MapSecurityInterceptor.java

import com.hazelcast.client.HazelcastClient;
import com.hazelcast.client.config.ClientConfig;
import com.hazelcast.config.Config;
import com.hazelcast.config.PermissionConfig;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.config.SecurityInterceptorConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.core.IMap;
import com.hazelcast.security.Credentials;
import com.hazelcast.security.Parameters;
import com.hazelcast.security.SecurityInterceptor;
import com.hazelcast.util.EmptyStatement;

import java.security.AccessControlException;

import static com.hazelcast.examples.helper.LicenseUtils.ENTERPRISE_LICENSE_KEY;

/**
 * SecurityInterceptor for filtering individual methods.
 *
 * You have to set your Hazelcast Enterprise license key to make this code sample work.
 * Please have a look at {@link com.hazelcast.examples.helper.LicenseUtils} for details.
 */
public class MapSecurityInterceptor {

    private static final String ACCEPTED_MAP_NAME = "accepted_map";
    private static final String DENIED_MAP_NAME = "denied_map";

    private static final String ACCEPTED_KEY = "accepted_key";
    private static final String DENIED_KEY = "denied_key";

    private static final String ACCEPTED_VALUE = "accepted_value";
    private static final String DENIED_VALUE = "denied_value";

    private static final String DENIED_METHOD = "replace";

    public static void main(String[] args) {
        Config config = createConfig();
        Hazelcast.newHazelcastInstance(config);

        ClientConfig clientConfig = new ClientConfig();
        clientConfig.setLicenseKey(ENTERPRISE_LICENSE_KEY);

        HazelcastInstance client = HazelcastClient.newHazelcastClient(clientConfig);
        IMap<Object, Object> acceptedMap = client.getMap(ACCEPTED_MAP_NAME);
        IMap<Object, Object> deniedMap = client.getMap(DENIED_MAP_NAME);

        acceptedMap.put(ACCEPTED_KEY, ACCEPTED_VALUE);

        try {
            deniedMap.put(ACCEPTED_KEY, ACCEPTED_VALUE);
            System.err.println("Should be denied!!!!");
        } catch (Exception expected) {
            EmptyStatement.ignore(expected);
        }

        try {
            acceptedMap.put(ACCEPTED_KEY, DENIED_VALUE);
            System.err.println("Should be denied!!!!");
        } catch (Exception expected) {
            EmptyStatement.ignore(expected);
        }

        try {
            acceptedMap.put(DENIED_KEY, ACCEPTED_VALUE);
            System.err.println("Should be denied!!!!");
        } catch (Exception expected) {
            EmptyStatement.ignore(expected);
        }

        try {
            acceptedMap.replace(ACCEPTED_KEY, ACCEPTED_VALUE);
            System.err.println("Should be denied!!!!");
        } catch (Exception expected) {
            EmptyStatement.ignore(expected);
        }

        HazelcastClient.shutdownAll();
        Hazelcast.shutdownAll();
    }

    private static Config createConfig() {
        Config config = new Config();
        config.setLicenseKey(ENTERPRISE_LICENSE_KEY);
        config.setProperty("hazelcast.wait.seconds.before.join", "0");

        SecurityInterceptorConfig securityInterceptorConfig = new SecurityInterceptorConfig();
        securityInterceptorConfig.setClassName(MySecurityInterceptor.class.getName());
        SecurityConfig securityConfig = config.getSecurityConfig();
        securityConfig.setEnabled(true).addSecurityInterceptorConfig(securityInterceptorConfig);

        // when you enable security all client requests are denied, so we need to give permission first
        // security-interceptor will be run after checking this permission
        PermissionConfig permissionConfig = new PermissionConfig(PermissionConfig.PermissionType.ALL, "", null);
        securityConfig.addClientPermissionConfig(permissionConfig);
        return config;
    }

    private static class MySecurityInterceptor implements SecurityInterceptor {

        @Override
        public void before(Credentials credentials, String objectType, String objectName, String methodName,
                           Parameters parameters) throws AccessControlException {
            if (objectName.equals(DENIED_MAP_NAME)) {
                throw new RuntimeException("Denied Map!!!");
            }
            if (methodName.equals(DENIED_METHOD)) {
                throw new RuntimeException("Denied Method!!!");
            }
            Object firstParam = parameters.get(0);
            Object secondParam = parameters.get(1);
            if (firstParam.equals(DENIED_KEY)) {
                throw new RuntimeException("Denied Key!!!");
            }
            if (secondParam.equals(DENIED_VALUE)) {
                throw new RuntimeException("Denied Value!!!");
            }
        }

        @Override
        public void after(Credentials credentials, String objectType, String objectName, String methodName,
                          Parameters parameters) {
            System.err.println("qwe c: " + credentials + "\t\tt: " + objectType + "\t\tn: " + objectName
                    + "\t\tm: " + methodName + "\t\tp1: " + parameters.get(0) + "\t\tp2: " + parameters.get(1));
        }
    }
}