Juan Ramos created GEODE-9494: --------------------------------- Summary: Tomcat Session State Module - Security Properties Key: GEODE-9494 URL: https://issues.apache.org/jira/browse/GEODE-9494 Project: Geode Issue Type: Bug Components: http session Reporter: Juan Ramos
In order to configure authentication and authorization, the geode cache must be configured with either the {{security-client-auth-init}} or {{security-peer-auth-init}} properties. The implementation of the {{AuthInitialize}} interface is supposed to obtain credentials for a client or peer and, in practice, it should be able to connect to an external data source or use some extra configuration as to know where to retrieve the actual credentials from. The {{AuthInitialize.getCredentials()}} method receives all gemfire properties configured with the prefix {{security-}} and its expected to use them in order to configure itself. The {{AbstractCache}} class, however, prevents the user from configuring any property not returned by the {{AbstractDistributionConfig._getAttNames()}} method, and this does not include those properties starting with {{security-}}: {noformat} public void setProperty(String name, String value) { // TODO Look at fake attributes if (name.equals("className")) { return; } // Determine the validity of the input property boolean validProperty = false; // TODO: AbstractDistributionConfig is internal and _getAttNames is designed for testing. for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) { if (name.equals(gemfireProperty)) { validProperty = true; break; } } ... } {noformat} The above, in turn, makes almost impossible for users to correctly implement {{AuthInitialize}} without leveraging system properties or hardcoded paths for external configuration. -- This message was sent by Atlassian Jira (v8.3.4#803005)