qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gordon Sim <g...@redhat.com>
Subject Re: Dispatch: Default value of authenticatePeer
Date Wed, 03 Aug 2016 17:08:25 GMT
On 03/08/16 17:54, Robbie Gemmell wrote:
> On 3 August 2016 at 17:37, Jakub Scholz <jakub@scholz.cz> wrote:
>> Hi,
>>
>> When I have listener configured like this:
>>
>> listener {
>>     role: normal
>>     host: 0.0.0.0
>>     port: amqp
>>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
>>     linkCapacity: 1000
>> }
>>
>> Is it really expected that it allows anonymous access? It seems that unless
>> I add to the listener configuration also "authenticatePeer: yes", it will
>> always allow anonymous access to clients which don't trigger the SASL
>> layer.
>>
>> This seems to me as something quite counter-intuitive and dangerous,
>> because on a first look someone (like me for example :-o) might expect that
>> this configuration allows only username/password authenticated access.
>>
>> Wouldn't it make more sense to have anonymous access disabled by default?
>> At least when SASL layer is configured for given listener? Or is it just me
>> who finds this confusing?
>>
>> Regards
>> Jakub
>
> From previous discussion (mainly around Proton where some of the
> underlying behaviour originates) I believe it is actually expected
> behaviour, but like you I don't think it is very intuitive, and would
> again suggest we change it.

I think this is different from proton's behaviour (and from qpidd's) 
where the similar flags are false by default. (This is a distinct 
concern from the default sasl mechanisms enabled).


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message