Details
-
Test
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
None
-
None
-
None
Description
With the anonymous mechanism allowed its easy to get a false positive if you accidentally fail to set an authentication mechanism at all in a security test, since you can always connect with ANONYMOUS. This is especially the case where there are multiple elements that need to be authenticated, for example a test harness starting an admin tool which talks to a broker, or brokers talking to each other in a cluster. It might be safer to remove ANONYMOUS and ensure that every element in a security-related test does authenticate properly. A quick check shows that removing ANONYMOUS causes multilple tests to fail. It is possible that the tests are OK and those connections don't need authentication, but it might be clearer to require authentication from all players in a security related test.