failed to get the security context object

radha

failed to get the security context object

Hi,
       Please, could someone reply to this?
       I have implemented the grid security processor and am setting the security context holder in the authenticate function as below:

public class MySecurityProcessor extends GridProcessorAdapter implements DiscoverySpiNodeAuthenticator, GridSecurityProcessor, IgnitePlugin {

    // ................

    public SecurityContext authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        SecuritySubject secureSecuritySubject = new SecuritySubject(
            authenticationContext.subjectId(),
            authenticationContext.subjectType(),
            authenticationContext.credentials().getLogin(),
            authenticationContext.address()
        );
        SecurityContext securityContext = new MySecurityContext(secureSecuritySubject, accessToken);
        // Keep the context in the holder so authorize() can look it up later
        SecurityContextHolder.set(securityContext);
        return securityContext;
    }

    public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx) throws SecurityException {
        System.out.println(SecurityContextHolder.get());
        System.out.println(securityCtx);
        // do some authorization
        // .....................
    }

    // ......
}

In the plugin provider I am creating the component: GridSecurityProcessor.

The server starts without throwing any error, and the plugin provider also starts.
Questions:
1. When I start Visor, it is able to connect to the Ignite server. If I execute some commands in Visor like top, cache, etc., the authorize function is called and the security context is always NULL. How do I get the security context? Also, when Visor is called, the authenticate function is not called.
2. When a REST API call is made to create a cache, why is the authorize function called twice? Once by GridRestProcessor and once by GridCacheProcessor?
In this scenario I am getting the security context from SecurityContextHolder.get(), so no issues.

regards
Radha
Zaheer

Re: failed to get the security context object

Hi,

I am also trying to develop a security plugin for Ignite. The security context
in the case of a visor call is null and even the SecurityContextHolder won't work,
because:

1. *SecurityContextHolder* has a ThreadLocal variable holding the
*SecurityContext*. So if your calls of authenticate and authorize happen in
the same thread, like the *REST* call, it will work. Try printing
Thread.currentThread().getName() in your calls. You will understand what I
am saying.

2. When you connect visor to the grid, the *authenticateNode* method is called.
After that, any call you make calls the *authorize* method only, and that too
only if the plugin was configured on visor. So *SecurityContextHolder.set()* happens
in *authenticateNode*, which is called in the *tcp-dicovery-worker* thread,
and *SecurityContextHolder.get()* happens in the *authorize* method, which is
called in a separate thread depending on the visor call. So here
*SecurityContextHolder* will not work.

For the cases of visor, or any server node or thick client joining the cluster,
*SecurityContext* is passed as null. To overcome this, you need to store the local
node's security context in a field in your plugin, say *localSecurityContext*,
representing the security context of the local node. You can try something like this:

public class MySecurityProcessor extends GridProcessorAdapter implements DiscoverySpiNodeAuthenticator, GridSecurityProcessor, IgnitePlugin {

    // Security context of the local node; volatile because it is written on the
    // discovery thread and read on the threads that call authorize()
    private volatile MySecurityContext localSecurityContext;

    // ................

    public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) throws IgniteCheckedException {

        // ........................
        // write your logic to authenticate node and return Security Context

        // Check if node is local, and store the security context in your local variable before returning
        if (node.isLocal()) localSecurityContext = .......

    }

    public SecurityContext authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        SecuritySubject secureSecuritySubject = new SecuritySubject(
            authenticationContext.subjectId(),
            authenticationContext.subjectType(),
            authenticationContext.credentials().getLogin(),
            authenticationContext.address()
        );
        SecurityContext securityContext = new MySecurityContext(secureSecuritySubject, accessToken);
        SecurityContextHolder.set(securityContext);
        return securityContext;
    }

    public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx) throws SecurityException {
        System.out.println(SecurityContextHolder.get());
        System.out.println(securityCtx);
        // If context is null use localSecurityContext
        if (securityCtx == null) securityCtx = localSecurityContext;
        // do some authorization
        // .....................
    }

    // ......
}


Note that this will work if *isGlobalNodeAuthentication* is true, because
only then is the *authenticateNode* method called on each joining node (instead
of the coordinator) and you can save the context in a local variable. Also, the
joining node must have the plugin configured for this to work.





--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
radha

Re: failed to get the security context object

Hi,
  Sorry for the late reply.
  Thanks for the response. I am able to get the context as you mentioned.
  Also, when I try to work with sqlline, while executing a command:
  1. The authorize function always gets a null security context value.
  2. Using SecurityContextHolder.get(), I get the security context
sometimes and sometimes I don't.
     As you said, the authenticate function is called in one thread and the authorize function is called in another thread, so I am not getting the security context using SecurityContextHolder.get().

How do I solve this for sqlline?
  Also, I don't want to set global authentication to true; authentication
should happen only on the coordinator node.


Thanks
Radha
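
The thread-local behaviour discussed in this thread, as an added example that is not part of any post and is not Ignite code: `ContextHolderDemo`, `HOLDER`, `resolve` and the string contexts are hypothetical stand-ins for `SecurityContextHolder`, `authorize` and `SecurityContext`. It goes one step beyond the posts by also showing a context left behind on a reused pool thread, which is an assumption about how intermittent results like those reported for sqlline can arise.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextHolderDemo {
    // Hypothetical stand-in for SecurityContextHolder: one slot per thread.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // The reply's fallback field; volatile because it is written and read on different threads.
    static volatile String localSecurityContext;

    // Mimics authenticateNode() for the local node, as described in the reply.
    static String authenticateNode(String nodeId) {
        String ctx = "node:" + nodeId;
        HOLDER.set(ctx);              // visible to the calling thread only
        localSecurityContext = ctx;   // visible to every thread
        return ctx;
    }

    // Mimics authenticate() for a request that is handled on a single thread.
    static String authenticate(String login) {
        String ctx = "user:" + login;
        HOLDER.set(ctx);
        return ctx;
    }

    // Mimics the lookup in authorize(): passed value, then holder, then fallback field.
    static String resolve(String passedCtx) {
        if (passedCtx != null) return passedCtx;
        String held = HOLDER.get();
        return held != null ? held : localSecurityContext;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService discovery = Executors.newSingleThreadExecutor();
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            discovery.submit(() -> authenticateNode("n1")).get();
            // The worker thread never called set(), so its holder slot is empty.
            System.out.println("other thread, holder:  " + worker.submit(() -> HOLDER.get()).get());
            // The fallback field is shared, so the worker can still resolve the node context.
            System.out.println("other thread, resolve: " + worker.submit(() -> resolve(null)).get());
            // authenticate and lookup on the same thread: the holder works.
            System.out.println("same thread, holder:   "
                + worker.submit(() -> { authenticate("alice"); return HOLDER.get(); }).get());
            // A later task on the reused thread still sees the earlier caller's context.
            System.out.println("reused thread, holder: " + worker.submit(() -> HOLDER.get()).get());
            // Clearing the slot when a request ends stops the context from leaking to the next task.
            worker.submit(() -> { HOLDER.remove(); }).get();
            System.out.println("after remove, holder:  " + worker.submit(() -> HOLDER.get()).get());
        } finally {
            discovery.shutdown();
            worker.shutdown();
        }
    }
}
```

With the fallback, a call that arrives with a null context is checked against the local node's context rather than the identity of whoever issued it, so the permissions granted to the node itself bound what such calls can do.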


