[
https://issues.apache.org/jira/browse/QPID-3396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13436665#comment-13436665
]
Pavel Moravec commented on QPID-3396:
-------------------------------------
> Again I think the correct behaviour is to look at the selected mech (after
> negotiation with the peer) and then see if user/pass is required. If so then
> throw an exception.
With the current C++ broker and auth=no, the broker sends, in the connection.start
AMQP command, auth.mechanisms "ANONYMOUS" and also "PLAIN"; the second is there
to allow some tests (per gsim). If a client chooses the PLAIN mechanism here and
sends whatever credentials, the broker silently ignores them.
But that would cause a problem in our case, as:
- the client library got no credentials from the client
- the broker offers the PLAIN and ANONYMOUS mechs, not telling anything about no auth
being required
- the library chooses PLAIN as more secure and fails due to no credentials
Therefore I suggest the patch that checks during URL parsing if credentials are
missing _and_ sasl_mechs is not specified; only in that case, it restricts the
mechanisms to ANONYMOUS GSSAPI EXTERNAL, as these don't require credentials in
this way.
I tested that the patch works fine in all combinations "auth=yes/no" x "credentials
provided / not provided" x "/etc/sasl2/qpidd.conf restricted mech_list to ..".
The only thing I have _not_ verified is the GSSAPI mechanism.
> Specifying username/password in JMS clients should not be mandatory
> -------------------------------------------------------------------
>
> Key: QPID-3396
> URL: https://issues.apache.org/jira/browse/QPID-3396
> Project: Qpid
> Issue Type: Bug
> Components: Java Client
> Affects Versions: 0.18
> Reporter: Pavel Moravec
> Priority: Minor
> Attachments: CredentialsMandatory.java
>
>
> Description of problem:
> Section 3.2.2 of the Programming in Apache Qpid guide says that the
> username/password in the JNDI connection URL is optional:
> amqp://[<user>:<pass>@][<clientid>]<virtualhost>[?<option>='<value>'[&<option>='<value>']]
> However, skipping the [<user>:<pass>@] part in a URL leads to an exception being
> raised.
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. Set auth=no in /etc/qpidd.conf
> 2. Run connectionURLWithoutUserInfo in attached JUnit test
> Actual results:
> Exception raised:
> User information not found on url between indicies 7 and 1
> amqp://clientid/test?brokerlist='tcp://localhost:5672'
> ^
> at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:143)
> at org.apache.qpid.url.URLHelper.parseError(URLHelper.java:138)
> at org.apache.qpid.client.url.URLParser.parseURL(URLParser.java:111)
> at org.apache.qpid.client.url.URLParser.<init>(URLParser.java:42)
> at org.apache.qpid.client.AMQConnectionURL.<init>(AMQConnectionURL.java:63)
> at com.gs.mrg.eval.PLAIN_AuthenticationExample.connectionURLWithoutUserInfo(PLAIN_AuthenticationExample.java:109)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
> at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
> at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
> at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
> at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
> at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:274)
> at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:48)
> at org.junit.runners.ParentRunner$3.run(ParentRunner.java:242)
> at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:58)
> at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:240)
> at org.junit.runners.ParentRunner.access$000(ParentRunner.java:48)
> at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:233)
> at org.junit.runners.ParentRunner.run(ParentRunner.java:303)
> at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
> at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Expected results:
> No exception raised, the broker should authenticate the connection request.