org.apache.geode.examples.security

Class ExampleSecurityManager

java.lang.Object

org.apache.geode.examples.security.ExampleSecurityManager

All Implemented Interfaces:

SecurityManager

public class ExampleSecurityManager
extends Object
implements SecurityManager

This class provides a sample implementation of SecurityManager for authentication and authorization initialized from data provided as JSON.

A Geode member must be configured with the following:

security-manager = org.apache.geode.examples.security.ExampleSecurityManager

The class can be initialized with from a JSON resource called security.json. This file must exist on the classpath, so members should be started with an appropriate --classpath option.

The format of the JSON for configuration is as follows:

 
 {
   "roles": [
     {
       "name": "admin",
       "operationsAllowed": [
         "CLUSTER:MANAGE",
         "DATA:MANAGE"
       ]
     },
     {
       "name": "readRegionA",
       "operationsAllowed": [
         "DATA:READ"
       ],
       "regions": ["RegionA", "RegionB"]
     }
   ],
   "users": [
     {
       "name": "admin",
       "password": "secret",
       "roles": ["admin"]
     },
     {
       "name": "guest",
       "password": "guest",
       "roles": ["readRegionA"]
     }
   ]
 }
 
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ExampleSecurityManager.Role
static class	ExampleSecurityManager.User

Field Summary

Fields

Modifier and Type	Field and Description
protected static String	DEFAULT_JSON_FILE_NAME
static String	SECURITY_JSON

Fields inherited from interface org.apache.geode.security.SecurityManager

PASSWORD, TOKEN, USER_NAME

Constructor Summary

Constructors

Constructor and Description
ExampleSecurityManager()

Method Summary

Modifier and Type	Method and Description
Object	authenticate(Properties credentials) Verify the credentials provided in the properties Your security manager needs to validate credentials coming from all communication channels.
boolean	authorize(Object principal, ResourcePermission context) Authorize the ResourcePermission for a given Principal
ExampleSecurityManager.User	getUser(String user)
void	init(Properties securityProperties) Initialize the SecurityManager.
boolean	initializeFromJsonResource(String jsonResource)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.geode.security.SecurityManager

close

Field Detail

SECURITY_JSON

public static final String SECURITY_JSON

See Also:

Constant Field Values

DEFAULT_JSON_FILE_NAME

protected static final String DEFAULT_JSON_FILE_NAME

See Also:

Constant Field Values

Constructor Detail

ExampleSecurityManager

public ExampleSecurityManager()

Method Detail

authorize

public boolean authorize(Object principal,
                         ResourcePermission context)

Description copied from interface: SecurityManager

Authorize the ResourcePermission for a given Principal

Specified by:

authorize in interface SecurityManager

Parameters:

principal - The principal that's requesting the permission

context - The permission requested

Returns:

true if authorized, false if not

init

public void init(Properties securityProperties)
          throws NotAuthorizedException

Description copied from interface: SecurityManager

Initialize the SecurityManager. This is invoked when a cache is created

Specified by:

init in interface SecurityManager

Parameters:

securityProperties - the security properties obtained using a call to DistributedSystem.getSecurityProperties()

Throws:

NotAuthorizedException

authenticate

public Object authenticate(Properties credentials)
                    throws AuthenticationFailedException

Description copied from interface: SecurityManager

Verify the credentials provided in the properties Your security manager needs to validate credentials coming from all communication channels. If you use AuthInitialize to generate your client/peer credentials, then the input of this method is the output of your AuthInitialize.getCredentials method. But remember that this method will also need to validate credentials coming from gfsh/jmx/rest client, the framework is putting the username/password under security-username and security-password keys in the property, so your securityManager implementation needs to validate these kind of properties as well. if a channel supports token-based-authentication, the token will be passed to the security manager in the property with the key "security-token".

Specified by:

authenticate in interface SecurityManager

Parameters:

credentials - it contains the security-username, security-password or security-token, as keys of the properties, also the properties generated by your AuthInitialize interface

Returns:

a serializable principal object

Throws:

AuthenticationFailedException - if the credentials are invalid, this exception will be seen by the client.

initializeFromJsonResource

public boolean initializeFromJsonResource(String jsonResource)

getUser

public ExampleSecurityManager.User getUser(String user)