qpid-users mailing list archives

From Andrew Stitcher <astitc...@redhat.com>
Subject Re: Dispatch: Default value of authenticatePeer
Date Thu, 04 Aug 2016 20:49:20 GMT
On Wed, 2016-08-03 at 18:40 +0100, Gordon Sim wrote:
> ...
> I would agree that the router's authenticatePeer option should be true
> by default.
> 

The proton-c default for transport_require_auth (the underlying API) is
false for backward compatibility with code existing before the SASL API
that went into 0.9.

ISTR that there was reasonable concern at the time that things would
start to fail in puzzling ways if the behaviour changed with no
warning. I would much prefer to default to secure, but that wasn't the
consensus at the time (as I remember it).

Having said that about the underlying proton-c API, I see no reason why
that should be the default for Dispatch, especially if SASL mechanisms
are defined.

However I think that not requiring authentication is perfectly
reasonable (as long as you intend to do it) and so there shouldn't be a
warning for it.

Incidentally any connection that bypasses authentication will be
treated the same as if it connected using the ANONYMOUS mechanism and
given user name "anonymous". I would expect that this should be used in
any ACLs in force.

Andrew
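
Added example, not part of the message above or of Qpid's own code: a small audit of a qdrouterd.conf-style file that lists the listeners through which a peer can end up as user "anonymous", either because authenticatePeer is off (explicitly, or through the default discussed in this thread) or because ANONYMOUS is among the listed SASL mechanisms. The sample config, the function names and the simplified `entity { key: value }` parser are assumptions made for the illustration.

```python
import re

# Constructed sample; the first listener omits authenticatePeer on purpose.
SAMPLE_CONF = """\
listener {
    port: 5672
}
listener {
    port: 5671
    authenticatePeer: yes
    saslMechanisms: PLAIN ANONYMOUS
}
listener {
    port: 5673
    authenticatePeer: yes
    saslMechanisms: EXTERNAL
}
"""

BLOCK = re.compile(r"^\s*(\w+)\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_blocks(text):
    """Yield (entity, attrs) for every 'entity { key: value ... }' block."""
    text = re.sub(r"#.*", "", text)  # drop comments
    for entity, body in BLOCK.findall(text):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        yield entity, attrs


def audit_listeners(text, default_authenticate_peer=False):
    """Return (port, reason) for listeners that can yield user 'anonymous'."""
    findings = []
    for entity, attrs in parse_blocks(text):
        if entity != "listener":
            continue
        raw = attrs.get("authenticatePeer")
        required = default_authenticate_peer if raw is None else raw.lower() in ("yes", "true")
        if not required:
            findings.append((attrs.get("port"), "authentication not required"))
        # Only explicitly listed mechanisms are checked here.
        elif "ANONYMOUS" in attrs.get("saslMechanisms", "").upper().split():
            findings.append((attrs.get("port"), "ANONYMOUS mechanism offered"))
    return findings

for port, reason in audit_listeners(SAMPLE_CONF):
    print(f"listener {port}: {reason}")
```

Passing `default_authenticate_peer=True` shows what the same file would permit if the default were changed as proposed in the thread: the listener on port 5672 drops out of the findings.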

