Merge pull request #45982 from karesti/fix-fips

Infinispan client default auth to DIGEST-SHA-512

Author: gastaldi

docs/src/main/asciidoc/infinispan-client-reference.adoc

@@ -299,6 +299,7 @@ distributedCache:
 
 You can use the following authentication mechanisms with the Infinispan client:
 
+* DIGEST-SHA-512 (default)
 * DIGEST-MD5
 * PLAIN (recommended only in combination with TLS encryption)
 * EXTERNAL

extensions/infinispan-client/deployment/src/main/java/io/quarkus/infinispan/client/deployment/InfinispanClientProcessor.java

@@ -307,15 +307,16 @@ InfinispanPropertiesBuildItem setup(ApplicationArchivesBuildItem applicationArch
         String[] elytronClasses = new String[] {
                 "org.wildfly.security.sasl.plain.PlainSaslClientFactory",
                 "org.wildfly.security.sasl.scram.ScramSaslClientFactory",
+                "org.wildfly.security.sasl.digest.DigestClientFactory",
                 "org.wildfly.security.credential.BearerTokenCredential",
                 "org.wildfly.security.credential.GSSKerberosCredential",
                 "org.wildfly.security.credential.KeyPairCredential",
                 "org.wildfly.security.credential.PasswordCredential",
                 "org.wildfly.security.credential.PublicKeyCredential",
                 "org.wildfly.security.credential.SecretKeyCredential",
                 "org.wildfly.security.credential.SSHCredential",
-                "org.wildfly.security.credential.X509CertificateChainPrivateCredential",
-                "org.wildfly.security.credential.X509CertificateChainPublicCredential"
+                "org.wildfly.security.digest.SHA512_256MessageDigest",
+                "org.wildfly.security.credential.X509CertificateChainPrivateCredential"
         };
 
         reflectiveClass.produce(ReflectiveClassBuildItem.builder(elytronClasses).reason(getClass().getName()).build());

extensions/infinispan-client/deployment/src/test/java/org/quarkus/infinispan/client/deployment/InfinispanDefaultMinimalConfigurationTest.java

@@ -32,7 +32,7 @@ public void infinispanConnectionConfiguration() {
         assertThat(configuration.clientIntelligence()).isEqualTo(ClientIntelligence.HASH_DISTRIBUTION_AWARE);
         assertThat(configuration.remoteCaches()).isEmpty();
         assertThat(configuration.security().authentication().enabled()).isTrue();
-        assertThat(configuration.security().authentication().saslMechanism()).isEqualTo("DIGEST-MD5");
+        assertThat(configuration.security().authentication().saslMechanism()).isEqualTo("DIGEST-SHA-512");
         assertThat(configuration.security().ssl().enabled()).isFalse();
     }
 }

extensions/infinispan-client/runtime/src/main/java/io/quarkus/infinispan/client/runtime/InfinispanClientRuntimeConfig.java

@@ -109,13 +109,14 @@ public interface InfinispanClientRuntimeConfig {
     /**
      * Sets SASL mechanism used by authentication.
      * Available values:
-     * * `DIGEST-MD5` - Uses the MD5 hashing algorithm in addition to nonces to encrypt credentials. This is the default.
+     * * `DIGEST-SHA-512` - Uses the SHA-512 hashing algorithm to securely hash and verify credentials. This is the default.
+     * * `DIGEST-MD5` - Uses the MD5 hashing algorithm in addition to nonces to encrypt credentials.
      * * `EXTERNAL` - Uses client certificates to provide valid identities to Infinispan Server and enable encryption.
      * * `PLAIN` - Sends credentials in plain text (unencrypted) over the wire in a way that is similar to HTTP BASIC
      *             authentication. You should use `PLAIN` authentication only in combination with TLS encryption.
      */
     // @formatter:on
-    @WithDefault("DIGEST-MD5")
+    @WithDefault("DIGEST-SHA-512")
     Optional<String> saslMechanism();
 
     /**