Repository: incubator-geode Updated Branches: refs/heads/develop 72e9cbe4e -> cd8187b13
GEODE-17: pass the properties created by authInit to the security manager Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/cd8187b1 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/cd8187b1 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/cd8187b1 Branch: refs/heads/develop Commit: cd8187b135b269e22e9cdbf5a755cf2d97862efb Parents: 72e9cbe Author: Jinmei Liao <[email protected]> Authored: Sun Sep 11 20:49:48 2016 -0700 Committer: Jinmei Liao <[email protected]> Committed: Tue Sep 13 07:29:13 2016 -0700 ---------------------------------------------------------------------- .../membership/gms/auth/GMSAuthenticator.java | 4 +- .../internal/cache/tier/sockets/HandShake.java | 4 +- .../internal/security/GeodeSecurityUtil.java | 34 ++++++++++++---- .../security/IntegratedSecurityService.java | 5 +++ .../internal/security/SecurityService.java | 1 + .../security/shiro/CustomAuthRealm.java | 19 ++------- .../shiro/GeodeAuthenticationToken.java | 41 ++++++++++++++++++++ .../security/shiro/JMXShiroAuthenticator.java | 20 ++++++---- .../support/LoginHandlerInterceptor.java | 7 ++-- ...GMSAuthenticatorWithSecurityManagerTest.java | 8 ++-- .../security/IntegratedClientAuthDUnitTest.java | 2 +- .../gemfire/codeAnalysis/excludedClasses.txt | 1 + 12 files changed, 100 insertions(+), 46 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java index 7fc212c..9ecd2b7 100755 --- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java @@ -121,9 +121,7 @@ public class GMSAuthenticator implements Authenticator { String failMsg = null; try { if(this.securityService.isIntegratedSecurity()){ - String username = credentials.getProperty("security-username"); - String password = credentials.getProperty("security-password"); - this.securityService.login(username, password); + this.securityService.login(credentials); } else { invokeAuthenticator(secProps, member, credentials); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java index 8dfb476..64cf1b6 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java 
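Review bot: The result of `this.securityService.login(credentials)` is discarded, and the `GeodeSecurityUtil.login(Properties)` this now delegates to returns null (instead of throwing) when `credentials` is null, so a joining member that presents no credentials leaves this branch without any exception; unless `failMsg` is set by something outside the hunk, that reads as an authenticated member. Before this change a null `credentials` would at least have failed at the removed `credentials.getProperty(...)` calls. I would fail closed before the call: `if (credentials == null) throw new AuthenticationFailedException("No credentials supplied");` — the test `authenticateShouldReturnFailureMessageIfLoginThrows` in this commit suggests the surrounding catch already turns a `GemFireSecurityException` into the failure message. The enclosing method starts and ends outside the hunk.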
@@ -1790,9 +1790,7 @@ public class HandShake implements ClientHandShake Authenticator auth = null; try { if(AcceptorImpl.isIntegratedSecurity()){ - String username = credentials.getProperty("security-username"); - String password = credentials.getProperty("security-password"); - return securityService.login(username, password); + return securityService.login(credentials); } else { Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java index 5fa5564..260121d 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java @@ -32,11 +32,11 @@ import org.apache.geode.security.PostProcessor; import org.apache.geode.security.ResourcePermission; import org.apache.geode.security.ResourcePermission.Operation; import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.security.SecurableComponents; import org.apache.geode.security.SecurityManager; import org.apache.logging.log4j.Logger; import org.apache.shiro.SecurityUtils; import org.apache.shiro.ShiroException; -import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.config.Ini.Section; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.DefaultSecurityManager; 
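Review bot: `return securityService.login(credentials);` now yields null both when `credentials` is null (the new early return in `GeodeSecurityUtil.login(Properties)`) and when integrated security is off, so whatever the caller does with a null return — the method's signature and its callers are outside the hunk — cannot tell "client sent no credentials" from "nothing to authenticate". Previously a null `credentials` threw at the removed `credentials.getProperty(...)` lines. On this branch `AcceptorImpl.isIntegratedSecurity()` is already known to be true, so I'd reject explicitly: `if (credentials == null) throw new AuthenticationFailedException("No credentials supplied");` before the `login` call, keeping the integrated-security path from silently returning null.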
@@ -47,14 +47,15 @@ import org.apache.shiro.util.ThreadContext; import org.apache.shiro.util.ThreadState; import com.gemstone.gemfire.GemFireIOException; -import org.apache.geode.security.SecurableComponents; import com.gemstone.gemfire.distributed.internal.DistributionConfig; import com.gemstone.gemfire.internal.ClassLoadUtil; import com.gemstone.gemfire.internal.cache.EntryEventImpl; import com.gemstone.gemfire.internal.logging.LogService; import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm; +import com.gemstone.gemfire.internal.security.shiro.GeodeAuthenticationToken; import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal; import com.gemstone.gemfire.internal.util.BlobHelper; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; import com.gemstone.gemfire.management.internal.security.ResourceOperation; import com.gemstone.gemfire.security.AuthenticationFailedException; import com.gemstone.gemfire.security.GemFireSecurityException; 
@@ -118,27 +119,44 @@ public class GeodeSecurityUtil { } /** + * convenient method for testing + * @param username + * @param password + * @return + */ + public static Subject login(String username, String password){ + if(StringUtils.isBlank(username) || StringUtils.isBlank(password)) + return null; + + Properties credentials = new Properties(); + credentials.setProperty(ResourceConstants.USER_NAME, username); + credentials.setProperty(ResourceConstants.PASSWORD, password); + return login(credentials); + } + + /** * @return null if security is not enabled, otherwise return a shiro subject */ - public static Subject login(String username, String password) { + public static Subject login(Properties credentials) { if (!isIntegratedSecurity) { return null; } + if(credentials == null) + return null; + // this makes sure it starts with a clean user object ThreadContext.remove(); Subject currentUser = SecurityUtils.getSubject(); - - UsernamePasswordToken token = - new UsernamePasswordToken(username, password); + GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials); try { - logger.info("Logging in " + username); + logger.info("Logging in " + token.getPrincipal()); currentUser.login(token); } catch (ShiroException e) { logger.info(e.getMessage(), e); - throw new AuthenticationFailedException("Authentication error. Please check your username/password.", e); + throw new AuthenticationFailedException("Authentication error. Please check your credentials.", e); } return currentUser; http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java index a6ec7fa..d294859 100644 
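Review bot: `if(credentials == null) return null;` overloads the documented "null if security is not enabled" return with a missing-credentials case, so a caller that treats null as "security disabled" skips authentication for a client that sent nothing; once `isIntegratedSecurity` is true this should be a rejection, e.g. `throw new AuthenticationFailedException("Authentication error. No credentials supplied.");`. The same applies to the blank-username/password early return in the `login(String, String)` overload: it is labelled a test convenience, but `IntegratedSecurityService.login(String, String)` in this same commit still delegates to it, so production callers get the ambiguous null too. The Javadoc on that overload also has empty `@param`/`@return` tags; either fill them ("@return the logged-in Shiro subject, or null when integrated security is disabled") or drop them.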
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java @@ -60,6 +60,11 @@ public class IntegratedSecurityService implements SecurityService, Serializable } @Override + public Subject login(final Properties credentials) { + return GeodeSecurityUtil.login(credentials); + } + + @Override public Subject login(final String username, final String password) { return GeodeSecurityUtil.login(username, password); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java index dd8c69b..c975751 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java @@ -31,6 +31,7 @@ public interface SecurityService { ThreadState bindSubject(Subject subject); Subject getSubject(); + Subject login(Properties credentials); Subject login(String username, String password); void logout(); Callable associateWith(Callable callable); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java index 09b8d5f..ad27ec3 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java 
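Review bot: The new `Subject login(Properties credentials);` on the `SecurityService` interface has no Javadoc, while the implementation this commit wires it to (`GeodeSecurityUtil.login(Properties)`) has a specific contract: it reads `ResourceConstants.USER_NAME`/`PASSWORD` for the Shiro token, hands the whole map to `SecurityManager.authenticate`, returns null when integrated security is off or `credentials` is null, and throws `AuthenticationFailedException` on a failed login. Implementers and the three callers changed in this commit (GMSAuthenticator, HandShake, JMXShiroAuthenticator) need that written down, in particular that a null return does not mean a successful login; I'd add a short Javadoc on the interface method stating those points.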
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java @@ -25,14 +25,12 @@ import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; -import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.Permission; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import com.gemstone.gemfire.internal.security.SecurityService; -import com.gemstone.gemfire.management.internal.security.ResourceConstants; public class CustomAuthRealm extends AuthorizingRealm { 
@@ -63,21 +61,10 @@ public class CustomAuthRealm extends AuthorizingRealm { @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { - UsernamePasswordToken authToken = (UsernamePasswordToken) token; - String username = authToken.getUsername(); - String password = new String(authToken.getPassword()); + GeodeAuthenticationToken authToken = (GeodeAuthenticationToken) token; + Object principal = securityManager.authenticate(authToken.getProperties()); + return new SimpleAuthenticationInfo(principal, authToken.getCredentials(), REALM_NAME); - Properties credentialProps = new Properties(); - credentialProps.put(ResourceConstants.USER_NAME, username); - credentialProps.put(ResourceConstants.PASSWORD, password); - - Object principal = securityManager.authenticate(credentialProps); - - try { - return new SimpleAuthenticationInfo(principal, authToken.getPassword(), REALM_NAME); - } catch (IllegalArgumentException e) { - throw new IllegalArgumentException("failed for " + username + " " + password, e); - } } @Override http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java new file mode 100644 index 0000000..cbee995 --- /dev/null +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java 
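Review bot: `new SimpleAuthenticationInfo(principal, authToken.getCredentials(), REALM_NAME)` is now built from whatever `securityManager.authenticate(...)` returns, and if I remember Shiro correctly `SimplePrincipalCollection` throws `IllegalArgumentException` on a null principal — which is what the deleted try/catch was papering over (while leaking the password into its message, so good riddance to that). An `IllegalArgumentException` is not a `ShiroException`, so it bypasses the `catch (ShiroException e)` in `GeodeSecurityUtil.login` and reaches clients as a raw runtime exception instead of `AuthenticationFailedException`; I would check it explicitly: `if (principal == null) throw new AuthenticationException("SecurityManager returned no principal for " + authToken.getUsername());`. The unchecked cast `(GeodeAuthenticationToken) token` should likewise be backed by `@Override public boolean supports(AuthenticationToken token) { return token instanceof GeodeAuthenticationToken; }` so a plain `UsernamePasswordToken` is rejected by Shiro as unsupported rather than failing with a `ClassCastException`.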
@@ -0,0 +1,41 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.gemstone.gemfire.internal.security.shiro; + +import java.util.Properties; + +import org.apache.shiro.authc.UsernamePasswordToken; + +import com.gemstone.gemfire.management.internal.security.ResourceConstants; + +public class GeodeAuthenticationToken extends UsernamePasswordToken { + + Properties properties; + + public GeodeAuthenticationToken(Properties properties){ + super( + properties.getProperty(ResourceConstants.USER_NAME), + properties.getProperty(ResourceConstants.PASSWORD) + ); + this.properties = properties; + } + + public Properties getProperties(){ + return properties; + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java index fe895d4..064044e 100644 
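Review bot: `this.properties = properties;` keeps a reference to the caller's mutable `Properties` and `getProperties()` hands it straight back, so the clear-text password lives in that map for as long as the token does, and `UsernamePasswordToken.clear()` (which, if I recall Shiro correctly, zeroes only the inherited `char[]` password) leaves this copy untouched. The field should be `private final`, the constructor should take its own copy so the token cannot be altered after authentication, and `clear()` should drop the password entry as well; note `putAll` does not carry over a `Properties` defaults chain — if the AuthInitialize output relies on defaults, copy via `stringPropertyNames()` instead. The constructor also dereferences a null `properties` with a bare `NullPointerException`; callers in this commit guard against it, but a `java.util.Objects.requireNonNull(properties, "properties")` would document the contract.

```java
public class GeodeAuthenticationToken extends UsernamePasswordToken {

  private final Properties properties;

  public GeodeAuthenticationToken(Properties properties) {
    super(
        properties.getProperty(ResourceConstants.USER_NAME),
        properties.getProperty(ResourceConstants.PASSWORD)
    );
    // own copy: callers cannot alter the token after it was authenticated,
    // and clear() below does not reach into the caller's map
    this.properties = new Properties();
    this.properties.putAll(properties);
  }

  // … unchanged: getProperties() …

  /** Zero the char[] password (super) and drop the clear-text copy held here. */
  @Override
  public void clear() {
    super.clear();
    properties.remove(ResourceConstants.PASSWORD);
  }
}
```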
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java @@ -43,19 +43,23 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList @Override public Subject authenticate(Object credentials) { - String username = null, password = null; - if (credentials instanceof String[]) { + String username = null; + Properties credProps = new Properties(); + if (credentials instanceof Properties) { + credProps = (Properties) credentials; + username = credProps.getProperty(ResourceConstants.USER_NAME); + } + else if (credentials instanceof String[]) { final String[] aCredentials = (String[]) credentials; username = aCredentials[0]; - password = aCredentials[1]; - } else if (credentials instanceof Properties) { - username = ((Properties) credentials).getProperty(ResourceConstants.USER_NAME); - password = ((Properties) credentials).getProperty(ResourceConstants.PASSWORD); - } else { + credProps.setProperty(ResourceConstants.USER_NAME, aCredentials[0]); + credProps.setProperty(ResourceConstants.PASSWORD, aCredentials[1]); + } + else { throw new AuthenticationFailedException(MISSING_CREDENTIALS_MESSAGE); } - org.apache.shiro.subject.Subject shiroSubject = this.securityService.login(username, password); + org.apache.shiro.subject.Subject shiroSubject = this.securityService.login(credProps); Principal principal; if(shiroSubject==null){ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java ---------------------------------------------------------------------- 
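Review bot: In the `String[]` branch `credProps.setProperty(ResourceConstants.PASSWORD, aCredentials[1])` throws `NullPointerException` when the JMX client supplies a null password (`Properties` is a `Hashtable`, which rejects null values), and `aCredentials[0]`/`aCredentials[1]` throw `ArrayIndexOutOfBoundsException` on a short array; both escape as raw runtime exceptions to the JMX connector instead of the authenticator's own failure. I would turn them into the existing `MISSING_CREDENTIALS_MESSAGE` rejection: `if (aCredentials.length < 2 || aCredentials[0] == null || aCredentials[1] == null) { throw new AuthenticationFailedException(MISSING_CREDENTIALS_MESSAGE); }` before the two `setProperty` calls. In the `Properties` branch the client's own map is handed straight to `SecurityManager.authenticate`, which is the intent of the commit, but `username` is then null if the client omitted `ResourceConstants.USER_NAME`; the code after the hunk that builds `principal` from it is outside this view, so confirm it tolerates that.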
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java index c831d0a..85f2bef 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java @@ -20,9 +20,13 @@ import java.util.Collections; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.logging.log4j.Logger; +import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; + import com.gemstone.gemfire.cache.Cache; import com.gemstone.gemfire.distributed.internal.DistributionConfig; import com.gemstone.gemfire.internal.logging.LogService; @@ -33,9 +37,6 @@ import com.gemstone.gemfire.management.internal.security.ResourceConstants; import com.gemstone.gemfire.management.internal.web.util.UriUtils; import com.gemstone.gemfire.security.Authenticator; -import org.apache.logging.log4j.Logger; -import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; - /** * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request * message as request parameters. http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java index b00b3ff..d59e304 100644 --- a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java +++ b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java @@ -22,13 +22,13 @@ import static org.mockito.Mockito.*; import java.util.Properties; +import org.junit.Test; +import org.junit.experimental.categories.Category; + import com.gemstone.gemfire.security.GemFireSecurityException; import com.gemstone.gemfire.test.junit.categories.SecurityTest; import com.gemstone.gemfire.test.junit.categories.UnitTest; -import org.junit.Test; -import org.junit.experimental.categories.Category; - /** * Unit tests GMSAuthenticator using new integrated security. */ @@ -135,7 +135,7 @@ public class GMSAuthenticatorWithSecurityManagerTest extends AbstractGMSAuthenti @Test public void authenticateShouldReturnFailureMessageIfLoginThrows() throws Exception { - when(securityService.login(anyString(), anyString())).thenThrow(new GemFireSecurityException("dummy")); + when(securityService.login(any(Properties.class))).thenThrow(new GemFireSecurityException("dummy")); props.setProperty(SECURITY_MANAGER, "dummy"); String result = authenticator.authenticate(member, props, props, member); assertThat(result).startsWith("Authentication failed. See coordinator"); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java index 0f53cbc..73bfcb4 100644 --- a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java +++ b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java @@ -51,7 +51,7 @@ public class IntegratedClientAuthDUnitTest extends AbstractSecureServerDUnitTest IgnoredException.addIgnoredException(AuthenticationFailedException.class.getName()); client2.invoke("logging in super-user with wrong password", () -> { - AuthenticationFailedException expected = new AuthenticationFailedException("Authentication error. Please check your username/password."); + AuthenticationFailedException expected = new AuthenticationFailedException("Authentication error. Please check your credentials."); catchException(new ClientCacheFactory(createClientProperties("super-user", "wrong")).setPoolSubscriptionEnabled(true) .addPoolServer("localhost", serverPort)) http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt b/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt index ddacf99..5e1a3c9 100644 --- a/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt +++ b/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt 
@@ -153,3 +153,4 @@ com/gemstone/gemfire/internal/cache/operations/ContainsKeyOperationContext org/apache/geode/security/ResourcePermission org/apache/geode/security/ResourcePermission$Operation org/apache/geode/security/ResourcePermission$Resource +com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken
