[keycloak-dev] Cluster security

Stian Thorgersen sthorger at redhat.com
Thu Nov 12 02:52:28 EST 2015


I believe enabling auth is sufficient, but I'm not 100% sure. I've sent an
email to JGroups mailing list to confirm and I'll let you know.

On 11 November 2015 at 23:05, Matthew Casperson <
matthew.casperson at autogeneral.com.au> wrote:

> The docs state that "By default there's nothing to prevent unauthorized
> nodes from joining the cluster and sending potentially malicious messages
> to the cluster." (
> http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html
> )
>
> Is this still the case if the jgroups stack in Wildfly has implemented the
> AUTH protocol? For example, the Openshift Wildfly config looks something
> like this:
>
>     <stack name="tcp">
>         <transport type="TCP" socket-binding="jgroups-tcp">
>             <property name="external_addr">${env.OPENSHIFT_GEAR_DNS}</property>
>             <property name="external_port">${env.OPENSHIFT_WILDFLY_CLUSTER_PROXY_PORT}</property>
>             <property name="bind_port">${env.OPENSHIFT_WILDFLY_CLUSTER_PORT}</property>
>             <property name="bind_addr">${env.OPENSHIFT_WILDFLY_IP}</property>
>             <property name="defer_client_bind_addr">true</property>
>         </transport>
>         <protocol type="TCPPING">
>             <property name="timeout">30000</property>
>             <property name="initial_hosts">${env.OPENSHIFT_WILDFLY_CLUSTER}</property>
>             <property name="port_range">0</property>
>             <property name="num_initial_members">1</property>
>         </protocol>
>         <protocol type="MERGE2"/>
>         <protocol type="FD"/>
>         <protocol type="VERIFY_SUSPECT"/>
>         <protocol type="BARRIER"/>
>         <protocol type="pbcast.NAKACK"/>
>         <protocol type="UNICAST2"/>
>         <protocol type="pbcast.STABLE"/>
>         <protocol type="AUTH">
>             <property name="auth_class">org.jgroups.auth.MD5Token</property>
>             <property name="token_hash">SHA</property>
>             <property name="auth_value">${env.OPENSHIFT_SECRET_TOKEN}</property>
>         </protocol>
>         <protocol type="pbcast.GMS"/>
>         <protocol type="UFC"/>
>         <protocol type="MFC"/>
>         <protocol type="FRAG2"/>
>         <!--protocol type="pbcast.STATE_TRANSFER"/>
>         <protocol type="pbcast.FLUSH"/-->
>     </stack>
>
>
>
> --
> *Matthew Casperson*
> *Senior Front End Developer*
> Technology, Space & Distribution
> Auto & General Holdings Pty Ltd
> P: 07) 3377 8751 (Direct: 3377 8751)
> F: 07) 3377 8833
>
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
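What the AUTH protocol in the stack above actually checks can be modelled in a few lines. The following is an added example, not code from this thread, from Keycloak or from JGroups: a Python model of the MD5Token join handshake in which the joining node puts hex(SHA-1(shared secret)) in its join request (`token_hash` "SHA" is Java's alias for SHA-1; the hex encoding is assumed to match JGroups) and the coordinator accepts the join when that string matches its own hash of the secret. The class and function names (`Coordinator`, `JoinRequest`, `md5token_value`) are the example's own. Because the comparison is of a value that crosses the wire in the clear, the model also shows that a captured token replays, and that AUTH only gates join (and merge) requests rather than the traffic that follows; protecting that traffic is the job of the separate ENCRYPT protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def md5token_value(secret: str, token_hash: str = "SHA") -> str:
    """Value an MD5Token puts on the wire: hex digest of the shared secret.
    token_hash="SHA" is Java's name for SHA-1; "MD5" is the JGroups default.
    Hex encoding is an assumption about the JGroups implementation."""
    algo = {"SHA": "sha1", "MD5": "md5"}[token_hash.upper()]
    return hashlib.new(algo, secret.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class JoinRequest:
    """Constructed stand-in for a GMS JOIN_REQ carrying an AUTH header."""
    joiner: str
    auth_token: str  # hex(SHA-1(secret)) as sent by the joiner


@dataclass
class Coordinator:
    """Constructed stand-in for the coordinator's AUTH + GMS layers."""
    secret: str
    token_hash: str = "SHA"
    members: list = field(default_factory=list)

    def handle_join(self, req: JoinRequest) -> bool:
        # AUTH: compare the received token with our own hash of the secret.
        # JGroups uses String.equals; a constant-time compare is used here.
        expected = md5token_value(self.secret, self.token_hash)
        if not hmac.compare_digest(req.auth_token, expected):
            return False  # join rejected, joiner never enters the view
        self.members.append(req.joiner)  # GMS adds it to the view
        return True


def demo(secret: str = "example-shared-secret") -> tuple:
    """Three join attempts against one coordinator (all values constructed)."""
    coord = Coordinator(secret)
    legit = JoinRequest("node-1", md5token_value(secret))
    rogue = JoinRequest("rogue-1", md5token_value("wrong-guess"))
    # Replay: the token is the hashed secret itself, so a node that sniffed
    # node-1's JOIN_REQ can reuse it without ever knowing the secret.
    replay = JoinRequest("rogue-2", legit.auth_token)
    return (
        coord.handle_join(legit),
        coord.handle_join(rogue),
        coord.handle_join(replay),
        list(coord.members),
    )


if __name__ == "__main__":
    ok, rejected, replayed, view = demo()
    print(f"legit join: {ok}, wrong secret: {rejected}, replayed token: {replayed}")
    print(f"view: {view}")
```

Run as a script it shows the legitimate join accepted, the wrong secret rejected and the replayed token accepted. The practical reading is that a shared-secret AUTH token keeps casual or misconfigured nodes out of the view, but anyone able to observe a join request on the cluster network can still join, and AUTH by itself does nothing for confidentiality or integrity of cluster messages once a node is a member.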