geode-commits mailing list archives

From jinmeil...@apache.org
Subject incubator-geode git commit: GEODE-17: pass the properties created by authInit to the security manager
Date Tue, 13 Sep 2016 15:32:41 GMT
Repository: incubator-geode
Updated Branches:
  refs/heads/develop 72e9cbe4e -> cd8187b13


GEODE-17: pass the properties created by authInit to the security manager


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/cd8187b1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/cd8187b1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/cd8187b1

Branch: refs/heads/develop
Commit: cd8187b135b269e22e9cdbf5a755cf2d97862efb
Parents: 72e9cbe
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Sun Sep 11 20:49:48 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Tue Sep 13 07:29:13 2016 -0700

----------------------------------------------------------------------
 .../membership/gms/auth/GMSAuthenticator.java   |  4 +-
 .../internal/cache/tier/sockets/HandShake.java  |  4 +-
 .../internal/security/GeodeSecurityUtil.java    | 34 ++++++++++++----
 .../security/IntegratedSecurityService.java     |  5 +++
 .../internal/security/SecurityService.java      |  1 +
 .../security/shiro/CustomAuthRealm.java         | 19 ++-------
 .../shiro/GeodeAuthenticationToken.java         | 41 ++++++++++++++++++++
 .../security/shiro/JMXShiroAuthenticator.java   | 20 ++++++----
 .../support/LoginHandlerInterceptor.java        |  7 ++--
 ...GMSAuthenticatorWithSecurityManagerTest.java |  8 ++--
 .../security/IntegratedClientAuthDUnitTest.java |  2 +-
 .../gemfire/codeAnalysis/excludedClasses.txt    |  1 +
 12 files changed, 100 insertions(+), 46 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java
b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java
index 7fc212c..9ecd2b7 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticator.java
@@ -121,9 +121,7 @@ public class GMSAuthenticator implements Authenticator {
     String failMsg = null;
     try {
       if(this.securityService.isIntegratedSecurity()){
-        String username = credentials.getProperty("security-username");
-        String password = credentials.getProperty("security-password");
-        this.securityService.login(username, password);
+        this.securityService.login(credentials);
       }
       else {
         invokeAuthenticator(secProps, member, credentials);
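Review bot: The value returned by `this.securityService.login(credentials)` is discarded here, and the new `GeodeSecurityUtil.login(Properties)` returns null instead of throwing when `credentials` is null. A join request without credentials therefore no longer raises inside this try block, as the removed `credentials.getProperty(...)` calls did. If the code after the hunk treats "no exception" as success (the rest of the method is not visible), that is a fail-open path. The HandShake hunk returns the same null to its caller. Rejecting it at the source is the smaller change: in `login(Properties)`, replace the `return null` under `if(credentials == null)` with `throw new AuthenticationFailedException("Authentication error. Please check your credentials.");`.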

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java
index 8dfb476..64cf1b6 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/HandShake.java
@@ -1790,9 +1790,7 @@ public class HandShake implements ClientHandShake
     Authenticator auth = null;
     try {
       if(AcceptorImpl.isIntegratedSecurity()){
-        String username = credentials.getProperty("security-username");
-        String password = credentials.getProperty("security-password");
-        return securityService.login(username, password);
+        return securityService.login(credentials);
       }
       else {
         Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
index 5fa5564..260121d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
@@ -32,11 +32,11 @@ import org.apache.geode.security.PostProcessor;
 import org.apache.geode.security.ResourcePermission;
 import org.apache.geode.security.ResourcePermission.Operation;
 import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.security.SecurableComponents;
 import org.apache.geode.security.SecurityManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.ShiroException;
-import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.config.Ini.Section;
 import org.apache.shiro.config.IniSecurityManagerFactory;
 import org.apache.shiro.mgt.DefaultSecurityManager;
@@ -47,14 +47,15 @@ import org.apache.shiro.util.ThreadContext;
 import org.apache.shiro.util.ThreadState;
 
 import com.gemstone.gemfire.GemFireIOException;
-import org.apache.geode.security.SecurableComponents;
 import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.internal.ClassLoadUtil;
 import com.gemstone.gemfire.internal.cache.EntryEventImpl;
 import com.gemstone.gemfire.internal.logging.LogService;
 import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm;
+import com.gemstone.gemfire.internal.security.shiro.GeodeAuthenticationToken;
 import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal;
 import com.gemstone.gemfire.internal.util.BlobHelper;
+import com.gemstone.gemfire.management.internal.security.ResourceConstants;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
 import com.gemstone.gemfire.security.AuthenticationFailedException;
 import com.gemstone.gemfire.security.GemFireSecurityException;
@@ -118,27 +119,44 @@ public class GeodeSecurityUtil {
   }
 
   /**
+   * convenient method for testing
+   * @param username
+   * @param password
+   * @return
+   */
+  public static Subject login(String username, String password){
+    if(StringUtils.isBlank(username) || StringUtils.isBlank(password))
+      return null;
+
+    Properties credentials = new Properties();
+    credentials.setProperty(ResourceConstants.USER_NAME, username);
+    credentials.setProperty(ResourceConstants.PASSWORD, password);
+    return login(credentials);
+  }
+
+  /**
    * @return null if security is not enabled, otherwise return a shiro subject
    */
-  public static Subject login(String username, String password) {
+  public static Subject login(Properties credentials) {
     if (!isIntegratedSecurity) {
       return null;
     }
 
+    if(credentials == null)
+      return null;
+
     // this makes sure it starts with a clean user object
     ThreadContext.remove();
 
     Subject currentUser = SecurityUtils.getSubject();
-
-    UsernamePasswordToken token =
-      new UsernamePasswordToken(username, password);
+    GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials);
     try {
-      logger.info("Logging in " + username);
+      logger.info("Logging in " + token.getPrincipal());
       currentUser.login(token);
     }
     catch (ShiroException e) {
       logger.info(e.getMessage(), e);
-      throw new AuthenticationFailedException("Authentication error. Please check your username/password.",
e);
+      throw new AuthenticationFailedException("Authentication error. Please check your credentials.",
e);
     }
 
     return currentUser;
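Review bot: `logger.info("Logging in " + token.getPrincipal())` writes a value taken from the supplied `credentials` into the log before it has been authenticated, so embedded line breaks can forge log entries. It also prints "Logging in null" when the properties carry no username, which the commit subject suggests is a supported case for custom authInit credentials. Consider neutralising control characters first, e.g. `logger.info("Logging in {}", String.valueOf(token.getPrincipal()).replaceAll("[\r\n]", "_"));`. Separately, the Javadoc on the new `login(String, String)` has empty `@param`/`@return` tags; a line such as `@return null if either argument is blank or security is not enabled, otherwise the logged-in subject` would document the null cases. The body of `login(Properties)` closes outside the hunk.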

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java
index a6ec7fa..d294859 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java
@@ -60,6 +60,11 @@ public class IntegratedSecurityService implements SecurityService, Serializable
   }
 
   @Override
+  public Subject login(final Properties credentials) {
+    return GeodeSecurityUtil.login(credentials);
+  }
+
+  @Override
   public Subject login(final String username, final String password) {
     return GeodeSecurityUtil.login(username, password);
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java
index dd8c69b..c975751 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java
@@ -31,6 +31,7 @@ public interface SecurityService {
 
   ThreadState bindSubject(Subject subject);
   Subject getSubject();
+  Subject login(Properties credentials);
   Subject login(String username, String password);
   void logout();
   Callable associateWith(Callable callable);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java
index 09b8d5f..ad27ec3 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java
@@ -25,14 +25,12 @@ import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.Permission;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 
 import com.gemstone.gemfire.internal.security.SecurityService;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
 
 public class CustomAuthRealm extends AuthorizingRealm {
 
@@ -63,21 +61,10 @@ public class CustomAuthRealm extends AuthorizingRealm {
 
   @Override
   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws
AuthenticationException {
-    UsernamePasswordToken authToken = (UsernamePasswordToken) token;
-    String username = authToken.getUsername();
-    String password = new String(authToken.getPassword());
+    GeodeAuthenticationToken authToken = (GeodeAuthenticationToken) token;
+    Object principal  = securityManager.authenticate(authToken.getProperties());
+    return new SimpleAuthenticationInfo(principal, authToken.getCredentials(), REALM_NAME);
 
-    Properties credentialProps = new Properties();
-    credentialProps.put(ResourceConstants.USER_NAME, username);
-    credentialProps.put(ResourceConstants.PASSWORD, password);
-
-    Object principal  = securityManager.authenticate(credentialProps);
-
-    try {
-      return new SimpleAuthenticationInfo(principal, authToken.getPassword(), REALM_NAME);
-    } catch (IllegalArgumentException e) {
-      throw new IllegalArgumentException("failed for " + username + " " + password, e);
-    }
   }
 
   @Override
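Review bot: The cast `(GeodeAuthenticationToken) token` in `doGetAuthenticationInfo` is unchecked, so if any other token type reaches this realm it fails with a ClassCastException instead of a clean authentication failure. A guard before the cast makes the rejection explicit: `if (!(token instanceof GeodeAuthenticationToken)) throw new AuthenticationException("Unsupported token type");`. `AuthenticationException` is already imported and declared on the method. A short comment stating what is expected when `securityManager.authenticate(...)` returns null would also help, since the removed try/catch around `SimpleAuthenticationInfo` no longer adds context. Dropping that catch does stop the password being copied into an exception message.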

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java
new file mode 100644
index 0000000..cbee995
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.gemstone.gemfire.internal.security.shiro;
+
+import java.util.Properties;
+
+import org.apache.shiro.authc.UsernamePasswordToken;
+
+import com.gemstone.gemfire.management.internal.security.ResourceConstants;
+
+public class GeodeAuthenticationToken extends UsernamePasswordToken {
+
+  Properties properties;
+
+  public GeodeAuthenticationToken(Properties properties){
+    super(
+      properties.getProperty(ResourceConstants.USER_NAME),
+      properties.getProperty(ResourceConstants.PASSWORD)
+    );
+    this.properties = properties;
+  }
+
+  public Properties getProperties(){
+    return properties;
+  }
+}
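Review bot: `Properties properties;` is package-private, non-final and holds the caller's object by reference, so the password stays reachable through `getProperties()` even after the inherited `clear()` has wiped the token's own char[] copy. Declaring it `private final Properties properties;` at least closes writes from the rest of the package. Consider storing a copy in the constructor and having an overridden `clear()` drop the password entry from that copy, so the token's clearing behaviour covers both places. The constructor also dereferences `properties` inside `super(...)`; a class-level Javadoc should say that a null argument is not accepted and that the properties contain the secret.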

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java
index fe895d4..064044e 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/JMXShiroAuthenticator.java
@@ -43,19 +43,23 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList
 
   @Override
   public Subject authenticate(Object credentials) {
-    String username = null, password = null;
-    if (credentials instanceof String[]) {
+    String username = null;
+    Properties credProps = new Properties();
+    if (credentials instanceof Properties) {
+      credProps = (Properties) credentials;
+      username = credProps.getProperty(ResourceConstants.USER_NAME);
+    }
+    else if (credentials instanceof String[]) {
       final String[] aCredentials = (String[]) credentials;
       username = aCredentials[0];
-      password = aCredentials[1];
-    } else if (credentials instanceof Properties) {
-      username = ((Properties) credentials).getProperty(ResourceConstants.USER_NAME);
-      password = ((Properties) credentials).getProperty(ResourceConstants.PASSWORD);
-    } else {
+      credProps.setProperty(ResourceConstants.USER_NAME, aCredentials[0]);
+      credProps.setProperty(ResourceConstants.PASSWORD, aCredentials[1]);
+    }
+    else {
       throw new AuthenticationFailedException(MISSING_CREDENTIALS_MESSAGE);
     }
 
-    org.apache.shiro.subject.Subject shiroSubject = this.securityService.login(username,
password);
+    org.apache.shiro.subject.Subject shiroSubject = this.securityService.login(credProps);
     Principal principal;
 
     if(shiroSubject==null){
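Review bot: In the `String[]` branch, `credProps.setProperty(...)` throws NullPointerException when `aCredentials[0]` or `aCredentials[1]` is null, whereas the old code passed nulls through to `login(username, password)`. The index access also throws when the array has fewer than two elements. Since `credentials` is supplied by the JMX client, both cases should be reported as missing credentials before the two `setProperty` calls: `if (aCredentials.length < 2 || aCredentials[0] == null || aCredentials[1] == null) throw new AuthenticationFailedException(MISSING_CREDENTIALS_MESSAGE);`. The method continues outside the hunk.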

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
index c831d0a..85f2bef 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
@@ -20,9 +20,13 @@ import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Map;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
 import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.internal.logging.LogService;
@@ -33,9 +37,6 @@ import com.gemstone.gemfire.management.internal.security.ResourceConstants;
 import com.gemstone.gemfire.management.internal.web.util.UriUtils;
 import com.gemstone.gemfire.security.Authenticator;
 
-import org.apache.logging.log4j.Logger;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
 /**
  * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables
encoded in the HTTP request
  * message as request parameters.

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
index b00b3ff..d59e304 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
@@ -22,13 +22,13 @@ import static org.mockito.Mockito.*;
 
 import java.util.Properties;
 
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
 import com.gemstone.gemfire.security.GemFireSecurityException;
 import com.gemstone.gemfire.test.junit.categories.SecurityTest;
 import com.gemstone.gemfire.test.junit.categories.UnitTest;
 
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
 /**
  * Unit tests GMSAuthenticator using new integrated security.
  */
@@ -135,7 +135,7 @@ public class GMSAuthenticatorWithSecurityManagerTest extends AbstractGMSAuthenti
 
   @Test
   public void authenticateShouldReturnFailureMessageIfLoginThrows() throws Exception {
-    when(securityService.login(anyString(), anyString())).thenThrow(new GemFireSecurityException("dummy"));
+    when(securityService.login(any(Properties.class))).thenThrow(new GemFireSecurityException("dummy"));
     props.setProperty(SECURITY_MANAGER, "dummy");
     String result = authenticator.authenticate(member, props, props, member);
     assertThat(result).startsWith("Authentication failed. See coordinator");

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java
index 0f53cbc..73bfcb4 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientAuthDUnitTest.java
@@ -51,7 +51,7 @@ public class IntegratedClientAuthDUnitTest extends AbstractSecureServerDUnitTest
     IgnoredException.addIgnoredException(AuthenticationFailedException.class.getName());
 
     client2.invoke("logging in super-user with wrong password", () -> {
-      AuthenticationFailedException expected = new AuthenticationFailedException("Authentication
error. Please check your username/password.");
+      AuthenticationFailedException expected = new AuthenticationFailedException("Authentication
error. Please check your credentials.");
 
       catchException(new ClientCacheFactory(createClientProperties("super-user", "wrong")).setPoolSubscriptionEnabled(true)
                                                                                         
 .addPoolServer("localhost", serverPort))

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cd8187b1/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt
b/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt
index ddacf99..5e1a3c9 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/codeAnalysis/excludedClasses.txt
@@ -153,3 +153,4 @@ com/gemstone/gemfire/internal/cache/operations/ContainsKeyOperationContext
 org/apache/geode/security/ResourcePermission
 org/apache/geode/security/ResourcePermission$Operation
 org/apache/geode/security/ResourcePermission$Resource
+com/gemstone/gemfire/internal/security/shiro/GeodeAuthenticationToken

