This is an automated email from the ASF dual-hosted git repository.
igodwin pushed a commit to branch release/1.8
in repository https://gitbox.apache.org/repos/asf/geode-native.git
commit 62aafc91d1d6519e0b769d4929413fac2209d304
Author: Dave Barnes <dbar...@pivotal.io>
AuthorDate: Fri Nov 9 16:08:31 2018 -0800
GEODE-4728 Geode NC doc: Add a Security topic
---
.../source/subnavs/geode-nc-nav.erb | 2 +-
.../configuring/sysprops.html.md.erb | 15 ----
.../security/LDAPserverauth.html.md.erb | 42 ----------
docs/geode-native-docs/security/PKCS.html.md.erb | 43 ----------
docs/geode-native-docs/security/SampleAuth.cs | 77 ++++++++++++++++++
.../security/authentication-levels.html.md.erb | 36 ---------
.../security/authentication.html.md.erb | 93 ++++++++++++++++++++++
.../security/authforcacheserver.html.md.erb | 40 ----------
.../security/caveatregionservice.html.md.erb | 43 ----------
.../config-clientauthorization.html.md.erb | 30 -------
.../createsecureconnregionservice.html.md.erb | 60 --------------
.../security/encrypted-auth.html.md.erb | 32 --------
.../security/handling-serv-auth-errors.html.md.erb | 24 ------
.../security/overviewauthentication.html.md.erb | 39 ---------
.../overviewclientauthorization.html.md.erb | 38 ---------
.../security/overviewencryptcred.html.md.erb | 59 --------------
.../security/overviewsecurity.html.md.erb | 46 -----------
.../security/postopauthorization.html.md.erb | 32 --------
.../security/security-systemprops.html.md.erb | 26 +-----
.../security/security.html.md.erb | 24 +++---
.../security/sslclientserver.html.md.erb | 21 +++--
.../security/systempropsforauth.html.md.erb | 85 --------------------
.../security/usingoperationcontext.html.md.erb | 38 ---------
23 files changed, 199 insertions(+), 746 deletions(-)
diff --git
a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
index 815b2f8..f654fb4 100644
--- a/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
+++ b/docs/geode-native-book/master_middleman/source/subnavs/geode-nc-nav.erb
@@ -74,7 +74,7 @@ limitations under the License.
</li>
<li>
- <a
href="/docs/geode-native/<%=vars.product_version_nodot%>/security/security.html">Security</a>
+ <a
href="/docs/geode-native/<%=vars.product_version_nodot%>/security/security.html">Security:
Authentication and Encryption</a>
</li>
<li>
<a
href="/docs/geode-native/<%=vars.product_version_nodot%>/transactions/transactions.html">Transactions</a>
diff --git a/docs/geode-native-docs/configuring/sysprops.html.md.erb
b/docs/geode-native-docs/configuring/sysprops.html.md.erb
index 1d20f5f..b319b0d 100644
--- a/docs/geode-native-docs/configuring/sysprops.html.md.erb
+++ b/docs/geode-native-docs/configuring/sysprops.html.md.erb
@@ -272,21 +272,6 @@ See [SSL Client/Server
Communication](../security/sslclientserver.html).
<td>null</td>
</tr>
<tr class="odd">
-<td><code class="ph codeph">security-client-kspasswd</code></td>
-<td>Password for the public key file store on the client.</td>
-<td></td>
-</tr>
-<tr class="odd">
-<td><code class="ph codeph">security-alias</code></td>
-<td>Alias name for the key in the keystore.</td>
-<td></td>
-</tr>
-<tr class="even">
-<td><code class="ph codeph">security-keystorepass</code></td>
-<td>Sets the password for the password-protected keystore.</td>
-<td></td>
-</tr>
-<tr class="odd">
<td><code class="ph codeph">ssl-enabled</code></td>
<td>True if SSL connection support is enabled.</td>
<td>empty</td>
diff --git a/docs/geode-native-docs/security/LDAPserverauth.html.md.erb
b/docs/geode-native-docs/security/LDAPserverauth.html.md.erb
deleted file mode 100644
index 4f31ef3..0000000
--- a/docs/geode-native-docs/security/LDAPserverauth.html.md.erb
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Using an LDAP Server for Client Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-An LDAP server can be used by a <%=vars.product_name%> cache server using the
sample LDAP implementation provided in the server distribution.
-
-See [Security](geodeman/managing/security/chapter_overview.html#security) in
the server manual to verify authentication credentials for clients attempting
to connect to the cache servers and sending user name and passwords using the
sample UserPassword scheme.
-
-**Note:**
-The user name and password with this sample implementation is sent out in
plaintext. For better security, either turn on credential encryption using
Diffie-Hellman key exchange, or use a scheme like PKCS.
-
-When a client initiates a connection to a cache server, the client submits its
credentials to the server and the server submits those credentials to the LDAP
server. To be authenticated, the credentials for the client need to match one
of the valid entries in the LDAP server. The credentials can consist of the
entry name and the corresponding password. If the submitted credentials result
in a connection to the LDAP server because the credentials match the
appropriate LDAP entries, then t [...]
