Authorization and Security with Embedded Infinispan

What You Will Learn

How to configure role-based access control (RBAC) on embedded Infinispan caches, define roles with specific permissions, and enforce authorization so that only users with the correct roles can access cache data.

Prerequisites

Java 17+

Step 1: Add the Embedded Dependency

Add Infinispan core to your pom.xml:

<dependency>
   <groupId>org.infinispan</groupId>
   <artifactId>infinispan-core</artifactId>
</dependency>

Step 2: Configure Authorization, Roles, and Start the Cache Manager

Enable authorization on the cache manager, define roles with specific permissions, and start the cache manager under an admin subject that has LIFECYCLE permission. The IdentityRoleMapper maps the principal name directly to the role name:

        // Setup up a clustered cache manager
        GlobalConfigurationBuilder global = GlobalConfigurationBuilder.defaultClusteredBuilder();

        // Enable authorization and define the roles and their permissions.
        global.security().authorization().enable()
                // Defines how to map a principal to a role.
                // The identity will simply map the principal name to the role name.
                // For example, user "admin" will map to role "admin", and so on.
                .principalRoleMapper(new IdentityRoleMapper())
                .groupOnlyMapping(false)
                // Define different roles and associate the permissions.
                .role(ADMIN_ROLE).permission(AuthorizationPermission.ALL)
                .role(SECRET_ROLE).permission(AuthorizationPermission.ALL)
                .role(READ_ONLY_ROLE).permission(AuthorizationPermission.ALL_READ)
                .role(WRITE_ONLY_ROLE).permission(AuthorizationPermission.ALL_WRITE);

        // Initialize the cache manager
        // We pass false to not start automatically.
        // Then we call start using the admin user. The user needs LIFECYCLE permission.
        dcm = new DefaultCacheManager(global.build(), false);
        Security.doAs(ADMIN_USER, dcm::start);

Step 3: Create Caches with Authorization and Enforce Access Control

Create caches with authorization enabled, restricting a secret cache to specific roles. Wrap cache operations with Security.doAs to execute under a specific user. Unauthorized access throws a SecurityException:

        // First, create the first cache.
        // This cache is accessible to any role.
        ConfigurationBuilder builder1 = new ConfigurationBuilder();
        builder1.clustering().cacheMode(CacheMode.DIST_SYNC);
        builder1.security().authorization().enable();

        // We utilize an admin to create the cache.
        cache = Security.doAs(ADMIN_USER, () -> dcm.administration().withFlags(CacheContainerAdmin.AdminFlag.VOLATILE)
                .getOrCreateCache(CACHE_NAME, builder1.build()));


        // Now we create a cache only accessible to users with the secret role.
        ConfigurationBuilder builder2 = new ConfigurationBuilder();
        builder2.clustering().cacheMode(CacheMode.DIST_SYNC);
        // The cache must include both roles so it can be stopped by the admin user as well.
        builder2.security().authorization().enable().roles(ADMIN_ROLE, SECRET_ROLE);

        // We utilize an admin to create the cache.
        secretCache = Security.doAs(ADMIN_USER, () -> dcm.administration().withFlags(CacheContainerAdmin.AdminFlag.VOLATILE)
                .getOrCreateCache(SECRET_CACHE_NAME, builder2.build()));

Step 4: Run the Tutorial

mvn package exec:java

The output shows successful reads from the normal and secret caches with the correct users, and a SecurityException when an unauthorized user attempts to access the secret cache.

What’s Next

Add Prometheus metrics to monitor your caches
Explore distributed caching for multi-node setups