2 Replies Latest reply on Jul 20, 2012 8:58 AM by pbeltranl

    Upgrade httpclient version to support Windows Integrated Authentication

    pbeltranl Level 1

      I've seen that BlazeDS 4.5 is still using the very old Jakarta HttpClient 3.0.1 library. That library does not support Windows Integrated Authentication (NTLM, Kerberos). This is a big issue, because such a platform cannot be ignored and changing server authentication to Basic is not realistic in many cases. In fact, Windows native authentication was not a goal for BlazeDS, because the required NTCredentials are never used from the BlazeDS source code and there is no support to include the domain and workstation in the credentials: only username and password are sent to the server.


      Furthermore, password encryption should be supported between the client app and the BlazeDS server. I've debugged the code and credentials are sent in clear text (Base64 encoded, of course) inside an http header. This is a security threat that should be improved. This is quite simple to achieve by creating an in-memory certificate (bouncecastle.org) every time that BlazeDS is up and an automatic service destination configuration in order to get it. In that way, clients could download the public certificate and encrypt passwords (as3crypto works pretty well) before they are sent to the server. That would not require https between clients and the BlazeDS server.


      At present (BlazeDS 4.0), the low security level for remote passwords and poor Windows authentication support make BlazeDS a bad choice for enterprise services in many scenarios.


      Roadmap proposal:


      1. Ideally, modify BlazeDS to use the latest 4.x HttpClient library with JCIFS support included out of the box. As the API changed a lot between the 3.x and 4.x versions of the HttpClient project, it would require a great effort and re-writing some BlazeDS parts. Alternatively, HttpClient 3.x versions can still be used. I've replaced the current 3.0.1 with the 3.1.0 version (the latest 3.x version available) and BlazeDS compiles without problems and it looks to work fine too. As 3.x versions of HttpClient do not support Windows authentication, some modifications must be done in order to include support for JCIFS (it's quite easy to achieve).


      2. Modify the BlazeDS proxy module (security filter) to support NTCredentials <- Send domain and workstation from the client. I think the easy way is to look for a specific http header. If it's present, then use NTLM credentials.


      3. Include bouncecastle.org libraries in BlazeDS for automatic certificate generation. Include a parameter in the services-config.xml file to declare a specific certification level (512, 1024, 2048 bits and so on) and generate a certificate in memory every time that the BlazeDS server is started up. Create an automatic destination (programmatically on BlazeDS) in order to allow users to download the public key. Provide an as3 library to automatically download the public key from the BlazeDS server and also encrypt the password by using the as3crypto library. Include support for a new http header to indicate when the password is encrypted by using the public key. (Similar to the 2nd step.)


      That's all.
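For readers who want to see what step 3 of the proposal looks like in code, here is an added Java sketch of the server-side key pair, the published public key, the client-side encryption and the flag-header check. It is an editor's example, not code from this post or from BlazeDS, and it uses the JDK's built-in RSA-OAEP rather than Bouncy Castle or as3crypto; the header name `X-BlazeDS-Password-Encrypted` and the sample password are assumptions, since the post only says "a new http header".

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;

/**
 * Added example (not BlazeDS code): a key pair generated in memory at
 * server start-up, its public half published to clients, and a password
 * encrypted client-side before it travels in an HTTP header.
 */
public class PasswordEnvelopeExample {

    // Hypothetical header name; the post only proposes "a new http header".
    static final String ENCRYPTED_HEADER = "X-BlazeDS-Password-Encrypted";
    // RSA with OAEP/SHA-256 padding, available in the JDK's SunJCE provider.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /**
     * Server side: generate the key pair once per start-up. keyBits stands in
     * for the proposed services-config.xml parameter. OAEP with SHA-256 needs
     * 66 bytes of overhead, so a 512-bit key (64 bytes) cannot hold even an
     * empty password; 2048 bits is the realistic floor today.
     */
    static KeyPair generateServerKeyPair(int keyBits) throws Exception {
        if (keyBits < 2048) {
            throw new IllegalArgumentException("RSA key too small for OAEP-SHA256 and for current practice: " + keyBits);
        }
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(keyBits);
        return gen.generateKeyPair();
    }

    /** Server side: what the "download the public key" destination would hand out (X.509 SubjectPublicKeyInfo, Base64). */
    static String exportPublicKey(KeyPair kp) {
        return Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
    }

    /** Client side: rebuild the public key from the download and encrypt the password with RSA-OAEP. */
    static String encryptPassword(String publicKeyB64, String password) throws Exception {
        byte[] der = Base64.getDecoder().decode(publicKeyB64);
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, pub);
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /**
     * Server side (where the security filter would sit): decrypt only when the
     * flag header says the value is encrypted; otherwise treat it as the plain
     * Base64 credential BlazeDS already handles.
     */
    static String recoverPassword(PrivateKey priv, Map<String, String> headers, String credentialValue) throws Exception {
        if (!"true".equalsIgnoreCase(headers.get(ENCRYPTED_HEADER))) {
            return credentialValue;
        }
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, priv);
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(credentialValue));
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Server start-up
        KeyPair kp = generateServerKeyPair(2048);
        String published = exportPublicKey(kp);

        // Client: constructed sample password, encrypted with the downloaded key
        String samplePassword = "example-password";
        String envelope = encryptPassword(published, samplePassword);
        Map<String, String> headers = new HashMap<>();
        headers.put(ENCRYPTED_HEADER, "true");

        // Server: filter recovers the password only because the flag header is set
        String recovered = recoverPassword(kp.getPrivate(), headers, envelope);
        System.out.println(recovered.equals(samplePassword) ? "round-trip ok" : "round-trip FAILED");
    }
}
```

One design point worth keeping in view when evaluating this scheme as a substitute for https: the client has no way to verify that the public key it downloaded really belongs to the BlazeDS server unless that download itself travels over an authenticated channel, and an encrypted password without a nonce or timestamp is still a replayable token, so the flag-header logic above is best treated as defence in depth alongside TLS rather than a replacement for it.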