The authentication callback and the authorization callback that implement the SecurityManager
interface are specified with the security-manager
property. When this property is defined, authentication and authorization are enabled. The definition of the security-manager
property is the fully qualified name of the class that implements the SecurityManager
interface. For example:
security-manager = com.example.security.MySecurityManager
To ensure that the security-manager
property is applied consistently across a cluster, follow these guidelines:
Specify the security-manager
property in a properties file, such as gemfire.properties
, not in a cluster configuration file (such as cluster.properties
).
Specify the properties file when you start the first locator for the cluster.
The next steps in applying the security-manager
property across the cluster depend on whether cluster management is enabled. Cluster management is enabled when two conditions are met:
Every locator in the cluster sets --enable-cluster-configuration=true
.
Every server in the cluster sets --use-cluster-configuration=true
.
These are the default settings, so unless you have changed them, cluster management is probably enabled for your system, but be sure and confirm before proceeding. Some systems that implement cluster management for most members might include a few servers that do not participate (for which --use-cluster-configuration=false
). See Using the Cluster Configuration Service for details.
If cluster management is enabled (the default), the locator will propagate the security-manager
setting to all members (locators and servers) that are subsequently started.
If cluster management is enabled but some servers do not participate in cluster management (that is, servers for which --use-cluster-configuration=false
), you must specify the security-manager
property for those non-participating servers. Make sure its value is exactly identical to that specified for the first locator.
If cluster management is not enabled, you must specify the security-manager
property for all servers. Make sure its value is exactly identical to that specified for the first locator.
All components of the system invoke the same callbacks. Here are descriptions of the components and the connections that they make with the system.
SecurityManager
interface for that server.authenticate
callback defined for that locator.SecurityManager
interface for that locator. Both gfsh
and Pulse
use this form of communication.The PostProcessor
interface allows the definition of a set of callbacks that are invoked after operations that get data, but before the data is returned. This permits the callback to intervene and format the data that is to be returned. The callbacks do not modify the region data, only the data to be returned.
Enable the post processing of data by defining the security-post-processor
property with the path to the definition of the interface. For example,
security-post-processor = com.example.security.MySecurityPostProcessing