[QPID-7282] Java Broker should always send server-final message (if required) to the client on succesful SASL negotiation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.30, 0.32, qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2, qpid-java-6.0.3, qpid-java-6.1
Fix Version/s: qpid-java-6.0.4, qpid-java-6.1
Component/s: Broker-J
Labels:
None

Description

On Scram Sha SASL negotiation Broker does not send server-final challenge (ServerSignature) with the following authentication providers:

Simple (SimpleAuthenticationManager)
PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)

The sasl negotiation for Scram Sha SASL mechanisms should always include sending of server-final message in order to give a chance to verify server signature on a client as per RFC 5802

The client then authenticates the server by computing the
ServerSignature and comparing it to the value sent by the server. If
the two are different, the client MUST consider the authentication
exchange to be unsuccessful, and it might have to drop the
connection.

We need to change all existing Authentication Provider to support sending of final message

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Alex Rudyy

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 30/May/16 11:53

Updated:: 04/May/18 13:03

Resolved:: 03/Jun/16 12:43