[ https://issues.apache.org/jira/browse/QPIDJMS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16085885#comment-16085885 ]

ASF GitHub Bot commented on QPIDJMS-294:
----------------------------------------

GitHub user k-wall opened a pull request:

    https://github.com/apache/qpid-jms/pull/9

    QPIDJMS-294: Ensure that SASL mechanism has completed before allowing authentication to complete successfully
    
    This change allows the SCRAM mechanisms to ensure that the server final message is verified correctly.

    The lack of unit tests around AmqpSaslAuthenticator is bothersome. To address this, I am thinking of extracting a SaslMechanismFinder, allowing a mock (and a mock Mechanism) to be substituted for unit testing purposes. This would allow simple mock-based tests to be written for AmqpSaslAuthenticator and the interactions with both Proton and Mechanism verified, including the new verifyComplete path. Comments welcome.

    This change would be breaking for users of Qpid Broker J < 6.0.4 using SCRAM SHA authentication, but simple workarounds are available (upgrading to a bug-fix release or a simple configuration change to use a different SASL mech).


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/k-wall/qpid-jms master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-jms/pull/9.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #9
    
----


> The SCRAM-SHA-* SASL mechanisms should verify the server final message if it 
> is sent in the additional-data field of sasl-outcome
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPIDJMS-294
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-294
>             Project: Qpid JMS
>          Issue Type: Bug
>            Reporter: Rob Godfrey
>
> Currently the client will only verify the server final message if it is sent 
> as an extra challenge in the sasl exchange.
> The client should also verify if the server final message is sent as 
> additional-data on the sasl outcome (which is really the way this should 
> always be sent).
> In order to do this, PROTON-1486 will need fixing.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
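The exchange the issue and the pull request describe, as an added example (Python, written for this page; it is not code from Qpid JMS, Proton or the Qpid Broker). A SCRAM-SHA-256 client and server carry the full RFC 5802 / RFC 7677 computation, and the SASL frames are modelled as plain tuples standing in for AMQP sasl-challenge and sasl-outcome. The server can deliver server-final either as an extra challenge or as additional-data on the outcome, and the client verifies it in both cases; a server that returns an ok outcome without ever sending server-final is rejected, which is the "mechanism has completed" gate the pull request adds. The user name, password, salt, nonces and the names ScramClient, ScramServer, authenticate and run are all constructed for the example.

```python
# Added example (not Qpid JMS or Proton code): a SCRAM-SHA-256 exchange in which the
# client verifies server-final whether it arrives as a challenge or as outcome additional-data.
import base64
import hashlib
import hmac

ITERATIONS = 4096  # RFC 7677 minimum; constructed demo value

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _attrs(msg: bytes) -> dict:
    # "k=v,k=v"; split on the first '=' only, since base64 values end in '=' padding
    return dict(kv.split("=", 1) for kv in msg.decode().split(","))

class ScramClient:  # client side of RFC 5802 / RFC 7677, no channel binding
    def __init__(self, user: str, password: str, cnonce: str):
        self.user, self.password, self.cnonce = user, password, cnonce
        self.server_signature, self.complete = None, False  # complete flips only after server-final verifies

    def first_message(self) -> bytes:
        self.client_first_bare = f"n={self.user},r={self.cnonce}"
        return ("n,," + self.client_first_bare).encode()

    def final_message(self, server_first: bytes) -> bytes:
        a = _attrs(server_first)
        if not a["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(), base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        stored_key = hashlib.sha256(client_key).digest()
        final_no_proof = f"c=biws,r={a['r']}"
        auth_message = ",".join([self.client_first_bare, server_first.decode(), final_no_proof]).encode()
        proof = bytes(x ^ y for x, y in zip(client_key, _hmac(stored_key, auth_message)))
        # What a server that really knows the password must send back as server-final.
        self.server_signature = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{final_no_proof},p={base64.b64encode(proof).decode()}".encode()

    def verify_server_final(self, data: bytes) -> None:
        # Same check regardless of which SASL frame carried the server-final.
        a = _attrs(data)
        if "e" in a:
            raise PermissionError(f"server error: {a['e']}")
        if not hmac.compare_digest(base64.b64decode(a["v"]), self.server_signature):
            raise PermissionError("server signature mismatch: server does not know the password")
        self.complete = True

class ScramServer:  # style: 'challenge' (extra challenge), 'outcome' (additional-data), 'omit' (never sent)
    def __init__(self, password: str, salt: bytes, snonce: str, style: str, verify_proof: bool = True):
        self.salt, self.snonce, self.style, self.verify_proof, self.stage = salt, snonce, style, verify_proof, 0
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()  # what a real server stores
        self.server_key = _hmac(salted, b"Server Key")

    def handle(self, response: bytes):
        # Returns ('challenge', bytes) or ('outcome', sasl-code, additional-data).
        self.stage += 1
        if self.stage == 1:  # client-first; the 'n,,' gs2 header is stripped (no channel binding)
            self.client_first_bare = response.decode()[3:]
            self.server_first = f"r={_attrs(response[3:])['r']}{self.snonce},s={base64.b64encode(self.salt).decode()},i={ITERATIONS}"
            return ("challenge", self.server_first.encode())
        if self.stage == 2:  # client-final carrying the proof
            final_no_proof, proof_b64 = response.decode().rsplit(",p=", 1)
            auth_message = ",".join([self.client_first_bare, self.server_first, final_no_proof]).encode()
            client_key = bytes(x ^ y for x, y in zip(base64.b64decode(proof_b64), _hmac(self.stored_key, auth_message)))
            if self.verify_proof and not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
                return ("outcome", 1, b"e=invalid-proof")  # sasl-code 1: authentication failure
            server_final = b"v=" + base64.b64encode(_hmac(self.server_key, auth_message))
            if self.style == "challenge":
                return ("challenge", server_final)
            return ("outcome", 0, server_final if self.style == "outcome" else None)
        return ("outcome", 0, None)  # after the client's empty response to the final challenge

def authenticate(client: ScramClient, server: ScramServer) -> str:
    frame = server.handle(client.first_message())          # sasl-init
    frame = server.handle(client.final_message(frame[1]))  # sasl-response carrying the proof
    while frame[0] == "challenge":                         # server-final delivered as an extra challenge
        client.verify_server_final(frame[1])
        frame = server.handle(b"")                         # empty sasl-response
    _, code, additional = frame
    if code != 0:
        return "server-rejected"
    if additional:                                         # server-final delivered as outcome additional-data
        client.verify_server_final(additional)
    if not client.complete:                                # ok outcome without a verified server-final is a failure
        raise PermissionError("outcome ok but SCRAM never completed: server never proved the password")
    return "authenticated"

def run(style: str, client_password="correct horse", server_password="correct horse", verify_proof=True) -> str:
    client = ScramClient("alice", client_password, "cnonce-constructed-0001")  # constructed identities
    server = ScramServer(server_password, b"constructed-salt", "snonce-constructed-0002", style, verify_proof)
    try:
        return authenticate(client, server)
    except PermissionError as e:
        return f"client-rejected: {e}"
```

Calling run("challenge") and run("outcome") both authenticate; run("omit") is rejected by the client even though the server said ok, and a server given verify_proof=False with a guessed password (an impostor that skips checking the client proof and fabricates v=) fails the signature comparison. A client that only verified server-final when it came as a challenge would have accepted both of those impostors.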
