qpid-dev mailing list archives

From "Rob Godfrey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-5922) [Java Broker] By default restrict the use of PLAIN authentication to secure channels
Date Wed, 04 Mar 2015 22:31:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-5922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14347696#comment-14347696

Rob Godfrey commented on QPID-5922:

And they can :-)

If you edit the config json file you'll see a section on the authentication providers, something
like this:

"authenticationproviders" : [ {
    "id" : "e5d6f234-d212-4fc9-9728-815a547eee86",
    "name" : "passwordFile",
    "type" : "PlainPasswordFile",
    "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd",

you can add an entry in there to allow any authentication mechanism by setting the "secureOnlyMechanisms"
to the empty list (by default any mechanism which would reveal potentially confidential information
such as PLAIN and AMQPLAIN is in the list)... so

"authenticationproviders" : [ {
    "id" : "e5d6f234-d212-4fc9-9728-815a547eee86",
    "name" : "passwordFile",
    "type" : "PlainPasswordFile",
    "secureOnlyMechanisms" : [ ],
    "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd",

should work 

> [Java Broker] By default restrict the use of PLAIN authentication to secure channels
> ------------------------------------------------------------------------------------
>                 Key: QPID-5922
>                 URL: https://issues.apache.org/jira/browse/QPID-5922
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>             Fix For: 0.29
> PLAIN authentication sends passwords in the clear - in general this should not be used
> over communication channels which are not themselves encrypted.
> For any given authentication provider we should allow the user to set the subset of SASL
> mechanisms which should not be offered if the attempt to authenticate is not occurring on
> a secure channel.

This message was sent by Atlassian JIRA
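A small audit of the setting discussed above, added here as an example and not part of the Qpid project or this thread: it reads a broker config.json, and for each authentication provider reports whether a cleartext-credential mechanism (PLAIN, AMQPLAIN, as named in the comment) would be offered on an unencrypted connection, and flags a misspelled "secureOnlyMechanisms" key that silently fails to set the list. The default mechanism set and the sample config are assumptions constructed for the example.

```python
import json

# Mechanisms the thread names as sending credentials in the clear. Assumption:
# this is the broker's default secure-only list; the exact default may vary by version.
CLEARTEXT_MECHANISMS = {"PLAIN", "AMQPLAIN"}
KEY = "secureOnlyMechanisms"

# Constructed sample config: one provider at the default, one opened up exactly as
# in the comment above, and one with the key misspelled (ids are made up).
SAMPLE_CONFIG = """
{ "authenticationproviders" : [ {
    "id" : "e5d6f234-d212-4fc9-9728-815a547eee86",
    "name" : "passwordFile",
    "type" : "PlainPasswordFile",
    "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd"
  }, {
    "id" : "00000000-0000-0000-0000-000000000002",
    "name" : "openFile",
    "type" : "PlainPasswordFile",
    "secureOnlyMechanisms" : [ ],
    "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd"
  }, {
    "id" : "00000000-0000-0000-0000-000000000003",
    "name" : "typoFile",
    "type" : "PlainPasswordFile",
    "secureOnlyMechanims" : [ "PLAIN", "AMQPLAIN" ],
    "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd"
  } ] }
"""


def audit_providers(config_text):
    """Return (provider name, finding) pairs for providers whose configuration
    would offer a cleartext mechanism on an insecure channel, or whose
    secure-only key is misspelled and therefore never applied."""
    findings = []
    for prov in json.loads(config_text).get("authenticationproviders", []):
        name = prov.get("name", "<unnamed>")
        if KEY in prov:
            # Anything not in the secure-only list is offered on plain TCP too.
            exposed = CLEARTEXT_MECHANISMS - set(prov[KEY])
            if exposed:
                findings.append((name, "offers %s on insecure channels"
                                 % ", ".join(sorted(exposed))))
            continue
        # Key absent: a near-miss spelling means the intended list is not set.
        for k in prov:
            if k != KEY and k.lower().startswith("secureonlymech"):
                findings.append((name, "key %r is not %s and sets nothing" % (k, KEY)))
    return findings
```

Run it against the broker's own config.json before exposing a non-TLS AMQP port; a clean result means every provider either keeps the default list or names PLAIN and AMQPLAIN explicitly.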
