AppFormer / AF-1868

InfinispanContext hotrod client security config does not work

Details

    • Bug
    • Resolution: Done
    • Critical
    • 2.18.0.Final
    • 2.15.0.Final
    • Security
    • 2019 Week 14-16
    • NEW
    • NEW

    Description

      The InfinispanContext ConfigurationBuilder settings used to build the RemoteCacheManager in the client work fine if the server does not have security enabled. However, if it does, the parameters exposed by InfinispanContext are insufficient and the client-server connection fails.

      Take, for example, this server configuration:

      <subsystem xmlns="urn:infinispan:server:endpoint:8.1">
         <hotrod-connector cache-container="clustered" socket-binding="hotrod-internal" name="hotrod-internal">
            <authentication security-realm="ApplicationRealm">
               <sasl server-name="jdg-server" mechanisms="DIGEST-MD5" qop="auth">
                  <policy>
                     <no-anonymous value="true" />
                  </policy>
                  <property name="com.sun.security.sasl.digest.utf8">true</property>
               </sasl>
            </authentication>
         </hotrod-connector>
      </subsystem>
      

      Because the AppFormer InfinispanContext does not set the serverName property (in the case above, to match "jdg-server"), this error will occur in the client:

      Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server

      WARN  [org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory] (MSC service thread 1-1) ISPN004015: Failed adding new server 172.17.0.15:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=4 returned server error (status=0x84): javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server
      

      (full stack trace will be attached).

      Additionally, the InfinispanContext doesn't set the saslQop property to align with the server (in the example above, to "auth").

      Thus, two new properties should be created:

      private static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";
      

      This would call AuthenticationConfigurationBuilder.serverName(String)

      private static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";
      

      This would call AuthenticationConfigurationBuilder.saslQop(SaslQop...)

      Allowing configuration of these two settings should allow the hotrod client to work when the server component is secured (although verification would be needed).
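The sketch below is an added example, not AppFormer's own code: it wires the two proposed properties into the Hot Rod client builder and rejects a missing server name at startup instead of at the SASL handshake. It assumes a 9.x Hot Rod client whose AuthenticationConfigurationBuilder offers username/password/realm; the class and method names, the user name, the realm value and the password are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Locale;
import org.infinispan.client.hotrod.configuration.Configuration;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.configuration.SaslQop;

public class SecuredHotRodConfig { // hypothetical class name
    // Property names proposed in this issue.
    static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";
    static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";

    // "auth,auth-int" -> {AUTH, AUTH_INT}. An empty or unknown token throws
    // IllegalArgumentException rather than silently changing the negotiated QOP.
    static SaslQop[] parseQop(String csv) {
        return Arrays.stream(csv.split(","))
                .map(String::trim)
                .map(s -> SaslQop.valueOf(s.toUpperCase(Locale.ROOT).replace('-', '_')))
                .toArray(SaslQop[]::new);
    }

    static Configuration build(String host, int port, String user, char[] password, String realm) {
        // Without a server name the DIGEST-MD5 digest-uri becomes "hotrod/null".
        String serverName = System.getProperty(SERVER_NAME);
        if (serverName == null || serverName.trim().isEmpty()) {
            throw new IllegalStateException(SERVER_NAME + " must match the server's <sasl server-name>");
        }
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(host).port(port);
        builder.security().authentication()
                .enable()
                .saslMechanism("DIGEST-MD5")
                .serverName(serverName)
                .saslQop(parseQop(System.getProperty(SASL_QOP, "auth")))
                .username(user).password(password).realm(realm);
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed values mirroring the server XML above; the address is the one in the log line.
        System.setProperty(SERVER_NAME, "jdg-server");
        System.setProperty(SASL_QOP, "auth");
        char[] password = "placeholder-not-a-real-secret".toCharArray(); // constructed placeholder
        Configuration cfg = build("172.17.0.15", 11222, "appformer", password, "ApplicationRealm");
        // Resolved client-side values to compare against the server's <sasl> element.
        System.out.println(cfg.security().authentication().serverName());
        System.out.println(cfg.security().authentication().saslProperties());
    }
}
```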

            People

              aparedes@redhat.com Adriel Paredes
              dward-se-jboss David Ward