[jboss-jira] [JBoss JIRA] (WFCORE-2615) Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration
David Lloyd (JIRA)
issues at jboss.org
Thu Apr 6 09:22:01 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13390196#comment-13390196 ]
David Lloyd commented on WFCORE-2615:
-------------------------------------
Also: "We see security risk here since attributes allow-sasl-mechanisms and allow-all-mechanisms can cause that user infers that all mechanisms are forbidden as default - based on principle of least privilege."
I happen to agree; in fact, originally, this is how this worked, but it caused failures due in part to the fact that the lack of an allowed set seems to mean all-allowed to some people and none-allowed to other people. Also there's the question of whether such a set implies order like a list or just acceptance like a set/filter. We definitely don't want to force people to have to opt in to individual mechanisms.
Also missing is (for example) any way to exclude mechanisms that use certain crypto primitives like MD4, MD5, or SHA-1 in addition to any way to establish client-side ordering, which would ideally be separate from inclusion criteria. Something like the openssl-style strings for TLS cipher suites, maybe (or maybe that's too big of a hammer for such a small nail).
> Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration
> ----------------------------------------------------------------------------------
>
> Key: WFCORE-2615
> URL: https://issues.jboss.org/browse/WFCORE-2615
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta10
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Blocker
> Attachments: dep.war, wireshark.pcapng
>
>
> When the attribute allow-sasl-mechanisms from the Elytron Authentication Configuration includes some SASL mechanisms, this attribute (and the mechanisms configured there) is not taken into account when choosing a SASL mechanism. It means that the client tries to use all of the mechanisms allowed on the server side even if the client does not allow them, e.g. in case the server side allows DIGEST-MD5 and JBOSS-LOCAL-USER and the client side allows PLAIN, it tries to use the DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.
> See the Wireshark log in the attachments. This is the log for a server configured through "Steps to Reproduce".
> This happens also when using allow-sasl-mechanisms from the wildfly config and also for a programmatically configured client.
> We request blocker since it allows using some SASL mechanisms even if they are not allowed on the client side.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
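As an added illustration (not Elytron code and not part of the JIRA thread), the following Python sketch shows the client-side selection the report expects: the server's offered mechanisms are intersected with the client's allow-list, an unset list is treated as "all allowed" (the current default the comment describes) while an explicit empty list allows nothing, the client's list order is used as preference order, and an optional exclusion set models the "no MD5-based mechanisms" idea floated in the comment. The `MD5_BASED` set and the function names are assumptions for this example.

```python
from typing import Iterable, List, Optional

# Mechanisms whose design relies on MD5 (constructed set for this example;
# the exclusion rule itself is only an idea raised in the comment above).
MD5_BASED = {"DIGEST-MD5", "CRAM-MD5"}


def select_mechanisms(server_offered: Iterable[str],
                      allowed: Optional[List[str]] = None,
                      excluded: Iterable[str] = ()) -> List[str]:
    """Return the mechanisms a client should try, in order of preference.

    server_offered: mechanisms the server advertised, in the server's order.
    allowed: client allow-list. None means "not configured", which the
             comment above says currently means every mechanism is allowed.
             An explicit list both filters AND orders (client preference),
             so an explicit empty list allows nothing.
    excluded: mechanisms to reject regardless of the allow-list.
    """
    offered = [m.upper() for m in server_offered]
    excluded_set = {m.upper() for m in excluded}
    if allowed is None:
        # Unconfigured: accept everything the server offers, server order.
        candidates = offered
    else:
        # Configured: only listed mechanisms, in the client's listed order.
        candidates = [m.upper() for m in allowed if m.upper() in offered]
    return [m for m in candidates if m not in excluded_set]


if __name__ == "__main__":
    # Scenario from the report: server offers DIGEST-MD5 and JBOSS-LOCAL-USER,
    # client allows only PLAIN. The bug tried both; the expected result is none.
    server = ["DIGEST-MD5", "JBOSS-LOCAL-USER"]
    print(select_mechanisms(server, ["PLAIN"]))
    # Client preference order wins over server order.
    print(select_mechanisms(["PLAIN", "DIGEST-MD5"], ["DIGEST-MD5", "PLAIN"]))
    # Unconfigured list plus a crypto-based exclusion set.
    print(select_mechanisms(server, None, excluded=MD5_BASED))
```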