[
https://issues.jboss.org/browse/WFCORE-2615?page=com.atlassian.jira.plugi...
]
Ondrej Lukas commented on WFCORE-2615:
--------------------------------------
There is a lack of documentation, so we do not know how the final list of supported
mechanisms on the client side should be created.
The Javadoc for allow-sasl-mechanisms is:
_Create a new configuration which is the same as this configuration, but which explicitly
allows only the given named mechanisms. Any unlisted mechanisms will not be supported
unless the configuration supports it._
The XSD for allow-sasl-mechanisms says:
_List of SASL mechanisms to be used unless specifically forbidden._
[~dmlloyd] We have the following questions:
* Could you please provide us with information on how the final list of supported
mechanisms on the client side is created?
* What is "the configuration" in the last sentence of the Javadoc?
* If the definition is the same as you said in your previous comment, why does
authentication-configuration provide the attribute {{allow-all-mechanisms}}?
Attribute allow-sasl-mechanisms is ignored in Elytron Authentication
Configuration
----------------------------------------------------------------------------------
Key: WFCORE-2615
URL:
https://issues.jboss.org/browse/WFCORE-2615
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta10
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Blocker
Attachments: dep.war, wireshark.pcapng
In the case where the attribute allow-sasl-mechanisms from the Elytron Authentication
Configuration includes some SASL mechanisms, this attribute (and the mechanisms configured
there) is not taken into account when choosing the SASL mechanism. This means the client
tries to use all of the mechanisms allowed on the server side even if the client does not
allow them, e.g. when the server side allows DIGEST-MD5 and JBOSS-LOCAL-USER and the client
side allows PLAIN, the client tries to use the DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.
See the Wireshark log in the attachments. This is the log for the server configured as in
"Steps to Reproduce".
This also happens when using allow-sasl-mechanisms from the wildfly config and for a
programmatically configured client.
We request blocker since it allows some SASL mechanisms to be used even if they are not
allowed on the client side.
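The negotiation behaviour the report describes, as an added illustration that is not part of the issue and not Elytron's or WildFly's own code: a small model of client-side SASL mechanism selection with the reported behaviour (client policy ignored) next to the expected one (only mechanisms both offered by the server and permitted by the client are attempted). The policy fields `allow_all`, `allowed` and `forbidden` are assumed stand-ins for allow-all-mechanisms, allow-sasl-mechanisms and the "unless specifically forbidden" wording quoted from the XSD; keeping the server's preference order among permitted mechanisms is also an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class ClientSaslPolicy:
    """Client-side SASL policy. The field names are illustrative stand-ins (assumed, not
    Elytron's API) for allow-all-mechanisms, allow-sasl-mechanisms and a forbid list."""
    allow_all: bool = False
    allowed: FrozenSet[str] = frozenset()
    forbidden: FrozenSet[str] = frozenset()

    def permits(self, mechanism: str) -> bool:
        # A forbidden mechanism is never used, even under allow-all.
        if mechanism in self.forbidden:
            return False
        return self.allow_all or mechanism in self.allowed


def candidates_ignoring_policy(server_offered: Sequence[str],
                               policy: ClientSaslPolicy) -> List[str]:
    """The behaviour reported in the issue: the client attempts every mechanism the
    server advertises and its own allow list plays no part in the choice."""
    return list(server_offered)


def candidates(server_offered: Sequence[str], policy: ClientSaslPolicy) -> List[str]:
    """Expected behaviour: the client only attempts mechanisms that are both advertised
    by the server and permitted by its policy, keeping the server's preference order
    (ordering rule assumed for this illustration)."""
    return [m for m in server_offered if policy.permits(m)]


def negotiate(server_offered: Sequence[str], policy: ClientSaslPolicy) -> str:
    """Pick the mechanism to use, failing closed when nothing acceptable is offered."""
    chosen = candidates(server_offered, policy)
    if not chosen:
        raise ValueError("no SASL mechanism acceptable to the client; server offered %s"
                         % list(server_offered))
    return chosen[0]


if __name__ == "__main__":
    # Constructed scenario taken from the issue text: the server allows DIGEST-MD5 and
    # JBOSS-LOCAL-USER, the client allows only PLAIN.
    server = ["DIGEST-MD5", "JBOSS-LOCAL-USER"]
    client = ClientSaslPolicy(allowed=frozenset({"PLAIN"}))
    print("ignoring client policy:", candidates_ignoring_policy(server, client))
    print("honouring client policy:", candidates(server, client))
    try:
        negotiate(server, client)
    except ValueError as err:
        print("negotiation fails closed:", err)
```

The point of the filter is that the client's allow list is a policy control on the client side: whatever the server advertises, a mechanism outside that list must never be attempted, and an empty intersection should fail the connection rather than fall back to the server's choice.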
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)