[ https://issues.apache.org/jira/browse/QPIDJMS-150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15155746#comment-15155746 ]
Robbie Gemmell commented on QPIDJMS-150:
----------------------------------------
I skimmed the patch *very* quickly (will take a closer look when I'm at less
risk of sneezing everywhere :(), the only things that stuck out doing that
were: possibly use comment instead of javadoc for the licence header, and it
could do with some tests (I'm guessing maybe some source material suffers
a similar issue? ;) ), given they will be by far the most complicated of the
supported mechs but also among the highest priority. SaslIntegrationTest has
some brokerless SASL tests using the full client, but other than verifying when
the mechs get selected, pure unit tests of the mechs might be a lot easier in
this case.
> Scram SHA SASL support for authentication
> -----------------------------------------
>
> Key: QPIDJMS-150
> URL: https://issues.apache.org/jira/browse/QPIDJMS-150
> Project: Qpid JMS
> Issue Type: Improvement
> Components: qpid-jms-client
> Reporter: Keith Wall
> Attachments: 0001-QPIDJMS-150-Support-for-SASL-SCRAM-SHA1-256.patch
>
>
> The SCRAM SHA-1 and 256 SASL mechanisms https://tools.ietf.org/html/rfc5802
> offer better security than older SASL implementations. In particular the
> authentication information stored in the authentication database is not
> sufficient to impersonate the client if the database were to be stolen.
> (The Java Broker already supports these mechanisms. The intention is to
> switch to recommend SCRAM instead of CRAM-MD5 shortly. One barrier to making
> this switch is the absence of support in the client).
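
The property stated in the issue description (the stored authentication data is not enough to impersonate the client) and the kind of pure unit test of a mechanism suggested in the comment, as an added example that is not part of the original message or of the attached patch. It replays the SCRAM-SHA-1 exchange from RFC 5802 section 5; all function names are hypothetical, and SASLprep is skipped because the sample password is ASCII.

```python
import base64
import hashlib
import hmac

# Exchange from RFC 5802 section 5 (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()
SALT, ITERATIONS = base64.b64decode("QSXCR+Q6sek8bf92"), 4096

def b64(data):
    return base64.b64encode(data).decode()

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _client_key(password):
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF and one hash-length block.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), SALT, ITERATIONS)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")

def server_record(password):
    """What the authentication database holds: (StoredKey, ServerKey)."""
    client_key, server_key = _client_key(password)
    return hashlib.sha1(client_key).digest(), server_key

def client_proof(password):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, _ = _client_key(password)
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, _hmac(stored_key, AUTH_MESSAGE))

def server_verifies(stored_key, proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey)."""
    recovered = _xor(proof, _hmac(stored_key, AUTH_MESSAGE))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)

def server_signature(server_key):
    return _hmac(server_key, AUTH_MESSAGE)

def proof_without_client_key(stored_key):
    """Negative case: a proof built from StoredKey alone, with no ClientKey."""
    return _xor(stored_key, _hmac(stored_key, AUTH_MESSAGE))
```

The proof and server signature match the `p=` and `v=` values published in the RFC, while a proof built only from the stored record fails verification because the server hashes the recovered key before comparing.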