2 Replies. Latest reply: Mar 15, 2010 5:59 AM by xiang yingbing

Security issues of JBoss cache replication

xiang yingbing Master
Hi all,

I have some security-related questions:

Case 1.
     a) I created a JBoss Cache instance in a standalone Java application:
           myCache = new DefaultCacheFactory<Object, Object>().createCache("d:/test/all.xml", true);
        Then I put some values in the cache.
     b) I created a JBoss Cache instance in another standalone Java application,
        and I can see the values.

     c) If a hacker [standalone Java client] creates the same cache instance, can he then see the content of myCache?
        How to secure it?

Case 2.
     a) I create the cache in JBoss 5.1:
           myCache = new DefaultCacheFactory<Object, Object>().createCache("d:/test/all.xml", true);
        and put some values.

     b) I created a JBoss Cache instance in a standalone Java application.

But in my standalone Java application, I can NOT see the values!
Why?
How to see the values?

Attachment: d:/test/all.xml

<?xml version="1.0" encoding="UTF-8"?>
<jbosscache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:jboss:jbosscache-core:config:3.1">

    <transaction
        transactionManagerLookupClass="org.jboss.cache.transaction.GenericTransactionManagerLookup" />

    <eviction wakeUpInterval="5000">
        <default algorithmClass="org.jboss.cache.eviction.LRUAlgorithm"
            eventQueueSize="200000">
            <property name="maxNodes" value="5000" />
            <property name="timeToLive" value="1000000" />
        </default>
    </eviction>

    <clustering mode="r" clusterName="EmsServerCluster">
        <jgroupsConfig configFile="udp.xml" />
    </clustering>
</jbosscache>
  • 1. Re: Security issues of JBoss cache replication
    xiang yingbing Master

    The JBoss Cache document says nothing about security.

    Case 2:

    I want to use JBoss 5.1 as the server and cache some useful info [for example, alarms] in JBoss Cache.

    When the client is started, it needs to synchronize the cache with the server to get the useful info.

    SSL is used.

    set JAVA_OPTS=-DserverName=10.80.2.196 -Dgvu.singletonMaster.vip=10.80.2.218 -Djavax.net.ssl.keyStore=D:/gvu/tools/jboss-5.1.0.GAjdk6/server/gvu/conf/gvuserverkeystore -Djavax.net.ssl.trustStore=D:/gvu/tools/jboss-5.1.0.GAjdk6/server/gvu/conf/gvuservertruststore -Djavax.net.ssl.trustStorePassword=xxx -Djavax.net.ssl.keyStorePassword=xxx -Djboss.gvu.ejb.interface.protocol=sslsocket -Dsslport=3843
    ./run.bat -c gvu -g GVUPartition -u 239.255.100.101 -b 10.80.2.196

    Why can the client NOT see the values cached in the server, while two standalone clients can see each other's cached values?


  • 2. Re: Security issues of JBoss cache replication
    xiang yingbing Master

    The other question is:

    If a hacker creates the same cache with name cluster=DefaultPartition-HAPartitionCache and sets too many values in the cache,
    will the JBoss server then run out of memory?
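
The concern raised in this thread (any process that loads the same configuration can join the cluster and read or write the replicated data) is normally addressed at the JGroups layer. The following is an added example, not part of the original posts and not the JBoss project's own configuration: a JGroups 2.x stack with the AUTH and ENCRYPT protocols. The file name `udp-secured.xml`, the keystore name, the alias and all secret values are placeholders, and the other protocols are left at their defaults.

```xml
<!-- udp-secured.xml (hypothetical file name): JGroups 2.x stack, listed bottom-up.
     Copy the tuning attributes of the other protocols from your existing udp.xml. -->
<config>
    <UDP mcast_addr="${jgroups.udp.mcast_addr:228.10.10.10}"
         mcast_port="${jgroups.udp.mcast_port:45588}" />
    <PING />
    <MERGE2 />
    <FD_SOCK />
    <FD />
    <VERIFY_SUSPECT />

    <!-- ENCRYPT: encrypts message payloads with a secret key read from a
         keystore found on the classpath. Keystore name, alias and password
         are placeholders; every legitimate member needs the same keystore. -->
    <ENCRYPT key_store_name="CHANGE_ME.keystore"
             store_password="CHANGE_ME"
             alias="CHANGE_ME" />

    <pbcast.NAKACK />
    <UNICAST />
    <pbcast.STABLE />

    <!-- AUTH is listed directly before GMS: a join request whose token does
         not match auth_value is rejected, so a client that only knows the
         cluster name cannot become a member. The value is a placeholder. -->
    <AUTH auth_class="org.jgroups.auth.MD5Token"
          auth_value="CHANGE_ME_SHARED_SECRET"
          token_hash="SHA" />
    <pbcast.GMS />

    <FC />
    <FRAG2 />
    <pbcast.STATE_TRANSFER />
</config>

<!-- In all.xml, point the cache at the secured stack instead of udp.xml: -->
<clustering mode="r" clusterName="EmsServerCluster">
    <jgroupsConfig configFile="udp-secured.xml" />
</clustering>
```

The server and every legitimate client must load the same stack with the same secrets, and the stack file and keystore should be readable only by the accounts that run those processes.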