
Authentication Example

This example demonstrates the basics of an implementation of the SecurityManager.authenticate method. The remainder of the example may be found in the Apache Geode source code in the geode-core/src/main/java/org/apache/geode/examples/security directory.

Of course, the security implementation of every installation is unique, so this example cannot be used in a production environment. Its use of the bare user name as the principal returned on successful authentication is a particularly poor design choice: that principal is what every later authorize decision trusts, so any attacker who discovers the implementation can potentially spoof the system by presenting a known user name.

This example assumes that a set of user name and password pairs, representing the users that may be successfully authenticated, has been read into a data structure upon initialization (the sample keeps the passwords in the clear, which a real implementation must not do). Any component that presents the correct password for a user name successfully authenticates, and its identity is verified as that user. Therefore, the implementation of the authenticate method first checks that the user name provided within the credentials parameter is present in its data structure. If it is, the password provided within the credentials parameter is compared with the data structure's known password for that user name. Upon a match, the authentication is successful; otherwise AuthenticationFailedException is thrown, with the same message for an unknown user name and for a wrong password so that the response does not reveal which user names exist.

// Imports needed by the enclosing class for this method.
import java.util.Properties;
import org.apache.geode.management.internal.security.ResourceConstants;
import org.apache.geode.security.AuthenticationFailedException;

public Object authenticate(final Properties credentials)
         throws AuthenticationFailedException {
    String user = credentials.getProperty(ResourceConstants.USER_NAME);
    String password = credentials.getProperty(ResourceConstants.PASSWORD);

    // Look up the user in the table loaded at initialization. An unknown
    // user name and a wrong password report the same message, so the
    // response does not reveal which user names exist.
    User userObj = this.userNameToUser.get(user);
    if (userObj == null) {
        throw new AuthenticationFailedException(
                      "SampleSecurityManager: wrong username/password");
    }

    // Compare the supplied password with the stored one; a missing
    // password never matches.
    if (password == null || !userObj.password.equals(password)) {
        throw new AuthenticationFailedException(
                      "SampleSecurityManager: wrong username/password");
    }

    // The sample returns the bare user name as the principal (see the
    // caveat above); a real manager should return a dedicated object.
    return user;
}
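As an added example that is not part of the Geode source or of this page, the hypothetical HashedPasswordSecurityManager below keeps the same lookup-then-compare flow but addresses the weaknesses called out above: passwords are stored as salted PBKDF2 hashes rather than in the clear, the comparison is constant-time (an unknown user name still costs one hash, so response time does not reveal which names exist), and the principal returned to Geode is a dedicated GeodePrincipal object carrying the user's roles, which authorize then consults instead of trusting a bare string. The class name, the GeodePrincipal type, the "RESOURCE:OPERATION" role-string format and the two users registered in init are assumptions made for this example; SecurityManager, ResourcePermission, AuthenticationFailedException and ResourceConstants are the real Geode types.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.geode.management.internal.security.ResourceConstants;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

/** Hypothetical example class; not Geode's SampleSecurityManager. */
public class HashedPasswordSecurityManager implements SecurityManager {
  private static final int PBKDF2_ITERATIONS = 100_000;
  private static final int KEY_BITS = 256;
  private static final SecureRandom RANDOM = new SecureRandom();
  // Salt hashed against when the user name is unknown, so a miss costs one PBKDF2 run too.
  private static final byte[] DUMMY_SALT = new byte[16];

  /** Stored credential: salt plus PBKDF2 hash, never the plaintext password. */
  private static final class StoredUser {
    final byte[] salt, hash;
    final Set<String> roles; // assumed format: "DATA:READ" or "CLUSTER:*"
    StoredUser(byte[] salt, byte[] hash, Set<String> roles) {
      this.salt = salt; this.hash = hash; this.roles = roles;
    }
  }

  /** Principal returned to Geode; authorize() receives this object back. */
  public static final class GeodePrincipal {
    private final String name;
    private final Set<String> roles;
    GeodePrincipal(String name, Set<String> roles) {
      this.name = name; this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
    }
    public String getName() { return name; }
    public Set<String> getRoles() { return roles; }
  }

  private final Map<String, StoredUser> users = new HashMap<>();

  @Override
  public void init(Properties securityProps) {
    // Constructed sample users; a deployment would load salt+hash records
    // from its own store instead of hashing plaintext at startup.
    register("admin", "admin-secret".toCharArray(), "CLUSTER:*", "DATA:*");
    register("reader", "reader-secret".toCharArray(), "DATA:READ");
  }

  private void register(String name, char[] password, String... roles) {
    byte[] salt = new byte[16];
    RANDOM.nextBytes(salt);
    users.put(name, new StoredUser(salt, pbkdf2(password, salt),
        new HashSet<>(Arrays.asList(roles))));
    Arrays.fill(password, '\0'); // do not keep the plaintext around
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty(ResourceConstants.USER_NAME);
    String password = credentials.getProperty(ResourceConstants.PASSWORD);
    if (user == null || password == null || password.isEmpty()) {
      throw new AuthenticationFailedException("wrong username/password");
    }
    StoredUser stored = users.get(user);
    byte[] salt = (stored == null) ? DUMMY_SALT : stored.salt;
    byte[] candidate = pbkdf2(password.toCharArray(), salt);
    // MessageDigest.isEqual is constant-time; one message for both failure modes.
    if (stored == null || !MessageDigest.isEqual(stored.hash, candidate)) {
      throw new AuthenticationFailedException("wrong username/password");
    }
    return new GeodePrincipal(user, stored.roles);
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    if (!(principal instanceof GeodePrincipal)) return false; // only our own principals
    Set<String> roles = ((GeodePrincipal) principal).getRoles();
    String resource = permission.getResource().name();
    return roles.contains(resource + ":" + permission.getOperation().name())
        || roles.contains(resource + ":*");
  }

  private static byte[] pbkdf2(char[] password, byte[] salt) {
    try {
      PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
    }
  }
}
```

Like any SecurityManager, the class is enabled by setting security-manager to its fully qualified name in gemfire.properties. The users registered in init exist only so the example runs stand-alone; the part worth carrying into a real implementation is the shape of authenticate (reject malformed credentials first, hash on both the hit and the miss path, compare with MessageDigest.isEqual, return a typed principal) and the instanceof check in authorize, which refuses any principal this manager did not itself issue.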