-
-**Configuration Settings**
-
-In the `geode.properties` file for the client, specify the
`UserPasswordAuthInit` callback, the user name, and the password, like this:
-
-``` pre
-security-client-auth-library=securityImpl
-security-client-auth-factory=createUserPasswordAuthInitInstance
-security-username=<username>
-security-password=<password>
-```
-
-For server side settings and LDAP server configuration, see the server's
security documentation.
diff --git a/docs/geode-native-docs/security/PKCS.html.md.erb
b/docs/geode-native-docs/security/PKCS.html.md.erb
deleted file mode 100644
index ae4be30..0000000
--- a/docs/geode-native-docs/security/PKCS.html.md.erb
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Using PKCS for Encrypted Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-This section discusses the concepts and configurations for the sample
UserPassword and PKCS implementations. Descriptions of their interfaces,
classes, and methods are available in the API.
-
-**Note:**
-Native client samples are provided in source form only in the "templates"
directory within the product directory.
-
-With PKCS, clients send encrypted authentication credentials in the form of
standard PKCS signatures to a <%=vars.product_name%> cache server when they
connect to the server. The credentials consist of the alias name and digital
signature created using the private key that is retrieved from the provided
keystore. The server uses a corresponding public key to decrypt the
credentials. If decryption is successful then the client is authenticated and
it connects to the cache server. For unsu [...]
-
-When clients require authentication to connect to a cache server, they use the
`PKCSAuthInit` class implementing the `AuthInitialize` interface to obtain
their credentials. For the PKCS sample provided by <%=vars.product_name%>, the
credentials consist of an alias and an encrypted byte array. The private key is
obtained from the PKCS\#12 keystore file. To accomplish this,` PKCSAuthInit`
gets the alias retrieved from the `security-alias `property, and the keystore
path from the `security- [...]
-
-**The securityImpl Library**
-
-To use the PKCS sample implementation, you need to build OpenSSL and then
build the securityImpl library. In the `geode.properties `file for the client,
specify the `PKCSAuthInit` callback, the keystore path, the security alias, and
the keystore password, like this:
-
-``` pre
-security-client-auth-library=securityImpl
-security-client-auth-factory=createPKCSAuthInitInstance
-security-keystorepath=<PKCS#12 keystore path>
-security-alias=<alias>
-security-keystorepass=<keystore password>
-```
-
-For server side settings and PKCS configuration, see the server's security
documentation.
diff --git a/docs/geode-native-docs/security/SampleAuth.cs
b/docs/geode-native-docs/security/SampleAuth.cs
new file mode 100644
index 0000000..4b7181e
--- /dev/null
+++ b/docs/geode-native-docs/security/SampleAuth.cs
@@ -0,0 +1,77 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System;
+using Apache.Geode.Client;
+
+namespace Apache.Geode.Examples.AuthInitialize
+{
+ class Program
+ {
+ static void Main(string[] args)
+ {
+ var cacheFactory = new CacheFactory()
+ .Set("log-level", "none")
+ .SetAuthInitialize(new ExampleAuthInitialize());
+
+ var cache = cacheFactory.Create();
+ var poolFactory = cache.GetPoolFactory()
+ .AddLocator("localhost", 10334);
+ poolFactory.Create("pool");
+ var regionFactory = cache.CreateRegionFactory(RegionShortcut.PROXY)
+ .SetPoolName("pool");
+ var region = regionFactory.Create<string, string>("region");
+
+ region["a"] = "1";
+ region["b"] = "2";
+
+ var a = region["a"];
+ var b = region["b"];
+
+ Console.Out.WriteLine("a = " + a);
+ Console.Out.WriteLine("b = " + b);
+
+ cache.Close();
+ }
+ }
+
+ class ExampleAuthInitialize : IAuthInitialize
+ {
+ public ExampleAuthInitialize()
+ {
+ // TODO initialize your resources here
+ Console.Out.WriteLine("ExampleAuthInitialize::ExampleAuthInitialize
called");
+ }
+
+ public void Close()
+ {
+ // TODO close your resources here
+ Console.Out.WriteLine("ExampleAuthInitialize::Close called");
+ }
+
+ public Properties<string, object> GetCredentials(Properties<string,
string> props, string server)
+ {
+ // TODO get your username and password
+ Console.Out.WriteLine("ExampleAuthInitialize::GetCredentials called");
+
+ var credentials = new Properties<string, object>();
+ credentials.Insert("username", "john");
+ credentials.Insert("password", "secret");
+ return credentials;
+ }
+ }
+}
diff --git a/docs/geode-native-docs/security/authentication-levels.html.md.erb
b/docs/geode-native-docs/security/authentication-levels.html.md.erb
deleted file mode 100644
index a7501b5..0000000
--- a/docs/geode-native-docs/security/authentication-levels.html.md.erb
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Process and Multiuser Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-Client connections can be authenticated at two levels, process and multiuser.
-
-- **Process**. Each pool creates a configured minimum number of connections
across the server group. The pool accesses the least-loaded server for each
cache operation.
-
- Process-level connections represent the overall client process and are the
standard way a client accesses the server cache.
-
-- **Multi-user**. Each user/pool pair creates a connection to one server and
then sticks with it for operations. If the server is unable to respond to a
request, the pool selects a new one for the user.
