[jira] [Resolved] (GEODE-9494) HTTP Session State Module - Security Properties

[Juan Ramos (Jira)]

     [ 
https://issues.apache.org/jira/browse/GEODE-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Juan Ramos resolved GEODE-9494.
-------------------------------
    Fix Version/s: 1.15.0
       Resolution: Fixed

> HTTP Session State Module - Security Properties
> -----------------------------------------------
>
>                 Key: GEODE-9494
>                 URL: https://issues.apache.org/jira/browse/GEODE-9494
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Juan Ramos
>            Assignee: Juan Ramos
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> In order to configure authentication and authorization, the geode cache must 
> be configured with either the {{security-client-auth-init}} or 
> {{security-peer-auth-init}} properties.
>  The implementation of the {{AuthInitialize}} interface is supposed to obtain 
> credentials for a client or peer and, in practice, it should be able to 
> connect to an external data source or use some extra configuration as to know 
> where to retrieve the actual credentials from. The 
> {{AuthInitialize.getCredentials()}} method receives all gemfire properties 
> configured with the prefix {{security-}} and its expected to use them in 
> order to configure itself.
>  The {{AbstractCache}} class, however, prevents the user from configuring any 
> property not returned by the {{AbstractDistributionConfig._getAttNames()}} 
> method, and this does not include those properties starting with 
> {{security-}}:
> {noformat}
>   public void setProperty(String name, String value) {
>     // TODO Look at fake attributes
>     if (name.equals("className")) {
>       return;
>     }
>     // Determine the validity of the input property
>     boolean validProperty = false;
>     // TODO: AbstractDistributionConfig is internal and _getAttNames is 
> designed for testing.
>     for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
>       if (name.equals(gemfireProperty)) {
>         validProperty = true;
>         break;
>       }
>     }
> ...
> }
> {noformat}
> The above, in turn, makes almost impossible for users to correctly implement 
> {{AuthInitialize}} without leveraging system properties or hardcoded paths 
> for external configuration.
> —
> As a side note, {{security-username}} and {{security-password}} are not 
> "formal" distributed system properties, so they also can't be used when 
> configuring the HTTP session state module:
> {noformat}
>   <Listener 
> className="org.apache.geode.modules.session.catalina.ClientServerCacheLifecycleListener"
>     security-username="myUser"
>     security-password="myPassword"/>
> {noformat}
> {noformat}
> 10-Aug-2021 12:15:57.118 WARNING [main] 
> org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The 
> input property named security-username is not a valid GemFire property. It is 
> being ignored.
> 10-Aug-2021 12:15:57.123 WARNING [main] 
> org.apache.geode.modules.session.bootstrap.AbstractCache.setProperty The 
> input property named security-password is not a valid GemFire property. It is 
> being ignored.
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)