Repository: incubator-geode Updated Branches: refs/heads/feature/GEODE-17 a38795e82 -> d28bdfc29
Formatting changes Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/0ba0aee3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/0ba0aee3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/0ba0aee3 Branch: refs/heads/feature/GEODE-17 Commit: 0ba0aee3ae3f3852b44c0e1a68e3bfd7de3eda79 Parents: a38795e Author: tushark <[email protected]> Authored: Wed Nov 4 13:08:12 2015 +0530 Committer: tushark <[email protected]> Committed: Wed Nov 4 13:08:12 2015 +0530 ---------------------------------------------------------------------- .../security/GemFireAuthentication.java | 200 +++++++++---------- .../security/GemFireAuthenticationProvider.java | 72 ++++--- 2 files changed, 133 insertions(+), 139 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/0ba0aee3/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java ---------------------------------------------------------------------- diff --git a/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java b/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java index 23f43e0..8471a65 100644 --- a/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java +++ b/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java 
@@ -26,117 +26,115 @@ import com.vmware.gemfire.tools.pulse.internal.log.PulseLogWriter; * * To use GemFire Integrated Security Model set Spring Application Profile to pulse.authentication.gemfire * - * 1. Authentication : - * 1.a GemFire profile creates JMX connection with given credentials at the login time. - * 1.b Successful connect is considered as Successful Authentication for Pulse WebApp - * - * + * 1. Authentication : + * 1.a GemFire profile creates JMX connection with given credentials at the login time. + * 1.b Successful connect is considered as Successful Authentication for Pulse WebApp + * + * * 2. Authorization : - * 2.a Using newly created authenticated connection AccessControlMXBean is called to get authentication - * levels. See @See {@link #populateAuthorities(JMXConnector)}. This sets Spring Security Authorities - * 2.b DataBrowser end-points are required to be authorized against Spring Granted Authority - * @See spring-security.xml - * 2.c When executing Data-Browser query, user-level jmx connection is used so at to put access-control - * over the resources query is accessing. - * @See #com.vmware.gemfire.tools.pulse.internal.data.JMXDataUpdater#executeQuery - * - * 3. Connection Management - Spring Security LogoutHandler closes session level connection + * 2.a Using newly created authenticated connection AccessControlMXBean is called to get authentication + * levels. See @See {@link #populateAuthorities(JMXConnector)}. This sets Spring Security Authorities + * 2.b DataBrowser end-points are required to be authorized against Spring Granted Authority + * + * @See spring-security.xml + * 2.c When executing Data-Browser query, user-level jmx connection is used so at to put access-control + * over the resources query is accessing. + * @See #com.vmware.gemfire.tools.pulse.internal.data.JMXDataUpdater#executeQuery + * + * 3. 
Connection Management - Spring Security LogoutHandler closes session level connection * - * TODO : Better model would be to maintain background connection map for Databrowser instead - * of each web session creating rmi connection and map user to correct entry in the connection map + * TODO : Better model would be to maintain background connection map for Databrowser instead + * of each web session creating rmi connection and map user to correct entry in the connection map * * @author Tushar Khairnar * @since version 9.0 */ -public class GemFireAuthentication extends UsernamePasswordAuthenticationToken { +public class GemFireAuthentication extends UsernamePasswordAuthenticationToken { private final static PulseLogWriter LOGGER = PulseLogWriter.getLogger(); - - private JMXConnector jmxc=null; - - public GemFireAuthentication(Object principal, Object credentials, Collection<GrantedAuthority> list, JMXConnector jmxc) { - super(principal, credentials, list); - this.jmxc = jmxc; - } - private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; - - - public void closeJMXConnection(){ - try { - jmxc.close(); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - - public MBeanServerConnection getRemoteMBeanServer() { - try { - return jmxc.getMBeanServerConnection(); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - - public static boolean authorize(String role){ - try { - GemFireAuthentication authentication = (GemFireAuthentication) SecurityContextHolder - .getContext().getAuthentication(); - MBeanServerConnection mbeanServer = authentication - .getRemoteMBeanServer(); - LOGGER.fine("#GemFireAuthentication : Checking for role="+role); - ObjectName name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN); - Object[] params = new Object[] {role}; - String[] signature = new String[] {String.class.getCanonicalName()}; - Boolean result = (Boolean)mbeanServer.invoke(name, "authorize", params, 
signature); - return result; - } catch (MalformedObjectNameException e) { - throw new RuntimeException(e); - } catch (InstanceNotFoundException e) { - throw new RuntimeException(e); - } catch (MBeanException e) { - throw new RuntimeException(e); - } catch (ReflectionException e) { - throw new RuntimeException(e); - } catch (IOException e) { - throw new RuntimeException(e); - } - } + private JMXConnector jmxc = null; + + public GemFireAuthentication(Object principal, Object credentials, Collection<GrantedAuthority> list, + JMXConnector jmxc) { + super(principal, credentials, list); + this.jmxc = jmxc; + } + + private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; + + public void closeJMXConnection() { + try { + jmxc.close(); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + public MBeanServerConnection getRemoteMBeanServer() { + try { + return jmxc.getMBeanServerConnection(); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + public static boolean authorize(String role) { + try { + GemFireAuthentication authentication = (GemFireAuthentication) SecurityContextHolder.getContext() + .getAuthentication(); + MBeanServerConnection mbeanServer = authentication.getRemoteMBeanServer(); + LOGGER.fine("#GemFireAuthentication : Checking for role=" + role); + ObjectName name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN); + Object[] params = new Object[] { role }; + String[] signature = new String[] { String.class.getCanonicalName() }; + Boolean result = (Boolean) mbeanServer.invoke(name, "authorize", params, signature); + return result; + } catch (MalformedObjectNameException e) { + throw new RuntimeException(e); + } catch (InstanceNotFoundException e) { + throw new RuntimeException(e); + } catch (MBeanException e) { + throw new RuntimeException(e); + } catch (ReflectionException e) { + throw new RuntimeException(e); + } catch (IOException e) { + throw new RuntimeException(e); + } 
+ } - public static ArrayList<GrantedAuthority> populateAuthorities(JMXConnector jmxc) { - ObjectName name; - try { - name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN); - MBeanServerConnection mbeanServer = jmxc.getMBeanServerConnection(); - ArrayList<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); - authorities.add(new SimpleGrantedAuthority("ROLE_USER")); - for(String role : PulseConstants.PULSE_ROLES){ - Object[] params = new Object[] {role}; - String[] signature = new String[] {String.class.getCanonicalName()}; - boolean result = (Boolean)mbeanServer.invoke(name, "authorize", params, signature); - if(result){ - //spring sec require ROLE_ prefix - authorities.add(new SimpleGrantedAuthority("ROLE_"+role)); - } - } - return authorities; - } catch (MalformedObjectNameException e) { - throw new RuntimeException(e); - } catch (InstanceNotFoundException e) { - throw new RuntimeException(e); - } catch (MBeanException e) { - throw new RuntimeException(e); - } catch (ReflectionException e) { - throw new RuntimeException(e); - } catch (IOException e) { - throw new RuntimeException(e); - } - } + public static ArrayList<GrantedAuthority> populateAuthorities(JMXConnector jmxc) { + ObjectName name; + try { + name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN); + MBeanServerConnection mbeanServer = jmxc.getMBeanServerConnection(); + ArrayList<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); + authorities.add(new SimpleGrantedAuthority("ROLE_USER")); + for (String role : PulseConstants.PULSE_ROLES) { + Object[] params = new Object[] { role }; + String[] signature = new String[] { String.class.getCanonicalName() }; + boolean result = (Boolean) mbeanServer.invoke(name, "authorize", params, signature); + if (result) { + // spring sec require ROLE_ prefix + authorities.add(new SimpleGrantedAuthority("ROLE_" + role)); + } + } + return authorities; + } catch (MalformedObjectNameException e) { + throw new 
RuntimeException(e); + } catch (InstanceNotFoundException e) { + throw new RuntimeException(e); + } catch (MBeanException e) { + throw new RuntimeException(e); + } catch (ReflectionException e) { + throw new RuntimeException(e); + } catch (IOException e) { + throw new RuntimeException(e); + } + } - public JMXConnector getJmxc() { - return jmxc; - } - - + public JMXConnector getJmxc() { + return jmxc; + } } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/0ba0aee3/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthenticationProvider.java b/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthenticationProvider.java index 704c177..f297321 100644 --- a/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthenticationProvider.java +++ b/pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthenticationProvider.java @@ -16,7 +16,7 @@ import com.vmware.gemfire.tools.pulse.internal.data.Repository; import com.vmware.gemfire.tools.pulse.internal.log.PulseLogWriter; /** - * Spring security AuthenticationProvider for GemFire. It connects to + * Spring security AuthenticationProvider for GemFire. It connects to * gemfire manager using given credentials. Successful connect is treated * as successful authentication and web user is authenticated * 
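Review bot: `authorize(String role)` casts the result of `SecurityContextHolder.getContext().getAuthentication()` straight to `GemFireAuthentication`, so for a request with no authentication in the context, or with Spring's anonymous token, the check ends in a NullPointerException or ClassCastException instead of a denial, and every other failure is rewrapped as an unchecked `RuntimeException` so callers cannot tell "not authorized" from "could not ask the manager". A fail-closed guard before the cast makes the outcome explicit: `Authentication current = SecurityContextHolder.getContext().getAuthentication(); if (!(current instanceof GemFireAuthentication)) { return false; }` (Spring's `Authentication` type). The same dereference concern applies to `closeJMXConnection()` and `getRemoteMBeanServer()`, which use `jmxc` unconditionally although the constructor accepts null for it. `authorize` and `populateAuthorities` also duplicate the ObjectName construction, the `String` signature and the five-way catch chain; a private helper that performs the single `authorize` MBean invocation, with one multi-catch, would leave one place to audit.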
@@ -24,45 +24,41 @@ import com.vmware.gemfire.tools.pulse.internal.log.PulseLogWriter; * @since version 9.0 */ public class GemFireAuthenticationProvider implements AuthenticationProvider { - - private final static PulseLogWriter LOGGER = PulseLogWriter.getLogger(); - - @Override - public Authentication authenticate(Authentication authentication) - throws AuthenticationException { - - if (authentication instanceof GemFireAuthentication) { - GemFireAuthentication gemAuth = (GemFireAuthentication) authentication; - LOGGER.fine("GemAuthentication is connected? = " - + gemAuth.getJmxc()); - if(gemAuth.getJmxc()!=null && gemAuth.isAuthenticated()) - return gemAuth; - } - - String name = authentication.getName(); - String password = authentication.getCredentials().toString(); + private final static PulseLogWriter LOGGER = PulseLogWriter.getLogger(); - try { - LOGGER.fine("Connecting to GemFire with user=" + name); - JMXConnector jmxc = Repository.get().getCluster().connectToGemFire(name, password); - if(jmxc!=null) { - Collection<GrantedAuthority> list = GemFireAuthentication.populateAuthorities(jmxc); - GemFireAuthentication auth = new GemFireAuthentication( - authentication.getPrincipal(), - authentication.getCredentials(), list, jmxc); - LOGGER.fine("For user " + name + " authList="+ list); - return auth; - } else - throw new AuthenticationServiceException("JMX Connection unavailable"); - } catch (Exception e) { - throw new BadCredentialsException("Error connecting to GemFire JMX Server", e); - } - } + @Override + public Authentication authenticate(Authentication authentication) throws AuthenticationException { - @Override - public boolean supports(Class<?> authentication) { - return authentication.equals(UsernamePasswordAuthenticationToken.class); - } + if (authentication instanceof GemFireAuthentication) { + GemFireAuthentication gemAuth = (GemFireAuthentication) authentication; + LOGGER.fine("GemAuthentication is connected? 
= " + gemAuth.getJmxc()); + if (gemAuth.getJmxc() != null && gemAuth.isAuthenticated()) + return gemAuth; + } + + String name = authentication.getName(); + String password = authentication.getCredentials().toString(); + + try { + LOGGER.fine("Connecting to GemFire with user=" + name); + JMXConnector jmxc = Repository.get().getCluster().connectToGemFire(name, password); + if (jmxc != null) { + Collection<GrantedAuthority> list = GemFireAuthentication.populateAuthorities(jmxc); + GemFireAuthentication auth = new GemFireAuthentication(authentication.getPrincipal(), + authentication.getCredentials(), list, jmxc); + LOGGER.fine("For user " + name + " authList=" + list); + return auth; + } else + throw new AuthenticationServiceException("JMX Connection unavailable"); + } catch (Exception e) { + throw new BadCredentialsException("Error connecting to GemFire JMX Server", e); + } + } + + @Override + public boolean supports(Class<?> authentication) { + return authentication.equals(UsernamePasswordAuthenticationToken.class); + } }
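Review bot: The `throw new AuthenticationServiceException("JMX Connection unavailable")` inside the try in `authenticate()` is caught by the enclosing `catch (Exception e)` a few lines later and rewrapped as `BadCredentialsException`, so a manager that is down is reported to the user as wrong credentials and the service-failure signal never reaches Spring Security. In the same block, if `populateAuthorities(jmxc)` or the token construction throws after `connectToGemFire` has succeeded, the freshly opened JMXConnector is never closed, and each retry leaves another authenticated connection open on the manager. Declaring `jmxc` before the try, closing it on every failure path, and letting `AuthenticationException` pass through unchanged addresses both; the rewritten try/catch is below. `authentication.getCredentials().toString()` additionally dereferences the credentials without a null check, which a token whose credentials were erased turns into a NullPointerException outside the try.
```java
    // … unchanged: GemFireAuthentication short-circuit, name/password lookup …
    JMXConnector jmxc = null;
    try {
      LOGGER.fine("Connecting to GemFire with user=" + name);
      jmxc = Repository.get().getCluster().connectToGemFire(name, password);
      if (jmxc == null) {
        throw new AuthenticationServiceException("JMX Connection unavailable");
      }
      Collection<GrantedAuthority> list = GemFireAuthentication.populateAuthorities(jmxc);
      GemFireAuthentication auth = new GemFireAuthentication(authentication.getPrincipal(),
          authentication.getCredentials(), list, jmxc);
      LOGGER.fine("For user " + name + " authList=" + list);
      return auth;
    } catch (Exception e) {
      // The connection belongs to the token we failed to build; do not leak it on the manager.
      if (jmxc != null) {
        try {
          jmxc.close();
        } catch (IOException ignored) {
          // best effort: the original failure is the one to report
        }
      }
      if (e instanceof AuthenticationException) {
        // Service-level failures keep their own type instead of being relabelled as bad credentials.
        throw (AuthenticationException) e;
      }
      throw new BadCredentialsException("Error connecting to GemFire JMX Server", e);
    }
```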
