GemFireAuthentication.java example

Explorer
geode-master
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
 * agreements. See the NOTICE file distributed with this work for additional information regarding
 * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the License. You may obtain a
 * copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the License
 * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the License for the specific language governing permissions and limitations under
 * the License.
 */

package org.apache.geode.tools.pulse.internal.security;

import java.util.ArrayList;
import java.util.Collection;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;

import org.apache.geode.tools.pulse.internal.data.PulseConstants;
import org.apache.geode.tools.pulse.internal.log.PulseLogWriter;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Spring security authentication object for GemFire
 * <p>
 * To use GemFire Integrated Security Model set Spring Application Profile to
 * pulse.authentication.gemfire
 * <p>
 * 1. Authentication : 1.a GemFire profile creates JMX connection with given credentials at the
 * login time. 1.b Successful connect is considered as Successful Authentication for Pulse WebApp
 * <p>
 * <p>
 * 2. Authorization : 2.a Using newly created authenticated connection AccessControlMXBean is called
 * to get authentication levels. See @See {@link #populateAuthorities(JMXConnector)}. This sets
 * Spring Security Authorities 2.b DataBrowser end-points are required to be authorized against
 * Spring Granted Authority
 * 
 * @since GemFire version 9.0
 */
public class GemFireAuthentication extends UsernamePasswordAuthenticationToken {

  private final static PulseLogWriter logger = PulseLogWriter.getLogger();

  private JMXConnector jmxc = null;

  public GemFireAuthentication(Object principal, Object credentials,
      Collection<GrantedAuthority> list, JMXConnector jmxc) {
    super(principal, credentials, list);
    this.jmxc = jmxc;
  }

  private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

  public static ArrayList<GrantedAuthority> populateAuthorities(JMXConnector jmxc) {
    ObjectName name;
    ArrayList<GrantedAuthority> authorities = new ArrayList<>();
    try {
      name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN);
      MBeanServerConnection mbeanServer = jmxc.getMBeanServerConnection();

      for (String role : PulseConstants.PULSE_ROLES) {
        Object[] params = role.split(":");
        String[] signature =
            new String[] {String.class.getCanonicalName(), String.class.getCanonicalName()};
        boolean result = (Boolean) mbeanServer.invoke(name, "authorize", params, signature);
        if (result) {
          authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
      }
    } catch (Exception e) {
      throw new RuntimeException(e.getMessage(), e);
    }

    return authorities;

  }

  public JMXConnector getJmxc() {
    return jmxc;
  }

}