2 Replies. Latest reply: Mar 15, 2010 5:59 AM by xiang yingbing

    Security issues of JBoss cache replication

    xiang yingbing Master
      Hi all,

      I have some security-related questions:

      Case 1:
           a) I created a JBoss Cache instance in a standalone Java application:
                 myCache = new DefaultCacheFactory<Object, Object>().createCache("d:/test/all.xml", true);
              and put some values in the cache.
           b) I created a JBoss Cache instance in another standalone Java application,
              and I can see the values.

           c) If a hacker [standalone Java client] creates the same cache instance, can he then see the content of myCache?
              How can I secure it?
          
          
          
      Case 2:
      a) I create the cache in JBoss 5.1:
      myCache = new DefaultCacheFactory<Object, Object>().createCache("d:/test/all.xml", true);
      and put some values.

      b) I created a JBoss Cache instance in a standalone Java application.

      But in my standalone Java application, I can NOT see the values!
      Why?
      How can I see the values?




      attachment: d:/test/all.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jbosscache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="urn:jboss:jbosscache-core:config:3.1">

          <transaction
              transactionManagerLookupClass="org.jboss.cache.transaction.GenericTransactionManagerLookup" />

          <eviction wakeUpInterval="5000">
              <default algorithmClass="org.jboss.cache.eviction.LRUAlgorithm"
                  eventQueueSize="200000">
                  <property name="maxNodes" value="5000" />
                  <property name="timeToLive" value="1000000" />
              </default>
          </eviction>

          <clustering mode="r" clusterName="EmsServerCluster">
              <jgroupsConfig configFile="udp.xml" />
          </clustering>
      </jbosscache>
        • 1. Re: Security issues of JBoss cache replication
          xiang yingbing Master

          The JBoss Cache documentation says nothing about security.

          Case 2:

          I want to use JBoss 5.1 as the server and cache some useful info [for example, alarms] in JBoss Cache.

          When the client is started, it needs to synchronize the cache with the server to get the useful info.

           

          SSL is used.

          set JAVA_OPTS=-DserverName=10.80.2.196 -Dgvu.singletonMaster.vip=10.80.2.218 -Djavax.net.ssl.keyStore=D:/gvu/tools/jboss-5.1.0.GAjdk6/server/gvu/conf/gvuserverkeystore -Djavax.net.ssl.trustStore=D:/gvu/tools/jboss-5.1.0.GAjdk6/server/gvu/conf/gvuservertruststore -Djavax.net.ssl.trustStorePassword=xxx -Djavax.net.ssl.keyStorePassword=xxx -Djboss.gvu.ejb.interface.protocol=sslsocket -Dsslport=3843
          ./run.bat -c gvu -g GVUPartition -u 239.255.100.101 -b 10.80.2.196

           

           

           

          Why can the client NOT see the values cached in the server, while two standalone clients can see each other's cached values?


          • 2. Re: Security issues of JBoss cache replication
            xiang yingbing Master

            The other question is:

            If a hacker creates the same cache with name cluster=DefaultPartition-HAPartitionCache and sets too many values in the cache,

                    will the JBoss server then run out of memory?