- Enhancement
- Resolution: Won't Do
- Minor
- None
- 7.1.0.ER2
The handling of non-PLUS vs. PLUS Elytron SASL mechanisms has to be documented, as there are some caveats in their usage. (Details are discussed in JIRA JBEAP-11396 and its follow-up JBEAP-12231.)
Some of the Elytron SASL mechanisms have a variant with channel binding (their names then end with "-PLUS"). E.g. for the SCRAM-SHA-1 mechanism there is also a SCRAM-SHA-1-PLUS mechanism.
Example scenario of the problematic behavior (in 7.1.0.ER2):
- Server administrator configures support for the SCRAM-SHA-1 SASL mechanism in Elytron
- Elytron Client (e.g. management client) sets support for SCRAM-SHA-1 too
This configuration works nicely when an SSL context is not used for the remoting connection.
This configuration doesn't work when an SSL context is used for the remoting connection.
- blocks
  - JBEAP-7694 [DOC RFE] Provide a set of SASL authentication mechanisms (Closed)
- is related to
  - JBEAP-11396 Elytron - *-PLUS SASL mechanisms don't work - part of channel binding integration seems to be missing (Closed)
  - JBEAP-12231 Handle properly non-PLUS Elytron SASL mechanisms when SSL context is used (i.e. channel binding is possible) (Closed)