qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan Conway (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-4122) Remove ANONYMOUS from mechanisms allowed in ACL tests
Date Mon, 09 Jul 2012 16:21:35 GMT
Alan Conway created QPID-4122:

             Summary: Remove ANONYMOUS from mechanisms allowed in ACL tests
                 Key: QPID-4122
                 URL: https://issues.apache.org/jira/browse/QPID-4122
             Project: Qpid
          Issue Type: Test
            Reporter: Alan Conway
            Priority: Minor

With the anonymous mechanism allowed its easy to get a false positive if you accidentally
fail to set an authentication mechanism at all in a security test, since you can always connect
with ANONYMOUS. This is especially the case where there are multiple elements that need to
be authenticated, for example a test harness starting an admin tool which talks to a broker,
or brokers talking to each other in a cluster. It might be safer to remove ANONYMOUS and ensure
that every element in a security-related test does authenticate properly. A quick check shows
that removing ANONYMOUS causes multilple tests to fail. It is possible that the tests are
OK and those connections don't need authentication, but it might be clearer to require authentication
from all players in a security related test.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message