Implementing Authentication

Pivotal GemFire provides a flexible framework for your security authentication plug-ins. You choose the method of authentication, such as LDAP or PKCS, and program the plug-ins accordingly.

Procedure

Use the following procedure to implement authentication in your GemFire application:
  1. Determine the method of authentication, such as LDAP or PKCS, that you will use. It is assumed that you know how to use it.
    For some examples of implementing authentication, see the following code samples, included with your GemFire installation:
    • <install directory>/SampleCode/quickstart/quickstart/SecurityClient.java
    • <install directory>/SampleCode/quickstart/quickstart/SecurityServer.java
    • <install directory>/SampleCode/quickstart/quickstart/MultiuserSecurityClient.java
    • <install directory>/SampleCode/quickstart/quickstart/MultiuserSecurityServer.java

    The <install directory>/templates subdirectory also contains Java code you may find useful when implementing authentication.

  2. Determine any special properties required for your authentication's credentials initialization and decide how you will get the properties to the initialization method. Depending on how sensitive the properties are and on your application requirements, you may do a combination of these:
    • Pass the additional properties as settings in the gemfire.properties file (or gfsecurity.properties file if you are creating a special restricted access file for security configuration), or programmatically, using the set methods of the ClientCacheFactory before you call its create method. All properties whose names start with security- are automatically passed to the AuthInitialize implementation.
    • Obtain the properties dynamically in the AuthInitialize.getCredentials method.
  3. For joining members, program and configure the credentials initialization plug-in:
    1. Create an implementation of the GemFire com.gemstone.gemfire.security.AuthInitialize interface.
      1. Program a public static method to return an instance of the class.
      2. Program the getCredentials method to build, from the member's credentials, all properties required by the Authorize method.
    2. For peers and locators, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-peer-auth-init to the fully qualified name of the static method you programmed that returns an instance of the class. In these examples, the method is named create. Example:
      //Peer init example where myAuthInitImpl.create returns the 
      //instance of AuthInitialize 
      security-peer-auth-init=myAuthPkg.myAuthInitImpl.create
    3. For clients, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-client-auth-init to the fully qualified name of the method you programmed that returns an instance of the AuthInitialize class. Example:
      //Client/WAN init example where myAuthInitImpl.create returns 
      //the instance of AuthInitialize 
      security-client-auth-init=myAuthPkg.myAuthInitImpl.create
    4. For all members, set any additional gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-* properties required by your AuthInitialize implementation.
  4. For authorizing members, program and configure the credentials authorization plug-in:
    1. Implement the GemFire com.gemstone.gemfire.security.Authenticator interface:
      1. Program a public static, zero-argument method to return an instance of the class.
      2. Program the authenticate method to authenticate the credentials and return a java.security.Principal object.
    2. For peers and locators, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-peer-authenticator to the fully qualified name of the method that returns an instance of the Authenticator class. Example:
      //Peer auth example where myAuthenticatorImpl.create 
      //returns the instance of Authenticator
      security-peer-authenticator=myAuthPkg.myAuthenticatorImpl.create
    3. For servers, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-client-authenticator to the fully qualified name of the method that returns an instance of the Authenticator class. Example:
      //Client/WAN auth example where myAuthenticatorImpl.create 
      //returns the instance of Authenticator
      security-client-authenticator=myAuthPkg.myAuthenticatorImpl.create
    4. For all members, set any additional gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-* properties required by your Authenticator implementation.
  5. For all members, provide the list of authenticated locators in the gemfire.properties file.
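The credentials initialization plug-in from step 3, written out as an added example (it is not one of the GemFire samples or templates). The class and package names match the property examples above; the property names security-username and security-password are assumptions for this example, chosen so that GemFire's security- prefix rule passes them through to the plug-in.

```java
package myAuthPkg;

import java.util.Properties;

import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AuthInitialize;
import com.gemstone.gemfire.security.AuthenticationFailedException;

public class myAuthInitImpl implements AuthInitialize {
  // Assumed property names; both start with "security-" so GemFire hands them
  // to this plug-in from gemfire.properties / gfsecurity.properties.
  static final String USER = "security-username";
  static final String PASS = "security-password";

  // Referenced by security-peer-auth-init / security-client-auth-init.
  public static AuthInitialize create() {
    return new myAuthInitImpl();
  }

  public void init(LogWriter systemLogger, LogWriter securityLogger)
      throws AuthenticationFailedException {
    // Nothing to set up for static credentials; a dynamic scheme would
    // open its credential source (e.g. a keystore) here.
  }

  // Returns only the properties the authenticator needs, never the whole
  // security configuration, so nothing extra travels to the remote member.
  public Properties getCredentials(Properties securityProps, DistributedMember server,
      boolean isPeer) throws AuthenticationFailedException {
    String user = securityProps.getProperty(USER);
    String pass = securityProps.getProperty(PASS);
    if (user == null || pass == null) {
      throw new AuthenticationFailedException(USER + " and " + PASS + " must be set");
    }
    Properties credentials = new Properties();
    credentials.setProperty(USER, user);
    credentials.setProperty(PASS, pass);
    return credentials;
  }

  public void close() {}
}
```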
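The matching authorization plug-in from step 4, also an added example and not GemFire's own code. It verifies the credentials produced above against a constructed in-memory table that stands in for the real LDAP or PKCS back end; the property names and the sample user are assumptions.

```java
package myAuthPkg;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Properties;

import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AuthenticationFailedException;
import com.gemstone.gemfire.security.Authenticator;

public class myAuthenticatorImpl implements Authenticator {
  private LogWriter securityLog;

  // Referenced by security-peer-authenticator / security-client-authenticator.
  public static Authenticator create() {
    return new myAuthenticatorImpl();
  }

  public void init(Properties securityProps, LogWriter systemLogger, LogWriter securityLogger)
      throws AuthenticationFailedException {
    this.securityLog = securityLogger;  // a real plug-in would also bind to LDAP etc. here
  }

  public Principal authenticate(Properties credentials, DistributedMember member)
      throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username");  // assumed names
    String pass = credentials.getProperty("security-password");
    String expected = (user == null) ? null : lookupPassword(user);
    byte[] given = (pass == null) ? new byte[0] : pass.getBytes(StandardCharsets.UTF_8);
    byte[] stored = (expected == null) ? new byte[0] : expected.getBytes(StandardCharsets.UTF_8);
    // Constant-time compare, and one generic message whether the user or the password was wrong.
    if (user == null || expected == null || !MessageDigest.isEqual(given, stored)) {
      securityLog.warning("authentication failed for user " + user + " from " + member);
      throw new AuthenticationFailedException("invalid credentials");
    }
    return new Principal() {
      public String getName() { return user; }
    };
  }

  // Constructed stand-in for the credential store; a real back end would not hold plaintext.
  private static String lookupPassword(String user) {
    return "alice".equals(user) ? "s3cret" : null;
  }

  public void close() {}
}
```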

Locators That Require Authentication

Co-located locators, such as those started with the LocatorLauncher API, do not require security settings because they do not join the distributed system as individual members.

All other standalone locators, including those started with the gfsh start locator command, must be configured with the correct security settings.