This example demonstrates the basics of an implementation of the SecurityManager.authenticate method. The remainder of the example may be found in the VMware Tanzu GemFire source code in the geode-core/src/main/java/org/apache/geode/examples/security directory.
Of course, the security implementation of every installation is unique, so this example cannot be used in a production environment. Its use of the user name as a returned principal upon successful authentication is a particularly poor design choice, as any attacker that discovers the implementation can potentially spoof the system.
This example assumes that a set of user name and password pairs, representing the users that may be successfully authenticated, has been read into a data structure upon initialization. Any component that presents the correct password for a user name successfully authenticates, and its identity is verified as that user. Therefore, the implementation of the authenticate method checks that the user name provided within the credentials parameter is in its data structure. If the user name is present, the password provided within the credentials parameter is compared to the data structure's known password for that user name. Upon a match, the authentication is successful.
```java
// User name / password variant: credentials carry security-username and security-password.
public Object authenticate(final Properties credentials)
    throws AuthenticationFailedException {
  String user = credentials.getProperty(ResourceConstants.USER_NAME);
  String password = credentials.getProperty(ResourceConstants.PASSWORD);

  // Look the user name up in the table loaded at initialization.
  User userObj = this.userNameToUser.get(user);
  if (userObj == null) {
    // Same message for an unknown user and a wrong password, so the
    // response does not reveal which user names exist.
    throw new AuthenticationFailedException(
        "SampleSecurityManager: wrong username/password");
  }

  // Compare the presented password with the stored one. Note that the
  // third clause skips the password check entirely for an empty user name.
  if (user != null
      && !userObj.password.equals(password)
      && !"".equals(user)) {
    throw new AuthenticationFailedException(
        "SampleSecurityManager: wrong username/password");
  }

  // The user name itself is returned as the principal (see the caveat above).
  return user;
}
```
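The following is an added example, not code from the GemFire/Geode source or from the sample above, showing how the same authenticate contract can be implemented without the two weaknesses the text calls out: it stores only salted PBKDF2 hashes instead of clear-text passwords, compares them in constant time, and returns an opaque Principal object that only the manager can construct rather than the bare user name. The class name HashedPasswordSecurityManager, the Principal and StoredCredential types, the two sample users, and the iteration count are assumptions; the property keys security-username and security-password are the standard Geode credential keys, and SecurityManager and AuthenticationFailedException come from org.apache.geode.security.

```java
package example.security;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.SecurityManager;

/**
 * Hypothetical SecurityManager (not part of Geode) that keeps only salted
 * password hashes and hands Geode an opaque principal on success.
 */
public class HashedPasswordSecurityManager implements SecurityManager {

  // Credential property keys that Geode clients set when connecting.
  static final String USER_NAME = "security-username";
  static final String PASSWORD = "security-password";

  private static final int ITERATIONS = 100_000;   // assumed work factor
  private static final int KEY_BITS = 256;
  private static final int SALT_BYTES = 16;
  private static final SecureRandom RANDOM = new SecureRandom();

  /** Principal returned to Geode; the private constructor keeps other code from fabricating one. */
  public static final class Principal {
    private final String name;
    private Principal(String name) { this.name = name; }
    public String getName() { return name; }
  }

  /** Per-user record: random salt plus PBKDF2 output, never the clear-text password. */
  private static final class StoredCredential {
    final byte[] salt;
    final byte[] hash;
    StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
  }

  private final Map<String, StoredCredential> users = new ConcurrentHashMap<>();

  @Override
  public void init(Properties securityProps) {
    // Constructed sample users; a real deployment loads these from its own store.
    addUser("admin", "adminPass".toCharArray());
    addUser("reader", "readerPass".toCharArray());
  }

  void addUser(String name, char[] password) {
    byte[] salt = new byte[SALT_BYTES];
    RANDOM.nextBytes(salt);
    users.put(name, new StoredCredential(salt, derive(password, salt)));
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty(USER_NAME);
    String password = credentials.getProperty(PASSWORD);
    // Reject missing or empty names up front; no path skips the password check.
    if (user == null || user.isEmpty() || password == null) {
      throw new AuthenticationFailedException("missing credentials");
    }
    StoredCredential stored = users.get(user);
    // Derive a hash even for unknown users so the response time does not
    // differ between "no such user" and "wrong password".
    byte[] salt = stored != null ? stored.salt : new byte[SALT_BYTES];
    byte[] candidate = derive(password.toCharArray(), salt);
    // MessageDigest.isEqual is a constant-time comparison.
    if (stored == null || !MessageDigest.isEqual(stored.hash, candidate)) {
      throw new AuthenticationFailedException("wrong username/password");
    }
    return new Principal(user);
  }

  private static byte[] derive(char[] password, byte[] salt) {
    try {
      KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
          .generateSecret(spec).getEncoded();
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
    }
  }
}
```

Because authorize() receives whatever authenticate() returned, the authorize implementation can call Principal.getName() and trust that the name was verified here, which is the property a bare String principal cannot give.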
```java
// Token variant: credentials carry security-token instead of a user name and password.
public Object authenticate(final Properties credentials)
    throws AuthenticationFailedException, AuthenticationExpiredException {
  String encodedToken = credentials.getProperty(ResourceConstants.TOKEN);

  // An expired token raises a distinct exception so the client can re-authenticate.
  if (this.tokenHasExpired(encodedToken)) {
    throw new AuthenticationExpiredException("SampleSecurityManager: token has expired");
  }

  // Resolve the token to a known user; an unknown token fails authentication.
  User user = this.encodedTokenToUser.get(encodedToken);
  if (user == null) {
    throw new AuthenticationFailedException("SampleSecurityManager: unable to get user from token");
  }
  return user;
}
```