[
https://issues.apache.org/jira/browse/GEODE-2054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinmei Liao updated GEODE-2054:
-------------------------------
Summary: Do not use classpath: when looking for security-shiro-ini files
(was: Do not use classpath: when looking for seucrity-shiro-ini files)
> Do not use classpath: when looking for security-shiro-ini files
> ---------------------------------------------------------------
>
> Key: GEODE-2054
> URL: https://issues.apache.org/jira/browse/GEODE-2054
> Project: Geode
> Issue Type: Sub-task
> Reporter: Jinmei Liao
>
> 1. Hardcoding [1] the "resource path prefix" [2] (i.e. "classpath:") when the
> user decides to use Apache Shiro [3] to configure security for Apache Geode
> [4] is well, again, rather limiting.
> If a user specifies the Geode (System) property, "security-shiro-init",
> referencing an Apache Shiro INI configuration file, why not let the user
> decide the resource path source (i.e. classpath:, file:, or url:) of the INI
> file. For example...
> -Dgeode.security-shiro-init=file:/absolute/file/system/path/to/users/application/shiro.ini
> I would not arbitrarily restrict users to only the classapth for locating
> resources. It is unlikely the INI file will contain "sensitive" data (e.g.
> usernames/passwords, or even permission meta-data) in a production
> environment. It is more likely, that the users will be configuring 1 or more
> Shiro Realms declared in the [main] section of the INI file to load the
> security configuration meta-data from an external repository.
> Additionally, Apache Shiro has the ability to detect file changes, and
> dynamically reload the INI security configuration file [5] when the file:
> resource path (i.e. file system) is used.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
