Hi,

I am also trying to develop a security plugin for Ignite. The security context
in the case of a visor call is null, and even the SecurityContextHolder won't work.
Because,

1. *SecurityContextHolder* has a ThreadLocal variable holding the
*SecurityContext*. So if your calls of authenticate and authorize happen in
the same thread, like the *REST* call, it will work. Try printing
Thread.currentThread().getName() in your calls. You will understand what I
am saying.

2. When you connect visor to the grid, the *authenticateNode* method is called.
After that, any call you make calls the *authorize* method only, and that too
only if the plugin was configured on visor. So *SecurityContextHolder.set()* happens
in *authenticateNode*, which is called in the *tcp-discovery-worker* thread,
and *SecurityContextHolder.get()* happens in the *authorize* method, which is
called in a separate thread depending on the visor call. So here
*SecurityContextHolder* will not work.



For cases of visor, or any server node or thick client joining the cluster,
*SecurityContext* is passed as null. To overcome this, you need to store the local
node's security context in a field in your plugin, say *localSecurityContext*,
representing the security context of the local node. You can try something like this:

public class MySecurityProcessor extends GridProcessorAdapter
        implements DiscoverySpiNodeAuthenticator, GridSecurityProcessor, IgnitePlugin {

    // Security context of the local node. It is written in authenticateNode()
    // and read in authorize(), which run on different threads, hence volatile.
    private volatile MySecurityContext localSecurityContext;

    ................

    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred)
            throws IgniteCheckedException {

        ........................
        // write your logic to authenticate node and return Security Context

        // Check if node is local, and store the security context in your local
        // variable before returning
        if (node.isLocal()) localSecurityContext = .......

    }

    public SecurityContext authenticate(AuthenticationContext authenticationContext)
            throws IgniteCheckedException {
        SecuritySubject secureSecuritySubject = new SecuritySubject(
                authenticationContext.subjectId(),
                authenticationContext.subjectType(),
                authenticationContext.credentials().getLogin(),
                authenticationContext.address()
        );
        SecurityContext securityContext = new MySecurityContext(secureSecuritySubject, accessToken);
        // Only visible to code that later runs on this same thread
        SecurityContextHolder.set(securityContext);
        return securityContext;
    }

    public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx)
            throws SecurityException {
        System.out.println(SecurityContextHolder.get());
        System.out.println(securityCtx);
        // If context is null use localSecurityContext
        if (securityCtx == null) securityCtx = localSecurityContext;
        // do some authorization
        .....................
    }

    ......
}


Note that this will work if *isGlobalNodeAuthentication* is true. Because
only then the *authenticateNode* method is called on each joining node (instead
of the coordinator) and you can save the context in a local variable. The
joining node must also have the plugin configured for this to work.





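The thread behaviour described in the message above, as an added stand-alone example that is not part of the original post and is not Ignite code: a ThreadLocal holder set on one thread reads as null on another, while a volatile field still supplies the local node's context. The class name, thread names and the use of plain strings in place of *SecurityContext* are assumptions made for illustration.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextDemo {
    // Stand-in for SecurityContextHolder: one slot per thread.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

    // Stand-in for the plugin's localSecurityContext field; volatile so the
    // write made on the discovery thread is visible to every other thread.
    static volatile String localSecurityContext;

    // Mirrors authenticateNode(): runs on the discovery thread.
    static void authenticateNode(String ctx, boolean isLocal) {
        HOLDER.set(ctx);
        if (isLocal) localSecurityContext = ctx;
    }

    // Mirrors the null check in authorize(): the context actually used.
    static String resolveContext(String securityCtx) {
        return securityCtx != null ? securityCtx : localSecurityContext;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical thread names; Ignite's real thread names differ.
        ExecutorService discovery =
            Executors.newSingleThreadExecutor(r -> new Thread(r, "discovery-thread"));
        ExecutorService worker =
            Executors.newSingleThreadExecutor(r -> new Thread(r, "visor-task-thread"));
        try {
            // Constructed sample context, set on the discovery thread.
            discovery.submit(() -> authenticateNode("ctx-of-local-node", true)).get();

            Callable<String> readHolder = HOLDER::get;
            Callable<String> readResolved = () -> resolveContext(null);

            // Same thread that called set(): the holder has the value.
            System.out.println("discovery holder: " + discovery.submit(readHolder).get());
            // Different thread: the ThreadLocal slot is empty (null).
            System.out.println("worker holder:    " + worker.submit(readHolder).get());
            // Different thread, null context passed in: the field fallback works.
            System.out.println("worker resolved:  " + worker.submit(readResolved).get());
        } finally {
            discovery.shutdown();
            worker.shutdown();
        }
    }
}
```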