-
- Typically, application servers or web servers that act as clients to
<%=vars.product_name%> servers make multi-user connections. Multi-user allows a
single application or web server process to service a large number of users
with varied access permissions.
-
-By default, server pools use process-level authentication. Enable multi-user
authentication by setting a pool's `multi-user-secure-mode-enabled` attribute
to `true`.
-
-<img src="../common/images/security-client-connections.gif"
id="security__image_85B98E185AD84C59AC22974A63080559" class="image" />
-
-Credentials can be sent in encrypted form using the Diffie-Hellman key
exchange algorithm. See [Encrypt Credentials with
Diffie-Hellman](overviewencryptcred.html#security) for more information.
diff --git a/docs/geode-native-docs/security/authentication.html.md.erb
b/docs/geode-native-docs/security/authentication.html.md.erb
new file mode 100644
index 0000000..098527b
--- /dev/null
+++ b/docs/geode-native-docs/security/authentication.html.md.erb
@@ -0,0 +1,93 @@
+---
+title: Authentication
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+A client is authenticated when it connects, with valid credentials, to a
<%=vars.product_name%> cache server that is configured with the client
`Authenticator` callback.
+
+Examples of various implementations can be found in the Native Client source
distribution's `../templates/security`` directory.
+
+An `AuthenticationRequiredException` is thrown when the server is configured
with security and the
+client does not present its credentials while attempting to connect.
+
+The following excerpts are taken from the .NET example provided with your
Native Client distribution in the `../examples/dotnet/AuthInitialize` directory.
+
+```cs
+using System;
+using Apache.Geode.Client;
+
+namespace Apache.Geode.Examples.AuthInitialize
+{
+ class Program
+ {
+ static void Main(string[] args)
+ {
+ var cacheFactory = new CacheFactory()
+ .Set("log-level", "none")
+ .SetAuthInitialize(new ExampleAuthInitialize());
+
+ var cache = cacheFactory.Create();
+ var poolFactory = cache.GetPoolFactory()
+ .AddLocator("localhost", 10334);
+ poolFactory.Create("pool");
+ var regionFactory = cache.CreateRegionFactory(RegionShortcut.PROXY)
+ .SetPoolName("pool");
+ var region = regionFactory.Create<string, string>("region");
+
+ region["a"] = "1";
+ region["b"] = "2";
+
+ var a = region["a"];
+ var b = region["b"];
+
+ Console.Out.WriteLine("a = " + a);
+ Console.Out.WriteLine("b = " + b);
+
+ cache.Close();
+ }
+ }
+
+ class ExampleAuthInitialize : IAuthInitialize
+ {
+ public ExampleAuthInitialize()
+ {
+ // TODO initialize your resources here
+ Console.Out.WriteLine("ExampleAuthInitialize::ExampleAuthInitialize
called");
+ }
+
+ public void Close()
+ {
+ // TODO close your resources here
+ Console.Out.WriteLine("ExampleAuthInitialize::Close called");
+ }
+
+ public Properties<string, object> GetCredentials(Properties<string,
string> props, string server)
+ {
+ // TODO get your username and password
+ Console.Out.WriteLine("ExampleAuthInitialize::GetCredentials called");
+
+ var credentials = new Properties<string, object>();
+ credentials.Insert("username", "john");
+ credentials.Insert("password", "secret");
+ return credentials;
+ }
+ }
+}
+
+```
diff --git a/docs/geode-native-docs/security/authforcacheserver.html.md.erb
b/docs/geode-native-docs/security/authforcacheserver.html.md.erb
deleted file mode 100644
index 43713de..0000000
--- a/docs/geode-native-docs/security/authforcacheserver.html.md.erb
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Configuring Authentication by the Cache Server
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-When the cache server receives client credentials during the handshake
operation, the server authenticates the client with the callback configured in
the `security-client-authenticator` system property. The handshake succeeds or
fails depending on the results of the authentication process.
-
-Here is an example of how you could configure `security-client-authenticator`
in the `geode.properties` file:
-
-``` pre
-security-client-authenticator=templates.security.PKCSAuthenticator.create
-```
-
-In the preceding configuration sample, `PKCSAuthenticator` is the callback
class implementing the `Authenticator` interface and `create` is its factory
method.
-
-The following example shows an implementation of the static `create` method:
-
-``` pre
-public static Authenticator create() {
- return new PKCSAuthenticator();
-}
-```
-
-
diff --git a/docs/geode-native-docs/security/caveatregionservice.html.md.erb
b/docs/geode-native-docs/security/caveatregionservice.html.md.erb
deleted file mode 100644
index d8b8463..0000000
--- a/docs/geode-native-docs/security/caveatregionservice.html.md.erb
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Requirements and Caveats for RegionService
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-For each region, you can perform operations through the `Cache` instance or
the `RegionService` instances, but not both.
-
-**Note:**
-Through the `Cache` you can create a region that uses a pool configured for
multi-user authentication, then access and do work on the region using your
`RegionService` instances.
-
-To use `RegionService`:
-
-- Configure regions as EMPTY. Depending on your data access requirements,
this configuration might affect performance, because the client goes to the
server for every `get`.
-- If you are running durable CQs through the region services, stop and start
the offline event storage for the client as a whole. The server manages one
queue for the entire client process, so you need to request the stop and start
of durable client queue (CQ) event messaging for the cache as a whole, through
the ClientCache instance. If you closed the `RegionService` instances, event
processing would stop, but the events from the server would continue, and would
be lost.
