Friday, 11 April 2014

Clustered cache quickstart updates

As developers, it's always easy for us to "forget" about documentation and tutorials, and let them get out of date. And this is exactly what happened with our clustered cache tutorial.

Even though we kept updating the tutorial to use the latest configuration style, the core of the tutorial was still assuming that state transfer was disabled by default - something that we changed back in Infinispan 5.0.0.Final.

This was causing a bit of confusion, so I'm happy to report that I've updated the tutorial and I've removed all traces of the ClusterValidation class. Now the tutorial allows you to start as many nodes as you want, and it also shows how a joining node receives data from the existing members during startup.

Infinispan Security #1: Authorization

Dear all, with the release of 7.0.0.Alpha3, Infinispan has finally gained the ability to perform Access Control (aka Authorization) on CacheManagers and Caches. This is the first stepping-stone towards the full-fledged security work that will be completed during the 7.0 cycle.

Infinispan authorization is built around the standard security features available in a JDK near you, such as JAAS and the SecurityManager. Here's a worked example.

Running within a SecurityManager

In order for Infinispan to be able to enforce access restrictions, you should enable the SecurityManager in your JVM. This can be done from the command-line:

java ...

or programmatically:

System.setSecurityManager(new SecurityManager());

You don't have to use the default implementation that comes with the JDK, but if you do you need to supply an appropriate policy file. The Infinispan distribution comes with an example policy file which illustrates the permissions required by some of Infinispan's JAR files. Integrate these permissions with the ones required by your application.

While Infinispan's authorization can work without a SecurityManager for the basic cache operations (put, get, etc), some more complex tasks (distexec, map/reduce, query) will fail without one.

Configuring Infinispan for authorization

Authorization in Infinispan is configured at two levels: at the cache container and at the single cache.
Let's look at cache containers (aka CacheManagers) first:
Each cache container determines the following:
  • whether to use authorization, via the enabled attribute. 
  • a class which will map the user's principals to a set of roles
  • a set of named roles and the permissions they represent
We then need to define the specific roles for each cache:

As you can see you can choose to use only a subset of the roles defined at the container level.

Before you can start using a secured cache, you need to get yourself a

Obtaining a Subject

Infinispan is not fussy about how you obtain a JAAS Subject: you may use your container's features, or a third-party library (such as JBoss PicketBox or Apache Shiro). The important thing is that your Subject should be populated with a set of Principals which represent the user and the groups it belongs to in your security domain (e.g. LDAP, Active Directory, etc).
It is then the duty of the mapper to look through the principals associated with the Subject and convert them into roles suitable for matching those you have defined at the container level.
Once you have a Subject, you interact with the Cache within the context of a PrivilegedAction as follows:

Obviously if you're lucky enough to use Java 8, you can use the following, more concise, lambda-enabled code:

For more details consult the Security chapter in the Infinispan documentation and the JavaDocs.

Stay tuned for the next parts in the Infinispan security saga !

Infinispan 7.0.0.Alpha3 is out!

The Alpha3 release of Infinispan 7.0.0 is now available.


  • authorization at both CacheManager and Cache levels
  • some important enhancements for Map/Reduce's usability, like the ability to use an intermediate cache during Map/Reduce execution and for storing the final results of the Map/Reduce tasks
  • a much welcomed revamp of the Infinispan embedded configuration which has been aligned to with the server
For a complete list of features and bug fixes included in this release please refer to the release notesVisit our downloads section to find the latest release.

If you have any questions please check our forums, our mailing lists or ping us directly on IRC.