0 Replies Latest reply on Jul 9, 2008 10:25 AM by Lowry Curry

    authorization on endpoints spread across a cluster

    Lowry Curry Newbie

      I have a very simple filepoller/filesender scenario. I have a clustered environment consisting of 2 SMX instances, each running on a different box. I deploy the filepoller SA to instance running on host1. I deploy the filesender SA to instance running on host2.

      I've left the default authorization on host1 container's broker allowing all users/all roles:


      <sm:authorizationEntry service="*:" roles=""/>


      I've configured the broker on host2 to only allow access to the filesender endpoint to users with role 'mgr':


      <sm:authorizationEntry service="tut:file" endpoint="sender" roles="mgr"/>


      Effectively, what i want is to configure which users are allowed to invoke a particular JBI component instance, regardless of which cluster it resides, in this case my filesender should be restricted to users with 'mgr' role.

      But i don't see this happening. When I run the clustered scenario filepoller (on host1) -->filesender (on host2), i don't get any type of authorization error. I would expect to see one in this case because I'm not specifying any user/pass info in the message and therefore the filesender should deny access (it should only allow access to users with 'mgr' role).

      The kicker is, when i run this scenario in an unclustered environment with authorization configured as follows, it works, i.e. i get a "User not authenticated" error.


      <sm:authorizationEntry service="tut:file" endpoint="sender" roles="mgr"/>


      So it appears the authorizationEntries on host2 (in the clustered scenario) is being ignored. The authorizationEntries on host1 gets used instead.

      So a potential work around might be to keep all security.xml files consistent.

      if I combine the authorizationEntries, and sync the security config files for both smx instances in the cluster, I get the expected behavior.

      Is this behavior to be expected? I'd imagine not as the actual work of updating the security file for a small cluster is simple, but it will quickly become an issue for large clusters that span multiple network zones in an enterprise wide deployment.


      Edited by: lcurry on Jul 9, 2008 10:18 AM


      Edited by: lcurry on Jul 9, 2008 10:20 AM


      Edited by: lcurry on Jul 9, 2008 10:23 AM