-
- Stop with:
-
- ``` pre
- cachePtr->close(true);
- ```
-
- Start up again in this order:
- 1. Create the cache.
- 2. Create all region service instances. Initialize CQ listeners.
- 3. Call the cache `readyForEvents` method.
-
-
diff --git
a/docs/geode-native-docs/security/config-clientauthorization.html.md.erb
b/docs/geode-native-docs/security/config-clientauthorization.html.md.erb
deleted file mode 100644
index 0a73159..0000000
--- a/docs/geode-native-docs/security/config-clientauthorization.html.md.erb
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Configuring Client Authorization
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-You can configure authorization on a per-client basis for various cache
operations such as create, get, put, query invalidations, interest
registration, and region destroys. On the server side, the
`securityclient-accessor` system property in the server’s `gemfire.properties`
file specifies the authorization callback.
-
-For example:
-
-`security-client-accessor=templates.security.XmlAuthorization.create`
-
-In this system property setting, `XmlAuthorization` is the callback class that
implements the `AccessControl` interface. The `XmlAuthorization` sample
implementation provided with Geode expects an XML file that defines
authorization privileges for the clients. For details of this sample
implementation and the `AccessControl` interface, see the [Authorization
Example](../../managing/security/authorization_example.html#authorization_example).
-
-
diff --git
a/docs/geode-native-docs/security/createsecureconnregionservice.html.md.erb
b/docs/geode-native-docs/security/createsecureconnregionservice.html.md.erb
deleted file mode 100644
index 563dcd4..0000000
--- a/docs/geode-native-docs/security/createsecureconnregionservice.html.md.erb
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Creating Multiple Secure User Connections
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-To create multiple, secure connections to your servers from a single client,
so the client can service different user types, you create an authenticated
`RegionService` for each user.
-
-Typically, a <%=vars.product_name%> client embedded in an application server
supports data requests from many users. Each user can be authorized to access a
subset of data on the servers. For example, customer users are allowed to see
and update only their own orders and shipments.
-
-The authenticated users all access the same Cache through instances of the
`RegionService` interface. See
[RegionService](../client-cache/caching-apis.html#caching-apis__section_8F81996678B64BBE94EF352527F7F006).
-
-To implement multiple user connections in your client cache, create your Cache
as usual, with these additions:
-
-1. Configure your client’s server pool for multiple secure user
authentication. Example:
-
- ``` pre
- <pool name="serverPool" multiuser-authentication="true">
- <locator host="host1" port="44444"/>
- </pool>
- ```
-
- This enables access through the pool for the `RegionService` instances and
disables it for the Cache instance.
-
-2. After you create your cache, for each user, call your Cache instance
`createAuthenticatedView` method, providing the user’s particular credentials.
These are create method calls for two users:
-
- ``` pre
- PropertiesPtr credentials1 = Properties::create();
- credentials1->insert("security-username", "root1");
- credentials1->insert("security-password", "root1");
- RegionServicePtr userCache1 =
cachePtr->createAuthenticatedView(credentials1);
-
- PropertiesPtr credentials2 = Properties::create();
- credentials2->insert("security-username", "root2");
- credentials2->insert("security-password", "root2");
- RegionServicePtr userCache2 =
cachePtr->createAuthenticatedView(credentials2);
- ```
-
- For each user, do all of your caching and region work through the assigned
region service pointer. Use the region service to get your regions, and the
query service, if you need that, and then do your work with them. Access to the
server cache will be governed by the server’s configured authorization rules
for each individual user.
-
-3. To close your cache, close the Cache instance.
-
-- **[Requirements and Caveats for RegionService](caveatregionservice.html)**
-
-
diff --git a/docs/geode-native-docs/security/encrypted-auth.html.md.erb
b/docs/geode-native-docs/security/encrypted-auth.html.md.erb
deleted file mode 100644
index fe08234..0000000
--- a/docs/geode-native-docs/security/encrypted-auth.html.md.erb
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Encrypted Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-You can set up encrypted authentication using Diffie-Hellman or the sample
PKCS implementation.
-
-- **[Encrypt Credentials with Diffie-Hellman](overviewencryptcred.html)**
-
- For secure transmission of sensitive credentials like passwords, encrypt
credentials using the Diffie-Hellman key exchange algorithm. With
Diffie-Hellman enabled, you can have your client authenticate its servers.
-
-- **[Using PKCS for Encrypted Authentication](PKCS.html)**
-
- This section discusses the concepts and configurations for the sample
UserPassword and PKCS implementations. Descriptions of their interfaces,
classes, and methods are available in the API.
-
-
diff --git
a/docs/geode-native-docs/security/handling-serv-auth-errors.html.md.erb
b/docs/geode-native-docs/security/handling-serv-auth-errors.html.md.erb
deleted file mode 100644
index 9294684..0000000
--- a/docs/geode-native-docs/security/handling-serv-auth-errors.html.md.erb
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Server Authentication Errors
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-An `AuthenticationRequiredException` is thrown when the server is configured
with security and the client does not present its credentials while attempting
to connect. This can occur if the `securityclient-auth-factory` and
`security-client-auth-library` properties are not configured on the client.
