Authentication Example
This example demonstrates the basics of an implementation of the
SecurityManager.authenticate
method.
The remainder of the example may be found in the Apache Geode
source code in the
geode-core/src/main/java/org/apache/geode/examples/security
directory.
Of course, the security implementation of every installation is unique, so this example cannot be used in a production environment. Its use of the user name as a returned principal upon successful authentication is a particularly poor design choice, as any attacker that discovers the implementation can potentially spoof the system.
This example assumes that a set of user name and password pairs
representing users that may be successfully authenticated
has been read into a data structure upon initialization.
Any component that presents the correct password for a user name
successfully authenticates,
and its identity is verified as that user.
Therefore, the implementation of the authenticate
method
checks that the user name provided within the credentials
parameter
is in its data structure.
If the user name is present,
then the password provided within the credentials
parameter
is compared to the data structure’s known password for that user name.
Upon a match, the authentication is successful.
Username, Password Authentication Example
public Object authenticate(final Properties credentials)
throws AuthenticationFailedException {
String user = credentials.getProperty(ResourceConstants.USER_NAME);
String password = credentials.getProperty(ResourceConstants.PASSWORD);
User userObj = this.userNameToUser.get(user);
if (userObj == null) {
throw new AuthenticationFailedException(
"SampleSecurityManager: wrong username/password");
}
if (user != null
&& !userObj.password.equals(password)
&& !"".equals(user)) {
throw new AuthenticationFailedException(
"SampleSecurityManager: wrong username/password");
}
return user;
}
Token with Expiry Authentication Example
public Object authenticate(final Properties credentials)
throws AuthenticationFailedException, AuthenticationExpiredException {
String encodedToken = credentials.getProperty(ResourceConstants.TOKEN);
if (this.tokenHasExpired(encodedToken)) {
throw new AuthenticationExpiredException("SampleSecurityManager: token has expired");
}
User user = this.encodedTokenToUser.get(encodedToken);
if (user == null) {
throw new AuthenticationFailedException("SampleSecurityManager: unable to get user from token");
}
return user;
}