Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2015/05/13 01:58:00 UTC

[jira] [Assigned] (QPID-6540) Add ability to disable one or more of an authentication provider's mechanisms

     [ https://issues.apache.org/jira/browse/QPID-6540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rob Godfrey reassigned QPID-6540:
---------------------------------

    Assignee: Rob Godfrey

> Add ability to disable one or more of an authentication provider's mechanisms
> -----------------------------------------------------------------------------
>
>                 Key: QPID-6540
>                 URL: https://issues.apache.org/jira/browse/QPID-6540
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.32
>            Reporter: Lorenz Quack
>            Assignee: Rob Godfrey
>             Fix For: 6.0 [Java]
>
>         Attachments: 0001-QPID-6540-Java-Broker-Add-ability-to-disable-one-or-.patch
>
>
> Currently authentication providers such as the SCRAM providers offer the client a choice to authenticate using mechanisms PLAIN or SCRAM_SHA. The former is already restricted to those using a secure transport.
> If a client chooses SCRAM_SHA, then the secret is the salted password (stored within Broker configuration) rather than the plain password itself.
> If an attacker has access to the salted password, then they can use it to login via this mechanism.
> It would be good if an authentication provider had the ability to disable one or more mechanisms. Then an authentication provider such as SCRAM could be configured to accept only PLAIN (which would be accepted only over SSL), which would force the user to be in possession of the clear text password.
> A port should verify that the given authentication provider exposes at least one usable mechanism. That is, if a plain port is configured with an Auth Provider with only plain, presumably, the Port should fail to start.



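The port startup check described in the last paragraph of the issue, modelled as an added example (this is not Qpid's code; the `AuthProvider` class, the `SECURE_TRANSPORT_ONLY` set and the mechanism names `SCRAM-SHA-1`/`SCRAM-SHA-256` are assumptions taken from the issue text and the SASL mechanism registry):

```python
from dataclasses import dataclass

# Mechanisms the broker permits only on a TLS-protected port; the issue states
# that PLAIN is "already restricted to those using a secure transport".
SECURE_TRANSPORT_ONLY = frozenset({"PLAIN"})


@dataclass(frozen=True)
class AuthProvider:
    """Hypothetical model of an authentication provider (not a Qpid class)."""
    name: str
    mechanisms: frozenset            # every mechanism the provider implements
    disabled: frozenset = frozenset()  # operator-disabled mechanisms (the requested feature)

    def enabled_mechanisms(self):
        unknown = self.disabled - self.mechanisms
        if unknown:  # reject a typo in the disable list instead of silently ignoring it
            raise ValueError(f"{self.name}: cannot disable unknown mechanisms {sorted(unknown)}")
        return self.mechanisms - self.disabled


def usable_mechanisms(provider, secure_transport):
    """Mechanisms a client can actually complete on this port's transport."""
    enabled = provider.enabled_mechanisms()
    return enabled if secure_transport else enabled - SECURE_TRANSPORT_ONLY


def validate_port(port_name, provider, secure_transport):
    """Startup check: a port whose provider offers no usable mechanism must not start."""
    usable = usable_mechanisms(provider, secure_transport)
    if not usable:
        transport = "TLS" if secure_transport else "plain"
        raise RuntimeError(f"port {port_name}: provider {provider.name} exposes no "
                           f"mechanism usable over a {transport} transport")
    return sorted(usable)


if __name__ == "__main__":
    # Constructed sample configuration: a SCRAM provider with its SCRAM mechanisms
    # disabled, so only PLAIN remains and a client must hold the cleartext password
    # rather than the salted password stored in the broker configuration.
    plain_only = AuthProvider("scram", frozenset({"PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256"}),
                              disabled=frozenset({"SCRAM-SHA-1", "SCRAM-SHA-256"}))
    print(validate_port("amqps", plain_only, secure_transport=True))   # ['PLAIN']
    try:
        validate_port("amqp", plain_only, secure_transport=False)      # no usable mechanism
    except RuntimeError as err:
        print(err)
```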
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org