("...", ch);
      lc.login();

      For more information check the SaslLoginTestCase.

        • 1. Re: SASL Authentication
          Anil Saldanha Master

          Thanks for the patch. I will probably pull the stuff into a separate login module that has the sasl behavior.

          • 2. Re: SASL Authentication

            I placed the code in the UsernamePasswordLoginModule so that it would work with the existing modules Database, LDAP etc. I was looking at the code and was thinking that one possible refactoring could be to separate the login mechanism (standard login, hashed login, sasl) from the user/roles repository (database, LDAP, file), perhaps using a strategy pattern or similar.


            • 3. Re: SASL Authentication
              Scott Stark Master

              We do want to refactor the login modules to only be focused on authentication with roles coming from an authorization phase. For legacy compatibility they still need to be able to pull in the roles where that capability exists.

              Have you tested the sasl with an ldap server that supports it? I wouldn't think that this could be integrated at the login module level since it tends to come in at the jndi level.

              • 4. Re: SASL Authentication


                I think I may have caused a little confusion with this patch, I don't think I explained it particularly well.

                This patch doesn't enable JBoss connect to an external SASL enabled server. It is designed to make JBoss the SASL authentication provider, so where the username/password pairs come from doesn't really matter. In other words, it allows SASL enabled clients (e.g. IMAP mail clients) to authenticate against a JBoss server.


                • 5. Re: SASL Authentication
                  Andrew Oliver Master

                  Scott, this is similar to what we did here (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=69569&start=10) in UserRolesLoginModule (which allowed you to check the incoming PWD against MD5HEX[PWD+SharedSecret]). This is sorta the reverse since the password is used to hash the secret. If you look here: http://www.faqs.org/rfcs/rfc2222.html at their IMAP example. Supposing that a JBoss login module provides the user/password, then w/o exposing user/password up the stack, this allows you to use the login module to authenticate w/sasl using any of the existing JBoss login modules. Allowing JBoss to authenticate to LDAP w/sasl is an orthogonal concern (probably more suited to later extension of what is presently the LdapExtLoginModule thingy). Does that make sense?

                  • 6. Re: SASL Authentication
                    Scott Stark Master

                    Ok, I see. What I would like to do then is get a few more handshake oriented auth methods like DIGEST and the existing SRP login modules based on this to flesh out what should be at the base login module level for the jbossas 4.2 version of security.

                    Where we really want to go is the direction of the JSR196(Java Authentication Service Provider Interface for Containers), which I view as more an extension of JAAS.

                    • 7. Re: SASL Authentication
                      Anil Saldanha Master

                      JSR-196 is going to be in JEE6. It does have support for challenge-response kind of scenarios. The pfd should be finalized soon.

                      • 8. Re: SASL Authentication
                        Andrew Oliver Master

                        So what is the state of the 196 stuff? I read the plan on the JBossSX wiki. Is that JEE 5.0?

                        • 9. Re: SASL Authentication
                          Scott Stark Master

                          It won't be in the spec until EE6. We are going to include it in jbossas5 though.

                          • 10. Re: SASL Authentication
                            Anil Saldanha Master

                            I do not think it is right for a login module to have sasl server semantics. This is because JAAS->LM->SASL Server.

                            The right thing to do is: SASL->JAAS. So maybe the right thing to do for JBoss 4.x is to have a sasl enabled security manager implementation, something like the current JaasSecurityManager that is plugged into the JaasSecurityManagerService.

                            Of course for JBoss5, we will find a better sasl enabled solution.

                            For the time being, Mike, maybe you want to have a separate login module that does sasl?

                            • 11. Re: SASL Authentication

                              I'm not sure that I understand the problem.

                              A separate LoginModule doesn't really make sense, because then it would not be able to reuse the existing DB/LDAP/File store for the authentication data.


                              • 12. Re: SASL Authentication
                                Anil Saldanha Master

                                What I am saying is that the login modules in JBoss should not be further tainted with sasl semantics, just the way they have been with authorization semantics. The login modules are supposed to just do authentication and establishment of the subject.

                                The sasl enabled implementation of the SubjectSecurityManager(or AuthenticationManager) can still delegate to the JAAS framework underneath.

                                • 13. Re: SASL Authentication

                                  Are you saying that a SASL authentication mechanism should be implemented on top of JAAS rather than as part of the JBoss Security? I don't think that will work as the SASL mechanism requires the password in order to perform some of the data hashing. The JAAS API does not allow the retrieval of user credentials (only submission).


                                  • 14. Re: SASL Authentication
                                    Anil Saldanha Master

                                    I am saying that there should be an implementation of the SubjectSecurityManager interface just like the JaasSecurityManager. This will implement the method isValid(Principal, Object cred). So you will be given a userid and password. Now you can internally call the jaas framework (where you can get the expected password from ldap, db, wherever). This is the right approach.
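As an added example that is not part of this thread or of JBoss, here is the CRAM-MD5 exchange described in the original post, run in process with the JDK's javax.security.sasl implementation. It also shows the point made in replies 13 and 14: the server side of CRAM-MD5 has to fetch the stored cleartext password of the claimed user (here through a PasswordCallback) so it can recompute the digest and compare it with the client's response. The class name CramMd5Exchange, the user store, the user name mike and its password are constructed for the example; the protocol name imap and the host name localhost are assumptions chosen to match the sasl.hostname option in the original post. It needs Java 8 or later.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

public class CramMd5Exchange {

    // Constructed user store standing in for the Database/LDAP/File login modules.
    // CRAM-MD5 verification needs the cleartext password on the server side.
    private static final Map<String, char[]> USERS = new HashMap<>();
    static {
        USERS.put("mike", "s3cret".toCharArray()); // constructed credentials
    }

    /** Server-side handler: the JDK CRAM-MD5 server asks for the stored password of the claimed user. */
    static final CallbackHandler SERVER_HANDLER = callbacks -> {
        String user = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                user = nc.getDefaultName();          // the name the client sent in its response
                nc.setName(user);
            } else if (cb instanceof PasswordCallback) {
                char[] pw = USERS.get(user);
                // Unknown user: hand back an empty password so the server rejects the response
                ((PasswordCallback) cb).setPassword(pw != null ? pw : new char[0]);
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                // Only let an authenticated user act as itself
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    /** Client-side handler: supplies the user's own name and password to the CRAM-MD5 client. */
    static CallbackHandler clientHandler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /**
     * Runs one CRAM-MD5 round trip in process and returns the authorized user,
     * or null if the server rejected the response. In the JBoss setup from the
     * original post the challenge bytes would go to the IMAP client through a
     * TextOutputCallback (base64) and the response bytes would come back through
     * a TextInputCallback.
     */
    static String authenticate(String user, char[] password) throws SaslException {
        SaslServer server = Sasl.createSaslServer("CRAM-MD5", "imap", "localhost", null, SERVER_HANDLER);
        SaslClient client = Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "imap", "localhost",
                null, clientHandler(user, password));
        try {
            // CRAM-MD5 has no initial response: the server speaks first with "<random.timestamp@host>"
            byte[] challenge = server.evaluateResponse(new byte[0]);
            // The client answers "user HEX(HMAC-MD5(password, challenge))"
            byte[] response = client.evaluateChallenge(challenge);
            server.evaluateResponse(response);      // throws SaslException on a bad digest or unknown user
            return server.isComplete() ? server.getAuthorizationID() : null;
        } catch (SaslException e) {
            return null;
        } finally {
            server.dispose();
            client.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("good password -> " + authenticate("mike", "s3cret".toCharArray()));
        System.out.println("bad password  -> " + authenticate("mike", "wrong".toCharArray()));
        System.out.println("unknown user  -> " + authenticate("eve", "s3cret".toCharArray()));
    }
}
```

The server never sees the password on the wire, only the keyed digest, which is why the verifier must be able to look up the shared secret itself: a store that holds only one-way password hashes (as JBoss's hashed login modules do) cannot verify CRAM-MD5 at all, which is the constraint reply 13 points at.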