-
-
diff --git a/docs/geode-native-docs/security/overviewauthentication.html.md.erb
b/docs/geode-native-docs/security/overviewauthentication.html.md.erb
deleted file mode 100644
index 70ee2af..0000000
--- a/docs/geode-native-docs/security/overviewauthentication.html.md.erb
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-A client is authenticated when it connects, with valid credentials, to a
<%=vars.product_name%> cache server that is configured with the client
`Authenticator` callback.
-
-Once the client is authenticated, the server assigns the client a unique ID
and principal, used to authorize operations. The client must trust all cache
servers in the server system as it may connect to any one of them.
-
-- **[Configuring Credentials for Authentication](systempropsforauth.html)**
-
- The native client uses system properties to acquire valid credentials for
authentication by the server. You define these properties in the
`geode.properties` file, which the native client accesses during startup.
-
-- **[Configuring Authentication by the Cache
Server](authforcacheserver.html)**
-
- When the cache server receives client credentials during the handshake
operation, the server authenticates the client with the callback configured in
the `security-client-authenticator` system property. The handshake succeeds or
fails depending on the results of the authentication process.
-
-- **[Server Authentication Errors](handling-serv-auth-errors.html)**
-
-- **[Creating Multiple Secure User
Connections](createsecureconnregionservice.html)**
-
- To create multiple, secure connections to your servers from a single
client, so the client can service different user types, you create an
authenticated `RegionService` for each user.
-
diff --git
a/docs/geode-native-docs/security/overviewclientauthorization.html.md.erb
b/docs/geode-native-docs/security/overviewclientauthorization.html.md.erb
deleted file mode 100644
index f2127a9..0000000
--- a/docs/geode-native-docs/security/overviewclientauthorization.html.md.erb
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Client Authorization
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-Using a provided callback that implements the `AccessControl` interface, you
can configure each server to authorize some or all cache operations.
-
-The callback can also modify or even disallow the data being provided by the
client in the operation, such as a put or a `putAll` operation. The callback
can also register itself as a post-processing filter that is passed operation
results like `get`, `getAll`, and `query`.
-
-- **[Configuring Client Authorization](config-clientauthorization.html)**
-
- You can configure authorization on a per-client basis for various cache
operations such as create, get, put, query invalidations, interest
registration, and region destroys. On the server side, the
`securityclient-accessor` system property in the server’s `geode.properties`
file specifies the authorization callback.
-
-- **[Post-Operative Authorization](postopauthorization.html)**
-
- Authorization in the post-operation phase occurs on the server after the
operation is complete and before the results are sent to the client.
-
-- **[Determining Pre- or Post-Operation
Authorization](usingoperationcontext.html)**
-
- The `OperationContext` object that is passed to the `authorizeOperation`
method of the callback as the second argument provides an `isPostOperation`
method that returns true when the callback is invoked in the post-operation
phase.
-
-
diff --git a/docs/geode-native-docs/security/overviewencryptcred.html.md.erb
b/docs/geode-native-docs/security/overviewencryptcred.html.md.erb
deleted file mode 100644
index 2ca30a1..0000000
--- a/docs/geode-native-docs/security/overviewencryptcred.html.md.erb
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Encrypt Credentials with Diffie-Hellman
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-For secure transmission of sensitive credentials such as passwords, encrypt
credentials using the Diffie-Hellman key exchange algorithm. With
Diffie-Hellman enabled, you can have your client authenticate its servers.
-
-## <a id="security__section_1BB8F13C7ACB44668FF337F59A3BA5AE"
class="no-quick-link"></a>Enabling Diffie-Hellman
-
-Set the `security-client-dhalgo` system property in the `geode.properties`
file to the password for the public key file store on the client (the name of a
valid symmetric key cipher supported by the JDK).
-
-Valid `security-client-dhalgo` property values are `DESede`, `AES`, and
`Blowfish`, which enable the Diffie-Hellman algorithm with the specified cipher
to encrypt the credentials.
-
-For the `AES` and `Blowfish` algorithms, optionally specify the key size for
the `security-client-dhalgo` property. Valid key size settings for the `AES`
algorithm are `AES:128`, `AES:192`, and `AES:256`. The colon separates the
algorithm name and the key size. For the `Blowfish` algorithm, key sizes from
128 to 448 bits are supported. For example:
-
-``` pre
-security-client-dhalgo=Blowfish:128
-```
-
-For `AES` algorithms, you may need Java Cryptography Extension (JCE) Unlimited
Strength Jurisdiction Policy Files from Sun or equivalent for your JDK.
-
-Adding settings for Diffie-Hellman on clients also enables challenge response
from server to client in addition to encryption of credentials using the
exchanged key to avoid replay attacks from clients to servers. Clients can also
enable authentication of servers, with challenge-response from client to server
to avoid server-side replay attacks.
-
-## <a id="security__section_F881653044EC4AB5BE88F673890F2A40"
class="no-quick-link"></a>Client Authentication of Server
-
-With Diffie-Hellman enabled, you can have your client authenticate its servers.
-
-1. Generate a `.pem` file for each pkcs12 keystore:
-
- 1. Enter this command from a pkcs12 file or a pkcs keystore: <a
id="security__fig_3CAFDE3CB29348A19AF3BE3591AFA2F7"></a>
-
- ``` pre
- user@host: ~> openssl pkcs12 -nokeys -in <keystore/pkcs12 file> -out
<outputfilename.pem >
- ```
-
- 2. Concatenate the generated .pem files into a single .pem file. You will
use this file name in the next step.
-
-2. In the `geode.properties` file:
-
- 1. Set `security-client-kspath` to the file name of the `.pem` file
password for the public key file store on the client.
- 2. Set `security-client-kspasswd` to the password for the public key file
store on the client.
-
-
diff --git a/docs/geode-native-docs/security/overviewsecurity.html.md.erb
b/docs/geode-native-docs/security/overviewsecurity.html.md.erb
deleted file mode 100644
index a965c5e..0000000
--- a/docs/geode-native-docs/security/overviewsecurity.html.md.erb
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Security
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-*Security* describes how to implement the security framework for the
<%=vars.product_name%> native client, including authentication, authorization,
encryption, and SSL client/server communication.
-
-The security framework authenticates clients that attempt to connect to a
<%=vars.product_name%> cache server and authorizes client cache operations. You
can also configure it for client authentication of servers, and you can plug in
your own implementations for authentication and authorization.
-
-- **[Authentication](overviewauthentication.html)**
-
- A client is authenticated when it connects, with valid credentials, to a
<%=vars.product_name%> cache server that is configured with the client
`Authenticator` callback.
-
-- **[Encrypted Authentication](encrypted-auth.html)**
-
- You can set up encrypted authentication using Diffie-Hellman or the sample
PKCS implementation.
-
-- **[Client Authorization](overviewclientauthorization.html)**
-
- Using a provided callback that implements the `AccessControl` interface,
you can configure each server to authorize some or all cache operations.
-
-- **[Security-Related System Properties
(geode.properties)](security-systemprops.html)**
-
- The table describes the security-related system properties in the
`geode.properties` file for native client authentication and authorization.
-
-- **[SSL Client/Server Communication](sslclientserver.html)**
-
- This section describes how to configure OpenSSL; implement SSL-based
communication between your clients and servers; and run clients and servers
with SSL enabled.
-
-
diff --git a/docs/geode-native-docs/security/postopauthorization.html.md.erb
b/docs/geode-native-docs/security/postopauthorization.html.md.erb
deleted file mode 100644
index 663eece..0000000
--- a/docs/geode-native-docs/security/postopauthorization.html.md.erb
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Post-Operative Authorization
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-Authorization in the post-operation phase occurs on the server after the
operation is complete and before the results are sent to the client.
-
-The callback can modify the results of certain operations, such as `query`,
`get` and `keySet`, or even completely disallow the operation. For example, a
post-operation callback for a query operation can filter out sensitive data or
data that the client should not receive, or even completely fail the operation.
-
-The `security-client-accessor-pp` system property in the server’s
`gemfire.properties` file specifies the callback to invoke in the
post-operation phase. For example:
-
-``` pre
-security-client-accessor-pp=templates.security.XmlAuthorization.create
-```
-
-
diff --git a/docs/geode-native-docs/security/security-systemprops.html.md.erb
b/docs/geode-native-docs/security/security-systemprops.html.md.erb
index 3197a76..81eba0e 100644
--- a/docs/geode-native-docs/security/security-systemprops.html.md.erb
+++ b/docs/geode-native-docs/security/security-systemprops.html.md.erb
@@ -24,21 +24,13 @@ The table describes the security-related system properties
in the `geode.propert
<a id="security__section_6DC4C72A2EEB432AA40DE97D438FD1E7"></a><a
id="security__table_92A6A66523764199A19BCD66BA189921"></a>
<table>
-<caption><span class="tablecap">Table 1. System Properties for Client
Authentication and Authorization</span></caption>
+<caption><span class="tablecap">System Properties for Client Authentication
and Authorization</span></caption>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
-<td><code class="ph codeph">security-client-auth-factory</code></td>
-<td>Sets the key for the <code class="ph codeph">AuthInitialize</code> factory
function.</td>
-</tr>
-<tr class="even">
-<td><code class="ph codeph">security-client-auth-library</code></td>
-<td>Registers the path to the <code class="ph codeph">securityImpl.dll</code>
library.</td>
-</tr>
-<tr class="odd">
<td><code class="ph codeph">security-client-dhalgo</code></td>
<td>Returns the Diffie-Hellman secret key cipher algorithm.</td>
</tr>
@@ -47,24 +39,12 @@ The table describes the security-related system properties
in the `geode.propert
<td>Path to a .pem file, which contains the public certificates for all
<%=vars.product_name%> cache servers to which the client can connect through
specified endpoints.</td>
</tr>
<tr class="odd">
-<td><code class="ph codeph">security-client-kspasswd</code></td>
-<td>Password for the public key file store on the client.</td>
-</tr>
-<tr class="odd">
-<td><code class="ph codeph">security-alias</code></td>
-<td>Alias name for the key in the keystore.</td>
-</tr>
-<tr class="even">
-<td><code class="ph codeph">security-keystorepass</code></td>
