Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1283

Channel binding SASL mechanisms should be preferred by Elytron clients

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 1.1.0.CR3
    • None
    • None
    • None
    • Hide

      Allow SCRAM SASL mechanisms on server:

      <configurable-sasl-server-factory name="scram-facotry" sasl-server-factory="elytron">
    <filters>
        <filter pattern="SCRAM-*"/>
    </filters>
</configurable-sasl-server-factory>

      Also configure the SSL for remoting connection, so the PLUS mechanisms are supported.

      Allow SCRAM on client

      AuthenticationConfiguration.empty()
    .setSaslMechanismSelector(SaslMechanismSelector.fromString("#FAMILY(SCRAM)"))
    .useName("user1").usePassword("password1");

      and also configure trustManager to the AuthenticationContext.

      As a result the SCRAM-SHA-* is selected by the client, instead of SCRAM-SHA-*-PLUS

      Show
      Allow SCRAM SASL mechanisms on server: <configurable-sasl-server-factory name= "scram-facotry" sasl-server-factory= "elytron" > <filters> <filter pattern= "SCRAM-*" /> </filters> </configurable-sasl-server-factory> Also configure the SSL for remoting connection, so the PLUS mechanisms are supported. Allow SCRAM on client AuthenticationConfiguration.empty() .setSaslMechanismSelector(SaslMechanismSelector.fromString( "#FAMILY(SCRAM)" )) .useName( "user1" ).usePassword( "password1" ); and also configure trustManager to the AuthenticationContext. As a result the SCRAM-SHA-* is selected by the client, instead of SCRAM-SHA-*-PLUS

    Description

      The *-PLUS SASL mechanisms (i.e. variants with channel binding) should be preferred by Elytron over the non-plus ones.

      The channel binding RFC-5056 in section 2.1 states:

            *  If the authentication protocol used by the application supports
         channel binding, the application SHOULD use it.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12108 Channel binding SASL mechanisms should be preferred by Elytron clients

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              fjuma1@redhat.com Farah Juma
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: