Authorization Example
Authorization Example
This topic discusses the authorization example provided in the product under templates/security using XmlAuthorization.java, XmlErrorHandler.java, and authz6_0.dtd.
XmlAuthorization provides authorization for each region at the operation level by using the permissions specified in an XML file. The sample implementation also shows the post-authorization implementation for the function execution operation. For pre-operation, all the required values are available.
You can configure authorization for all server region operations on a per-region and per-operation basis by using a role-based mechanism. A role can be provided with permissions to execute operations for each region. Each principal name can be associated with a set of roles.
Information such as the region reference, arguments, the operation being invoked, and a reference to the cache instance can be made available to the XmlAuthorization callback. If an authenticated client is not authorized to perform an operation, the operation fails with a NotAuthorizedException.
Server Settings
security-client-accessor=templates.security.XmlAuthorization.create security-authz-xml-uri=<URI of XML file>
XML File Sample Settings
The XmlAuthorization sample is configured through an XML file, which is described in the authz6_0.dtd in the security templates directory. See the dtd for documentation about the elements and attributes you use to configure XmlAuthorization. To run the example, create an XML file following the dtd specifications.
The user names you use should be the strings returned by the Principal.getName method of the Authenticator configured on the server
- reader
- writer
- cacheOps
- queryRegions
- onRegionFunctionExecutor
- The permissions for each of the roles are described in the permission tags.
- The reader, writer, and cacheOps roles have no regions mentioned, so they apply to all regions.
- The queryRegions role has permissions on Portfolios and Positions regions.
- The role of onRegionFunctionExecutor can only operate on regions secureRegion and Positions, and only with functions with ids SecureFunction or OptimizationFunction. On the functions, optimizeForWrite must be false and keySet must be KEY-0 and KEY-1.
<!DOCTYPE acl PUBLIC
"-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
"http://www.gemstone.com/dtd/authz6_0.dtd">
<acl>
<role name="reader">
<user>reader</user>
<user>admin</user>
</role>
<role name="writer">
<user>writer</user>
<user>admin</user>
</role>
<role name="cacheOps">
<user>admin</user>
</role>
<role name="queryRegions">
<user>query</user>
</role>
<role name="onRegionFunctionExecutor">
<user>admin</user>
</role>
<permission role="cacheOps">
<operation>QUERY</operation>
<operation>EXECUTE_CQ</operation>
<operation>STOP_CQ</operation>
<operation>CLOSE_CQ</operation>
<operation>REGION_CREATE</operation>
<operation>REGION_DESTROY</operation>
</permission>
<permission role="reader">
<operation>GET</operation>
<operation>REGISTER_INTEREST</operation>
<operation>UNREGISTER_INTEREST</operation>
<operation>KEY_SET</operation>
<operation>CONTAINS_KEY</operation>
</permission>
<permission role="writer">
<operation>PUT</operation>
<operation>DESTROY</operation>
<operation>REGION_CLEAR</operation>
</permission>
<permission role="queryRegions" regions="/Portfolios,Positions">
<operation>QUERY</operation>
<operation>EXECUTE_CQ</operation>
<operation>STOP_CQ</operation>
<operation>CLOSE_CQ</operation>
</permission>
<permission role="onRegionFunctionExecutor" regions="secureRegion,Positions">
<operation functionIds="SecureFunction,OptimizationFunction"
optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation>
</permission>
</acl>