-<td>Sets the password for the password-protected keystore.</td>
-</tr>
-<tr class="odd">
<td><code class="ph codeph">ssl-enabled</code></td>
<td>True if SSL connection support is enabled.</td>
</tr>
<tr class="even">
<td><code class="ph codeph">ssl-keystore</code></td>
-<td>Name of the .PEM keystore file, containing the client’s private key. Not
set by default. Required if <code class="ph codeph">ssl-enabled</code> is
true.</td>
+<td>Name of the .pem keystore file, containing the client’s private key. Not
set by default. Required if <code class="ph codeph">ssl-enabled</code> is
true.</td>
</tr>
<tr class="odd">
<td><code class="ph codeph">ssl-keystore-password</code></td>
@@ -72,7 +52,7 @@ The table describes the security-related system properties in
the `geode.propert
</tr>
<tr class="even">
<td><code class="ph codeph">ssl-truststore</code></td>
-<td><p>Name of the .PEM truststore file, containing the servers’ public
certificate. Not set by default. Required if <code class="ph
codeph">ssl-enabled</code> is true</p></td>
+<td><p>Name of the .pem truststore file, containing the servers’ public
certificate. Not set by default. Required if <code class="ph
codeph">ssl-enabled</code> is true</p></td>
</tr>
</tbody>
</table>
diff --git a/docs/geode-native-docs/security/security.html.md.erb
b/docs/geode-native-docs/security/security.html.md.erb
index e63e280..3bbcc61 100644
--- a/docs/geode-native-docs/security/security.html.md.erb
+++ b/docs/geode-native-docs/security/security.html.md.erb
@@ -1,5 +1,5 @@
---
-title: Security
+title: Security: Authentication and Encryption
---
<!--
@@ -19,22 +19,20 @@ See the License for the specific language governing
permissions and
limitations under the License.
-->
-The security framework authenticates clients as they connect to a
<%=vars.product_name%> cache server and authorizes client cache operations. You
can also configure it for client authentication of servers, and you can plug in
your own implementations for authentication and authorization.
+Most security configuration takes place on the <%=vars.product_name%> server.
The server's security
+framework authenticates clients as they connect to a cache server and
authorizes client cache
+operations using developer-provided implementations for authentication and
authorization.
-For an explanation of the server-side implementation of security, see
[Security](geodeman/managing/security/chapter_overview.html) in the
*<%=vars.product_name%> User Guide*.
+For an explanation of the server-side implementation of security features,
+see [Security](geodeman/managing/security/chapter_overview.html) in the
*<%=vars.product_name%> User Guide*.
-The following sections describe some client-specific security considerations:
+A Native Client application must address two security concerns when connecting
to a <%=vars.product_name%> server:
-- **Authentication**
+- **[Authentication](authentication.html)**
- Geode Native requires providing an authentication implementation.
Examples of these implementations can be found in /templates/security. Build
and link the implementation and set the implementation’s properties on the
cache.
+ The Client must submit its authentication credentials to the server using
the developer-provided authentication implementation expected by the server.
-- **[Security-Related System Properties](security-systemprops.html)**
-
- The table describes the security-related system properties in the
`geode.properties` file for native client authentication and authorization.
-
-- **[SSL Client/Server Communication](sslclientserver.html)**
-
- This section describes how to configure OpenSSL, implement SSL-based
communication between your clients and servers, and run clients and servers
with SSL enabled.
+- **[TLS/SSL Client/Server Communication Encryption](sslclientserver.html)**
+ Communication between client and server must be encrypted so
authentication credentials and other transmissions cannot be viewed by
third-parties.
diff --git a/docs/geode-native-docs/security/sslclientserver.html.md.erb
b/docs/geode-native-docs/security/sslclientserver.html.md.erb
index d97cc76..a84d28c 100644
--- a/docs/geode-native-docs/security/sslclientserver.html.md.erb
+++ b/docs/geode-native-docs/security/sslclientserver.html.md.erb
@@ -1,5 +1,5 @@
---
-title: SSL Client/Server Communication
+title: TLS/SSL Client-Server Communication Encryption
---
<!--
@@ -19,18 +19,25 @@ See the License for the specific language governing
permissions and
limitations under the License.
-->
-This section describes how to configure OpenSSL, implement SSL-based
communication between your clients and servers, and run clients and servers
with SSL enabled.
+This section describes how to implement TLS-based communication between your
clients and servers using the OpenSSL encryption utility.
# Set Up OpenSSL
-The open-source OpenSSL toolkit provides a full-strength general purpose
cryptography library to operate along with the PKCS sample implementation for
encrypted authentication of native client credentials.
+The open-source OpenSSL toolkit provides a full-strength general purpose
cryptography library for encrypting client-server communications.
Download and install OpenSSL 1.1.1 for your specific operating system.
-For Windows platforms, you can use either the regular or the "Light" version.
-**Note for Windows users:** If you use Cygwin, do not use the OpenSSL library
that comes with
-Cygwin, which is built with `cygwin.dll` as a dependency. Instead, download a
fresh copy from
-OpenSSL as described in the following section.
+**Notes for Windows users:**
+
+- For Windows platforms, you can use either the regular or the "Light" version
of SSL.
+
+- Use a 64-bit implementation of OpenSSL.
