qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Justin Ross (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-4122) Remove ANONYMOUS from mechanisms allowed in ACL tests
Date Wed, 15 Mar 2017 00:26:41 GMT

     [ https://issues.apache.org/jira/browse/QPID-4122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Justin Ross updated QPID-4122:
------------------------------
    Component/s: C++ Tests

> Remove ANONYMOUS from mechanisms allowed in ACL tests
> -----------------------------------------------------
>
>                 Key: QPID-4122
>                 URL: https://issues.apache.org/jira/browse/QPID-4122
>             Project: Qpid
>          Issue Type: Test
>          Components: C++ Tests
>            Reporter: Alan Conway
>            Assignee: michael goulish
>            Priority: Minor
>
> With the anonymous mechanism allowed its easy to get a false positive if you accidentally
fail to set an authentication mechanism at all in a security test, since you can always connect
with ANONYMOUS. This is especially the case where there are multiple elements that need to
be authenticated, for example a test harness starting an admin tool which talks to a broker,
or brokers talking to each other in a cluster. It might be safer to remove ANONYMOUS and ensure
that every element in a security-related test does authenticate properly. A quick check shows
that removing ANONYMOUS causes multilple tests to fail. It is possible that the tests are
OK and those connections don't need authentication, but it might be clearer to require authentication
from all players in a security related test.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message