blob: ad223792b53c38591d63508aaabd93ca89a6ade1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
h2. Qpid Interoperability Documentation
This page documents the various interoperable features of the Qpid clients.
h3. SASL
{anchor:sasl}
h4. Standard Mechanisms
[SASL Mechanisms |http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#SASL_Mechanisms]
This table list the various SASL mechanisms that each component supports. The version listed shows when this
functionality was added to the product.
|| Component || ANONYMOUS || CRAM-MD5 || DIGEST-MD5 || EXTERNAL || GSSAPI/Kerberos || PLAIN ||
| C++ Broker |M3 |M3 | M3 |0.8\[[#1]\]|M3 | M1 |
| C++ Client |M3 |0.5 | 0.5 |0.8\[[#1]\]| | M1 |
| Java Broker | | M1 | | | | M1 |
| Java Client | | M1 | | M1 | | M1 |
| .Net Client | M2 | M2 | M2 | M2 | | M2 |
| Python Client |0.6\[[#2]\]|0.6\[[#2]\]|0.6\[[#2]\] |0.6\[[#2]\]|0.6\[[#2]\] | M4 |
| Ruby Client |0.6\[[#2]\]|0.6\[[#2]\]|0.6\[[#2]\] |0.6\[[#2]\]|0.6\[[#2]\] | M4 |
{anchor:1}
1: Only enabled for client authenticated SSL connections.
{anchor:2}
2: On linux only via cyrus-sasl integration.
h4. Custom Mechanisms
There have been some custom mechanisms added to our implementations.
|| Component || AMQPLAIN || CRAM-MD5-HASHED ||
| C++ Broker | | |
| C++ Client | | |
| Java Broker | M1 | M2 |
| Java Client | M1 | M2 |
| .Net Client | | |
| Python Client | M2 | |
| Ruby Client | M2 | |
h5. AMQPLAIN
h5. CRAM-MD5-HASHED
The Java SASL implementations require that you have the password of the user to validate the incoming request. This then means that the user's password must be stored on disk. For this to be secure either the broker must encrypt the password file or the need for the password being stored must be removed.
The CRAM-MD5-HASHED SASL plugin removes the need for the plain text password to be stored on disk. The mechanism defers all functionality to the build in CRAM-MD5 module the only change is on the client side where it generates the hash of the password and uses that value as the password. This means that the Java Broker only need store the password hash on the file system. While a one way hash is not very secure compared to other forms of encryption in environments where the having the password in plain text is unacceptable this will provide and additional layer to protect the password. In particular this offers some protection where the same password may be shared amongst many systems. It offers no real extra protection against attacks on the broker (the secret is now the hash rather than the password).
|
