WildFly Elytron / ELY-1283

Channel binding SASL mechanisms should be preferred by Elytron clients

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR3
    • Component/s: None
    • Labels: None
    • Steps to Reproduce:

      Allow SCRAM SASL mechanisms on the server:

      <configurable-sasl-server-factory name="scram-facotry" sasl-server-factory="elytron">
          <filters>
              <filter pattern="SCRAM-*"/>
          </filters>
      </configurable-sasl-server-factory>
      

      Also configure SSL for the remoting connection, so that the PLUS mechanisms are supported.

      Allow SCRAM on the client:

      import org.wildfly.security.auth.client.AuthenticationConfiguration;
      import org.wildfly.security.sasl.SaslMechanismSelector;

      AuthenticationConfiguration config = AuthenticationConfiguration.empty()
          .setSaslMechanismSelector(SaslMechanismSelector.fromString("#FAMILY(SCRAM)"))
          .useName("user1").usePassword("password1");
      

      and also configure a trust manager in the AuthenticationContext.

      As a result, SCRAM-SHA-* is selected by the client instead of SCRAM-SHA-*-PLUS.


      Description

      The *-PLUS SASL mechanisms (i.e., the variants with channel binding) should be preferred by Elytron over the non-PLUS ones.

      RFC 5056 (channel bindings) states in section 2.1:

            *  If the authentication protocol used by the application supports
               channel binding, the application SHOULD use it.
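      The preference this issue asks for, as an added Python model of client-side mechanism ordering (this is not Elytron's SaslMechanismSelector; the offered mechanism lists and the hash ranking are constructed). Given the mechanisms a server offers and whether TLS channel binding data is available, the *-PLUS variant of a hash sorts ahead of its non-PLUS twin; when no channel binding is available the PLUS mechanisms are excluded rather than downgraded silently. It also shows the RFC 5802 gs2-cbind-flag the client sends, which is how a server can notice that a channel-binding-capable client was steered to a non-PLUS mechanism.

```python
# Added example for ELY-1283: client-side SASL mechanism ordering that
# prefers *-PLUS (channel binding) variants. Not Elytron's own selector.
from typing import Iterable, Optional

# Preference among SCRAM hash variants, strongest first (constructed ranking).
SCRAM_HASH_RANK = {"SHA-512": 0, "SHA-256": 1, "SHA-1": 2}


def family(mech: str) -> str:
    """Mechanism family, e.g. 'SCRAM' for 'SCRAM-SHA-256-PLUS' (models #FAMILY)."""
    return mech.split("-", 1)[0]


def is_plus(mech: str) -> bool:
    """True for channel-binding mechanisms such as SCRAM-SHA-256-PLUS."""
    return mech.endswith("-PLUS")


def hash_rank(mech: str) -> int:
    """Rank of the hash inside a SCRAM mechanism name; unknown/non-SCRAM last."""
    base = mech[:-len("-PLUS")] if is_plus(mech) else mech
    parts = base.split("-", 1)
    return SCRAM_HASH_RANK.get(parts[1], 99) if len(parts) == 2 else 99


def order_mechanisms(offered: Iterable[str], channel_binding_available: bool,
                     family_filter: Optional[str] = None) -> list:
    """Mechanisms the client may use, most preferred first.

    *-PLUS mechanisms are usable only when channel binding data exists;
    when it does, they rank ahead of the non-PLUS variant of the same hash.
    """
    usable = [m for m in offered
              if (family_filter is None or family(m) == family_filter)
              and (channel_binding_available or not is_plus(m))]
    # False sorts before True, so negating is_plus puts PLUS variants first.
    return sorted(usable, key=lambda m: (not is_plus(m), hash_rank(m)))


def gs2_cbind_flag(client_supports_cb: bool, selected: str,
                   cb_name: str = "tls-server-end-point") -> str:
    """RFC 5802 gs2-cbind-flag the client sends for the chosen mechanism.

    'p=<name>' binds the channel; 'y' says the client supports binding but
    saw no PLUS offer (lets the server detect a downgrade); 'n' means the
    client cannot bind at all.
    """
    if is_plus(selected):
        return f"p={cb_name}"
    return "y" if client_supports_cb else "n"
```

      With the reporter's setup (SSL on the remoting connection, `#FAMILY(SCRAM)` on the client) the first element of `order_mechanisms(offered, True, "SCRAM")` is the expected choice; the bug is that the client picked the non-PLUS entry instead.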
      

                People

                • Assignee: Farah Juma (fjuma)
                • Reporter: Josef Cacek (jcacek)