WildFly Elytron
ELY-1283

Channel binding SASL mechanisms should be preferred by Elytron clients


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Version: 1.1.0.CR3

      Allow SCRAM SASL mechanisms on the server:

      <configurable-sasl-server-factory name="scram-factory" sasl-server-factory="elytron">
          <filters>
              <filter pattern="SCRAM-*"/>
          </filters>
      </configurable-sasl-server-factory>

      Also configure SSL for the remoting connection, so that the PLUS mechanisms are supported.

      Allow SCRAM on the client:

      AuthenticationConfiguration.empty()
          .setSaslMechanismSelector(SaslMechanismSelector.fromString("#FAMILY(SCRAM)"))
          .useName("user1").usePassword("password1");

      and also configure a trustManager for the AuthenticationContext.

      As a result, SCRAM-SHA-* is selected by the client instead of SCRAM-SHA-*-PLUS.


      The *-PLUS SASL mechanisms (i.e. variants with channel binding) should be preferred by Elytron over the non-plus ones.

      RFC 5056 (on the use of channel bindings), section 2.1, states:

            *  If the authentication protocol used by the application supports
               channel binding, the application SHOULD use it.
      
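      The selection rule this issue asks for, as an added illustration that is not Elytron's own code: given the mechanisms a server offers, a channel-binding ("-PLUS") variant of the SCRAM family is ranked above the plain variant whenever the client can actually bind to the TLS channel, and is excluded entirely when it cannot. The hash-strength tie-break order and the class name are assumptions of this example.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Added example, not Elytron code: prefers "-PLUS" (channel-binding) SCRAM
// mechanisms over their non-PLUS counterparts when channel binding is available.
public final class PlusPreferringSelector {

    // Assumed tie-break order within the SCRAM family: stronger hash first.
    private static final List<String> HASH_ORDER = List.of("SHA-512", "SHA-384", "SHA-256", "SHA-1");

    private PlusPreferringSelector() {}

    /** Score for one offered mechanism; higher wins, negative means unusable. */
    static int score(String mech, boolean channelBindingAvailable) {
        boolean plus = mech.endsWith("-PLUS");
        if (plus && !channelBindingAvailable) {
            return -1; // cannot produce channel-binding data, so the PLUS variant is unusable
        }
        String base = plus ? mech.substring(0, mech.length() - "-PLUS".length()) : mech;
        if (!base.startsWith("SCRAM-")) {
            return -1; // outside the SCRAM family the client asked for
        }
        int hashRank = HASH_ORDER.indexOf(base.substring("SCRAM-".length()));
        if (hashRank < 0) {
            return -1; // unknown hash, do not negotiate it
        }
        int strength = HASH_ORDER.size() - hashRank; // 1 (SHA-1) .. 4 (SHA-512)
        // Any PLUS variant outranks every non-PLUS variant; hash strength breaks ties.
        return plus ? 10 + strength : strength;
    }

    /** Picks the best usable SCRAM mechanism from the server's list, or empty if none fits. */
    public static Optional<String> select(List<String> offered, boolean channelBindingAvailable) {
        return offered.stream()
                .filter(m -> score(m, channelBindingAvailable) >= 0)
                .max(Comparator.comparingInt(m -> score(m, channelBindingAvailable)));
    }

    public static void main(String[] args) {
        // Constructed server offer, in the order the server happened to list it.
        List<String> offered = List.of("SCRAM-SHA-1", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS",
                "SCRAM-SHA-1-PLUS", "PLAIN");
        System.out.println(select(offered, true));  // channel binding available: SCRAM-SHA-256-PLUS
        System.out.println(select(offered, false)); // no channel binding: SCRAM-SHA-256
    }
}
```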

              Assignee: Farah Juma
              Reporter: Josef Cacek