Securing Caches with Role-Based Authorization

What You Will Learn

How to create a cache with role-based authorization so that only users with specific roles can perform operations on it.

Prerequisites

  • Java 17+

  • An Infinispan Server running on localhost:11222 (or Docker/Podman available for Testcontainers)

Start an Infinispan Server with Docker or Podman:

docker run -it --rm -p 11222:11222 -e USER=admin -e PASS=password quay.io/infinispan/server:latest

Tip: You can replace docker with podman in the command above if you use Podman.

Tip: If no server is running, the tutorial code automatically starts an Infinispan Server using Testcontainers.

Step 1: Define a Secured Cache

Create a cache configuration that restricts access to the deployer role:

<distributed-cache name="securedCache">
    <encoding media-type="application/x-protostream"/>
    <security>
        <authorization enabled="true" roles="deployer" />
    </security>
</distributed-cache>

Only users with the deployer role can read or write to this cache. Other authenticated users will get an authorization error.

Step 2: Connect and Access Caches

Connect with the default admin credentials:

   public static void connectToInfinispan() throws Exception {
      ConfigurationBuilder configurationBuilder = TutorialsConnectorHelper.connectionConfig();
      URI securedCacheConfig = InfinispanAuthorizationCache.class.getClassLoader().getResource("securedCache.xml").toURI();
      configurationBuilder.remoteCache(SECURED_CACHE).configurationURI(securedCacheConfig);

      // Connect to Infinispan with an additional cache that is secured with authorization
      // for the deployer role only. We connect as the 'admin' user, which has the 'admin' role.
      cacheManager = TutorialsConnectorHelper.connect(configurationBuilder);
      cache = cacheManager.getCache(TUTORIAL_CACHE_NAME);
      securedCache = cacheManager.getCache(SECURED_CACHE);
   }

Step 3: Observe Authorization in Action

Access to the unrestricted cache works normally, but accessing the secured cache without the required role throws an exception:

   static void manipulateCache() {
      // Store a value in a non secured cache
      cache.put("key", "value");

      try {
         // Store a value in a cache that your role has not been granted access to
         securedCache.put("key", "value");
      } catch (HotRodClientException ex) {
         message = ex.getMessage().toLowerCase();
         System.out.println(ex.getMessage());
      }
   }
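
Step 3 denies the admin user because the cache's roles list decides which of a user's roles count at all; permissions held through an unlisted role are ignored. The following is an added example, not code from the tutorial or from Infinispan itself: a simplified offline model of that check, in which the class name, the four-value permission set and the role-to-permission table are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Simplified model (added example, not Infinispan source) of how a cache-level
// roles list narrows which of a user's roles count when an operation is authorized.
public class CacheRoleCheck {
   enum Permission { READ, WRITE, CREATE, ADMIN }

   // Assumed role-to-permission table, reduced to four permissions for illustration.
   static final Map<String, Set<Permission>> ROLE_PERMISSIONS = Map.of(
         "admin", EnumSet.allOf(Permission.class),
         "deployer", EnumSet.of(Permission.READ, Permission.WRITE, Permission.CREATE),
         "application", EnumSet.of(Permission.READ, Permission.WRITE),
         "observer", EnumSet.of(Permission.READ));

   // A role contributes its permissions only if the cache lists it. An empty
   // list models a cache with no roles restriction (assumption of this model).
   static Set<Permission> effectivePermissions(Set<String> userRoles, Set<String> cacheRoles) {
      Set<Permission> granted = EnumSet.noneOf(Permission.class);
      for (String role : userRoles) {
         if (cacheRoles.isEmpty() || cacheRoles.contains(role)) {
            granted.addAll(ROLE_PERMISSIONS.getOrDefault(role, Set.of()));
         }
      }
      return granted;
   }

   static boolean isAllowed(Set<String> userRoles, Set<String> cacheRoles, Permission needed) {
      return effectivePermissions(userRoles, cacheRoles).contains(needed);
   }

   public static void main(String[] args) {
      Set<String> securedCacheRoles = Set.of("deployer"); // roles="deployer" from Step 1
      Set<String> unrestricted = Set.of();                // cache without a roles list

      // 'admin' holds every permission, but its role is not listed on securedCache.
      System.out.println("admin on securedCache, WRITE:    "
            + isAllowed(Set.of("admin"), securedCacheRoles, Permission.WRITE));
      System.out.println("deployer on securedCache, WRITE: "
            + isAllowed(Set.of("deployer"), securedCacheRoles, Permission.WRITE));
      System.out.println("admin on unrestricted, WRITE:    "
            + isAllowed(Set.of("admin"), unrestricted, Permission.WRITE));
      // A user holding both roles is allowed through the listed one only.
      System.out.println("admin+deployer, effective set:   "
            + effectivePermissions(Set.of("admin", "deployer"), securedCacheRoles));
   }
}
```

The last case shows the review point for cache ACLs: a user who holds both roles gets only the permissions of the listed role on that cache, not the wider set of the unlisted one.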

Step 4: Run the Tutorial

mvn package exec:java

You will see an authorization error message when trying to write to the secured cache, demonstrating that RBAC is enforced.

What’s Next