Google Git
Sign in
apache/qpid-cpp/428eafa1f65e22e04ea63b73aebcc192282df72c/./docs/book/src/cpp-broker/Qpid-Interoperability-Documentation.xml
blob: 74546693df2b256c0ce3b7cd4aaa3f182c2376f5 [file]
<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section role="h2" id="QpidInteroperabilityDocumentation-QpidInteroperabilityDocumentation">
<title>Qpid Interoperability Documentation</title>
<para>
This page documents the various interoperable features of the
Qpid clients.
</para>
<section role="h3" id="QpidInteroperabilityDocumentation-SASL"><title>
SASL
</title>
<para>
</para>
<section role="h4" id="QpidInteroperabilityDocumentation-StandardMechanisms"><title>
Standard
Mechanisms
</title>
<para>
<ulink url="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#SASL_mechanisms"/>
</para><para>
This table list the various SASL mechanisms that each component
supports. The version listed shows when this
functionality was added to the product.
</para><table><title>SASL Mechanism Support</title><tgroup cols="7">
<tbody>
<row>
<entry>
Component
</entry>
<entry>
ANONYMOUS
</entry>
<entry>
CRAM-MD5
</entry>
<entry>
DIGEST-MD5
</entry>
<entry>
EXTERNAL
</entry>
<entry>
GSSAPI/Kerberos
</entry>
<entry>
PLAIN
</entry>
</row>
<row>
<entry>
C++ Broker
</entry>
<entry>
M3[<xref linkend="QpidInteroperabilityDocumentation-1"/>]
</entry>
<entry>
M3[<xref linkend="QpidInteroperabilityDocumentation-1"/>,<xref linkend="QpidInteroperabilityDocumentation-2"/>]
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
M3[<xref linkend="QpidInteroperabilityDocumentation-1"/>,<xref linkend="QpidInteroperabilityDocumentation-2"/>]
</entry>
<entry>
M1
</entry>
</row>
<row>
<entry>
C++ Client
</entry>
<entry>
M3[<xref linkend="QpidInteroperabilityDocumentation-1"/>]
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
M1
</entry>
</row>
<row>
<entry>
Java Broker
</entry>
<entry>
 
</entry>
<entry>
M1
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
M1
</entry>
</row>
<row>
<entry>
Java Client
</entry>
<entry>
 
</entry>
<entry>
M1
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
M1
</entry>
</row>
<row>
<entry>
.Net Client
</entry>
<entry>
M2
</entry>
<entry>
M2
</entry>
<entry>
M2
</entry>
<entry>
M2
</entry>
<entry>
 
</entry>
<entry>
M2
</entry>
</row>
<row>
<entry>
Python Client
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
?
</entry>
</row>
<row>
<entry>
Ruby Client
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
<entry>
?
</entry>
</row>
</tbody>
</tgroup></table>
<para id="QpidInteroperabilityDocumentation-1">
1: Support for these will be in M3 (currently available on
trunk).
</para>
<para id="QpidInteroperabilityDocumentation-2">2: C++ Broker uses <ulink url="http://freshmeat.net/projects/cyrussasl/">Cyrus SASL</ulink> which
supports CRAM-MD5 and GSSAPI but these have not been tested yet
</para>
<!--h4--></section>
<section role="h4" id="QpidInteroperabilityDocumentation-CustomMechanisms"><title>
Custom
Mechanisms
</title>
<para>
There have been some custom mechanisms added to our
implementations.
</para><table><title>SASL Custom Mechanisms</title><tgroup cols="3">
<tbody>
<row>
<entry>
Component
</entry>
<entry>
AMQPLAIN
</entry>
<entry>
CRAM-MD5-HASHED
</entry>
</row>
<row>
<entry>
C++ Broker
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
</row>
<row>
<entry>
C++ Client
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
</row>
<row>
<entry>
Java Broker
</entry>
<entry>
M1
</entry>
<entry>
M2
</entry>
</row>
<row>
<entry>
Java Client
</entry>
<entry>
M1
</entry>
<entry>
M2
</entry>
</row>
<row>
<entry>
.Net Client
</entry>
<entry>
 
</entry>
<entry>
 
</entry>
</row>
<row>
<entry>
Python Client
</entry>
<entry>
M2
</entry>
<entry>
 
</entry>
</row>
<row>
<entry>
Ruby Client
</entry>
<entry>
M2
</entry>
<entry>
 
</entry>
</row>
</tbody>
</tgroup></table>
<section><title>AMQPLAIN</title>
<para/>
</section>
<section><title>CRAM-MD5-HASHED</title>
<para>
The Java SASL implementations require that you have the password
of the user to validate the incoming request. This then means
that the user's password must be stored on disk. For this to be
secure either the broker must encrypt the password file or the
need for the password being stored must be removed.
</para><para>
The CRAM-MD5-HASHED SASL plugin removes the need for the plain
text password to be stored on disk. The mechanism defers all
functionality to the build in CRAM-MD5 module the only change is
on the client side where it generates the hash of the password
and uses that value as the password. This means that the Java
Broker only need store the password hash on the file system.
While a one way hash is not very secure compared to other forms
of encryption in environments where the having the password in
plain text is unacceptable this will provide and additional layer
to protect the password. In particular this offers some
protection where the same password may be shared amongst many
systems. It offers no real extra protection against attacks on
the broker (the secret is now the hash rather than the password).
</para>
</section>
<!--h4--></section>
<!--h3--></section>
<!--h2--></section>