<div dir="ltr">AUTH in JGroups only authenticates nodes that join a group. Nodes will discard messages that are not sent by a member of the group. However, someone could in theory eavesdrop on the messages and pick up the id assigned to a member of the group, and could then send a message masquerading as a member of the group.<div><br></div><div>We don&#39;t send any sensitive information through the cluster, so even if someone was able to read messages sent to the cluster they would not be able to obtain anything valuable. Further, there&#39;s very little a malicious node could do by sending fake messages to the cluster. With regards to realms, clients and users, they would only be able to send invalidation messages, forcing nodes to re-load the data from the database. For sessions they could in theory create new user sessions, but these would not have any use as cookies and tokens are signed by the realm&#39;s private key, so the fake sessions wouldn&#39;t have any use.</div><div><br></div><div>In summary, enabling auth should be sufficient and encryption should not be required as long as you use the default clustering setup (invalidation-cache for realm, users and clients).</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 12 November 2015 at 08:52, Stian Thorgersen <span dir="ltr">&lt;<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I believe enabling auth is sufficient, but I&#39;m not 100% sure. 
I&#39;ve sent an email to the JGroups mailing list to confirm and I&#39;ll let you know.</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 11 November 2015 at 23:05, Matthew Casperson <span dir="ltr">&lt;<a href="mailto:matthew.casperson@autogeneral.com.au" target="_blank">matthew.casperson@autogeneral.com.au</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>The docs state that &quot;By default there&#39;s nothing to prevent unauthorized nodes from joining the cluster and sending potentially malicious messages to the cluster.&quot; (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html</a>)<br><br></div>Is this still the case if the JGroups stack in WildFly has implemented the AUTH protocol? For example, the OpenShift WildFly config looks something like this:<br><br><pre><code>    &lt;stack name=&quot;tcp&quot;&gt;
        &lt;transport type=&quot;TCP&quot; socket-binding=&quot;jgroups-tcp&quot;&gt;
            &lt;property name=&quot;external_addr&quot;&gt;${env.OPENSHIFT_GEAR_DNS}&lt;/property&gt;
            &lt;property name=&quot;external_port&quot;&gt;${env.OPENSHIFT_WILDFLY_CLUSTER_PROXY_PORT}&lt;/property&gt;
            &lt;property name=&quot;bind_port&quot;&gt;${env.OPENSHIFT_WILDFLY_CLUSTER_PORT}&lt;/property&gt;
            &lt;property name=&quot;bind_addr&quot;&gt;${env.OPENSHIFT_WILDFLY_IP}&lt;/property&gt;
            &lt;property name=&quot;defer_client_bind_addr&quot;&gt;true&lt;/property&gt;
        &lt;/transport&gt;
        &lt;protocol type=&quot;TCPPING&quot;&gt;
            &lt;property name=&quot;timeout&quot;&gt;30000&lt;/property&gt;
            &lt;property name=&quot;initial_hosts&quot;&gt;${env.OPENSHIFT_WILDFLY_CLUSTER}&lt;/property&gt;
            &lt;property name=&quot;port_range&quot;&gt;0&lt;/property&gt;
            &lt;property name=&quot;num_initial_members&quot;&gt;1&lt;/property&gt;
        &lt;/protocol&gt;
        &lt;protocol type=&quot;MERGE2&quot;/&gt;
        &lt;protocol type=&quot;FD&quot;/&gt;
        &lt;protocol type=&quot;VERIFY_SUSPECT&quot;/&gt;
        &lt;protocol type=&quot;BARRIER&quot;/&gt;
        &lt;protocol type=&quot;pbcast.NAKACK&quot;/&gt;
        &lt;protocol type=&quot;UNICAST2&quot;/&gt;
        &lt;protocol type=&quot;pbcast.STABLE&quot;/&gt;
        &lt;protocol type=&quot;AUTH&quot;&gt;
            &lt;property name=&quot;auth_class&quot;&gt;org.jgroups.auth.MD5Token&lt;/property&gt;
            &lt;property name=&quot;token_hash&quot;&gt;SHA&lt;/property&gt;
            &lt;property name=&quot;auth_value&quot;&gt;${env.OPENSHIFT_SECRET_TOKEN}&lt;/property&gt;
        &lt;/protocol&gt;
        &lt;protocol type=&quot;pbcast.GMS&quot;/&gt;
        &lt;protocol type=&quot;UFC&quot;/&gt;
        &lt;protocol type=&quot;MFC&quot;/&gt;
        &lt;protocol type=&quot;FRAG2&quot;/&gt;
        &lt;!--protocol type=&quot;pbcast.STATE_TRANSFER&quot;/&gt;
        &lt;protocol type=&quot;pbcast.FLUSH&quot;/--&gt;
    &lt;/stack&gt;</code></pre><br clear="all"><div><div><div><div><br>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><b><font face="tahoma, sans-serif">Matthew Casperson</font></b></div><div><b><font face="tahoma, sans-serif">Senior Front End Developer</font></b></div><div><font face="tahoma, sans-serif">Technology, Space &amp; Distribution</font></div><div><font face="tahoma, sans-serif">Auto &amp; General Holdings Pty Ltd</font></div><div><font face="tahoma, sans-serif">P: 07) 3377 </font><span style="font-family:tahoma,sans-serif;font-size:small">8751</span><font face="tahoma, sans-serif"> (Direct: 3377 </font><span style="font-family:tahoma,sans-serif;font-size:small">8751</span><font face="tahoma, sans-serif">)</font></div><div><font face="tahoma, sans-serif">F: 07) 3377 8833<br><br></font></div></div></div></div></div>
</div></div></div></div></div>

</div></div>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div>
</blockquote></div><br></div>
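<p>The distinction Stian draws above (AUTH gates joining with a shared token; after that a message is judged by whether its sender address belongs to a current member, and that address is visible to anyone who can read the traffic) as an added illustration in Python. This is not JGroups code and does not reproduce the MD5Token or any JGroups encryption wire format; <code>Cluster</code>, <code>token_hash</code>, <code>sign</code>, the member addresses and the token value are constructed for the example, and the per-message HMAC stands in for the property a message-level integrity/encryption layer provides.</p>

```python
# Added example, not JGroups code: models the difference between a join-time
# token check (what AUTH does) and a per-message check bound to the secret.
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed value; stands in for the ${env.OPENSHIFT_SECRET_TOKEN} given to AUTH.
SHARED_TOKEN = b"constructed-cluster-secret"


def token_hash(token: bytes) -> str:
    """Hash a joiner presents to the coordinator (models MD5Token with
    token_hash=SHA; the real wire format is not reproduced)."""
    return hashlib.sha1(token).hexdigest()


def sign(token: bytes, sender: str, payload: bytes) -> bytes:
    """Per-message MAC over sender address and payload, keyed with the shared
    secret. Stands in for what a message-level integrity layer provides."""
    return hmac.new(token, sender.encode() + b"|" + payload, hashlib.sha256).digest()


@dataclass
class Cluster:
    token: bytes
    members: set = field(default_factory=set)

    def join(self, address: str, presented_hash: str) -> bool:
        """AUTH-style gate: only a node that knows the shared token is admitted."""
        if not hmac.compare_digest(presented_hash, token_hash(self.token)):
            return False
        self.members.add(address)
        return True

    def accept_by_membership(self, sender: str, payload: bytes) -> bool:
        """What the thread describes: a message is accepted if its sender address
        is a current member. Nothing ties the payload to the node that sent it."""
        return sender in self.members

    def accept_by_mac(self, sender: str, payload: bytes, mac: bytes) -> bool:
        """Membership plus a per-message MAC: an observer who copied a member's
        address but does not hold the secret cannot produce a valid tag."""
        if sender not in self.members:
            return False
        return hmac.compare_digest(mac, sign(self.token, sender, payload))


def demo() -> dict:
    cluster = Cluster(SHARED_TOKEN)
    member = "node1:7600"                 # constructed member address
    payload = b"invalidate realm cache"   # constructed payload

    joined = cluster.join(member, token_hash(SHARED_TOKEN))
    outsider_joined = cluster.join("other:7600", token_hash(b"not-the-token"))

    # A message carrying a copied member address but produced without the secret.
    copied_address_only = cluster.accept_by_membership(member, payload)
    copied_address_with_mac = cluster.accept_by_mac(member, payload, b"\x00" * 32)
    genuine_with_mac = cluster.accept_by_mac(
        member, payload, sign(SHARED_TOKEN, member, payload)
    )

    return {
        "member_joined": joined,
        "outsider_joined": outsider_joined,
        "spoof_accepted_by_membership": copied_address_only,
        "spoof_accepted_by_mac": copied_address_with_mac,
        "genuine_accepted_by_mac": genuine_with_mac,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Running it shows the two checks side by side: the copied-address message passes the membership check and fails the MAC check, while the outsider without the token is refused at join time in both models. That is the gap the thread weighs against what such a message could actually do in Keycloak's default invalidation-cache setup.</p>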