
Scram SHA SASL support for authentication

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.9.0
    • Component/s: qpid-jms-client
    • Labels:
      None

      Description

      The SCRAM SHA-1 and 256 SASL mechanisms https://tools.ietf.org/html/rfc5802 offer better security than older SASL implementations. In particular the authentication information stored in the authentication database is not sufficient to impersonate the client if the database were to be stolen.

      (The Java Broker already supports these mechanisms. The intention is to switch to recommend SCRAM instead of CRAM-MD5 shortly. One barrier to making this switch is the absence of support in the client).
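      The property described above, worked through with the known-good exchange from RFC 5802 section 5. This is an added example, not code from the Qpid JMS patch, and its function names are illustrative. The broker's record (StoredKey, ServerKey) is enough to verify a ClientProof but not to produce one.

```python
import base64
import hashlib
import hmac

# Known-good exchange from RFC 5802 section 5 (user "user", password "pencil").
PASSWORD = b"pencil"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = ",".join([
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL",  # client-first-message-bare
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",
    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j",  # final, without proof
]).encode("ascii")

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def server_record(password, salt, iterations):
    """What the broker stores: (StoredKey, ServerKey). No password, no ClientKey."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return hashlib.sha1(client_key).digest(), _hmac(salted, b"Server Key")

def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(stored_key, auth_message, proof):
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey."""
    recovered = _xor(proof, _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)

def server_signature(server_key, auth_message):
    """Value the server returns as v=... so the client can authenticate it."""
    return _hmac(server_key, auth_message)

def proof_from_stored_key_only(stored_key, auth_message):
    """Without ClientKey, substituting StoredKey yields a proof that fails to verify."""
    return _xor(stored_key, _hmac(stored_key, auth_message))
```

      The stored record still permits offline password guessing, so the iteration count and password strength remain relevant.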

        Activity

        k-wall Keith Wall added a comment -

        Working implementation of SCRAM SHA SASL 1 and 256.
        Tested against Java Broker.

        gemmellr Robbie Gemmell added a comment -

        I skimmed the patch very quickly (will take a closer look when I'm at less risk of sneezing everywhere), the only things that stuck out doing that were: possibly use comment instead of javadoc for the licence header, and it could do with some tests (I'm guessing maybe some source material suffers similar issue?), given they will be by far the most complicated of the supported mechs but also among the highest priority. SaslIntegrationTest has some brokerless SASL tests using the full client, but other than verifying when the mechs get selected pure unit test of the mechs might be a lot easier in this case.

        k-wall Keith Wall added a comment - - edited

        Thanks for the initial comments. I've added some unit tests based on known-good data taken from the RFCs. (edit: latest patch further improves test cases).

        jira-bot ASF subversion and git services added a comment -

        Commit 36469f1c7b2a8dcc3c773fd0316e952b7bab8472 in qpid-jms's branch refs/heads/master from Keith Wall
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=36469f1 ]

        QPIDJMS-150: Add support for SASL SCRAM SHA1/256 [RFC-5802/7677]

        • Include unit tests based on known good test data from their respective RFCs
        jira-bot ASF subversion and git services added a comment -

        Commit b4ce4fd40600cffa7443e963361006edb7323739 in qpid-jms's branch refs/heads/master from Robert Gemmell
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=b4ce4fd ]

        QPIDJMS-150: add some testing around mech selection and tweak priorities

        gemmellr Robbie Gemmell added a comment -

        Thanks for the updates, patch committed along with some other tests around mechanism selection. Might be nice to remove the ASCII limitation, but I'd guess folks aren't too likely to hit it so it should suffice for now.

        gemmellr Robbie Gemmell added a comment - - edited

        Reopening, some of the tests failed in a new (to me) way on Travis and Appveyor:
        https://travis-ci.org/apache/qpid-jms/builds/111005093
        https://ci.appveyor.com/project/stumped2/qpid-jms/build/205

        Worked fine locally for me on 2 JVMs, for Tim, and on the ASF Jenkins. Need to take a look why Travis+Appveyor choked.

        jira-bot ASF subversion and git services added a comment -

        Commit 78915455a42fb6cc8174f50aa673dd88116ae1ed in qpid-jms's branch refs/heads/master from Timothy Bish
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=7891545 ]

        QPIDJMS-150: Add missing throws tags to remove errors on strict checks.

        jira-bot ASF subversion and git services added a comment -

        Commit 160c102c847ee4f9c7dc6bf3d86d4c53ab2d88fa in qpid-jms's branch refs/heads/master from Robert Gemmell
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=160c102 ]

        QPIDJMS-150: make test base class public

        jira-bot ASF subversion and git services added a comment -

        Commit 25b47e0b52f02e8df0edb8924ed820ef2bae60ac in qpid-jms's branch refs/heads/master from Robert Gemmell
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=25b47e0 ]

        QPIDJMS-150: remove some dead catch blocks the compiler complains about

        gemmellr Robbie Gemmell added a comment -

        https://ci.appveyor.com/project/ApacheSoftwareFoundation/qpid-jms/build/8
        https://travis-ci.org/apache/qpid-jms/builds/111198397

        Builds are happy again after making the abstract test superclass public, resolving.

        jira-bot ASF subversion and git services added a comment -

        Commit de9539de3f8c5bc8dfa31adebd2d891419a47650 in qpid-jms's branch refs/heads/master from Robert Gemmell
        [ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=de9539d ]

        QPIDJMS-150: update the config docs to include the new mechanisms


          People

          • Assignee:
            gemmellr Robbie Gemmell
            Reporter:
            k-wall Keith Wall
          • Votes:
            0
            Watchers:
            3
