qpid-dev mailing list archives

From "Robbie Gemmell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PROTON-1606) (Proton-J) Using Sasl needs to be optional for Client Role
Date Wed, 04 Oct 2017 17:03:00 GMT

    [ https://issues.apache.org/jira/browse/PROTON-1606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16191571#comment-16191571 ]

Robbie Gemmell commented on PROTON-1606:

You say it breaks your ability to use amqps. Would I be right in assuming what you mean is
that you can't use ANONYMOUS when using TLS either because your service doesn't offer that mechanism,
or perhaps because it does but aligns using it with a requirement to perform other actions (e.g.
a higher level token-based authentication system) that you don't want to do?

In either case, I'd assume that to authenticate you instead normally either use another SASL
mechanism, e.g. PLAIN might do since it's over TLS, or instead require use of client certificate
based authentication but still want to avoid ANONYMOUS if offered when doing so (and could
also drop the SASL layer entirely). Traditionally servers supporting the latter would offer
the SASL EXTERNAL mechanism to clients with certificates. If you know it's either of those
cases then it's possible to do those already by adjusting the SASL behaviour in the connection
bound callback. If not, I don't think a method on the transport would really work with how
it is created and used, so it's probably better to think about adding something to stop the
reactor creating the transport SASL layer to begin with.

> (Proton-J) Using Sasl needs to be optional for Client Role
> ----------------------------------------------------------
>                 Key: PROTON-1606
>                 URL: https://issues.apache.org/jira/browse/PROTON-1606
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-j
>    Affects Versions: proton-j-0.22.0
>         Environment: N/A
>            Reporter: tim taylor
>   Original Estimate: 8h
>  Remaining Estimate: 8h
> In order for my application to use Proton-j for amqps messaging, the Sasl layer cannot
> be created by the global handler (IOHandler) at CONNECTION_LOCAL_OPEN time. The code below
> breaks our ability to use proton-j for amqps messaging as a CLIENT against our service.
> ...
> sasl = transport.sasl();
> sasl.client();
> sasl.setMechanisms("ANONYMOUS");
> ...
> I need these three lines of code to be optional in the global handler, or for a new API
> that allows a transport implementation to undo creating the Sasl layer.
> Something like:
>     ....
>     Transport transport = event.getConnection().getTransport();
>     transport.disableSasl();
>     ....
> The service I am hitting against is not using Proton-j as the SERVER role.

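The comment above mentions adjusting the SASL behaviour in the connection bound callback. The following is an added sketch of that approach, not code from the message or from the Proton-J project: the class name `ClientAuthHandler`, its constructor parameters and the PEM file paths passed to it are hypothetical. It replaces the reactor's default ANONYMOUS selection with either EXTERNAL (client certificate) or PLAIN, and enables TLS with server certificate verification so PLAIN credentials are never sent in the clear.

```java
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.BaseHandler;
import org.apache.qpid.proton.engine.Event;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.Transport;

/** Hypothetical client handler (added example): overrides the default ANONYMOUS choice. */
public class ClientAuthHandler extends BaseHandler {
    private final String caFile;      // PEM with the CA(s) trusted to sign the server cert
    private final String certFile;    // client certificate PEM, or null to use PLAIN
    private final String keyFile;     // client private key PEM, or null to use PLAIN
    private final String keyPassword; // password for keyFile, may be null
    private final String username;    // used only for PLAIN
    private final String password;    // used only for PLAIN

    public ClientAuthHandler(String caFile, String certFile, String keyFile,
                             String keyPassword, String username, String password) {
        this.caFile = caFile;
        this.certFile = certFile;
        this.keyFile = keyFile;
        this.keyPassword = keyPassword;
        this.username = username;
        this.password = password;
    }

    @Override
    public void onConnectionBound(Event event) {
        Transport transport = event.getConnection().getTransport();

        // TLS client configuration: verify the server chain against caFile.
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(caFile);
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER);

        // The reactor's IOHandler has already created the SASL layer and set
        // ANONYMOUS; transport.sasl() returns that layer so it can be changed.
        Sasl sasl = transport.sasl();
        if (certFile != null) {
            // Client-certificate authentication: present the cert, select EXTERNAL.
            domain.setCredentials(certFile, keyFile, keyPassword);
            sasl.setMechanisms("EXTERNAL");
        } else {
            // Username/password, acceptable only because TLS is enabled below.
            sasl.plain(username, password);
        }
        transport.ssl(domain);
    }
}
```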