QPID-6540 (Qpid): Add ability to disable one or more of an authentication provider's mechanisms


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.32
    • Fix Version/s: qpid-java-6.0
    • Component/s: Broker-J
    • Labels: None

    Description

      Currently authentication providers such as the SCRAM providers offer the client a choice to authenticate using the mechanisms PLAIN or SCRAM_SHA. The former is already restricted to those using a secure transport.

      If a client chooses SCRAM_SHA, then the secret is the salted password (stored within Broker configuration) rather than the plain password itself.

      If an attacker has access to the salted password, then they can use it to log in via this mechanism.

      It would be good if an authentication provider had the ability to disable one or more mechanisms. Then an authentication provider such as SCRAM could be configured to accept only PLAIN (which would be accepted only over SSL), which would force the user to be in possession of the clear text password.

      A port should verify that the given authentication provider exposes at least one usable mechanism. That is, if a plain port is configured with an Auth Provider with only PLAIN, presumably, the Port should fail to start.
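One way to express the port start-up check the issue asks for, as an added example in Python that is not Broker-J code: the provider and port classes, attribute names, sample configurations and mechanism names are assumptions constructed to mirror the two rules above (an admin-disabled set, and PLAIN being offered only over a secure transport).

```python
# Added example (not Broker-J code): models the start-up check proposed in the
# issue. The classes, attribute names and sample configurations are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthProvider:
    name: str
    mechanisms: frozenset                       # mechanisms the provider implements
    disabled: frozenset = frozenset()           # the knob the issue proposes
    # mechanisms offered only over a secure transport; PLAIN already works this way
    secure_only: frozenset = frozenset({"PLAIN"})


@dataclass(frozen=True)
class Port:
    name: str
    tls: bool
    provider: AuthProvider


def usable_mechanisms(port: Port) -> frozenset:
    """Mechanisms a client connecting to `port` can actually negotiate."""
    p = port.provider
    offered = p.mechanisms - p.disabled
    if not port.tls:
        offered = offered - p.secure_only
    return offered


def check_port_can_start(port: Port) -> frozenset:
    """Fail fast at start-up when no usable mechanism remains, as the issue proposes."""
    mechs = usable_mechanisms(port)
    if not mechs:
        raise ValueError(
            f"port {port.name!r}: provider {port.provider.name!r} exposes no usable "
            f"mechanism (tls={port.tls}, disabled={sorted(port.provider.disabled)})")
    return mechs


# Constructed scenario from the issue: a SCRAM provider with SCRAM switched off,
# so only PLAIN (and therefore only the clear-text password) is accepted.
SCRAM_PLAIN_ONLY = AuthProvider("scram", frozenset({"PLAIN", "SCRAM-SHA-256"}),
                                disabled=frozenset({"SCRAM-SHA-256"}))
TLS_PORT = Port("amqps", tls=True, provider=SCRAM_PLAIN_ONLY)    # starts, PLAIN only
PLAIN_PORT = Port("amqp", tls=False, provider=SCRAM_PLAIN_ONLY)  # must refuse to start

if __name__ == "__main__":
    print(sorted(check_port_can_start(TLS_PORT)))
    try:
        check_port_can_start(PLAIN_PORT)
    except ValueError as err:
        print("refused:", err)
```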

    People

      Robert Godfrey (rgodfrey)
      Lorenz Quack (lorenz.quack)