[
https://issues.apache.org/jira/browse/QPID-7198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15395289#comment-15395289
]
Lorenz Quack commented on QPID-7198:
------------------------------------
Keith, after reflection I did some more changes:
* I moved the caching logic into a class of its own
({{AuthenticationResultCacher}})and got rid of {{CryptoUtil}}.
* I added the remote address of the ConnectionPrincipal into the hash so that
a second authentication result with the same credentials but a different remote
IP will not hit the cache.
* I applied multiple (4096 by default) rounds of hashing to make a brute force
attack a bit more difficult. Note that after discussion with Rob we felt it was
not necessary to add Salt to the hash for the following reasons:
** The cache should never be exposed and if an attacker has access to the
memory they can intercept the password much easier.
** A Salt would only really work with LDAP where it can be associated with the
username but would not work with OAuth2 where all we have is a access_token
* I merged your error handling simplification into the new code.
* I updated the documentation you introduced.
> LDAP and OAUTH2 Authentication Providers should cache authentication results
> for a short period
> -----------------------------------------------------------------------------------------------
>
> Key: QPID-7198
> URL: https://issues.apache.org/jira/browse/QPID-7198
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Assignee: Lorenz Quack
> Fix For: qpid-java-6.1
>
> Attachments:
> 0001-QPID-7198-Java-Broker-WIP-Make-LDAP-and-OAUTH2-Authe.patch
>
>
> The OAUTH2 and LDAP authentication providers should be changed to cache
> authentication results for a short (configurable) period. If the same
> authentication provider receives the same credentials again (i.e. matching
> username and password in the case of LDAP), it should reuse the cached
> authentication result. The cached authentication result should expire
> automatically. Negative authentication results should be cached too.
> This will serve to reduce load on authentication backends (such as
> Directories). It will be especially useful when the REST API to used for
> programmatically monitoring the Broker which otherwise may create an
> excessive load on the backend.
> The authentication provider must not retain the user passwords in clear. The
> size of the cache should be constrained.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
