[infinispan-issues] [JBoss JIRA] (ISPN-4314) Authentication is not enforced at Server when a Hotrod client doesn't enable authentication AND when the cache/cache manager doesn't enforce authorization
Vijay Bhaskar Chintalapati (JIRA)
issues at jboss.org
Thu May 22 17:58:56 EDT 2014
Vijay Bhaskar Chintalapati created ISPN-4314:
------------------------------------------------
Summary: Authentication is not enforced at Server when a Hotrod client doesn't enable authentication AND when the cache/cache manager doesn't enforce authorization
Key: ISPN-4314
URL: https://issues.jboss.org/browse/ISPN-4314
Project: Infinispan
Issue Type: Bug
Components: Security, Server
Affects Versions: 7.0.0.Alpha4
Reporter: Vijay Bhaskar Chintalapati
Assignee: Tristan Tarrant
Consider a situation where:
- Hotrod server enforces authentication via security-realms by defining an <authentication .../> element in the <hotrod-connector .. /> element
- "security-cm" (for example) cache container, tied to the hotrod-connector above, doesn't define authorization in the configuration file
- "security" (for example) cache of security-cm also doesn't (mainly because it cannot) enforce authorization
- a Hotrod client uses a regular ConfigurationBuilder without enabling security
In the above scenario, any cache operations are permitted without any restrictions. This authentication should be enforced at all times as defined at the <hotrod-connector .../> and shouldn't be based on authorization at cache-containers.