Alex Rudyy created QPID-7282:
--------------------------------
Summary: Java Broker should always send server-final message (if
required) to the client on succesful SASL negotiation
Key: QPID-7282
URL: https://issues.apache.org/jira/browse/QPID-7282
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: qpid-java-6.0.3, qpid-java-6.0.2, qpid-java-6.0.1,
qpid-java-6.0, 0.32, 0.30, qpid-java-6.1
Reporter: Alex Rudyy
On Scram Sha SASL negotiation Broker does not send server-final challenge
(ServerSignature) with the following authentication providers:
* Simple (SimpleAuthenticationManager)
* Base64MD5PasswordFile (Base64MD5PasswordDatabaseAuthenticationManager)
* PlainPasswordFile (PlainPasswordDatabaseAuthenticationManager)
The sasl negotiation for Scram Sha SASL mechanisms should always include
sending of server-final message in order to give a chance to verify server
signature on a client as per [RFC
5802|https://tools.ietf.org/html/rfc5802#page-7]
{quote}
The client then authenticates the server by computing the
ServerSignature and comparing it to the value sent by the server. If
the two are different, the client MUST consider the authentication
exchange to be unsuccessful, and it might have to drop the
connection.
{quote}
We need to change all existing Authentication Provider to support sending of
final message
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
