[infinispan-dev] Hot Rod secured by default

Radim Vansa rvansa at redhat.com
Thu Mar 30 12:04:44 EDT 2017

I don't see an example/quickstart using security on the tutorials page 
[1]. Could you provide one that would show what all would the user have 
to configure in order to do HotRod hello world?

While secure OOTB is good, I like performant OOTB. And it seems to me 
that "I need security" is something they'll probably think about when 
deploying (if they need that), and will look it up, I wouldn't like to 
see "turn off security" in the perf tuning guide. So I'd say -1 to SSL 
by default.

-1 to PLAIN authentication without encryption, that's not a safe 
default. [2]


[1] http://infinispan.org/tutorials/
[2] http://www.prokofiev.ru/prikol/pics/p12/winfirewall.jpg

On 03/30/2017 02:39 PM, Tristan Tarrant wrote:
> Let me add another item:
> combined with Sebastian's PR [1] we could also turn on encryption by
> default using a self-signed certificate. We would also need to have an
> easy option (i.e. a boolean, false by default) on the Hot Rod clients to
> trust all certs.
> This means that a Hot Rod client would need to be configured as follows:
> ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
> clientBuilder
>     .security()
>       .authentication()
>         .username("user").realm("realm").password("password")
>       .ssl()
>         .enable().trustAll(true);
> without having to manually set up callback handlers or trustmanagers.
> I don't think this would affect the user experience too much.
> Tristan
> [1] https://github.com/infinispan/infinispan/pull/5036
> On 30/03/2017 14:25, Tristan Tarrant wrote:
>> Dear all,
>> after a mini chat on IRC, I wanted to bring this to everybody's attention.
>> We should make the Hot Rod endpoint require authentication in the
>> out-of-the-box configuration.
>> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
>> mechanism against the ApplicationRealm and require users to run the
>> add-user script.
>> This would achieve two goals:
>> - secure out-of-the-box configuration, which is always a good idea
>> - access to the "protected" schema and script caches which is prevented
>> when not on loopback on non-authenticated endpoints.
>> Tristan

Radim Vansa <rvansa at redhat.com>
JBoss Performance Team

More information about the infinispan-dev mailing list