Steps in setting up a secured space

Hi,

I have read [ http://www.gigaspaces.com/wiki/displa... ] section, but I am still confused about the order of steps involved in setting up a secured space that authorized remote clients could access. (It is envisioned that the clients are spread long distances away from the server (master space) and communicate with the space over jini.)

Could you please describe the sequence of securing the space?

Am I getting it right:

  • Do gsc, gsm first need to be started in secure mode (config/services/services.config)?
  • Appropriate roles added in the Management Center (security/default-users)?
  • Does policy file (policy/policy.all) need to be altered, or the default suffices in most cases?
  • How can a client specify its security credentials when connecting to the space?

Thank you much.

{quote}This thread was imported from the previous forum. For your reference, the original is [available here|http://forum.openspaces.org/thread.jspa?threadID=2656]{quote}

asked 2008-10-14 08:57:23 -0500

asdfasdf

updated 2013-08-08 09:52:00 -0500

jaissefsfex

1 Answer


Securing the GSCs and GSM is not a must.
The policy.all should not be modified.
You should use the GS-UI users and roles UI to define relevant roles and
users. See:
http://www.gigaspaces.com/wiki/display/XAP66/GigaSpacesSecurityRoles

SecurityContext should be used at the client side to provide
user/password. See:
http://www.gigaspaces.com/wiki/display/XAP66/SpaceComponent#SpaceComponent-SecurityContext

<os-core:space id="space" url="jini:////space">
    <os-core:security username="sa" password="adaw@##$" />
</os-core:space>

See more about the SecurityContext:
http://www.gigaspaces.com/docs/JavaDoc6.6/com/jspaces/core/SecurityContext.html

Shay

answered 2008-10-14 09:16:19 -0500

shay hassidim

Comments

Thank you for your clarifying answers Shay,

There are some related issues I have faced when building a connection to the space with security filter from a client running local cache. Could you please advise as to the possible cause.

Processing unit is started with the following space configuration:

<os-core:space id="space" url="/./stockSpace"
    lookup-locators="localhost">
    <os-core:security username="gsadmin" password="gsadmin" />
    <os-core:properties>
        <props>
            <prop key="space-config.filters.DefaultSecurityFilter.enabled">true</prop>
        </props>
    </os-core:properties>
</os-core:space>
<os-core:giga-space id="gigaSpace" space="space" />

I then create 2 users in the Management Center: "feeder" for the feeder application and "client" for the client which is a simple gui application that builds remote proxy, local cache and local view. Both users have full access control (for testing purposes) defined at operational level as per http://www.gigaspaces.com/wiki/displa... .

To create space proxies I use the following code snippet:

UrlSpaceConfigurer usc = new UrlSpaceConfigurer(spaceUrl)
    .lookupLocators(lookupLocators);
if (securityConfig != null) {
    usc = usc.securityConfig(securityConfig);
}
space = usc.space();

The strange thing is that while the feeder ("jini:////stockSpace&locators=localhost") would connect to the space and write objects there, exceptions are thrown on client start-up as it tries to build local cache with space url "jini:////stockSpace?useLocalCache&updateMode=2&locators=localhost": The error tells that I am using anonymous user, although I am pretty sure it's not. Using "client" (also tried with "feeder" and "gsadmin"). This problem does not arise when I use space without security filter.

Is this rather my mistake or there are special considerations when using local cache/view?

Also, Is there a sample implementation of extending DefaultSecurityFilter to read external (databased) account list?

Could you please explain what is "Secured Space" ( http://www.gigaspaces.com/wiki/displa... ) and "loading GSM and GSC in secured mode" ( http://www.gigaspaces.com/wiki/displa... ) and under what circumstances it is relevant? Doesn't DefaultSecurityFilter suffice alone?

Many Thanks.

Here are the detailed exceptions:

15.10.2008 00:19:12 INFO [com.gigaspaces.core.common]: Space <stockspace_container:stockspace_dcache> with url [jini:////stockSpace?useLocalCache&updateMode=2&locators=localhost&groups=gigaspaces-6.6.0-XAP-ga&state=started] started successfully

Exception in thread "main" org.openspaces.core.space.CannotFindSpaceException: Failed to find space with url [jini:////stockSpace?useLocalCache&updateMode=2&locators=localhost&groups=gigaspaces-6.6.0-XAP-ga&state=started]; nested exception is com.j_spaces.core.client.FinderException: Failed to find: jini:////stockSpace?useLocalCache&updateMode=2&locators=localhost&groups=gigaspaces-6.6.0-XAP-ga&state=started
    at org.openspaces.core.space.UrlSpaceFactoryBean.doCreateSpace(UrlSpaceFactoryBean.java:315)
    at org.openspaces.core.space.AbstractSpaceFactoryBean.afterPropertiesSet(AbstractSpaceFactoryBean.java:146)
    at org.openspaces.core.space.UrlSpaceConfigurer.space(UrlSpaceConfigurer.java:237)
    at org.openspaces.example.stock.gigaspacesdao.GigaSpaceDataSource.connect(GigaSpaceDataSource.java:42)
    at org.openspaces.example.stock.gigaspacesdao.GigaSpaceDataSource.<init>(GigaSpaceDataSource.java:28)
    at org.openspaces.example.stock.guiclient.GuiClient.<init>(GuiClient.java:84)
    at org.openspaces.example.stock.guiclient.GuiClient.main(GuiClient.java:67)
Caused by: com.j_spaces.core.client.FinderException: Failed to find: jini:////stockSpace?useLocalCache&updateMode=2&locators=localhost&groups=gigaspaces-6 ...(more)

asdfasdf ( 2008-10-14 18:10:28 -0500 )

1. Also, is it documented somewhere how GenericPrincipal should be used within the class implementing ISpaceUserAccountDriver?

In particular, in what form should the roles be passed (system and custom). I am getting

Caused by: java.lang.ClassCastException: org.openspaces.example.stock.cad.CustomUserAccountDriver cannot be cast to com.j_spaces.core.filters.MemoryRealm

whenever I try adding and defining roles to the GenericPrincipal object.
The general idea is to be able to load a preexisting user account list with adjusted fine grained roles from a database.

Is such approach actually being practiced in the community?

2. And regarding the Exception with a client of a space with DefaultSecurityFilter switched on that runs local cache. I noticed, while implementing custom user account driver class, that a client with local cache is first being identified as ANONYMOUS and then with its real credentials. If I am getting it right. Could that maybe be the cause of failure to connect to space with DefaultSecurityFilter?

Thanks again,
Denis

asdfasdf ( 2008-10-15 11:26:03 -0500 )

Implementing the ISpaceUserAccountDriver is doable, but there are not many users using this option. That's why this is not that mature an option. It also has some limitations, such as not being supported by the UI.

Most of the users are using the built-in mechanism and adding the users/roles via the UI without special problems.

Proxies which do not have user/pass are identified as ANONYMOUS. If there is no such user defined they will not be able to access the space. You should have such a user to allow such to access the space.

You should use the following properties to set the user/pass: com.gs.security.userid, com.gs.security.password at the client side, or use the org.openspaces.core.space.SecurityConfig with the org.openspaces.core.space.UrlSpaceConfigurer.securityConfig(SecurityConfig securityConfig).

Shay

shay hassidim ( 2008-10-16 01:18:52 -0500 )
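
The SecurityConfig route named in the reply above, as an added example that is not code from this thread or from GigaSpaces: the client refuses to build a proxy when credentials are missing, so it never reaches the space as ANONYMOUS by accident. The class name and the environment variable names are assumptions; the space URL and locator are the ones used in this thread.

```java
import com.j_spaces.core.IJSpace;
import org.openspaces.core.GigaSpace;
import org.openspaces.core.GigaSpaceConfigurer;
import org.openspaces.core.space.SecurityConfig;
import org.openspaces.core.space.UrlSpaceConfigurer;

public class SecuredSpaceClient {

    // Hypothetical variable names: credentials stay out of source code and pu.xml.
    static final String USER_VAR = "SPACE_USER";
    static final String PASS_VAR = "SPACE_PASSWORD";

    /** Returns a SecurityConfig, or throws so that no credential-less proxy is created. */
    static SecurityConfig credentialsFromEnv() {
        String user = System.getenv(USER_VAR);
        String pass = System.getenv(PASS_VAR);
        if (user == null || user.trim().length() == 0
                || pass == null || pass.length() == 0) {
            throw new IllegalStateException("Set " + USER_VAR + " and " + PASS_VAR
                    + "; a proxy without user/pass is identified as ANONYMOUS");
        }
        return new SecurityConfig(user, pass);
    }

    /** Looks up the remote space and attaches the credentials to the proxy. */
    static GigaSpace connect(String spaceUrl, String locators) {
        UrlSpaceConfigurer configurer = new UrlSpaceConfigurer(spaceUrl)
                .lookupLocators(locators)
                .securityConfig(credentialsFromEnv());
        IJSpace space = configurer.space();
        return new GigaSpaceConfigurer(space).gigaSpace();
    }

    public static void main(String[] args) {
        GigaSpace gigaSpace = connect("jini:////stockSpace", "localhost");
        System.out.println("Connected to " + gigaSpace.getSpace().getName());
    }
}
```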

Hi Shay,

  1. The thing is that I can connect to local space using space url "jini:////stockSpace" and username "feeder" with all system roles defined (Admin, Write, Read, Execute). Should I add ?useLocalCache to the url as in "jini:////stockSpace?useLocalCache" (nothing else changes, connecting with the same username "feeder"), there is this exception being thrown:

"Caused by: SpaceSecurityException() com.j_spaces.core.SpaceSecurityException: Unknown user name: ANONYMOUS"

I suppose it is a bug?

  2. Regarding user management. It looks like a bug to me that the exception

"Caused by: java.lang.ClassCastException: org.openspaces.example.stock.cad.CustomUserAccountDriver cannot be cast to com.j_spaces.core.filters.MemoryRealm"

is being thrown when trying to add roles to GenericPrincipal object as in

String[] roles = { "admin", "read", "write" };
gp.setRoles(roles);

since both MemoryRealm and CustomUserAccountDriver implement ISpaceUserAccountDriver and the cast should not be made to MemoryRealm but to the interface?

  3. Is it documented somewhere in what form the system and custom roles (with user-defined rights) should be set?

I know that it's not common practice to implement ISpaceUserAccountDriver, but we need to read users and their roles from a database.

Thanks

asdfasdf ( 2008-10-16 06:03:29 -0500 )

Hey Shay

I was just playing around with security filter. What should be the default password for user "anonymous" ? If I create a user anonymous and give some password it is throwing exception saying password wrong. It works fine with any user name.

Thanks venkat

venkatg ( 2008-10-16 08:26:00 -0500 )
