[ 
https://issues.apache.org/jira/browse/QPID-5922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14073104#comment-14073104
 ] 

Rob Godfrey commented on QPID-5922:
-----------------------------------

Add the following attribute definition to AuthenticationProvider:

{code}
@ManagedAttribute( defaultValue = "[ \"PLAIN\" ]")
List<String> getSecureOnlyMechanisms();
{code}

And then ensure that all mechanisms in this list are excluded from the offered 
mechanisms when authentication is attempted.

Ensure that attempts to use mechanisms other than those offered always result 
in an error.

Remove the AMQPLAIN mechanism (which simply duplicates the effective 
functionality of PLAIN for historical reasons).

Add PLAIN as a mechanism to the SCRAM-* and MD5 hash authentication providers to 
allow clients who do not implement the more complex SASL mechanisms to 
authenticate if they can establish a secure channel.

> [Java Broker] By default restrict the use of PLAIN authentication to secure 
> channels
> ------------------------------------------------------------------------------------
>
>                 Key: QPID-5922
>                 URL: https://issues.apache.org/jira/browse/QPID-5922
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>             Fix For: 0.29
>
>
> PLAIN authentication sends passwords in the clear - in general this should 
> not be used over communication channels which are not themselves encrypted.
> For any given authentication provider we should allow the user to set the 
> subset of SASL mechanisms which should not be offered if the attempt to 
> authenticate is not occurring on a secure channel.
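The filtering the comment describes, as an added illustration that is not Qpid broker code: the class and method names, and the list of supported mechanisms, are assumptions; only the attribute name and its default of [ "PLAIN" ] come from the issue.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration of the proposed behaviour; not Qpid broker code.
// Class and method names here are assumptions, not the broker's own API.
public final class SaslMechanismFilter {

    // Mechanisms the provider can handle (provider-specific; assumed list).
    private final List<String> supportedMechanisms;
    // Value of the proposed getSecureOnlyMechanisms() attribute; default [ "PLAIN" ].
    private final Set<String> secureOnlyMechanisms;

    public SaslMechanismFilter(List<String> supportedMechanisms, List<String> secureOnlyMechanisms) {
        this.supportedMechanisms = List.copyOf(supportedMechanisms);
        this.secureOnlyMechanisms = Set.copyOf(secureOnlyMechanisms);
    }

    // Mechanisms to advertise to a client: everything the provider supports,
    // minus the secure-only ones when the connection is not encrypted.
    public List<String> offeredMechanisms(boolean secureChannel) {
        List<String> offered = new ArrayList<>();
        for (String mech : supportedMechanisms) {
            if (secureChannel || !secureOnlyMechanisms.contains(mech)) {
                offered.add(mech);
            }
        }
        return offered;
    }

    // Selecting a mechanism that was not offered is always an error, so a
    // plaintext client cannot fall back to PLAIN by ignoring the offered list.
    public String selectMechanism(String requested, boolean secureChannel) {
        if (!offeredMechanisms(secureChannel).contains(requested)) {
            throw new IllegalArgumentException("Mechanism not offered on this channel: " + requested);
        }
        return requested;
    }

    public static void main(String[] args) {
        SaslMechanismFilter filter = new SaslMechanismFilter(
                List.of("SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN"), List.of("PLAIN"));
        // Over TLS all three are offered; over plaintext PLAIN is withheld.
        System.out.println("TLS      : " + filter.offeredMechanisms(true));
        System.out.println("plaintext: " + filter.offeredMechanisms(false));
        try {
            filter.selectMechanism("PLAIN", false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected : " + e.getMessage());
        }
    }
}
```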



--
This message was sent by Atlassian JIRA
(v6.2#6252)
