[ 
https://issues.apache.org/jira/browse/QPID-6540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rob Godfrey resolved QPID-6540.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 6.0 [Java]

Applied patch from Lorenz with a few modifications

> Add ability to disable one or more of an authentication provider's mechanisms
> -----------------------------------------------------------------------------
>
>                 Key: QPID-6540
>                 URL: https://issues.apache.org/jira/browse/QPID-6540
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.32
>            Reporter: Lorenz Quack
>            Assignee: Rob Godfrey
>             Fix For: 6.0 [Java]
>
>         Attachments: 0001-QPID-6540-Java-Broker-Add-ability-to-disable-one-or-.patch
>
>
> Currently authentication providers such as the Scram Providers offer the 
> client a choice to authenticate using mechanisms PLAIN or SCRAM_SHA. The 
> former is already restricted to those using a secure transport.
> If a client chooses SCRAM_SHA, then the secret is the salted password (stored 
> within Broker configuration) rather than the plain password itself.
> If an attacker has access to the salted password, then they can use it to 
> login via this mechanism.
> It would be good if an authentication provider had the ability to disable one 
> or more mechanisms. Then an authentication provider such as SCRAM could be 
> configured to accept only PLAIN (which would be accepted only over SSL), 
> which would force the user to be in possession of the clear text password.
> A port should verify that the given authentication provider exposes at least 
> one usable mechanism. That is, if a plain port is configured with an Auth 
> Provider with only plain, presumably, the Port should fail to start.
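The two checks the issue asks for (an administrator can switch off individual mechanisms of a provider, and a port refuses to start when the provider, after disabling and after the secure-transport restriction, offers nothing a client could negotiate) modelled as a small stand-alone example. This is an added illustration written for this page, not code from the Qpid Java Broker or from the attached patch; the `AuthProvider`/`Port` classes, the function names and the rule that only `PLAIN` is restricted to secure transports are assumptions made for the example, and the mechanism names are the standard SASL spellings.

```python
"""Model of per-provider mechanism disabling plus port start-up validation.

Added example, not Qpid code: the types and function names are assumptions;
the behaviour follows the issue text (PLAIN only over a secure transport, a
port must expose at least one usable mechanism or fail to start).
"""
from dataclasses import dataclass

# Mechanisms that must never be offered on a plaintext listener
# (the issue: PLAIN "is already restricted to those using a secure transport").
SECURE_TRANSPORT_ONLY = frozenset({"PLAIN"})


@dataclass(frozen=True)
class AuthProvider:
    name: str
    mechanisms: frozenset            # mechanisms the provider implements
    disabled: frozenset = frozenset()  # mechanisms the administrator switched off

    def enabled_mechanisms(self):
        """Mechanisms left after the administrator's disable list is applied."""
        return self.mechanisms - self.disabled


@dataclass(frozen=True)
class Port:
    name: str
    secure: bool        # True when the listener terminates TLS
    provider: AuthProvider


def usable_mechanisms(port):
    """Mechanisms a client connecting to `port` may actually negotiate:
    provider mechanisms, minus disabled ones, minus secure-only ones on a
    plaintext port."""
    mechs = set(port.provider.enabled_mechanisms())
    if not port.secure:
        mechs -= SECURE_TRANSPORT_ONLY
    return frozenset(mechs)


def validate_port(port):
    """Start-up check: refuse to start a port with no negotiable mechanism.
    Returns the usable set so the caller can advertise it."""
    mechs = usable_mechanisms(port)
    if not mechs:
        raise ValueError(
            f"port {port.name!r}: authentication provider {port.provider.name!r} "
            f"exposes no usable mechanism (secure={port.secure}, "
            f"disabled={sorted(port.provider.disabled)})"
        )
    return mechs


def select_mechanism(port, client_choice):
    """Connection-time check: a mechanism the administrator disabled is refused
    even when the client names it explicitly, so the disable list cannot be
    bypassed by a client that ignores the advertised set."""
    if client_choice not in usable_mechanisms(port):
        raise PermissionError(
            f"mechanism {client_choice!r} is not available on port {port.name!r}"
        )
    return client_choice


if __name__ == "__main__":
    # Constructed configuration: a SCRAM provider with SCRAM switched off so that
    # only PLAIN (hence only the clear-text password, over TLS) is accepted.
    scram = AuthProvider(
        name="scram",
        mechanisms=frozenset({"PLAIN", "SCRAM-SHA-256"}),
        disabled=frozenset({"SCRAM-SHA-256"}),
    )
    print("amqps offers:", sorted(validate_port(Port("amqps", True, scram))))
    try:
        validate_port(Port("amqp", False, scram))
    except ValueError as err:
        print("amqp refused to start:", err)
```

Running the module prints the TLS port's advertised set (`['PLAIN']`) and the start-up error for the plaintext port, which is the "presumably, the Port should fail to start" case from the issue. Keeping `usable_mechanisms` as the single source of truth for both the start-up check and the connection-time selection is the design point: the disable list is enforced where the mechanism is chosen, not only where the list is advertised.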
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)