qpid-users mailing list archives

From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: Dispatch: Default value of authenticatePeer
Date Wed, 03 Aug 2016 16:54:12 GMT
On 3 August 2016 at 17:37, Jakub Scholz <jakub@scholz.cz> wrote:
> Hi,
>
> When I have listener configured like this:
>
> listener {
>     role: normal
>     host: 0.0.0.0
>     port: amqp
>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
>     linkCapacity: 1000
> }
>
> Is it really expected that it allows anonymous access? It seems that unless
> I add to the listener configuration also "authenticatePeer: yes", it will
> always allow anonymous access to clients which don't trigger the SASL
> layer.
>
> This seems to me as something quite counter-intuitive and dangerous,
> because on a first look someone (like me for example :-o) might expect that
> this configuration allows only username/password authenticated access.
>
> Wouldn't it make more sense to have anonymous access disabled by default?
> At least when SASL layer is configured for given listener? Or is it just me
> who finds this confusing?
>
> Regards
> Jakub

From previous discussion (mainly around Proton where some of the
underlying behaviour originates) I believe it is actually expected
behaviour, but like you I don't think it is very intuitive, and would
again suggest we change it.

Robbie
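
An added example, not part of either message and not Qpid project code: a small Python check that flags `listener` blocks in a router configuration that lack the `authenticatePeer: yes` setting discussed above. The sample configuration is constructed (the second listener and its port are hypothetical), and the parser assumes the simple `name { key: value }` layout shown in the thread.

```python
import re

# Constructed sample: the listener quoted in the thread, plus a hypothetical
# second listener (port 5671) that sets authenticatePeer as Jakub describes.
SAMPLE_CONF = """
listener {
    role: normal
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
    linkCapacity: 1000
}

listener {
    host: 0.0.0.0
    port: 5671
    saslMechanisms: PLAIN
    authenticatePeer: yes
}
"""

# A block is "name {" ... up to a "}" that starts a line.
BLOCK_RE = re.compile(r"^\s*(\w+)\s*\{(.*?)^\s*\}", re.S | re.M)


def parse_blocks(text):
    """Return (entity, attrs) for every 'name { key: value ... }' block."""
    text = re.sub(r"#.*", "", text)  # assumption: '#' starts a comment
    blocks = []
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")  # first ':' only, so IPv6 hosts survive
            if sep:
                attrs[key.strip()] = value.strip()
        blocks.append((name, attrs))
    return blocks


def listeners_allowing_anonymous(text):
    """Listeners without 'authenticatePeer: yes', even if saslMechanisms is set.

    Only the spelling used in the thread ("yes") counts as enabled; any other
    value is reported so it can be reviewed by hand.
    """
    return [attrs for name, attrs in parse_blocks(text)
            if name == "listener" and attrs.get("authenticatePeer", "").lower() != "yes"]


if __name__ == "__main__":
    for l in listeners_allowing_anonymous(SAMPLE_CONF):
        print("no authenticatePeer:", l.get("host"), l.get("port"), l.get("saslMechanisms"))
```
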
