  1. AppFormer
  2. AF-1868

InfinispanContext hotrod client security config does not work

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 2.18.0.Final
    • 2.15.0.Final
    • Security
    • 2019 Week 14-16
    • NEW
    • NEW

      The InfinispanContext ConfigurationBuilder settings used to build the RemoteCacheManager in the client work fine if the server does not have security enabled. However, if it does, the parameters exposed by InfinispanContext are insufficient and the client-server connection fails.

      Take, for example, this server configuration:

      <subsystem xmlns="urn:infinispan:server:endpoint:8.1">
         <hotrod-connector cache-container="clustered" socket-binding="hotrod-internal" name="hotrod-internal">
            <authentication security-realm="ApplicationRealm">
               <sasl server-name="jdg-server" mechanisms="DIGEST-MD5" qop="auth">
                  <policy>
                     <no-anonymous value="true" />
                  </policy>
                  <property name="com.sun.security.sasl.digest.utf8">true</property>
               </sasl>
            </authentication>
         </hotrod-connector>
      </subsystem>
      

      Because the AppFormer InfinispanContext does not set the serverName property (in the case above, to match "jdg-server"), this error will occur in the client:

      Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server

      WARN  [org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory] (MSC service thread 1-1) ISPN004015: Failed adding new server 172.17.0.15:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=4 returned server error (status=0x84): javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched URI: hotrod/null; expecting one of: hotrod/jdg-server
      

      (full stack trace will be attached).

      Additionally, the InfinispanContext doesn't set the saslQop property to align with the server (in the example above, to "auth").

      Thus, two new properties should be created:

      private static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";
      

      This would call AuthenticationConfigurationBuilder.serverName(String)

      private static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";
      

      This would call AuthenticationConfigurationBuilder.saslQop(SaslQop...)

      Allowing configuration of these two settings should allow the hotrod client to work when the server component is secured (although verification would be needed).

            aparedes@redhat.com Adriel Paredes
            dward-se-jboss David Ward
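
      A sketch of how the two proposed properties could be applied to the Hot Rod client configuration. This is an added example, not AppFormer's InfinispanContext code: the class SecuredHotRodConfig, the methods parseQop and build, and their parameters are hypothetical, and it assumes an Infinispan Hot Rod client version in which AuthenticationConfigurationBuilder offers username, password and realm.

```java
import java.util.Arrays;
import java.util.Locale;

import org.infinispan.client.hotrod.configuration.AuthenticationConfigurationBuilder;
import org.infinispan.client.hotrod.configuration.Configuration;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
import org.infinispan.client.hotrod.configuration.SaslQop;

// Hypothetical helper for illustration; not part of AppFormer.
public final class SecuredHotRodConfig {

    // Property names as proposed in this issue.
    private static final String SERVER_NAME = "org.appformer.ext.metadata.infinispan.server.name";
    private static final String SASL_QOP = "org.appformer.ext.metadata.infinispan.sasl.qop";

    // Maps "auth,auth-int" to {AUTH, AUTH_INT}. An unknown token throws
    // IllegalArgumentException, so a typo fails at startup rather than at SASL negotiation.
    static SaslQop[] parseQop(String value) {
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> SaslQop.valueOf(s.toUpperCase(Locale.ROOT).replace('-', '_')))
                .toArray(SaslQop[]::new);
    }

    static Configuration build(String host, int port, String user, char[] password, String realm) {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer().host(host).port(port);

        AuthenticationConfigurationBuilder auth = builder.security().authentication()
                .enable()
                .saslMechanism("DIGEST-MD5") // must be one of the server's sasl mechanisms
                .username(user)
                .password(password)
                .realm(realm);               // "ApplicationRealm" in the server example

        // Without serverName the DIGEST-MD5 digest-uri is "hotrod/null" and the server rejects it.
        String serverName = System.getProperty(SERVER_NAME);
        if (serverName != null && !serverName.trim().isEmpty()) {
            auth.serverName(serverName.trim()); // "jdg-server" in the server example
        }
        // The client qop list has to overlap with the server's qop attribute ("auth" above).
        String qop = System.getProperty(SASL_QOP);
        if (qop != null && !qop.trim().isEmpty()) {
            auth.saslQop(parseQop(qop));
        }
        return builder.build();
    }
}
```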