Vijay Bhaskar Chintalapati created ISPN-4314:
------------------------------------------------
Summary: Authentication is not enforced at Server when a Hotrod client
doesn't enable authentication AND when the cache/cache manager doesn't enforce
authorization
Key: ISPN-4314
URL: https://issues.jboss.org/browse/ISPN-4314
Project: Infinispan
Issue Type: Bug
Components: Security, Server
Affects Versions: 7.0.0.Alpha4
Reporter: Vijay Bhaskar Chintalapati
Assignee: Tristan Tarrant

Consider a situation where:
- Hotrod server enforces authentication via security-realms by defining a
<authentication .../> element in <hotrod-connector .. /> element
- "security-cm" (for example) cache container, tied to the hotrod-connector
above, doesn't define authorization in the configuration file
- "security" (for example) cache of security-cm also doesn't (mainly because
it cannot) enforce authorization
- a Hotrod client uses a regular ConfigurationBuilder without enabling security
In the above scenario any cache operations are permitted without any restrictions. This
authentication should be enforced at all times as defined at the <hotrod-connector
.../> and shouldn't be based on authorization at cache-containers.