You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:47:04 UTC

[jira] [Closed] (GEODE-9494) HTTP Session State Module - Security Properties

     [ https://issues.apache.org/jira/browse/GEODE-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Nichols closed GEODE-9494.
-------------------------------

> HTTP Session State Module - Security Properties
> -----------------------------------------------
>
>                 Key: GEODE-9494
>                 URL: https://issues.apache.org/jira/browse/GEODE-9494
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Juan Ramos
>            Assignee: Juan Ramos
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> In order to configure authentication and authorization, the geode cache must be configured with either the {{security-client-auth-init}} or {{security-peer-auth-init}} properties.
>  The implementation of the {{AuthInitialize}} interface is supposed to obtain credentials for a client or peer and, in practice, it should be able to connect to an external data source or use some extra configuration as to know where to retrieve the actual credentials from. The {{AuthInitialize.getCredentials()}} method receives all gemfire properties configured with the prefix {{security-}} and its expected to use them in order to configure itself.
>  The {{AbstractCache}} class, however, prevents the user from configuring any property not returned by the {{AbstractDistributionConfig._getAttNames()}} method, and this does not include those properties starting with {{security-}}:
> {noformat}
>   public void setProperty(String name, String value) {
>     // TODO Look at fake attributes
>     if (name.equals("className")) {
>       return;
>     }
>     // Determine the validity of the input property
>     boolean validProperty = false;
>     // TODO: AbstractDistributionConfig is internal and _getAttNames is designed for testing.
>     for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
>       if (name.equals(gemfireProperty)) {
>         validProperty = true;
>         break;
>       }
>     }
> ...
> }
> {noformat}
> The above, in turn, makes almost impossible for users to correctly implement {{AuthInitialize}} without leveraging system properties or hardcoded paths for external configuration.
> —
> As a side note, {{security-username}} and {{security-password}} are not "formal" distributed system properties, so they also can't be used when configuring the HTTP session state module:
> {noformat}
>   <Listener className="org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener"
>     security-username="myUser"
>     security-password="myPassword"/>
> {noformat}
> {noformat}
> 10-Aug-2021 12:15:57.118 WARNING [main] org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input property named security-username is not a valid GemFire property. It is being ignored.
> 10-Aug-2021 12:15:57.123 WARNING [main] org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input property named security-password is not a valid GemFire property. It is being ignored.
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)