Hi Geode Community,

We are pleased to announce that the work on OQL Method Invocation Security has been completed and pushed to develop. It will be available in the next release, Apache Geode 1.12.

The following goals have been achieved:

- Pluggable method authorizers.
- OQL method invocation security "on" by default when security is enabled at the cluster level.
- Authorizers stored and retrieved through the cluster configuration service.
- QueryService.allowUntrustedMethodInvocation marked as deprecated.
- Prevents RCE (Remote Code Execution) exploits and other vulnerabilities in OQL expressions when security is enabled at the cluster level.
- Configurable at runtime.
- Invoke methods on domain classes (present on the system classpath or deployed through gfsh) as part of OQL queries, relatively easily and with little to no configuration changes.

The following method authorizers are available out of the box:

- RestrictedMethodAuthorizer
- UnrestrictedMethodAuthorizer
- RegExMethodAuthorizer
- JavaBeanAccessorMethodAuthorizer

Details about the architecture can be found here: https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security

Regards
Nabarun Nag
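To illustrate what a "pluggable method authorizer" looks like in practice, here is an added example (not code from the announcement above, nor one of Geode's shipped authorizers) of a custom authorizer that permits only zero-argument public JavaBean accessors (getX/isX) on domain classes under configured package prefixes and denies everything else, including anything declared on java.lang.Object, java.lang.Class, class loaders and reflection types. It assumes the Geode 1.12 interface org.apache.geode.cache.query.security.MethodInvocationAuthorizer with the methods initialize(Cache, Set<String>) and authorize(Method, Object); the package name com.example.security and the class name AccessorOnlyMethodAuthorizer are hypothetical.

```java
// Added example, not part of Apache Geode: a restrictive custom authorizer for
// OQL method invocation. Assumed interface: initialize(Cache, Set<String>) and
// authorize(Method, Object) from org.apache.geode.cache.query.security.
package com.example.security; // hypothetical package

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

import org.apache.geode.cache.Cache;
import org.apache.geode.cache.query.security.MethodInvocationAuthorizer;

public class AccessorOnlyMethodAuthorizer implements MethodInvocationAuthorizer {
  private static final Logger LOG = Logger.getLogger(AccessorOnlyMethodAuthorizer.class.getName());

  // Package prefixes of domain classes on which accessors may be invoked;
  // supplied through the cluster configuration service as authorizer parameters.
  private volatile Set<String> allowedPackagePrefixes = Collections.emptySet();

  // Remember denied methods so each one is logged once, not on every query row.
  private final Set<String> loggedDenials = ConcurrentHashMap.newKeySet();

  @Override
  public void initialize(Cache cache, Set<String> parameters) {
    allowedPackagePrefixes = (parameters == null)
        ? Collections.emptySet()
        : Set.copyOf(parameters);
  }

  @Override
  public boolean authorize(Method method, Object target) {
    boolean allowed = isSafeAccessor(method);
    if (!allowed && loggedDenials.add(method.toString())) {
      // Denials are the interesting signal for detection: an OQL query trying to
      // reach a non-accessor method on a domain object is worth a log line.
      LOG.warning("OQL method invocation denied: " + method);
    }
    return allowed;
  }

  private boolean isSafeAccessor(Method method) {
    Class<?> declaring = method.getDeclaringClass();

    // Deny anything declared on Object, Class, class loaders or reflection types
    // regardless of the configured packages.
    if (declaring == Object.class
        || declaring == Class.class
        || ClassLoader.class.isAssignableFrom(declaring)
        || declaring.getName().startsWith("java.lang.reflect.")) {
      return false;
    }

    if (!inAllowedPackage(declaring)) {
      return false;
    }

    // Accessors only: public, non-static, no parameters, non-void return.
    int mods = method.getModifiers();
    if (!Modifier.isPublic(mods) || Modifier.isStatic(mods)
        || method.getParameterCount() != 0
        || method.getReturnType() == void.class) {
      return false;
    }

    String name = method.getName();
    boolean getter = name.startsWith("get") && name.length() > 3;
    boolean isser = name.startsWith("is") && name.length() > 2
        && (method.getReturnType() == boolean.class || method.getReturnType() == Boolean.class);
    return getter || isser;
  }

  private boolean inAllowedPackage(Class<?> declaring) {
    String className = declaring.getName();
    for (String prefix : allowedPackagePrefixes) {
      if (className.startsWith(prefix)) {
        return true;
      }
    }
    return false;
  }
}
```

The authorizer is deliberately deny-by-default: an unconfigured instance (no package prefixes) rejects every invocation, so a misconfiguration fails closed rather than open. Registering it at runtime is done through the query-service configuration in gfsh (an `alter query-service` command that takes the authorizer class name and its parameters, as I recall it; check the Geode 1.12 gfsh reference for the exact option names), which stores it in the cluster configuration service as described in the announcement.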