On Wed, 2015-09-09 at 15:57 +0000, Clemens Vasters wrote: > Hi Andrew, > > I agree that the server should only offer EXTERNAL when the client > has presented a valid cert. > > We have the case that we still want to use PLAIN or ANONYMOUS even in > that case, however, since we'll want to use a particular permissions > -bound key not representable by the cert, or differentiated per-node > (link) access control with the AMQP claims-based model,
This is a new thing to me - do you have a pointer to documentationa about the "claims-based" (access control?) model. > So I/we would really like to have an override hook for this. The > flags seem cheap; a pn_messenger_set_allowed_sasl_mechs() > function would be just as cheap. Advantage of the flag is that it > integrates nicely with flag that's already there. As I said I'm not against this - I significantly prefer a new API rather than flags for the reasons I stated earlier. pn_messenger_set_allowed_sasl_mechs() seems like a reasonable (if wordy) name (together with an accessor pn_messenger_get_...). > > For the flags I've done the work and can send a PR. I also fixed the > bug I filed yesterday about pn_messenger_set_flags in one go as it's > the same function. Can you point me at the JIRA for this bug? Thanks Andrew
