Lorenz Quack created QPID-6540:
----------------------------------
Summary: Add ability to disable one or more of an authentication
provider's mechanisms
Key: QPID-6540
URL: https://issues.apache.org/jira/browse/QPID-6540
Project: Qpid
Issue Type: Improvement
Components: Java Broker
Affects Versions: 0.32
Reporter: Lorenz Quack
Currently authentication providers such as the SCRAM providers offer the client a choice to authenticate using mechanisms PLAIN or SCRAM_SHA. The former is already restricted to those using a secure transport.

If a client chooses SCRAM_SHA, then the secret is the salted password (stored within Broker configuration) rather than the plain password itself. If an attacker has access to the salted password, then they can use it to login via this mechanism.

It would be good if an authentication provider had the ability to disable one or more mechanisms. Then an authentication provider such as SCRAM could be configured to accept only PLAIN (which would be accepted only over SSL), which would force the user to be in possession of the clear text password.

A port should verify that the given authentication provider exposes at least one usable mechanism. That is, if a plain port is configured with an Auth Provider with only PLAIN, presumably, the Port should fail to start.
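The two points in the report, modelled as an added example (not Qpid Broker code and not the reporter's): first, the RFC 5802 SCRAM computation, which shows that the server's stored material is derived from SaltedPassword and that a client holding SaltedPassword alone can produce a valid proof, which is why the stored secret is as sensitive as the password; second, the port-startup check the ticket asks for, where a mechanism list minus a disabled set is filtered by whether the port is TLS. The mechanism names, the `AuthProvider` class, the use of SHA-256 as the SCRAM hash, the `SECURE_ONLY` set and all sample values are assumptions made for the example.

```python
import hashlib
import hmac

# ---- Part 1: SCRAM (RFC 5802) with SHA-256 as the hash; hypothetical helper code ----

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi(password, salt, i) from RFC 5802 is PBKDF2-HMAC with one output block."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def stored_key_for(salted_pw: bytes) -> bytes:
    """What the broker keeps: H(ClientKey). Recomputable from SaltedPassword."""
    client_key = hmac.new(salted_pw, b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()

def client_proof(salted_pw: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Note the input is SaltedPassword, not the clear-text password."""
    client_key = hmac.new(salted_pw, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verifies(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

# Constructed sample credential; a real broker stores salt, iteration count and keys.
SALT = b"constructed-salt-0123"
ITERATIONS = 4096
SALTED_PW = salted_password("correct horse battery staple", SALT, ITERATIONS)
STORED_KEY = stored_key_for(SALTED_PW)
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnonce+snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce+snonce"

def proof_from_salted_password_is_accepted() -> bool:
    """The point of the ticket: SaltedPassword suffices to authenticate."""
    return server_verifies(STORED_KEY, AUTH_MESSAGE, client_proof(SALTED_PW, AUTH_MESSAGE))

def proof_from_wrong_secret_is_rejected() -> bool:
    wrong = salted_password("wrong password", SALT, ITERATIONS)
    return not server_verifies(STORED_KEY, AUTH_MESSAGE, client_proof(wrong, AUTH_MESSAGE))

# ---- Part 2: the port-startup check requested in the ticket (hypothetical model) ----

# Mechanisms that carry the clear-text secret and so are offered only over TLS.
SECURE_ONLY = {"PLAIN"}

class AuthProvider:
    def __init__(self, name: str, mechanisms: list, disabled: set = frozenset()):
        self.name = name
        self.mechanisms = list(mechanisms)
        self.disabled = set(disabled)

    def enabled_mechanisms(self) -> list:
        return [m for m in self.mechanisms if m not in self.disabled]

def usable_mechanisms(provider: AuthProvider, port_is_tls: bool) -> list:
    """Mechanisms a client on this port could actually use."""
    return [m for m in provider.enabled_mechanisms()
            if port_is_tls or m not in SECURE_ONLY]

def validate_port(provider: AuthProvider, port_is_tls: bool) -> list:
    """Fail port start-up when no mechanism is usable, as the ticket proposes."""
    usable = usable_mechanisms(provider, port_is_tls)
    if not usable:
        raise ValueError(
            f"auth provider {provider.name!r} exposes no usable mechanism on a "
            f"{'TLS' if port_is_tls else 'plain'} port (enabled: {provider.enabled_mechanisms()})")
    return usable

if __name__ == "__main__":
    scram_plain_only = AuthProvider("scram", ["PLAIN", "SCRAM-SHA-256"], disabled={"SCRAM-SHA-256"})
    print("salted-password proof accepted:", proof_from_salted_password_is_accepted())
    print("usable on TLS port:", validate_port(scram_plain_only, port_is_tls=True))
    try:
        validate_port(scram_plain_only, port_is_tls=False)
    except ValueError as err:
        print("plain port refused:", err)
```

With SCRAM-SHA-256 disabled, the provider is usable only on a TLS port, so a clear-text password is required to log in and the stored salted password alone no longer suffices; a plain port paired with that provider fails validation instead of silently offering nothing.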
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)