diff --git a/src/main/java/org/springframework/data/gemfire/config/annotation/AuthConfiguration.java b/src/main/java/org/springframework/data/gemfire/config/annotation/AuthConfiguration.java new file mode 100644 index 00000000..1c27e15f --- /dev/null +++ b/src/main/java/org/springframework/data/gemfire/config/annotation/AuthConfiguration.java @@ -0,0 +1,84 @@ +/* + * Copyright 2012 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.springframework.data.gemfire.config.annotation; + +import java.util.Map; +import java.util.Properties; + +import org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport; +import org.springframework.data.gemfire.util.PropertiesBuilder; + +/** + * The AuthConfiguration class is a Spring {@link org.springframework.context.annotation.ImportBeanDefinitionRegistrar} + * that applies additional GemFire/Geode configuration by way of GemFire/Geode System properties to configure + * GemFire/Geode Authentication and Authorization framework services. + * + * @author John Blum + * @see org.springframework.data.gemfire.config.annotation.EnableAuth + * @see org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport + * @see http://gemfire.docs.pivotal.io/docs-gemfire/managing/security/chapter_overview.html + * @since 1.9.0 + */ +public class AuthConfiguration extends EmbeddedServiceConfigurationSupport { + + public static final int DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT = 1000; + + public static final String DEFAULT_SECURITY_LOG_LEVEL = "config"; + + /* (non-Javadoc) */ + @Override + protected Class getAnnotationType() { + return EnableAuth.class; + } + + /* (non-Javadoc) */ + @Override + protected Properties toGemFireProperties(Map annotationAttributes) { + PropertiesBuilder gemfireProperties = PropertiesBuilder.create(); + + gemfireProperties.setProperty("gemfireSecurityPropertyFile", annotationAttributes.get("securityPropertiesFile")); + + gemfireProperties.setProperty("security-client-accessor", annotationAttributes.get("clientAccessor")); + + gemfireProperties.setProperty("security-client-accessor-pp", + annotationAttributes.get("clientAccessPostOperation")); + + gemfireProperties.setProperty("security-client-auth-init", + annotationAttributes.get("clientAuthenticationInitializer")); + + gemfireProperties.setProperty("security-client-authenticator", annotationAttributes.get("clientAuthenticator")); + + gemfireProperties.setProperty("security-client-dhalgo", + annotationAttributes.get("clientDiffieHellmanAlgorithm")); + + gemfireProperties.setProperty("security-peer-auth-init", + annotationAttributes.get("peerAuthenticationInitializer")); + + gemfireProperties.setProperty("security-peer-authenticator", annotationAttributes.get("peerAuthenticator")); + + gemfireProperties.setPropertyIfNotDefault("security-peer-verifymember-timeout", + annotationAttributes.get("peerVerifyMemberTimeout"), DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT); + + gemfireProperties.setProperty("security-log-file", annotationAttributes.get("securityLogFile")); + + gemfireProperties.setPropertyIfNotDefault("security-log-level", + annotationAttributes.get("securityLogLevel"), DEFAULT_SECURITY_LOG_LEVEL); + + return gemfireProperties.build(); + } +} diff --git a/src/main/java/org/springframework/data/gemfire/config/annotation/EnableAuth.java b/src/main/java/org/springframework/data/gemfire/config/annotation/EnableAuth.java new file mode 100644 index 00000000..3d744033 --- /dev/null +++ b/src/main/java/org/springframework/data/gemfire/config/annotation/EnableAuth.java @@ -0,0 +1,154 @@ +/* + * Copyright 2012 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.springframework.data.gemfire.config.annotation; + +import java.lang.annotation.Documented; +import java.lang.annotation.ElementType; +import java.lang.annotation.Inherited; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +import com.gemstone.gemfire.security.AccessControl; +import com.gemstone.gemfire.security.AuthInitialize; +import com.gemstone.gemfire.security.Authenticator; + +/** + * The EnableAuth annotation marks a Spring {@link org.springframework.context.annotation.Configuration @Configuration} + * annotated class to configure and enable GemFire/Geode's Authentication and Authorization framework services. + * + * @author John Blum + * @see com.gemstone.gemfire.security.AccessControl + * @see com.gemstone.gemfire.security.AuthInitialize + * @see com.gemstone.gemfire.security.Authenticator + * @see Authentication + * @see Authorization + * @since 1.9.0 + */ +@Target(ElementType.TYPE) +@Retention(RetentionPolicy.RUNTIME) +@Inherited +@Documented +@SuppressWarnings({ "deprecation", "unused" }) +public @interface EnableAuth { + + /** + * Used for authorization. Static creation method returning an {@link AccessControl} object, which determines + * authorization of client-server cache operations. This specifies the callback that should be invoked + * in the pre-operation phase, which is when the request for the operation is received from the client. + * + * Defaults to unset. + */ + String clientAccessor() default ""; + + /** + * Used for authorization. The callback that should be invoked in the post-operation phase, which is + * when the operation has completed on the server but before the result is sent to the client. + * The post-operation callback is also invoked for the updates that are sent from server to client + * through the notification channel. + * + * Defaults to unset. + */ + String clientAccessPostOperation() default ""; + + /** + * Used for authentication. Static creation method returning an {@link AuthInitialize} object, + * which obtains credentials for clients. The obtained credentials should be acceptable + * to the {@link Authenticator} specified through the {@literal security-client-authenticator} property + * on the clients. + * + * Defaults to unset. + */ + String clientAuthenticationInitializer() default ""; + + /** + * Used for authentication. Static creation method returning an {@link Authenticator} object, + * which is used by a server to verify the credentials of the connecting client. + * + * Defaults to unset. + */ + String clientAuthenticator() default ""; + + /** + * Used for authentication. For secure transmission of sensitive credentials like passwords, you can encrypt + * the credentials using the Diffie-Hellman key exchange algorithm. Do this by setting the + * {@literal security-client-dhalgo} system property on the clients to the name of a valid symmetric key cipher + * supported by the JDK. + * + * Defaults to unset. + */ + String clientDiffieHellmanAlgorithm() default ""; + + /** + * Used with authentication. Static creation method returning an {@link AuthInitialize} object, which obtains + * credentials for peers in a distributed system. The obtained credentials should be acceptable to the + * {@link Authenticator} specified through the {@literal security-peer-authenticator} property on the peers. + * + * Defaults to unset. + */ + String peerAuthenticationInitializer() default ""; + + /** + * Used with authentication. Static creation method returning an {@link Authenticator} object, which is used + * by a peer to verify the credentials of the connecting peer. + * + * Defaults to unset. + */ + String peerAuthenticator() default ""; + + /** + * Used with authentication. Timeout in milliseconds used by a peer to verify membership of an unknown + * authenticated peer requesting a secure connection. + * + * Defaults to {@literal 1000} milliseconds. + */ + long peerVerifyMemberTimeout() default AuthConfiguration.DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT; + + /** + * Used with authentication. The log file for security log messages. If not specified, the member’s + * regular log file is used. + * + * Defaults to unset. + */ + String securityLogFile() default ""; + + /** + * Used with authentication. Logging level detail for security log messages. + * + * Valid values from lowest to highest are {@literal fine}, {@literal config}, {@literal info}, {@literal warning}, + * {@literal error}, {@literal severe}, and {@literal none}. + * + * Defaults to {@literal config}. + */ + String securityLogLevel() default AuthConfiguration.DEFAULT_SECURITY_LOG_LEVEL; + + /** + * Used for authentication. Any custom properties needed by your {@link AuthInitialize} + * or {@link Authenticator} callbacks store in an external {@link java.util.Properties} file. + * + * Any security-related (properties that begin with {@literal security-*}) configuration properties + * that are normally configured in {@literal gemfire.properties} can be moved to a separate + * {@literal gfsecurity.properties} file. Placing these configuration settings in a separate file + * allows you to restrict access to security configuration data. This way, you can still allow read + * or write access for your {@literal gemfire.properties} file. + * + * Defaults to unset. + */ + String securityPropertiesFile() default ""; + +}