- Bug
- Resolution: Done
- Critical
- 2.15.0.Final
- 2019 Week 14-16
- NEW
The InfinispanContext ConfigurationBuilder settings to build the RemoteCacheManager in the client work fine if the server does not have security enabled. However, if it does, the exposed parameters by InfinispanContext are lacking and the client-server connection fails.
Take, for example, this server configuration:
    <subsystem xmlns="urn:infinispan:server:endpoint:8.1">
        <hotrod-connector cache-container="clustered" socket-binding="hotrod-internal" name="hotrod-internal">
            <authentication security-realm="ApplicationRealm">
                <sasl server-name="jdg-server" mechanisms="DIGEST-MD5" qop="auth">
                    <policy>
                        <no-anonymous value="true" />
                    </policy>
                    <property name="com.sun.security.sasl.digest.utf8">true</property>
                </sasl>
            </authentication>
        </hotrod-connector>
    </subsystem>
Because the appformer InfinispanContext does not set the serverName property (in the case above, it would need to match "jdg-server"), this error occurs in the client:
Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server
WARN [org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory] (MSC service thread 1-1) ISPN004015: Failed adding new server 172.17.0.15:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=4 returned server error (status=0x84): javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server
(full stack trace will be attached).
Additionally, InfinispanContext also doesn't set the saslQop property to match the server (in the example above, "auth").
Thus, two new properties should be created:

    private static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";

This would call AuthenticationConfigurationBuilder.serverName(String).

    private static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";

This would call AuthenticationConfigurationBuilder.saslQop(SaslQop...).
Exposing these two settings should let the hotrod client connect when the server component is secured (although this would still need verification).
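As an added illustration (not appformer's code), this is how a client could honour the two proposed properties when building the RemoteCacheManager against the server configuration above. It assumes the Infinispan 9.x Hot Rod client API, where AuthenticationConfigurationBuilder exposes username(), password() and realm() alongside serverName() and saslQop(); the "host", "user" and "password" property names are placeholders, and the qop token parsing is my own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.AuthenticationConfigurationBuilder;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.configuration.SaslQop;

public class SecuredHotRodClient {

    // Property names proposed in this issue.
    static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";
    static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";

    // Maps the tokens used in the server's <sasl qop="..."> attribute (e.g. "auth,auth-int")
    // onto the client-side enum. Assumed helper, not part of the Hot Rod client.
    static SaslQop[] parseQop(String qop) {
        List<SaslQop> result = new ArrayList<>();
        for (String token : qop.split(",")) {
            switch (token.trim().toLowerCase()) {
                case "auth":      result.add(SaslQop.AUTH); break;
                case "auth-int":  result.add(SaslQop.AUTH_INT); break;
                case "auth-conf": result.add(SaslQop.AUTH_CONF); break;
                default: throw new IllegalArgumentException("unknown SASL qop: " + token);
            }
        }
        return result.toArray(new SaslQop[0]);
    }

    static RemoteCacheManager build(Properties props) {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer()
                .host(props.getProperty("host", "127.0.0.1"))   // placeholder property
                .port(11222);
        AuthenticationConfigurationBuilder auth = builder.security().authentication()
                .enable()
                .saslMechanism("DIGEST-MD5")             // matches mechanisms="DIGEST-MD5"
                .username(props.getProperty("user"))       // placeholder property
                .password(props.getProperty("password"))   // placeholder property
                .realm("ApplicationRealm");                // matches security-realm
        // Without serverName the client sends digest-uri "hotrod/null", which the server
        // rejects with "Mismatched URI ... expecting one of: hotrod/jdg-server".
        auth.serverName(props.getProperty(SERVER_NAME));   // e.g. "jdg-server"
        auth.saslQop(parseQop(props.getProperty(SASL_QOP, "auth")));
        return new RemoteCacheManager(builder.build());
    }
}
```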
- blocks
  - RHDM-858 Add JDG hotrod security to config in RHDM (Closed)
  - RHPAM-1924 Add JDG hotrod security to config in RHPAM (Closed)