Details
- Enhancement
- Resolution: Won't Do
- Minor
- None
- 7.1.0.ER2
Description
The handling of non-PLUS vs. PLUS Elytron SASL mechanisms has to be documented as there are some caveats in the usage. (Details are discussed in JIRAs JBEAP-11396 and its follow-up JBEAP-12231.)
Some of the Elytron SASL mechanisms have a variant with channel binding (their names then end with "-PLUS"). E.g. for the SCRAM-SHA-1 mechanism there also exists the SCRAM-SHA-1-PLUS mechanism.
Example scenario of the problematic behavior (in 7.1.0.ER2):
- Server administrator configures support for the SCRAM-SHA-1 SASL mechanism in Elytron
- Elytron Client (e.g. management client) sets support for SCRAM-SHA-1 too
This configuration works nicely when an SSL context is not used for the remoting connection.
This configuration doesn't work when an SSL context is used for the remoting connection.
Issue Links
- blocks
  - JBEAP-7694 [DOC RFE] Provide a set of SASL authentication mechanisms (Closed)
- is related to
  - JBEAP-11396 Elytron - *-PLUS SASL mechanisms don't work - part of channel binding integration seems to be missing (Verified)
  - JBEAP-12231 Handle properly non-PLUS Elytron SASL mechanisms when SSL context is used (i.e. channel binding is possible) (Verified)