qpid-dev mailing list archives

From "Robbie Gemmell" <gemme...@dcs.gla.ac.uk>
Subject RE: [jira] Created: (QPID-1491) Secure Management Console connections do not work[MESSAGE NOT SCANNED]
Date Mon, 01 Dec 2008 10:27:04 GMT
By this I assume you mean check the profiles given by the broker and pick
from them in order of security? I looked into doing that the other day but
I'm not sure how to achieve it as it is set up at present, since whilst you
can give it as many SASL profiles as you like for it to pick from based on
what the broker offers, you can only seem to give the environment properties
for a JMXConnector one callback handler, which with the current use of
CRAM-MD5-HASHED on the broker (JMXManagedObjectRegistry) side means it needs
to know whether it's dealing with hashed or non-hashed principal databases to
ensure it sends the right thing. Using normal CRAM-MD5 for the JMX connector
instead would sort that, but to quote CRAMMD5Initialiser:
"//fixme we need a server that will correctly has the incomming plain text
for comparison to file.
 _logger.warn("we need a server that will correctly convert the incomming
plain text for comparison to file.");"

Expanding a little on my original email, the main reason removing
-Dsecurity=<profile> makes it unauthenticated is that it uses that property
to determine whether or not to use the jmxremote_optional.jar classes to
establish a JMXMP connection rather than an RMI based connection using the
standard connectors included with the JVM, and the RMIconnector server which
the broker starts up if admin security is disabled does not use
authentication. The reason you need to pick a security type when using the
JMXMP connector appears to be due to the above situation.

-----Original Message-----
From: aidan.skinner@gmail.com [mailto:aidan.skinner@gmail.com] On Behalf Of
Aidan Skinner
Sent: 01 December 2008 09:38
To: qpid-dev@incubator.apache.org
Subject: Re: [jira] Created: (QPID-1491) Secure Management Console
connections do not work[MESSAGE NOT SCANNED]

On Sun, Nov 30, 2008 at 4:41 PM, Robert Gemmell <gemmellr@dcs.gla.ac.uk>
wrote:

> This should be fixed by the patches I submitted previously, once the
> remaining ones are applied to the trunk. After repairing the PLAIN
> authentication, I used CRAM-MD5 several times without any issue.
>
> Also, just a note: removing -Dsecurity=CRAM-MD5 does not make it use
> PLAIN, it makes the connection to the broker totally unauthenticated.
> -Dsecurity=PLAIN makes it use PLAIN authentication.

Ugh, really? Lame. We should make it do SASL negotiation properly.

- Aidan
-- 
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid
"Have we anything resembling a plan?" "Mm-hm. Ride till we find
them... and kill them all." - The 13th Warrior
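
The negotiation discussed in this thread (pick from the mechanisms the broker offers in order of security, and never drop to an unauthenticated connection), as an added example that is not part of the original messages and is not Qpid code. It uses the standard `javax.security.sasl` API with the JDK's built-in CRAM-MD5 and PLAIN clients; the class name, preference order, protocol string, host and credentials are assumptions, and the broker's CRAM-MD5-HASHED variant is not covered.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslPick {
    // Client preference, strongest first (ordering assumed for this example).
    static final List<String> PREFERRED = Arrays.asList("CRAM-MD5", "PLAIN");
    // Returns a client for the strongest mutual mechanism; throws instead of going unauthenticated.
    static SaslClient negotiate(Collection<String> offered, String host,
                                String user, char[] password) throws SaslException {
        List<String> mutual = new ArrayList<>(PREFERRED);
        mutual.retainAll(offered); // intersection, client preference order kept
        if (mutual.isEmpty()) {
            throw new SaslException("no mutual SASL mechanism in " + offered
                    + "; refusing an unauthenticated connection");
        }
        // One handler serves both mechanisms: each asks for a name and a password.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        // createSaslClient tries the array in order; "jmx" is a placeholder protocol name.
        SaslClient client = Sasl.createSaslClient(
                mutual.toArray(new String[0]), null, "jmx", host, null, handler);
        if (client == null) {
            throw new SaslException("no SASL client factory for " + mutual);
        }
        return client;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray(); // constructed sample value
        String host = "broker.example";                   // constructed sample value
        System.out.println(negotiate(Arrays.asList("PLAIN", "CRAM-MD5"), host, "admin", pw).getMechanismName());
        System.out.println(negotiate(Arrays.asList("PLAIN"), host, "admin", pw).getMechanismName());
        try {
            negotiate(Collections.<String>emptyList(), host, "admin", pw);
        } catch (SaslException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```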

