You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "James Flemer (JIRA)" <ji...@apache.org> on 2015/03/04 23:01:39 UTC
[jira] [Commented] (QPID-5922) [Java Broker] By default restrict
the use of PLAIN authentication to secure channels
[ https://issues.apache.org/jira/browse/QPID-5922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14347643#comment-14347643 ]
James Flemer commented on QPID-5922:
------------------------------------
Awww... this makes "demo mode" much more work. As a note ... RabbitMQ only supports PLAIN and AMQPLAIN (https://www.rabbitmq.com/authentication.html). This "fix" means that RabbitMQ and Qpid interoperability is broken except over SSL.
Maybe a user who knows what they really want should be able to set some property or config option to allow insecure authentication.
> [Java Broker] By default restrict the use of PLAIN authentication to secure channels
> ------------------------------------------------------------------------------------
>
> Key: QPID-5922
> URL: https://issues.apache.org/jira/browse/QPID-5922
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Rob Godfrey
> Assignee: Rob Godfrey
> Fix For: 0.29
>
>
> PLAIN authentication sends passwords in the clear - in general this should not be used over communication channels which are not themselves encrypted.
> For any given authentication provider we should allow the user to set the subset of SASL mechanisms which should not be offered if the attempt to authenticate is not occurring on a secure channel.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org