qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lorenz Quack (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-6540) Add ability to disable one or more of an authentication provider's mechanisms
Date Tue, 12 May 2015 16:29:01 GMT

     [ https://issues.apache.org/jira/browse/QPID-6540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Lorenz Quack updated QPID-6540:
    Attachment: 0001-QPID-6540-Java-Broker-Add-ability-to-disable-one-or-.patch

includes tests

> Add ability to disable one or more of an authentication provider's mechanisms
> -----------------------------------------------------------------------------
>                 Key: QPID-6540
>                 URL: https://issues.apache.org/jira/browse/QPID-6540
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.32
>            Reporter: Lorenz Quack
>         Attachments: 0001-QPID-6540-Java-Broker-Add-ability-to-disable-one-or-.patch
> Currently authentication providers such as the Scam Providers offer the client a choice
to authenticate using mechanisms PLAIN or SCRAM_SHA. The former is already restricted to those
using a secure transport.
> If a client chooses SCRAM_SHA, then the secret is the salted password (stored within
Broker configuration) rather than the plain password itself.
> If an attacker has access to the salted password, then they can use it to login via this
> It would be good if an authentication provider had the ability to disable one or more
mechanisms. Then an authentication provider such as SCRAM could be configured to accept only
PLAIN (which would be accepted only over SSL), which would force the user to be in possession
of the clear text password.
> A port should verify that the given authentication provider exposes at least one usable
mechanism. That is, if a plain port is configured with a Auth Provider with only plain, presumably,
the Port should fail to start.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message