[ https://issues.apache.org/jira/browse/QPID-6540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14541055#comment-14541055 ]
ASF subversion and git services commented on QPID-6540:
-------------------------------------------------------
Commit 1679124 from [~godfrer] in branch 'java/trunk'
[ https://svn.apache.org/r1679124 ]
QPID-6540 : add ability to disable mechanisms of an authentication provider
(patch from Lorenz Quack)
> Add ability to disable one or more of an authentication provider's mechanisms
> -----------------------------------------------------------------------------
>
> Key: QPID-6540
> URL: https://issues.apache.org/jira/browse/QPID-6540
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Affects Versions: 0.32
> Reporter: Lorenz Quack
> Fix For: 6.0 [Java]
>
> Attachments:
> 0001-QPID-6540-Java-Broker-Add-ability-to-disable-one-or-.patch
>
>
> Currently authentication providers such as the Scram Providers offer the
> client a choice to authenticate using mechanisms PLAIN or SCRAM_SHA. The
> former is already restricted to those using a secure transport.
> If a client chooses SCRAM_SHA, then the secret is the salted password (stored
> within Broker configuration) rather than the plain password itself.
> If an attacker has access to the salted password, then they can use it to
> log in via this mechanism.
> It would be good if an authentication provider had the ability to disable one
> or more mechanisms. Then an authentication provider such as SCRAM could be
> configured to accept only PLAIN (which would be accepted only over SSL),
> which would force the user to be in possession of the clear text password.
> A port should verify that the given authentication provider exposes at least
> one usable mechanism. That is, if a plain port is configured with an Auth
> Provider with only PLAIN, presumably, the Port should fail to start.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
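The issue text above asks for two things: per-provider disabling of mechanisms, and a start-up check that refuses a port whose provider would offer nothing usable over that port's transport (a plain TCP port paired with a PLAIN-only provider being the failing case). The following is an added model of that configuration logic, written for this page; it is not Qpid Java Broker code, and the class names, field names, helper functions and mechanism labels ("PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256") are assumptions, not the broker's configuration schema.

```python
"""Toy model of the QPID-6540 change: an authentication provider whose
mechanisms can be individually disabled, plus the port start-up check that
refuses a port whose provider offers no mechanism usable over its transport.
Added illustration only; not Qpid Java Broker code. Names are assumptions."""
from dataclasses import dataclass

# Mechanisms that carry the clear-text password and so may only be offered
# on a TLS-protected port (the issue notes PLAIN is already restricted).
SECURE_TRANSPORT_ONLY = frozenset({"PLAIN"})


@dataclass(frozen=True)
class AuthenticationProvider:
    name: str
    supported_mechanisms: frozenset
    disabled_mechanisms: frozenset = frozenset()

    def __post_init__(self):
        # Refuse a configuration that "disables" a mechanism the provider
        # never had; that is almost always a typo in the config.
        unknown = self.disabled_mechanisms - self.supported_mechanisms
        if unknown:
            raise ValueError(f"{self.name}: cannot disable unsupported {sorted(unknown)}")

    def enabled_mechanisms(self) -> frozenset:
        return self.supported_mechanisms - self.disabled_mechanisms

    def offered_mechanisms(self, transport_secure: bool) -> frozenset:
        """Mechanisms a client on the given transport is actually allowed to pick."""
        offered = self.enabled_mechanisms()
        if not transport_secure:
            offered = offered - SECURE_TRANSPORT_ONLY
        return offered


@dataclass(frozen=True)
class Port:
    name: str
    transport_secure: bool  # True for an SSL/TLS port, False for plain TCP
    provider: AuthenticationProvider

    def usable_mechanisms(self) -> frozenset:
        return self.provider.offered_mechanisms(self.transport_secure)

    def validate_on_start(self) -> None:
        """The check the issue asks for: fail start-up if nothing is usable."""
        if not self.usable_mechanisms():
            kind = "secure" if self.transport_secure else "plain"
            raise RuntimeError(
                f"port {self.name!r}: provider {self.provider.name!r} offers "
                f"no mechanism usable over a {kind} transport"
            )


def try_start(port: Port) -> tuple:
    """Return (started, usable_mechanisms_or_reason) for reporting."""
    try:
        port.validate_on_start()
    except RuntimeError as exc:
        return (False, str(exc))
    return (True, port.usable_mechanisms())


# Constructed sample configuration (not taken from any broker).
SCRAM_MECHANISMS = frozenset({"SCRAM-SHA-1", "SCRAM-SHA-256"})


def plain_only_scram_provider() -> AuthenticationProvider:
    """SCRAM-backed provider configured as the issue proposes: SCRAM disabled,
    so a client must present the clear-text password, and only over TLS."""
    return AuthenticationProvider(
        name="scram-users",
        supported_mechanisms=SCRAM_MECHANISMS | {"PLAIN"},
        disabled_mechanisms=SCRAM_MECHANISMS,
    )


if __name__ == "__main__":
    provider = plain_only_scram_provider()
    for port in (Port("amqps", True, provider), Port("amqp", False, provider)):
        print(port.name, try_start(port))
```

With SCRAM disabled, the TLS port starts and offers only PLAIN, while the plain TCP port is refused at start-up rather than silently offering no way to authenticate; a provider with nothing disabled still offers the SCRAM mechanisms on a plain port, which is the pre-change behaviour the issue wants to be able to turn off.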