Posted to issues@geode.apache.org by "Jinmei Liao (JIRA)" <ji...@apache.org> on 2016/11/03 17:28:58 UTC

[jira] [Updated] (GEODE-2054) Do not use classpath: when looking for security-shiro-ini files

     [ https://issues.apache.org/jira/browse/GEODE-2054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinmei Liao updated GEODE-2054:
-------------------------------
    Description: 
1. Hardcoding [1] the "resource path prefix" [2] (i.e. "classpath:") when the user decides to use Apache Shiro [3] to configure security for Apache Geode [4] is, well, again, rather limiting.

If a user specifies the Geode (System) property, "security-shiro-init", referencing an Apache Shiro INI configuration file, why not let the user decide the resource path source (i.e. classpath:, file:, or url:) of the INI file?  For example...

-Dgeode.security-shiro-init=file:/absolute/file/system/path/to/users/application/shiro.ini

I would not arbitrarily restrict users to only the classpath for locating resources.  It is unlikely the INI file will contain "sensitive" data (e.g. usernames/passwords, or even permission meta-data) in a production environment.  It is more likely that the users will be configuring 1 or more Shiro Realms declared in the [main] section of the INI file to load the security configuration meta-data from an external repository.

Additionally, Apache Shiro has the ability to detect file changes, and dynamically reload the INI security configuration file [5] when the file: resource path (i.e. file system) is used.

> Do not use classpath: when looking for security-shiro-ini files
> ---------------------------------------------------------------
>
>                 Key: GEODE-2054
>                 URL: https://issues.apache.org/jira/browse/GEODE-2054
>             Project: Geode
>          Issue Type: Sub-task
>            Reporter: Jinmei Liao
>
> 1. Hardcoding [1] the "resource path prefix" [2] (i.e. "classpath:") when the user decides to use Apache Shiro [3] to configure security for Apache Geode [4] is, well, again, rather limiting.
> If a user specifies the Geode (System) property, "security-shiro-init", referencing an Apache Shiro INI configuration file, why not let the user decide the resource path source (i.e. classpath:, file:, or url:) of the INI file?  For example...
> -Dgeode.security-shiro-init=file:/absolute/file/system/path/to/users/application/shiro.ini
> I would not arbitrarily restrict users to only the classpath for locating resources.  It is unlikely the INI file will contain "sensitive" data (e.g. usernames/passwords, or even permission meta-data) in a production environment.  It is more likely that the users will be configuring 1 or more Shiro Realms declared in the [main] section of the INI file to load the security configuration meta-data from an external repository.
> Additionally, Apache Shiro has the ability to detect file changes, and dynamically reload the INI security configuration file [5] when the file: resource path (i.e. file system) is used.



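The prefix handling requested in the issue above, as an added JDK-only example that is not Geode's or Shiro's code. The class name `ShiroIniLocator`, the fallback to `classpath:` for a bare name, and the world-writable check on `file:` paths are assumptions of this example, not details from the ticket.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;

// Added illustration; ShiroIniLocator is a hypothetical name, not a Geode or Shiro class.
public final class ShiroIniLocator {
    private static final String CLASSPATH = "classpath:", FILE = "file:", URL_PREFIX = "url:";

    // Assumption: a value without a recognised prefix keeps the old classpath lookup.
    static String normalize(String value) {
        if (value.startsWith(CLASSPATH) || value.startsWith(FILE) || value.startsWith(URL_PREFIX)) {
            return value;
        }
        return CLASSPATH + value;
    }

    static InputStream open(String value) throws IOException {
        String path = normalize(value);
        if (path.startsWith(CLASSPATH)) {
            String name = path.substring(CLASSPATH.length());
            InputStream in = ShiroIniLocator.class.getClassLoader().getResourceAsStream(name);
            if (in == null) throw new IOException("not on classpath: " + name);
            return in;
        }
        if (path.startsWith(URL_PREFIX)) {
            return URI.create(path.substring(URL_PREFIX.length())).toURL().openStream();
        }
        Path file = Paths.get(path.substring(FILE.length()));
        if (!Files.isRegularFile(file)) throw new IOException("not a regular file: " + file);
        // The INI wires up the security realms, so refuse a file any local user could rewrite.
        if (Files.getFileStore(file).supportsFileAttributeView("posix")
                && Files.getPosixFilePermissions(file).contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("world-writable security config: " + file);
        }
        return Files.newInputStream(file);
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("shiro", ".ini"); // constructed sample input
        Files.write(tmp, "[main]\n".getBytes());
        System.out.println(normalize("shiro.ini"));       // bare name, no prefix given
        try (InputStream in = open(FILE + tmp)) {         // explicit file: prefix
            System.out.println(in.read() == '[');
        }
    }
}
```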