Ryan Emerson updated ISPN-12320:
--------------------------------
Status: Open (was: New)
Disabling authentication per endpoint is not possible
-----------------------------------------------------
Key: ISPN-12320
URL: https://issues.redhat.com/browse/ISPN-12320
Project: Infinispan
Issue Type: Bug
Components: Hot Rod, REST, Security
Affects Versions: 12.0.0.Dev03
Reporter: Ryan Emerson
Assignee: Tristan Tarrant
Priority: Major
Currently it's not possible to configure the server so that authentication is only
enabled on either the REST or HotRod endpoint. When utilising authentication elements on
either endpoint it's mandatory for the `<endpoints ...` `security-realm` attribute
to be set, otherwise the following exception is thrown:
{code:java}
11:04:12,367 FATAL (main) [org.infinispan.SERVER] ISPN080028: Infinispan Server failed to start org.infinispan.commons.CacheConfigurationException: ISPN080021: Authentication cannot be configured without a security realm
at org.infinispan.server.configuration.hotrod.HotRodServerConfigurationParser.parseAuthentication(HotRodServerConfigurationParser.java:204)
at org.infinispan.server.configuration.hotrod.HotRodServerConfigurationParser.parseHotRodConnector(HotRodServerConfigurationParser.java:111)
at org.infinispan.server.configuration.hotrod.HotRodServerConfigurationParser.readElement(HotRodServerConfigurationParser.java:56)
at org.infinispan.configuration.parsing.ParserRegistry.parseElement(ParserRegistry.java:224)
at org.infinispan.configuration.parsing.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:60)
at org.infinispan.server.configuration.ServerConfigurationParser.parseEndpoints(ServerConfigurationParser.java:1126)
at org.infinispan.server.configuration.ServerConfigurationParser.parseServerElements(ServerConfigurationParser.java:121)
at org.infinispan.server.configuration.ServerConfigurationParser.readElement(ServerConfigurationParser.java:92)
at org.infinispan.configuration.parsing.ParserRegistry.parseElement(ParserRegistry.java:224)
at org.infinispan.configuration.parsing.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:60)
at org.infinispan.configuration.parsing.Parser.readElement(Parser.java:127)
at org.infinispan.configuration.parsing.ParserRegistry.parseElement(ParserRegistry.java:224)
at org.infinispan.configuration.parsing.ParserRegistry.parse(ParserRegistry.java:194)
at org.infinispan.configuration.parsing.ParserRegistry.parse(ParserRegistry.java:180)
at org.infinispan.configuration.parsing.ParserRegistry.parse(ParserRegistry.java:169)
at org.infinispan.server.Server.parseConfiguration(Server.java:270)
at org.infinispan.server.Server.<init>(Server.java:198)
at org.infinispan.server.Bootstrap.runInternal(Bootstrap.java:138)
at org.infinispan.server.tool.Main.run(Main.java:98)
at org.infinispan.server.Bootstrap.main(Bootstrap.java:40)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.infinispan.server.loader.Loader.run(Loader.java:76)
at org.infinispan.server.loader.Loader.main(Loader.java:39)
{code}
However, setting the security-realm attribute means that authentication is automatically
configured for endpoints that do not have a {{<authentication>}} element set. So the
following XML always results in REST authentication being enabled.
{code:xml}
<endpoints socket-binding="default" security-realm="default">
   <hotrod-connector name="hotrod">
      <authentication>
         <sasl mechanisms="SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-1 DIGEST-SHA-512 DIGEST-SHA-384 DIGEST-SHA-256 DIGEST-SHA DIGEST-MD5 PLAIN"/>
      </authentication>
   </hotrod-connector>
   <rest-connector name="rest"/>
</endpoints>
{code}
It should be possible for REST auth to be disabled and HotRod auth enabled and
vice-versa.