[jboss-jira] [JBoss JIRA] (WFCORE-2615) Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration
Ondrej Lukas (JIRA)
issues at jboss.org
Mon Apr 10 05:09:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13391282#comment-13391282 ]
Ondrej Lukas commented on WFCORE-2615:
--------------------------------------
[~dmlloyd] Thanks for clarification.
We still think that the optimal solution is to provide this feature as a white-list. Other solutions can lead to confusion and can also mean more effort.
In case we decide to leave the current behavior in the application server, then we should consider renaming allow-sasl-mechanisms to something more descriptive. Instead of meaning "allow mechanisms" it should mean something like "try this mechanism even if the configuration does not include all needed attributes for this mechanism".
Moreover, if the current behavior will be part of the application server, then we have to provide clearer documentation in the management model (for the JBoss CLI read operation) and the XSD.
I agree with:
_"... the lack of an allowed set seems to mean all-allowed to some people and none-allowed to other people ..."_
but in the case when "allow-all" is provided and "forbid-all" does not exist, then I think it indirectly implies that the lack of an allowed set means none-allowed (otherwise "allow-all" is useless).
We should consider whether "forbid-all" would be useful - in combination with "allow-sasl-mechanisms" it provides a simple way to enable only specific SASL mechanisms. I understand that choosing a mechanism can be improved and there are no boundaries on "how" to improve it (e.g. as you said, excluding mechanisms that use certain crypto primitives could be such an improvement), but I think that providing "forbid-all" could really help during configuration.
[~dlofthouse] could you please share your point of view on this issue?
> Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration
> ----------------------------------------------------------------------------------
>
> Key: WFCORE-2615
> URL: https://issues.jboss.org/browse/WFCORE-2615
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta10
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Blocker
> Attachments: dep.war, wireshark.pcapng
>
>
> In the case when the attribute allow-sasl-mechanisms from the Elytron Authentication Configuration includes some SASL mechanisms, then this attribute (and the mechanisms configured there) is not taken into account when choosing a SASL mechanism. It means that the client tries to use all of the mechanisms allowed on the server side even if the client does not allow them. E.g. when the server side allows DIGEST-MD5 and JBOSS-LOCAL-USER and the client side allows PLAIN, then it tries to use the DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.
> See the log from wireshark in the attachments. This is the log for a server configured through "Steps to Reproduce".
> This also happens when using allow-sasl-mechanisms from the wildfly config and also for a programmatically configured client.
> We request blocker priority since it allows the use of some SASL mechanisms even if they are not allowed on the client side.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
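The two selection policies argued about in this thread, modelled side by side as an added example (not WildFly or Elytron code): the reported behaviour where allow-sasl-mechanisms is ignored, and the white-list semantics with a hypothetical "forbid-all" flag and an optional exclusion by crypto primitive. The config class, function names and the mechanism-to-primitive table are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed table (assumption for illustration): which hash/crypto primitive
# each well-known mechanism is built on, used for the "exclude primitives" idea.
MECHANISM_PRIMITIVES = {
    "DIGEST-MD5": {"MD5"},
    "PLAIN": set(),             # sends the password in clear, no hash involved
    "JBOSS-LOCAL-USER": set(),  # local file-system challenge, no hash involved
}


@dataclass
class ClientAuthConfig:
    """Hypothetical client-side authentication configuration."""
    allow_all: bool = False
    forbid_all: bool = False                      # proposed in the thread, not in the server
    allow_sasl_mechanisms: list = field(default_factory=list)
    excluded_primitives: set = field(default_factory=set)


def select_reported(config, offered):
    """Behaviour reported in WFCORE-2615: every mechanism the server offers is tried."""
    return list(offered)


def select_whitelist(config, offered):
    """White-list semantics: only mechanisms the client explicitly allows are tried."""
    if config.forbid_all and not config.allow_sasl_mechanisms:
        return []
    if config.allow_all and not config.forbid_all and not config.allow_sasl_mechanisms:
        candidates = list(offered)
    else:
        # A lack of an allowed set (and no allow-all) means none-allowed.
        candidates = [m for m in offered if m in config.allow_sasl_mechanisms]
    # Optional refinement from the thread: drop mechanisms using unwanted primitives.
    return [m for m in candidates
            if not (MECHANISM_PRIMITIVES.get(m, set()) & config.excluded_primitives)]


if __name__ == "__main__":
    # Constructed scenario from the bug report: server offers DIGEST-MD5 and
    # JBOSS-LOCAL-USER while the client only allows PLAIN.
    offered = ["DIGEST-MD5", "JBOSS-LOCAL-USER"]
    cfg = ClientAuthConfig(allow_sasl_mechanisms=["PLAIN"])
    print("reported :", select_reported(cfg, offered))   # both tried, despite the config
    print("whitelist:", select_whitelist(cfg, offered))  # nothing tried, as the reporter expects
```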