2 Replies Latest reply on May 17, 2013 8:58 AM by nadirx

    Infinispan's jGroups AUTH

    tomas11

      Hi

       

      I've got a couple of questions regarding the AUTH protocol that is used in Infinispan's jGroups.

       

      - Is the jGroups AUTH protocol using a secure (https?) connection for exchanging auth tokens?

       

      - How secure is using the AUTH protocol in Infinispan's configuration? I've found that it can be vulnerable to replay attacks - https://issues.jboss.org/browse/JGRP-1487

       

      - How big an issue is it? How can we prevent unauthenticated members from joining the cluster and still be on the safe side with replay attacks?

       

      - Are there any other standard ways to secure authentication in Infinispan?

       

      Can someone help me with this?

      Thanks

        • 1. Re: Infinispan's jGroups AUTH
          tomas11

          Any replies / advice regarding this?

          Thanks

          • 2. Re: Infinispan's jGroups AUTH
            nadirx

            Hi Tomas, I think that the current AUTH protocol implementations are mostly proof-of-concept and haven't been extensively tested for security holes such as the potential replay attack. Security is one of the things we will be working on for Infinispan 6.0, and we'll gladly accept any contributions (ideas, suggestions and obviously code are all welcome).