• Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Compatibility Kind:
    • Compatibility Risk:
    • Compatibility Risk Description:
      The default property value is empty so there is no out-of-box behavior change.
    • Interface Kind:
      System or security property
    • Scope:



      Provide a security property to restrict the mechanisms used by SASL.

      The problem report states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware" (the same finding that led RFC 6331 to move DIGEST-MD5 to Historic status). DIGEST-MD5 was intended as an improvement over CRAM-MD5, which has its own weaknesses. PLAIN is weaker still, since the password is sent in cleartext with no protection at all.

      That said, SASL is often used inside a secure channel (for example, SMTP with STARTTLS), and in that case even PLAIN may be acceptable because TLS protects the credentials in transit, although a stronger mechanism is still preferable in case the TLS server is compromised. This is the same trade-off as using the HTTP Basic authentication scheme over HTTPS.


      Add a security property, jdk.sasl.disabledMechanisms, that disables the listed SASL mechanisms. Its default value is empty, so no mechanism is disabled out of the box. Users can list the mechanisms they want disabled, which is especially advisable when the application protocol is not protected by a secure channel such as TLS.


      Changes to src/

       * @implNote
       * ....
       * If a mechanism is listed in the
       * {@code jdk.sasl.disabledMechanisms} security property,
       * it will be ignored and won't be negotiated.
      public static SaslClient createSaslClient(
          String[] mechanisms,
          String authorizationId,
          String protocol,
          String serverName,
          Map<String,?> props,
          CallbackHandler cbh);
       * @implNote
       * ....
       * If {@code mechanism} is listed in the
       * {@code jdk.sasl.disabledMechanisms} security property,
       * it will be ignored and this method will return {@code null}.
      public static SaslServer createSaslServer(
          String mechanism,
          String protocol,
          String serverName,
          Map<String,?> props,
          CallbackHandler cbh);

      Add the following lines into conf/security/

      # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
      # Disabled mechanisms will not be negotiated by either SASL clients or servers.
      # These mechanisms will be ignored if they are specified in the mechanisms argument
      # of `Sasl.createSaslClient` or the mechanism argument of `Sasl.createSaslServer`.
      # The value of this property is a comma-separated list of SASL mechanisms.
      # The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
      # Example:
      #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
      jdk.sasl.disabledMechanisms=
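
      As an added illustration (not part of this CSR and not JDK source code), the following Java program exercises the specified behaviour from both sides: it sets the security property programmatically and then asks the JDK factories for a client and a server. The protocol name, server name and credentials are constructed, no network connection is made, and the program assumes the property is honoured when set through java.security.Security.setProperty before the first call into javax.security.sasl.Sasl; setting it in conf/security/java.security, or in a file passed with -Djava.security.properties, is the route the specification describes. The small parseDisabled helper is a re-implementation of the documented value syntax for illustration, not the JDK's own parser.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

// Added example, not JDK code: exercises the jdk.sasl.disabledMechanisms security
// property (JDK 13 and later) through the public Sasl factory methods.
public class SaslDisabledMechanismsDemo {

    // Constructed values; only the factories are called, no server is contacted.
    static final String PROTOCOL = "smtp";
    static final String SERVER = "mail.example.test";

    // Minimal handler. The CRAM-MD5 and PLAIN clients ask for the name and
    // password when they are created, so creation needs a handler that answers.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("alice");                          // constructed
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("hunter2".toCharArray()); // constructed
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    // Mirrors the documented syntax of the property value: comma-separated,
    // case-sensitive, whitespace around the commas ignored. Illustrative
    // re-implementation, not the JDK's parser.
    static Set<String> parseDisabled(String value) {
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    // Name of the mechanism the JDK selects from the preference list, or null
    // when every entry the JDK could serve has been disabled.
    static String negotiatedClient(String[] preferred) throws SaslException {
        SaslClient c = Sasl.createSaslClient(preferred, null, PROTOCOL, SERVER, null, HANDLER);
        if (c == null) {
            return null;
        }
        try {
            return c.getMechanismName();
        } finally {
            c.dispose();
        }
    }

    // true if a server for the mechanism can be created, false if it is disabled.
    static boolean serverAvailable(String mechanism) throws SaslException {
        SaslServer s = Sasl.createSaslServer(mechanism, PROTOCOL, SERVER, null, HANDLER);
        if (s == null) {
            return false;
        }
        s.dispose();
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Same value as the java.security example; set before the first Sasl call.
        String value = "PLAIN, CRAM-MD5, DIGEST-MD5";
        Security.setProperty("jdk.sasl.disabledMechanisms", value);
        Set<String> disabled = parseDisabled(value);
        System.out.println("disabled set: " + disabled);
        // Case-sensitive: a lower-case spelling does not match the mechanism name.
        System.out.println("'plain' in set: " + disabled.contains("plain"));

        // Every preferred mechanism is disabled, so nothing is negotiated.
        System.out.println("client, weak list only: "
                + negotiatedClient(new String[] {"DIGEST-MD5", "CRAM-MD5", "PLAIN"}));

        // A mechanism that is not listed is still offered; EXTERNAL needs no credentials.
        System.out.println("client, weak list plus EXTERNAL: "
                + negotiatedClient(new String[] {"DIGEST-MD5", "EXTERNAL"}));

        // Server side: a disabled mechanism yields null rather than a SaslServer.
        System.out.println("server DIGEST-MD5 available: " + serverAvailable("DIGEST-MD5"));
    }
}
```

      If the property is honoured, the weak-only client list yields null, the second list falls through to EXTERNAL, and the server call reports false, which is the behaviour the @implNote text above specifies. Running the same program without the Security.setProperty line, under a stock java.security whose value is empty, selects DIGEST-MD5 for the first list and creates the DIGEST-MD5 server, showing that the default causes no behaviour change.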





              • Assignee:
                weijun Weijun Wang
              • Reviewed By:
                Sean Mullan, Valerie Peng