SGF-517 - Configure Authentication/Authorization with annotations.
(cherry picked from commit a9398d32b2d33eff660916e41faaeeda9e0367a4) Signed-off-by: John Blum <jblum@pivotal.io>
This commit is contained in:
@@ -0,0 +1,84 @@
|
||||
/*
|
||||
* Copyright 2012 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.springframework.data.gemfire.config.annotation;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport;
|
||||
import org.springframework.data.gemfire.util.PropertiesBuilder;
|
||||
|
||||
/**
|
||||
* The AuthConfiguration class is a Spring {@link org.springframework.context.annotation.ImportBeanDefinitionRegistrar}
|
||||
* that applies additional GemFire/Geode configuration by way of GemFire/Geode System properties to configure
|
||||
* GemFire/Geode Authentication and Authorization framework services.
|
||||
*
|
||||
* @author John Blum
|
||||
* @see org.springframework.data.gemfire.config.annotation.EnableAuth
|
||||
* @see org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport
|
||||
* @see <a href="Security">http://gemfire.docs.pivotal.io/docs-gemfire/managing/security/chapter_overview.html</a>
|
||||
* @since 1.9.0
|
||||
*/
|
||||
public class AuthConfiguration extends EmbeddedServiceConfigurationSupport {
|
||||
|
||||
public static final int DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT = 1000;
|
||||
|
||||
public static final String DEFAULT_SECURITY_LOG_LEVEL = "config";
|
||||
|
||||
/* (non-Javadoc) */
|
||||
@Override
|
||||
protected Class getAnnotationType() {
|
||||
return EnableAuth.class;
|
||||
}
|
||||
|
||||
/* (non-Javadoc) */
|
||||
@Override
|
||||
protected Properties toGemFireProperties(Map<String, Object> annotationAttributes) {
|
||||
PropertiesBuilder gemfireProperties = PropertiesBuilder.create();
|
||||
|
||||
gemfireProperties.setProperty("gemfireSecurityPropertyFile", annotationAttributes.get("securityPropertiesFile"));
|
||||
|
||||
gemfireProperties.setProperty("security-client-accessor", annotationAttributes.get("clientAccessor"));
|
||||
|
||||
gemfireProperties.setProperty("security-client-accessor-pp",
|
||||
annotationAttributes.get("clientAccessPostOperation"));
|
||||
|
||||
gemfireProperties.setProperty("security-client-auth-init",
|
||||
annotationAttributes.get("clientAuthenticationInitializer"));
|
||||
|
||||
gemfireProperties.setProperty("security-client-authenticator", annotationAttributes.get("clientAuthenticator"));
|
||||
|
||||
gemfireProperties.setProperty("security-client-dhalgo",
|
||||
annotationAttributes.get("clientDiffieHellmanAlgorithm"));
|
||||
|
||||
gemfireProperties.setProperty("security-peer-auth-init",
|
||||
annotationAttributes.get("peerAuthenticationInitializer"));
|
||||
|
||||
gemfireProperties.setProperty("security-peer-authenticator", annotationAttributes.get("peerAuthenticator"));
|
||||
|
||||
gemfireProperties.setPropertyIfNotDefault("security-peer-verifymember-timeout",
|
||||
annotationAttributes.get("peerVerifyMemberTimeout"), DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT);
|
||||
|
||||
gemfireProperties.setProperty("security-log-file", annotationAttributes.get("securityLogFile"));
|
||||
|
||||
gemfireProperties.setPropertyIfNotDefault("security-log-level",
|
||||
annotationAttributes.get("securityLogLevel"), DEFAULT_SECURITY_LOG_LEVEL);
|
||||
|
||||
return gemfireProperties.build();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,154 @@
|
||||
/*
|
||||
* Copyright 2012 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.springframework.data.gemfire.config.annotation;
|
||||
|
||||
import java.lang.annotation.Documented;
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Inherited;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
import com.gemstone.gemfire.security.AccessControl;
|
||||
import com.gemstone.gemfire.security.AuthInitialize;
|
||||
import com.gemstone.gemfire.security.Authenticator;
|
||||
|
||||
/**
|
||||
* The EnableAuth annotation marks a Spring {@link org.springframework.context.annotation.Configuration @Configuration}
|
||||
* annotated class to configure and enable GemFire/Geode's Authentication and Authorization framework services.
