Jason,
good point.
All that the auth cache does is save the authenticated subject so that
we don't have to do the JAAS routine (db/ldap etc).
We can certainly propagate the subject (that does not contain any
credentials). In the absence of a distributed cache, on failover or
load balancing (with no session affinity), the user will see some latency
(due to jaas modules getting kicked in for auth such that the subject
now gets into the local cache).
JCA login modules populate the subject with priv credentials. But the
auth cache design should account for now propagating subjects that
contain the priv credentials.
Regards,
Anil
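As an added illustration of the design point above (example code written for this page, not code from the thread or from JBoss AS7): a hypothetical cache that stores only a copy of the Subject with its private credentials stripped, so that what gets replicated to other nodes carries principals and public credentials but never the private credentials that JCA login modules add. Class and method names are assumptions.

```java
import javax.security.auth.Subject;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical auth cache whose entries are safe to replicate across nodes.
public final class ReplicableAuthCache {
    private static final class Entry {
        final Subject subject;
        final long expiresAtMillis;
        Entry(Subject subject, long expiresAtMillis) {
            this.subject = subject;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public ReplicableAuthCache(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // Copy principals and public credentials only; private credentials
    // (passwords, tokens added by JCA login modules) are deliberately left out.
    static Subject stripPrivateCredentials(Subject authenticated) {
        Subject copy = new Subject();
        copy.getPrincipals().addAll(authenticated.getPrincipals());
        copy.getPublicCredentials().addAll(authenticated.getPublicCredentials());
        copy.setReadOnly(); // the replicated copy cannot be modified later
        return copy;
    }

    public void put(String key, Subject authenticated) {
        entries.put(key, new Entry(stripPrivateCredentials(authenticated),
                                   System.currentTimeMillis() + ttlMillis));
    }

    // Expired entries are dropped, so a stale subject is never served.
    public Subject get(String key) {
        Entry e = entries.get(key);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAtMillis) {
            entries.remove(key, e);
            return null;
        }
        return e.subject;
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(() -> "alice");                 // constructed sample
        s.getPrivateCredentials().add("constructed-db-password");
        ReplicableAuthCache cache = new ReplicableAuthCache(60_000);
        cache.put("alice", s);
        Subject cached = cache.get("alice");
        System.out.println(cached.getPrincipals().size());            // 1
        System.out.println(cached.getPrivateCredentials().isEmpty()); // true
    }
}
```

On a cache miss the regular JAAS login runs again, which is the latency described above; the cost is paid once per node rather than by shipping credentials.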
On 03/18/2011 12:11 AM, Jason Greene wrote:
This sounds like a security weakness since you would be passing
credentials everywhere. It would probably be susceptible to various forms of cache
poisoning as well. Why does authentication info need to be distributed?
Sent from my iPad
On Mar 17, 2011, at 12:42 PM, Marcus Moyses<mmoyses(a)redhat.com> wrote:
> Yes, the idea is to have cache replication as optional.
>
> On 03/17/2011 04:38 PM, Brian Stansberry wrote:
>> Ok, cool.
>>
>> Then it's just[1] an issue of whether people configuring security want
>> to bring in a requirement for running the group communication subsystem
>> (and distributed caching if Infinispan is used). If it's an optional
>> thing it's really no different than wanting clustering capabilities for
>> other subsystems.
>>
>> [1] I can say "just" because I'm not the AS clustering lead anymore so
>> details are all easy. ;-)
>>
>> On 3/17/11 1:56 PM, Anil Saldhana wrote:
>>> Brian,
>>> the cache is for authentication in the AS instances. We were looking
>>> at infinispan because
>>> then we could rely on its settings for ttl, strategies etc.
>>>
>>> Regards,
>>> Anil
>>>
>>> On 03/17/2011 01:47 PM, Brian Stansberry wrote:
>>>> Paul will be bringing in clustering services a la AS 6 (Paul: when?).
>>>>
>>>> But if this cache is to be used for management authentication, any
>>>> JGroups based solution is not an option. The management architecture is
>>>> not peer-to-peer.
>>>>
>>>> On 3/17/11 1:23 PM, Marcus Moyses wrote:
>>>>> Hello,
>>>>> I need to implement an authentication cache for AS7 and one of the
>>>>> requirements we need is that it should be replicated in all nodes.
>>>>> Do we have this use case implemented somewhere already? I was thinking
>>>>> about using Infinispan but I don't see this dependency (or JGroups for
>>>>> that matter) currently in AS7 so I was wondering if we are using
>>>>> something else that I'm not familiar with.
>>>>> I don't want to bring new dependencies if they are not necessary ;)
>>>>>
>>>>> Regards,