[keycloak-dev] Cluster security

Matthew Casperson matthew.casperson at autogeneral.com.au
Wed Nov 11 17:05:37 EST 2015


The docs state that "By default there's nothing to prevent unauthorized
nodes from joining the cluster and sending potentially malicious messages
to the cluster." (
http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html
)

Is this still the case if the jgroups stack in Wildfly has implemented the
AUTH protocol? For example, the Openshift Wildfly config looks something
like this:

    <stack name="tcp">
        <transport type="TCP" socket-binding="jgroups-tcp">
            <property name="external_addr">${env.OPENSHIFT_GEAR_DNS}</property>
            <property
name="external_port">${env.OPENSHIFT_WILDFLY_CLUSTER_PROXY_PORT}</property>
            <property
name="bind_port">${env.OPENSHIFT_WILDFLY_CLUSTER_PORT}</property>
            <property name="bind_addr">${env.OPENSHIFT_WILDFLY_IP}</property>
            <property name="defer_client_bind_addr">true</property>
        </transport>
        <protocol type="TCPPING">
            <property name="timeout">30000</property>
            <property
name="initial_hosts">${env.OPENSHIFT_WILDFLY_CLUSTER}</property>
            <property name="port_range">0</property>
            <property name="num_initial_members">1</property>
        </protocol>
        <protocol type="MERGE2"/>
        <protocol type="FD"/>
        <protocol type="VERIFY_SUSPECT"/>
        <protocol type="BARRIER"/>
        <protocol type="pbcast.NAKACK"/>
        <protocol type="UNICAST2"/>
        <protocol type="pbcast.STABLE"/>
        <protocol type="AUTH">
            <property name="auth_class">org.jgroups.auth.MD5Token</property>
            <property name="token_hash">SHA</property>
            <property name="auth_value">${env.OPENSHIFT_SECRET_TOKEN}</property>
        </protocol>
        <protocol type="pbcast.GMS"/>
        <protocol type="UFC"/>
        <protocol type="MFC"/>
        <protocol type="FRAG2"/>
        <!--protocol type="pbcast.STATE_TRANSFER"/>
        <protocol type="pbcast.FLUSH"/-->
    </stack>



-- 
*Matthew Casperson*
*Senior Front End Developer*
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833

-- 


This email is sent by Auto & General Insurance Company Ltd, Auto & General Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body corporate (Auto & General) and is for the intended addressee.
The views expressed in this email and attachments (email) reflect the views of the stated author but may not reflect views of Auto & General. This email is confidential and subject to copyright. 
It may be privileged. If you are not the intended addressee, confidentiality and privilege have not been waived and any use, interference with, or disclosure of this email is unauthorised. 
If you are not the intended addressee please immediately notify the sender and then delete the email. Auto & General does not warrant that this email is error or virus free.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151112/51a9c0f1/attachment.html 


More information about the keycloak-dev mailing list