You could:
1. do everything in web.xml, role mappings, etc.
2. add @RolesAllowed to your JAX-RS methods, and just set up auth in
web.xml. This is better than #1 IMO, as URL schemes may change
3. Do role checks at Infinispan layer (not in web) and integrate with
the JBoss security manager. This is actually what HornetQ does and it's
really really nice because you can automatically propagate security from
any component layer to HornetQ (EJB, Servlet, etc.)
Galder Zamarreño wrote:
Hi,
During my REST/Cloud presentation, I got a particularly interesting question about the
Infinispan REST server.
As it is, once the REST module is deployed, anyone can access it as shown in
http://community.jboss.org/wiki/AccessingdatainInfinispanviaRESTfulinterface
Now, how would you go about authentication/authorization to access Infinispan via REST?
Since at the end of the day the REST module is a war, users would need to tweak it
accordingly in order to configure the security constraints under its web.xml defining the
corresponding roles and authentication methods. Wouldn't they?
I don't think it's possible for Infinispan to provide a more restricted
Infinispan REST module, but instead some guidelines on how to secure it would be handy.
Thoughts?
--
Galder Zamarreño
Sr. Software Engineer
Infinispan, JBoss Cache
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
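As an added illustration of option 2 above (example code, not from Infinispan, RESTEasy or either poster): a JAX-RS resource following the Infinispan REST URL layout, with @RolesAllowed separating read from write access and one programmatic SecurityContext check. The role names "cache-reader"/"cache-writer", the path layout and the in-memory map standing in for the cache are assumptions; authentication itself (login-config and a security-constraint on /rest/*) is still declared in web.xml, and RESTEasy only enforces the annotations when its resteasy.role.based.security context-param is true.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Added example, not Infinispan or RESTEasy code. Role names, path layout and
// the in-memory map standing in for the cache are assumptions. Authentication
// stays in web.xml (<login-config> plus a <security-constraint> on /rest/*);
// RESTEasy enforces @RolesAllowed only if resteasy.role.based.security=true.
@Path("/rest/{cacheName}")
public class SecuredCacheResource {
    // Constructed stand-in for the Infinispan cache: one map per cache name.
    private static final Map<String, Map<String, String>> CACHES = new ConcurrentHashMap<>();
    private static Map<String, String> cache(String name) {
        return CACHES.computeIfAbsent(name, n -> new ConcurrentHashMap<>());
    }
    // Reads: holders of either role may fetch an entry.
    @GET @Path("/{cacheKey}")
    @RolesAllowed({"cache-reader", "cache-writer"})
    public Response get(@PathParam("cacheName") String cacheName,
                        @PathParam("cacheKey") String key) {
        String value = cache(cacheName).get(key);
        return value == null ? Response.status(Response.Status.NOT_FOUND).build()
                             : Response.ok(value).build();
    }
    // Writes: writer role only; the framework answers 403 before this body runs.
    @PUT @Path("/{cacheKey}")
    @RolesAllowed("cache-writer")
    public Response put(@PathParam("cacheName") String cacheName,
                        @PathParam("cacheKey") String key, String body) {
        cache(cacheName).put(key, body);
        return Response.ok().build();
    }
    // Programmatic form of the same check, for rules an annotation cannot express.
    @DELETE @Path("/{cacheKey}")
    public Response delete(@PathParam("cacheName") String cacheName,
                           @PathParam("cacheKey") String key,
                           @Context SecurityContext sc) {
        if (!sc.isUserInRole("cache-writer")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return cache(cacheName).remove(key) == null
             ? Response.status(Response.Status.NOT_FOUND).build()
             : Response.noContent().build();
    }
}
```

Because the checks hang off the methods rather than URL patterns, renaming the cache or key path segments later does not silently open a write endpoint, which is the point Bill makes against option 1.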