Posted to user@ignite.apache.org by radha jai <ja...@gmail.com> on 2019/05/21 05:41:58 UTC

failed to get the security context object

Hi,
       Please, someone reply on this.
       I have implemented the grid security processor and am setting the
security context holder in the authenticate function as below,

public class MySecurityProcessor extends GridProcessorAdapter
        implements DiscoverySpiNodeAuthenticator, GridSecurityProcessor, IgnitePlugin {

    ................
    public SecurityContext authenticate(AuthenticationContext authenticationContext)
            throws IgniteCheckedException {
        SecuritySubject secureSecuritySubject = new SecuritySubject(
            authenticationContext.subjectId(),
            authenticationContext.subjectType(),
            authenticationContext.credentials().getLogin(),
            authenticationContext.address()
        );
        SecurityContext securityContext = new MySecurityContext(secureSecuritySubject, accessToken);
        SecurityContextHolder.set(securityContext);
        return securityContext;
    }

    public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx)
            throws SecurityException {
        System.out.println(SecurityContextHolder.get());
        System.out.println(securityCtx);
        //do some authorization
        .....................
    }
    ......
}

In the plugin provider I am creating the component: GridSecurityProcessor.

The server starts without throwing any error, and the plugin provider also
starts.
Questions:
1. When I start the visor, it is able to connect to the Ignite server. If I
execute some commands in visor like: top, cache, etc., the authorize function
is getting called and always gives the security context as NULL. How do I get
the security context? Also, when visor is called, the authenticate function is
not getting called.
2. When a REST API call is made to create a cache, why is the authorize
function getting called twice? One by GridRestProcessor and GridCacheProcessor?
In this scenario I am getting the security context from
SecurityContextHolder.get(). So no issues.

regards
Radha

Re: failed to get the security context object

Posted by radha <ja...@gmail.com>.
Hi,
  Sorry for the late reply.
  Thanks for the response. I am able to get the context as you mentioned.
  Also, when I try to work with sqlline, while executing the command,
  1. The authorize function gets a securitycontext value that is always null.
  2. Using SecurityContextHolder.get(), I am getting the security context
sometimes and sometimes I won't get it.
  Also, I don't want to set the globalauthentication to true; authentication
should happen only on the coordinator node.

What might be the problem?


Thanks
Radha



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Re: failed to get the security context object

Posted by Zaheer <za...@gmail.com>.
Hi,

I am also trying to develop a security plugin for Ignite. The security context
in the case of a visor call is null, and even the SecurityContextHolder won't
work. Because,

1. *SecurityContextHolder* has a ThreadLocal variable holding the
*SecurityContext*. So if your calls of authenticate and authorize happen in
the same thread, like the *REST* call, it will work. Try printing
Thread.currentThread().getName() in your calls. You will understand what I
am saying.

2. When you connect visor to the grid, the *authenticateNode* method is called.
And after that, any call you make calls the *authorize* method only, and that
only if the plugin was configured on visor. So *SecurityContextHolder.set()*
happens in *authenticateNode*, which is called in the *tcp-discovery-worker*
thread. And *SecurityContextHolder.get()* happens in the *authorize* method,
which is called in a separate thread depending on the visor call. So here
*SecurityContextHolder* will not work.



For cases of visor or any server node or thick client joining the cluster,
*SecurityContext* is passed as null. To overcome this, you need to store the
local node's security context in a field in your plugin, say
*localSecurityContext*, representing the security context of the local node.
You can try something like this:

public class MySecurityProcessor extends GridProcessorAdapter
        implements DiscoverySpiNodeAuthenticator, GridSecurityProcessor, IgnitePlugin {

    // Security context of the local node. It is written on the discovery thread
    // and read on other threads, so it is declared volatile.
    private volatile MySecurityContext localSecurityContext;

    ................
    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
            throws IgniteCheckedException {

        ........................
        //write your logic to authenticate node and return Security Context

        //Check if node is local, and store the security context in your local
        //variable before returning
        if(node.isLocal())  localSecurityContext= .......

    }

    public SecurityContext authenticate(AuthenticationContext authenticationContext)
            throws IgniteCheckedException {
        SecuritySubject secureSecuritySubject = new SecuritySubject(
            authenticationContext.subjectId(),
            authenticationContext.subjectType(),
            authenticationContext.credentials().getLogin(),
            authenticationContext.address()
        );
        SecurityContext securityContext = new MySecurityContext(secureSecuritySubject, accessToken);
        SecurityContextHolder.set(securityContext);
        return securityContext;
    }

    public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx)
            throws SecurityException {
        System.out.println(SecurityContextHolder.get());
        System.out.println(securityCtx);
        //If context is null use localSecurityContext
        if(securityCtx==null) securityCtx=localSecurityContext;
        //do some authorization
        .....................
    }

    ......
}


Note that this will work if *isGlobalNodeAuthentication* is true, because
only then is the *authenticateNode* method called on each joining node (instead
of on the coordinator), so you can save the context in a local variable. The
joining node must also have the plugin configured for this to work.





--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
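
An added illustration of the thread-confinement point made in the reply above (not code from the thread or from Ignite): a plain ThreadLocal stands in for SecurityContextHolder, strings stand in for SecurityContext, and the class, method and executor names are assumptions. It goes slightly beyond the reply by also showing that a pooled thread keeps a value set by an earlier task until it is removed, so an authorization check can pick up a context that belongs to a previous request.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextDemo {
    // Stand-in for a ThreadLocal-backed SecurityContextHolder (assumption: strings as contexts).
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // Field fallback from the reply; volatile so a write on one thread is visible on others.
    static volatile String localSecurityContext;

    // Called on the discovery thread when the local node joins.
    static String authenticateNode(String subject) {
        HOLDER.set(subject);
        localSecurityContext = subject;
        return subject;
    }

    // Mirrors the fallback in authorize(): use the passed context, else the local node's.
    static String resolve(String securityCtx) {
        return securityCtx != null ? securityCtx : localSecurityContext;
    }

    // Runs a task on the executor's single thread and waits for its result.
    static String on(ExecutorService ex, Callable<String> task) throws Exception {
        return ex.submit(task).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService discovery = Executors.newSingleThreadExecutor();
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            on(discovery, () -> authenticateNode("local-node"));
            // Different thread: the holder set during authenticateNode is not visible here.
            System.out.println("holder on worker:   " + on(worker, () -> HOLDER.get()));
            // The field fallback still resolves a context when authorize() receives null.
            System.out.println("resolved on worker: " + on(worker, () -> resolve(null)));
            // Pooled thread: a context set by one request survives into the next task.
            on(worker, () -> { HOLDER.set("alice"); return "set"; });
            System.out.println("next task sees:     " + on(worker, () -> HOLDER.get()));
            // Clearing the holder when a request ends prevents that carry-over.
            on(worker, () -> { HOLDER.remove(); return "cleared"; });
            System.out.println("after remove():     " + on(worker, () -> HOLDER.get()));
        } finally {
            discovery.shutdown();
            worker.shutdown();
        }
    }
}
```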