|
||||
*
|
||||
* @author John Blum
|
||||
* @see com.gemstone.gemfire.security.AccessControl
|
||||
* @see com.gemstone.gemfire.security.AuthInitialize
|
||||
* @see com.gemstone.gemfire.security.Authenticator
|
||||
* @see <a href="http://gemfire.docs.pivotal.io/docs-gemfire/latest/managing/security/authentication_overview.html">Authentication</a>
|
||||
* @see <a href="http://gemfire.docs.pivotal.io/docs-gemfire/latest/managing/security/authorization_overview.html">Authorization</a>
|
||||
* @since 1.9.0
|
||||
*/
|
||||
@Target(ElementType.TYPE)
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Inherited
|
||||
@Documented
|
||||
@SuppressWarnings({ "deprecation", "unused" })
|
||||
public @interface EnableAuth {
|
||||
|
||||
/**
|
||||
* Used for authorization. Static creation method returning an {@link AccessControl} object, which determines
|
||||
* authorization of client-server cache operations. This specifies the callback that should be invoked
|
||||
* in the pre-operation phase, which is when the request for the operation is received from the client.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String clientAccessor() default "";
|
||||
|
||||
/**
|
||||
* Used for authorization. The callback that should be invoked in the post-operation phase, which is
|
||||
* when the operation has completed on the server but before the result is sent to the client.
|
||||
* The post-operation callback is also invoked for the updates that are sent from server to client
|
||||
* through the notification channel.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String clientAccessPostOperation() default "";
|
||||
|
||||
/**
|
||||
* Used for authentication. Static creation method returning an {@link AuthInitialize} object,
|
||||
* which obtains credentials for clients. The obtained credentials should be acceptable
|
||||
* to the {@link Authenticator} specified through the {@literal security-client-authenticator} property
|
||||
* on the clients.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String clientAuthenticationInitializer() default "";
|
||||
|
||||
/**
|
||||
* Used for authentication. Static creation method returning an {@link Authenticator} object,
|
||||
* which is used by a server to verify the credentials of the connecting client.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String clientAuthenticator() default "";
|
||||
|
||||
/**
|
||||
* Used for authentication. For secure transmission of sensitive credentials like passwords, you can encrypt
|
||||
* the credentials using the Diffie-Hellman key exchange algorithm. Do this by setting the
|
||||
* {@literal security-client-dhalgo} system property on the clients to the name of a valid symmetric key cipher
|
||||
* supported by the JDK.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String clientDiffieHellmanAlgorithm() default "";
|
||||
|
||||
/**
|
||||
* Used with authentication. Static creation method returning an {@link AuthInitialize} object, which obtains
|
||||
* credentials for peers in a distributed system. The obtained credentials should be acceptable to the
|
||||
* {@link Authenticator} specified through the {@literal security-peer-authenticator} property on the peers.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String peerAuthenticationInitializer() default "";
|
||||
|
||||
/**
|
||||
* Used with authentication. Static creation method returning an {@link Authenticator} object, which is used
|
||||
* by a peer to verify the credentials of the connecting peer.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String peerAuthenticator() default "";
|
||||
|
||||
/**
|
||||
* Used with authentication. Timeout in milliseconds used by a peer to verify membership of an unknown
|
||||
* authenticated peer requesting a secure connection.
|
||||
*
|
||||
* Defaults to {@literal 1000} milliseconds.
|
||||
*/
|
||||
long peerVerifyMemberTimeout() default AuthConfiguration.DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT;
|
||||
|
||||
/**
|
||||
* Used with authentication. The log file for security log messages. If not specified, the member’s
|
||||
* regular log file is used.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String securityLogFile() default "";
|
||||
|
||||
/**
|
||||
* Used with authentication. Logging level detail for security log messages.
|
||||
*
|
||||
* Valid values from lowest to highest are {@literal fine}, {@literal config}, {@literal info}, {@literal warning},
|
||||
* {@literal error}, {@literal severe}, and {@literal none}.
|
||||
*
|
||||
* Defaults to {@literal config}.
|
||||
*/
|
||||
String securityLogLevel() default AuthConfiguration.DEFAULT_SECURITY_LOG_LEVEL;
|
||||
|
||||
/**
|
||||
* Used for authentication. Any custom properties needed by your {@link AuthInitialize}
|
||||
* or {@link Authenticator} callbacks store in an external {@link java.util.Properties} file.
|
||||
*
|
||||
* Any security-related (properties that begin with {@literal security-*}) configuration properties
|
||||
* that are normally configured in {@literal gemfire.properties} can be moved to a separate
|
||||
* {@literal gfsecurity.properties} file. Placing these configuration settings in a separate file
|
||||
* allows you to restrict access to security configuration data. This way, you can still allow read
|
||||
* or write access for your {@literal gemfire.properties} file.
|
||||
*
|
||||
* Defaults to unset.
|
||||
*/
|
||||
String securityPropertiesFile() default "";
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user