[infinispan-dev] SASL noanonymous policy
vjuranek at redhat.com
Wed Mar 1 04:15:00 EST 2017
the behaviour of HR authentication handler has changed recently . Now, if
HR authentication is enabled, anonymous access over HR is disabled unless SASL
property NOANONYMOUS is set to false. While I agree that disabling anonymous
access by default is reasonable, on the other hand I find this approach
confusing for 2 reasons:
* my understanding of ISPN security mode was that "what is not explicitly
forbidden it's allowed" (this is itself IMHO quite confusing, but OK) - e.g.
if the security is defined on cache container level, access to all caches is
granted to anyone, unless security is defined also for given cache. Recent
change takes different approach "what is not explicitly allowed is forbidden",
IMHO making whole security configuration even more confusing for the users.
* SASL policy is actually intended for SASL mechanism negotiation (see e.g.
"How SASL Mechanisms are Installed and Selected" in ) so that it doesn't
have to be specified explicitly and shouldn't be used in server logic. Using
it in sever logic can be again quite confusing for users and, even worse, can
result into security flaws - e.g. admin which expects that EXTERNAL
authentication will be used will set SASL policy to NOANONYMOUS and the side
effect would be that any unsecured cache can be access by any (non
IMHO HR authentication handler should be rewritten so that is just passes SASL
policy to SASL server and don't use it in sever logic and we also should sick
with one approach "what is not allowed is forbidden" or "what is not forbidden
is allowed" and we should use it consistently everywhere where security comes
into the play.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 473 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/infinispan-dev/attachments/20170301/24a093b2/attachment-0001.bin
More information about the infinispan-dev