*If I would have adopted spring security for REST APIs, REST APIs security might not work with customer's existing security plugins.* - Not entirely true Nilkanth. But yeah, we might have to change the interface a little. For e.g. HMAC will require a User Secret which we don't really expose through plugins. So yes, a drop-in replacement of SpringSecurity was not possible, but with some change in gem-interfaces it was.

*I believe pulse has already used spring security. We kept pulse out of integrated security as it required a lot of changes to align towards integrated security.* - Pulse uses SpringSecurity as its security framework: by implementing SpringSecurity interfaces whose implementation calls the Gemfire security plugin we get the best of both worlds. If you look at the current implementation it only requires an implementation of AuthenticationProvider <http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/authentication/AuthenticationProvider.html>. The point here is that people understand SpringSecurity, and if we adopt it, it's easy for people to understand the code, extend and contribute, experiment.

*TokenService* - The problem with TokenService is that it only passes on the Principal but not the current request context. A stateless service request has to be checked for integrity of all its request components - headers, request parameters, request URL. The current design trusts the incoming request once the token is found. So we are ultimately only authenticating the Token instead of the entire request.

Personally I envision GemFire REST to be a REST Key-value store where people can deploy it through cloud and expose a REST interface without worrying about security, once security is properly configured. The current design has a good trade-off by adding the refresh token approach for preventing token mis-use. But there should be a way for users to add a check for token integrity. I am not saying this has to be the default, but we should not restrict it to just principal and token.

regards,
Tushar

On Wed, Aug 12, 2015 at 11:20 AM, Nilkanth Patel <[email protected]> wrote:

> The implementation is designed in the context of the integrated security approach,
> where the user/customer needs to install/configure a single Authentication and
> Authorization plugin and that should work for all channels that communicate
> with the server.
> FYI, we have not changed anything in existing geode C/S
> security, rather we planned to incorporate it into the other channels like
> developer REST APIs, GFSH and M&M REST.
>
> In the design phase, we had a lot of brainstorming regarding the approach,
> including Spring security for developer REST and others. Some of the
> findings that we came across are:
>
> - Currently geode C/S security does not support spring security; in fact
> we believed it not preferable to add an extra layer of spring security
> that can degrade ops performance.
> - If I would have adopted spring security for REST APIs, REST APIs
> security might not work with customer's existing security plugins.
> - I believe pulse has already used spring security. We kept pulse out
> of integrated security as it required a lot of changes to align towards
> integrated security.
>
> *Integrity of a security token*:
> REST APIs are recommended to be used with HTTPS, so tokens will be secured in
> transit. If anyone chooses not to use https, he can use an encrypted token
> (using a tokenservice impl).
> The token service has capabilities like generating, validating and
> refreshing tokens. Users can plug in their choice of implementation, standard
> (including JWT) or custom if they have one.
>
> *Easy to use and flexible*
> With this design, we have agreed to provide a default implementation for
> TokenService, which will be used by default if the user has not configured the
> "security-rest-token-service" system property. The user needs to hook in their own
> (non-default) TokenService implementation by configuring the
> "security-rest-token-service" property. This will make sure that the user does
> not need to do more work.
>
> Nilkanth Patel.
>
>
> On Fri, Aug 7, 2015 at 9:05 PM, Tushar Khairnar <[email protected]>
> wrote:
>
>>
>> -----------------------------------------------------------
>> This is an automatically generated e-mail.
>> To reply, visit:
>> https://reviews.apache.org/r/37209/
>> -----------------------------------------------------------
>>
>> (Updated Aug. 7, 2015, 3:35 p.m.)
>>
>>
>> Review request for geode, Amogh Shetkar and Jens Deppe.
>>
>>
>> Summary (updated)
>> -----------------
>>
>> GEODE-17 : Integrated Security Code Merge
>>
>>
>> Repository: geode
>>
>>
>> Description
>> -------
>>
>> GEODE-77 : Integrated Security Code Merge
>>
>> This is a manual merge of code from the int_security branch.
>>
>> Testing done : JMX RMI-connector testing done from JConsole, Gfsh
>> interactive testing with different roles. DUnits are not yet integrated
>> into open.
>>
>>
>> Diffs
>> -----
>>
>>   gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java d25063c
>>   gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java b7b2cd8
>>   gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java 472959d
>>   gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java 10094a9
>>   gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java b8dfeb3
>>   gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java f5ae3e5
>>   gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java 8ba07a2
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java 59f6537
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java f14d16c
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java f0a0a79
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java 3e5ba1a
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java b6c5219
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java e53d50a
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java 04fda7e
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java e935fcd
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java 43bfe73
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java 74695ee
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java d8f6983
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java 2eb1318
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java 279fb45
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java 919d6fe
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java 9e60839
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java 4591b53
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DiskStoreCommands.java 4614ce7
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DurableClientCommands.java 01910d6
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ExportImportSharedConfigurationCommands.java d4134ad
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/FunctionCommands.java 0d8c54a
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/GfshHelpCommands.java d9d4bea
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/IndexCommands.java c978381
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/LauncherLifecycleCommands.java 302d7bb
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/MemberCommands.java 797f654
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/MiscellaneousCommands.java da8f11d
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/PDXCommands.java d236d81
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/QueueCommands.java 7b298d6
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java 80ba89e
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ShellCommands.java 4bdab90
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/StatusCommands.java 5abd08a
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/WanCommands.java a6d9abf
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java 864907b
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java 58040cd
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlContext.java 1926db5
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java e217045
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java b0198e4
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/JMXOperationContext.java 375cc27
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java d85ce65
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java 50942c1
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java 1851977
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/Resource.java 4dc27e1
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceConstants.java 3f4d7cb
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java f149479
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java aa1c38c
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java 73ce926
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/ConfigCommandsController.java 517d942
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DataCommandsController.java 6767ec1
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java 2df3432
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/FunctionCommandsController.java de81543
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/MiscellaneousCommandsController.java 66d344f
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/WanCommandsController.java 1e22bd9
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java 8ebed02
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/http/support/SimpleHttpRequester.java 8bd9d37
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/AbstractHttpOperationInvoker.java dac1271
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java 0dfbdbd
>>   gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/SimpleHttpOperationInvoker.java a122339
>>   gemfire-core/src/test/java/com/gemstone/gemfire/internal/cache/extension/mock/MockExtensionCommands.java 89644f0
>>   gemfire-core/src/test/java/com/gemstone/gemfire/management/internal/cli/CommandManagerJUnitTest.java ab9333d
>>   gemfire-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshExecutionStrategyJUnitTest.java 44aef44
>>   gemfire-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthCodeTest.java 384493b
>>   gemfire-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationJUnit.java f061240
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/AbstractBaseController.java feed8c7
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/BaseControllerAdvice.java 5ae88bc
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/CommonCrudController.java ef52347
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/FunctionAccessController.java 45d6f66
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/PdxBasedCrudController.java 96551c6
>>   gemfire-web-api/src/main/java/com/gemstone/gemfire/rest/internal/web/controllers/QueryAccessController.java b20c849
>>   gemfire-web-api/src/main/webapp/WEB-INF/web.xml 554ef4b
>>
>> Diff: https://reviews.apache.org/r/37209/diff/
>>
>>
>> Testing
>> -------
>>
>>
>> Thanks,
>>
>> Tushar Khairnar
>>
>>
>

--
Regards,
Tushar Khairnar
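As an added example, not code from this thread or from Geode, the following Python (chosen over the project's Java so it runs stand-alone) shows the request-integrity check Tushar argues for next to the token-only check he questions: a per-user secret, here a constructed value standing in for what a security plugin would have to expose for HMAC, signs the method, path, sorted query parameters, a chosen header set and a body digest, so presenting a known token is not by itself enough. The header set, region path, secret and token values are assumptions made for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo secret: stands in for the per-user secret the thread says a
# security plugin would have to expose for HMAC (hypothetical, not a Geode API).
USER_SECRETS = {"alice": b"constructed-demo-secret-for-alice"}
SIGNED_HEADERS = ("host", "content-type", "x-token")  # header set is an assumption

def canonical_request(method, path, query, headers, body):
    """Serialise every component the signature binds: method, path, sorted query
    parameters, the selected (lower-cased) headers and a SHA-256 digest of the body."""
    header_part = "\n".join(f"{h}:{headers.get(h, '').strip()}" for h in SIGNED_HEADERS)
    body_digest = hashlib.sha256(body or b"").hexdigest()
    return "\n".join([method.upper(), path, urlencode(sorted(query.items())),
                      header_part, body_digest])

def sign_request(user, method, path, query, headers, body):
    """Client side: HMAC-SHA256 of the canonical request under the user's secret."""
    msg = canonical_request(method, path, query, headers, body).encode()
    return hmac.new(USER_SECRETS[user], msg, hashlib.sha256).hexdigest()

def verify_request(user, signature, method, path, query, headers, body):
    """Server side: recompute the MAC from the components actually received; any
    change to method, URL, parameters, signed headers or body makes it fail."""
    if user not in USER_SECRETS:
        return False
    expected = sign_request(user, method, path, query, headers, body)
    return hmac.compare_digest(expected, signature)  # constant-time comparison

def token_only_check(headers, valid_tokens):
    """The design the thread questions: trust the request once a known token is present."""
    return headers.get("x-token") in valid_tokens

def demo():
    # Constructed request: a PUT to a made-up region path, with one query parameter.
    headers = {"host": "geode.example", "content-type": "application/json",
               "x-token": "tok-123"}
    path, query, body = "/regions/customers/1", {"op": "CAS"}, b'{"value": 1}'
    sig = sign_request("alice", "PUT", path, query, headers, body)
    modified = b'{"value": 2}'  # same token and signature, but the body was changed
    return {
        "token_only_accepts_modified": token_only_check(headers, {"tok-123"}),
        "signed_rejects_modified": not verify_request(
            "alice", sig, "PUT", path, query, headers, modified),
    }
```

A real deployment would also bind a timestamp or nonce into the canonical request so that a captured signed request cannot be replayed within the token's lifetime; that is the refresh-token trade-off the thread mentions, and it is left out here to keep the integrity check itself visible.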