+
+- If you use Cygwin, do not use the OpenSSL library that comes with Cygwin,
which is built with
+`cygwin.dll` as a dependency. Instead, download a fresh copy from OpenSSL.
+
+- For many Windows applications, the most convenient way to install OpenSSL is
to use `choco` (see [chocolatey.org]
(https://chocolatey.org/packages/OpenSSL.Light)) to install the “Light” version
of OpenSSL.
+
## Step 1. Create keystores
diff --git a/docs/geode-native-docs/security/systempropsforauth.html.md.erb
b/docs/geode-native-docs/security/systempropsforauth.html.md.erb
deleted file mode 100644
index 5cbc80a..0000000
--- a/docs/geode-native-docs/security/systempropsforauth.html.md.erb
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Configuring Credentials for Authentication
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-The client uses system properties to acquire valid credentials for
authentication by the server. You define these properties in the
`geode.properties` file, which the client accesses during startup.
-
-## <a id="security__section_E1835A3B22D44D47A4C9DB54A3590B71"
class="no-quick-link"></a>security-client-auth-factory
-
-System property for the factory function of the class implementing the
`AuthInitialize` interface (`IAuthInitialize` in .NET). The .NET clients can
load both C++ and .NET implementations. For .NET implementations, this property
is the fully qualified name of the static factory function (including the
namespace and class).
-
-## <a id="security__section_15C6689C363B469B947B177E1DE73208"
class="no-quick-link"></a>security-client-auth-library
-
-System property for the library where the factory methods reside. The library
is loaded explicitly and the factory functions are invoked dynamically,
returning an object of the class implementing the `AuthInitialize` interface.
-
-Other implementations of the `AuthInitialize` interface may be required to
build credentials using properties that are also passed as system properties.
These properties also start with the security- prefix. For example, the PKCS
implementation requires an alias name and the corresponding keystore path,
which are specified as `security-alias` and `security-keystorepath`,
respectively. Similarly, `UserPasswordAuthInit `requires a username specified
in `security-username`, and the correspo [...]
-
-The `getCredentials` function for the `AuthInitialize` interface is called to
obtain the credentials. All system properties starting with security- are
passed to this callback as the first argument to the `getCredentials` function,
using this prototype:
-
-`PropertiesPtr getCredentials(PropertiesPtr& securityprops, const char
*server);`
-
-## <a id="security__section_869DD42F1B23450D9425712EBBD5CB1C"
class="no-quick-link"></a>Implementing the Factory Method for Authentication
(C++ and .NET)
-
-The following examples show how to implement the factory method in both C++
and .NET. **C++ Implementation**
-
-``` pre
-LIBEXP AuthInitialize* createPKCSAuthInitInstance()
-{
- return new PKCSAuthInit( );
-}
-```
-
-**.NET Implementation**
-
-``` pre
-public static IAuthInitialize Create()
-{
- return new UserPasswordAuthInit();
-}
-```
-
-Implementations of the factory method are user-provided. Credentials in the
form of properties returned by this function are sent by the client to the
server for authentication during the client’s handshake process with the server.
-
-The client installation provides sample security implementations in its
`templates/security` folder.
-
-## <a id="security__section_9DEC6B55C76D446FB0821AF3B3922BD6"
class="no-quick-link"></a>Acquiring Credentials Programmatically (C++ and .NET)
-
-This example shows a C++ client connecting with credentials.
-
-``` pre
-PropertiesPtr secProp = Properties::create();
-secProp->insert("security-client-auth-factory", "createPKCSAuthInitInstance");
-secProp->insert("security-client-auth-library", "securityImpl");
-secProp->insert("security-keystorepath", "keystore/geode.keystore");
-secProp->insert("security-alias", "geode");
-secProp->insert("security-keystorepass", "geodepass");
-CacheFactoryPtr cacheFactoryPtr = CacheFactory::createCacheFactory(secProp);
-```
-
-This example shows a .NET client.
-
-``` pre
-Properties secProp = Properties.Create();
-secProp.Insert("security-client-auth-factory",
- "Apache.Geode.Templates.Cache.Security.UserPasswordAuthInit.Create");
-secProp.Insert("security-client-auth-library", "securityImpl");
-secProp.Insert("security-username"," geode");
-secProp.Insert("security-password"," geodePass);
-```
diff --git a/docs/geode-native-docs/security/usingoperationcontext.html.md.erb
b/docs/geode-native-docs/security/usingoperationcontext.html.md.erb
deleted file mode 100644
index af5fea9..0000000
--- a/docs/geode-native-docs/security/usingoperationcontext.html.md.erb
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Determining Pre- or Post-Operation Authorization
----
-
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-
-The `OperationContext` object that is passed to the `authorizeOperation`
method of the callback as the second argument provides an `isPostOperation`
method that returns true when the callback is invoked in the post-operation
phase.
-
-For example:
-
-``` pre
-bool authorizeOperation(Region region, OperationContext context) {
- if (context.isPostOperation()) {
- //it's a post-operation
- } else {
- //it's a pre-operation
- }
-}
-```
-
-If an authorization failure occurs in a pre-operation or post-operation
callback on the server, the operation throws a `NotAuthorizedException` on the
client.
-
-For more information, see
[Authorization](geodeman/managing/security/authorization_overview.html).
