Juan Ramos created GEODE-9494:
---------------------------------
Summary: Tomcat Session State Module - Security Properties
Key: GEODE-9494
URL: https://issues.apache.org/jira/browse/GEODE-9494
Project: Geode
Issue Type: Bug
Components: http session
Reporter: Juan Ramos
In order to configure authentication and authorization, the Geode cache must be
configured with either the {{security-client-auth-init}} or
{{security-peer-auth-init}} properties.
The implementation of the {{AuthInitialize}} interface is supposed to obtain
credentials for a client or peer and, in practice, it should be able to connect
to an external data source or use some extra configuration to know where to
retrieve the actual credentials from. The {{AuthInitialize.getCredentials()}}
method receives all gemfire properties configured with the prefix {{security-}}
and it is expected to use them in order to configure itself.
The {{AbstractCache}} class, however, prevents the user from configuring any
property not returned by the {{AbstractDistributionConfig._getAttNames()}}
method, and this does not include those properties starting with {{security-}}:
{noformat}
public void setProperty(String name, String value) {
  // TODO Look at fake attributes
  if (name.equals("className")) {
    return;
  }
  // Determine the validity of the input property
  boolean validProperty = false;
  // TODO: AbstractDistributionConfig is internal and _getAttNames is designed for testing.
  for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
    if (name.equals(gemfireProperty)) {
      validProperty = true;
      break;
    }
  }
  ...
}
{noformat}
The above, in turn, makes it almost impossible for users to correctly implement
{{AuthInitialize}} without leveraging system properties or hardcoded paths for
external configuration.
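The effect described in this report, as an added, self-contained example (not code from the Geode project or from the reporter): an exact-match allow-list drops a user-defined {{security-}} property before it can reach a credentials provider, while a check that also admits the {{security-}} prefix keeps it. The attribute list, the class name {{com.example.VaultAuthInit}}, the {{security-credentials-file}} property, the prefix-based check and the assumption that rejected properties are simply not passed on are all illustrative, not Geode's actual behaviour or fix.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class SecurityPropertyFilterDemo {
  // Constructed stand-in for AbstractDistributionConfig._getAttNames(); not the real list.
  static final List<String> KNOWN_ATTRIBUTES =
      List.of("locators", "log-level", "security-client-auth-init");
  static final String SECURITY_PREFIX = "security-";

  // Exact-match validation, the same shape as the loop in the excerpt above.
  static boolean acceptedByExactMatch(String name) {
    return KNOWN_ATTRIBUTES.contains(name);
  }

  // Assumed alternative: also accept any user-defined security-* name.
  static boolean acceptedWithSecurityPrefix(String name) {
    return acceptedByExactMatch(name) || name.startsWith(SECURITY_PREFIX);
  }

  // Hypothetical view of what a getCredentials() implementation would receive:
  // only the security-* entries that survived validation.
  static Properties securityProperties(Map<String, String> configured, boolean allowPrefix) {
    Properties result = new Properties();
    configured.forEach((name, value) -> {
      boolean accepted =
          allowPrefix ? acceptedWithSecurityPrefix(name) : acceptedByExactMatch(name);
      if (accepted && name.startsWith(SECURITY_PREFIX)) {
        result.setProperty(name, value);
      }
    });
    return result;
  }

  public static void main(String[] args) {
    // Constructed module configuration; the class name and path are placeholders.
    Map<String, String> configured = new LinkedHashMap<>();
    configured.put("log-level", "config");
    configured.put("security-client-auth-init", "com.example.VaultAuthInit.create");
    configured.put("security-credentials-file", "/placeholder/path/credentials.properties");

    System.out.println("exact match : "
        + securityProperties(configured, false).stringPropertyNames());
    System.out.println("with prefix : "
        + securityProperties(configured, true).stringPropertyNames());
  }
}
```

With the exact-match check, the credentials provider sees only {{security-client-auth-init}} and has no way to learn where its credentials are stored.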