[
https://issues.jboss.org/browse/WFLY-1067?page=com.atlassian.jira.plugin....
]
Richard Achmatowicz edited comment on WFLY-1067 at 9/29/14 11:44 AM:
---------------------------------------------------------------------
At the clustering meeting last week, given that there are now three possible security
protocol layers (AUTH, ENCRYPT, SASL), we proposed introducing a new child-type:
{noformat}
<stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp"/>
    <protocol type="PING"/>
    <protocol type="MERGE3"/>
    <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
    <protocol type="FD_ALL"/>
    <protocol type="VERIFY_SUSPECT"/>
    <protocol type="pbcast.NAKACK2"/>
    <protocol type="UNICAST3"/>
    <protocol type="pbcast.STABLE"/>
    <security-protocol type="AUTH" mech="DIGEST" realm="JGroupsRealm"/>
    <security-protocol type="ENCRYPT" mech="Client-CERT" realm="JGroupsRealm"/>
    <protocol type="pbcast.GMS"/>
    <protocol type="UFC"/>
    <protocol type="MFC"/>
    <protocol type="FRAG2"/>
    <protocol type="RSVP"/>
</stack>
{noformat}
If there were further configuration required for any security protocol which was not made
available via the realm, this could be provided as properties as usual.
In the case of providing a secret key to TP for probe, a realm attribute could be added
to the transport child to handle that case.
was (Author: rachmato):
At the clustering meeting last week, given that there are now three possible security
protocol layers, we proposed introducing a new child-type:
{noformat}
<stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp"/>
    <protocol type="PING"/>
    <protocol type="MERGE3"/>
    <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
    <protocol type="FD_ALL"/>
    <protocol type="VERIFY_SUSPECT"/>
    <protocol type="pbcast.NAKACK2"/>
    <protocol type="UNICAST3"/>
    <protocol type="pbcast.STABLE"/>
    <security-protocol type="AUTH" mech="DIGEST" realm="JGroupsRealm"/>
    <security-protocol type="ENCRYPT" mech="Client-CERT" realm="JGroupsRealm"/>
    <protocol type="pbcast.GMS"/>
    <protocol type="UFC"/>
    <protocol type="MFC"/>
    <protocol type="FRAG2"/>
    <protocol type="RSVP"/>
</stack>
{noformat}
In the case of providing a secret key to TP for probe, a realm attribute could be added to
the transport child to handle that case.
If there were further configuration required for any security protocol which was not made
available via the realm, this could be provided as properties as usual.
Integrate JGroups with core AS security infrastructure
------------------------------------------------------
Key: WFLY-1067
URL: https://issues.jboss.org/browse/WFLY-1067
Project: WildFly
Issue Type: Feature Request
Components: Clustering, Security
Reporter: Brian Stansberry
Assignee: Richard Achmatowicz
Container task for better integrating JGroups security with overall AS security. The
basic concept is the various security-aware aspects of JGroups will expose an SPI, and the
AS can create implementations of those SPIs that integrate with the AS security realms.
The AS JGroups subsystem will inject the implementation into the JGroups runtime
components.
Subtasks are for the various aspects. These can be done separately but a common overall
design should be created to ensure a consistent approach is taken.