[jira] [Assigned] (GEODE-9494) Tomcat Session State Module - Security Properties

Tue, 10 Aug 2021 04:42:04 -0700 


     [ 
https://issues.apache.org/jira/browse/GEODE-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Juan Ramos reassigned GEODE-9494:
---------------------------------

    Assignee: Juan Ramos

> Tomcat Session State Module - Security Properties
> -------------------------------------------------
>
>                 Key: GEODE-9494
>                 URL: https://issues.apache.org/jira/browse/GEODE-9494
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Juan Ramos
>            Assignee: Juan Ramos
>            Priority: Major
>
> In order to configure authentication and authorization, the geode cache must 
> be configured with either the {{security-client-auth-init}} or 
> {{security-peer-auth-init}} properties.
> The implementation of the {{AuthInitialize}} interface is supposed to obtain 
> credentials for a client or peer and, in practice, it should be able to 
> connect to an external data source or use some extra configuration as to know 
> where to retrieve the actual credentials from. The 
> {{AuthInitialize.getCredentials()}} method receives all gemfire properties 
> configured with the prefix {{security-}} and its expected to use them in 
> order to configure itself.
> The {{AbstractCache}} class, however, prevents the user from configuring any 
> property not returned by the {{AbstractDistributionConfig._getAttNames()}} 
> method, and this does not include those properties starting with 
> {{security-}}:
> {noformat}
>   public void setProperty(String name, String value) {
>     // TODO Look at fake attributes
>     if (name.equals("className")) {
>       return;
>     }
>     // Determine the validity of the input property
>     boolean validProperty = false;
>     // TODO: AbstractDistributionConfig is internal and _getAttNames is 
> designed for testing.
>     for (String gemfireProperty : AbstractDistributionConfig._getAttNames()) {
>       if (name.equals(gemfireProperty)) {
>         validProperty = true;
>         break;
>       }
>     }
> ...
> }
> {noformat}
> The above, in turn, makes almost impossible for users  to correctly implement 
> {{AuthInitialize}} without leveraging system properties or hardcoded paths 
> for external configuration.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to