[infinispan-dev] Securing access to Infinispan REST server

Bill Burke bburke at redhat.com
Wed Jul 7 09:41:29 EDT 2010


You could:

1. do everything in web.xml, role mappings, etc.
2. add @RolesAllowed to your JAX-RS methods, and just set up auth in 
web.xml. This is better than #1 IMO, as URL schemes may change
3. Do role checks at Infinispan layer (not in web) and integrate with 
the JBoss security manager. This is actually what HornetQ does and it's 
really really nice because you can automatically propagate security from 
any component layer to hornetq  (EJB, Servlet, etc.)

Galder Zamarreño wrote:
> Hi,
> 
> During my REST/Cloud presentation, I got a particularly interesting question about the Infinispan REST server.
> 
> As it is, once the REST module is deployed, anyone can access it as shown in http://community.jboss.org/wiki/AccessingdatainInfinispanviaRESTfulinterface
> 
> Now, how would you go about authentication/authorization to access Infinispan via REST?
> 
> Since at the end of the day the REST module is a war, users would need to tweak it accordingly in order to configure the security constraints under its web.xml defining the corresponding roles and authentication methods. Wouldn't they? 
> 
> I don't think it's possible for Infinispan to provide a more restricted Infinispan REST module, but instead some guidelines on how to secure it would be handy.  
> 
> Thoughts?
> --
> Galder Zamarreño
> Sr. Software Engineer
> Infinispan, JBoss Cache
> 

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
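The second option above (method-level @RolesAllowed, with authentication declared in web.xml), worked through as an added example; this is not code from the Infinispan REST module, from RESTEasy, or from anyone in this thread. It assumes RESTEasy as the JAX-RS provider (its `resteasy.role.based.security` context parameter is what makes the JAX-RS layer honour `@RolesAllowed`), a container-managed BASIC realm, Infinispan 4.1-era API names (`EmbeddedCacheManager`, `DefaultCacheManager`), and hypothetical role names `reader` and `writer`; the resource path, realm name and package are illustrative only.

```java
// Added example, not code from the Infinispan REST module or from this thread.
// Option 2 from the reply: the container authenticates (web.xml), the JAX-RS
// layer authorizes per method with @RolesAllowed. Assumes RESTEasy as the JAX-RS
// provider and Infinispan 4.1-era API names; roles, paths and realm are hypothetical.
//
// web.xml fragment the class relies on (register the Application class separately):
//   <context-param>  <!-- RESTEasy-specific; without it @RolesAllowed is ignored -->
//     <param-name>resteasy.role.based.security</param-name>
//     <param-value>true</param-value>
//   </context-param>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>cache</web-resource-name>
//       <url-pattern>/rest/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>  <!-- who may get in; @RolesAllowed decides what they may do -->
//       <role-name>reader</role-name>
//       <role-name>writer</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>  <!-- sends credentials in the clear: TLS only -->
//     <realm-name>infinispan-rest</realm-name>
//   </login-config>
//   <security-role><role-name>reader</role-name></security-role>
//   <security-role><role-name>writer</role-name></security-role>
package example;

import java.util.Collections;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import org.infinispan.Cache;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.manager.EmbeddedCacheManager;

public class SecuredRestApplication extends Application {
    private final Set<Object> singletons;

    public SecuredRestApplication() {
        EmbeddedCacheManager manager = new DefaultCacheManager(); // default config (assumption)
        singletons = Collections.<Object>singleton(new SecuredCacheResource(manager));
    }

    @Override
    public Set<Object> getSingletons() {
        return singletons;
    }

    /** One resource for all caches; URLs can change without changing who may do what. */
    @Path("/{cacheName}")
    public static class SecuredCacheResource {
        private final EmbeddedCacheManager manager;

        public SecuredCacheResource(EmbeddedCacheManager manager) {
            this.manager = manager;
        }

        @GET
        @Path("/{key}")
        @RolesAllowed({"reader", "writer"})
        public Response get(@PathParam("cacheName") String cacheName,
                            @PathParam("key") String key,
                            @Context SecurityContext sc) {
            requireRole(sc, "reader", "writer");
            byte[] value = manager.<String, byte[]>getCache(cacheName).get(key);
            return value == null
                    ? Response.status(Response.Status.NOT_FOUND).build()
                    : Response.ok(value).build();
        }

        @PUT
        @Path("/{key}")
        @RolesAllowed("writer")
        public Response put(@PathParam("cacheName") String cacheName,
                            @PathParam("key") String key,
                            byte[] body,
                            @Context SecurityContext sc) {
            requireRole(sc, "writer");
            manager.<String, byte[]>getCache(cacheName).put(key, body);
            return Response.noContent().build();
        }

        /** Defence in depth: if the provider is not enforcing @RolesAllowed (for RESTEasy,
         *  the context-param above is missing), fail closed rather than serve the request:
         *  401 when unauthenticated, 403 when authenticated but in the wrong role. */
        private static void requireRole(SecurityContext sc, String... roles) {
            if (sc == null || sc.getUserPrincipal() == null) {
                throw new WebApplicationException(Response.Status.UNAUTHORIZED);
            }
            for (String role : roles) if (sc.isUserInRole(role)) return;
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }
}
```

The `security-constraint` is what forces the container to authenticate anything under `/rest/*`; the `@RolesAllowed` annotations then decide authorization per method, so renaming a URL cannot silently widen access, which is the point made above against doing everything in web.xml. Two things to check in a real deployment: that the JAX-RS provider is actually evaluating the annotations (with RESTEasy, leaving `resteasy.role.based.security` unset makes them a no-op, which is why the explicit `SecurityContext` check is kept as a backstop), and that BASIC authentication is only exposed over TLS. The third option from the reply, enforcing roles inside Infinispan via the JBoss security manager, is not shown here.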