[ https://issues.apache.org/jira/browse/GEODE-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen Nichols closed GEODE-9494.
-------------------------------

> HTTP Session State Module - Security Properties
> -----------------------------------------------
>
>                 Key: GEODE-9494
>                 URL: https://issues.apache.org/jira/browse/GEODE-9494
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Juan Ramos
>            Assignee: Juan Ramos
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> In order to configure authentication and authorization, the Geode cache must
> be configured with either the {{security-client-auth-init}} or
> {{security-peer-auth-init}} properties.
> The implementation of the {{AuthInitialize}} interface is supposed to obtain
> credentials for a client or peer and, in practice, it should be able to
> connect to an external data source or use some extra configuration so as to
> know where to retrieve the actual credentials from. The
> {{AuthInitialize.getCredentials()}} method receives all gemfire properties
> configured with the prefix {{security-}} and it is expected to use them in
> order to configure itself.
> The {{AbstractCache}} class, however, prevents the user from configuring any
> property not returned by the {{AbstractDistributionConfig._getAttNames()}}
> method, and this does not include those properties starting with
> {{security-}}:
> {noformat}
>   public void setProperty(String name, String value) {
>     // TODO Look at fake attributes
>     if (name.equals("className")) {
>       return;
>     }
>     // Determine the validity of the input property
>     boolean validProperty = false;
>     // TODO: AbstractDistributionConfig is internal and _getAttNames is designed for testing.
>     for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
>       if (name.equals(gemfireProperty)) {
>         validProperty = true;
>         break;
>       }
>     }
>     ...
>   }
> {noformat}
> The above, in turn, makes it almost impossible for users to correctly implement
> {{AuthInitialize}} without leveraging system properties or hardcoded paths
> for external configuration.
> —
> As a side note, {{security-username}} and {{security-password}} are not
> "formal" distributed system properties, so they also can't be used when
> configuring the HTTP session state module:
> {noformat}
> <Listener
>   className="org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener"
>   security-username="myUser"
>   security-password="myPassword"/>
> {noformat}
> {noformat}
> 10-Aug-2021 12:15:57.118 WARNING [main] org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input property named security-username is not a valid GemFire property. It is being ignored.
> 10-Aug-2021 12:15:57.123 WARNING [main] org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The input property named security-password is not a valid GemFire property. It is being ignored.
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
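
A stand-alone model of the property filter described in the issue, added here as an example; it is not Geode's code and not the change made for GEODE-9494. The class name, the `KNOWN_ATTRIBUTES` set (a constructed stand-in for `AbstractDistributionConfig._getAttNames()`) and the prefix rule are assumptions; it shows how an exact-match allowlist drops every `security-` attribute and how a prefix check would let them reach `AuthInitialize`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class SecurityPropertyFilterDemo {
  // Constructed stand-in for the names AbstractDistributionConfig._getAttNames() returns.
  static final Set<String> KNOWN_ATTRIBUTES = Set.of("locators", "log-level", "cache-xml-file");
  static final String SECURITY_PREFIX = "security-";

  // Behaviour described in the issue: exact match against the known names only.
  static boolean exactMatchOnly(String name) {
    return KNOWN_ATTRIBUTES.contains(name);
  }

  // Assumed alternative: also accept any non-empty name under the security- prefix.
  static boolean exactMatchOrSecurityPrefix(String name) {
    return exactMatchOnly(name)
        || (name.startsWith(SECURITY_PREFIX) && name.length() > SECURITY_PREFIX.length());
  }

  // Applies one of the two rules to the <Listener> attributes and returns what is kept.
  // Rejected names are reported without their values, so secrets never reach a log.
  static Properties filter(Map<String, String> attributes, boolean allowSecurityPrefix) {
    Properties kept = new Properties();
    for (Map.Entry<String, String> e : attributes.entrySet()) {
      String name = e.getKey();
      if (name.equals("className")) {
        continue; // same special case as setProperty()
      }
      boolean valid = allowSecurityPrefix ? exactMatchOrSecurityPrefix(name) : exactMatchOnly(name);
      if (valid) {
        kept.setProperty(name, e.getValue());
      } else {
        System.out.println("ignored: " + name);
      }
    }
    return kept;
  }

  public static void main(String[] args) {
    Map<String, String> attrs = new LinkedHashMap<>(); // constructed sample input
    attrs.put("className", "org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener");
    attrs.put("locators", "localhost[10334]");
    attrs.put("security-username", "myUser");
    attrs.put("security-password", "myPassword");
    attrs.put("security-", "x"); // bare prefix, rejected by both rules
    System.out.println("exact match keeps: " + filter(attrs, false).stringPropertyNames());
    System.out.println("prefix rule keeps: " + filter(attrs, true).stringPropertyNames());
  }
}
```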