Pivotal GemFire® v8.1

Managing RegionServices for Multiple Secure Users

In a secure system, you can create clients with multiple, secure connections to the servers from each client. The most common use case is a GemFire client embedded in an application server that supports data requests from many users. Each user may be authorized to access a subset of data on the servers. For example, customer users may be allowed to see and update only their own orders and shipments.

In a single client, multiple authenticated users can all access the same ClientCache through instances of the RegionService interface. Because there are multiple users with varying authorization levels, access to cached data is done entirely through the servers, where each user’s authorization can be managed.
Follow these steps in addition to the steps in Managing a Cache in a Secure System.
  1. Create your cache and RegionService instances:
    1. Configure your client’s server pool for multiple secure user authentication. Example:
      <pool name="serverPool" multiuser-authentication="true">
        <locator host="host1" port="44444"/>
      </pool>
      This enables access through the pool for the RegionService instances and disables it for the ClientCache instance.
    2. After you create your ClientCache, call the createAuthenticatedView method on the ClientCache instance once for each user, providing that user’s credentials. These calls create views for two users:
      // clientCache is the ClientCache instance created earlier.
      // Credentials for the first user.
      Properties properties = new Properties();
      properties.setProperty("security-username", cust1Name);
      properties.setProperty("security-password", cust1Pwd);
      RegionService regionService1 =
          clientCache.createAuthenticatedView(properties);

      // Use a fresh Properties object for the second user.
      properties = new Properties();
      properties.setProperty("security-username", cust2Name);
      properties.setProperty("security-password", cust2Pwd);
      RegionService regionService2 =
          clientCache.createAuthenticatedView(properties);
    For each user, do all of your caching and region work through the assigned RegionService instance. Access to the server cache will be governed by the server’s configured authorization rules for each individual user.
  2. Close your cache by closing the ClientCache instance only. Do not close the RegionService instances first. This is especially important for durable clients.
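
The two steps above as one client program. This is an added example, not code from the GemFire documentation. It assumes the GemFire 8.1 package names, a region named "orders", a constructed order key, and a hypothetical AuthInitialize factory method com.example.security.UserPasswordAuthInit.create. The region is created as PROXY so that its data policy is EMPTY, as RegionService requires.

```java
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.RegionService;
import com.gemstone.gemfire.cache.client.ClientCache;
import com.gemstone.gemfire.cache.client.ClientCacheFactory;
import com.gemstone.gemfire.cache.client.ClientRegionShortcut;
import com.gemstone.gemfire.cache.client.ServerOperationException;
import com.gemstone.gemfire.security.NotAuthorizedException;
import java.util.Properties;

public class MultiUserClient {
  // Builds the per-user credential set passed to createAuthenticatedView.
  static Properties credentials(String user, String password) {
    Properties p = new Properties();
    p.setProperty("security-username", user);
    p.setProperty("security-password", password);
    return p;
  }

  // Arguments (assumed): cust1Name cust1Pwd cust2Name cust2Pwd
  public static void main(String[] args) {
    ClientCache clientCache = new ClientCacheFactory()
        // Hypothetical AuthInitialize factory method; substitute your own.
        .set("security-client-auth-init", "com.example.security.UserPasswordAuthInit.create")
        .addPoolLocator("host1", 44444)
        .setPoolMultiuserAuthentication(true) // API form of multiuser-authentication="true"
        .create();
    try {
      // Create the region through the ClientCache; PROXY keeps no local data (EMPTY).
      clientCache.createClientRegionFactory(ClientRegionShortcut.PROXY).create("orders");

      RegionService cust1 = clientCache.createAuthenticatedView(credentials(args[0], args[1]));
      RegionService cust2 = clientCache.createAuthenticatedView(credentials(args[2], args[3]));

      // All data access goes through each user's own view, never the ClientCache.
      Region<String, String> cust1Orders = cust1.getRegion("orders");
      Region<String, String> cust2Orders = cust2.getRegion("orders");
      cust1Orders.put("cust1-order-1001", "2 widgets"); // constructed sample entry
      try {
        // Allowed or denied according to the server's authorization rules for cust2.
        cust2Orders.get("cust1-order-1001");
      } catch (ServerOperationException e) {
        if (!(e.getCause() instanceof NotAuthorizedException)) throw e;
        System.err.println("cust2 denied by server: " + e.getCause().getMessage());
      }
    } finally {
      clientCache.close(); // Close only the ClientCache, not the RegionService views.
    }
  }
}
```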

Requirements and Caveats for RegionService

Once each region is created, you can perform operations on it through the ClientCache instance or the RegionService instances, but not both.

Note: You can use the ClientCache to create a region that uses a pool configured for multi-user authentication, then access and do work on the region using your RegionService instances.
To use RegionService:
  • Regions must be configured as EMPTY. Depending on your data access requirements, this configuration might affect performance, because the client goes to the server for every get.
  • If you are running durable client queues (CQs) from the RegionService instances, stop and start the offline event storage for the client as a whole. The server manages one queue for the entire client process, so you need to request the stop and start of durable CQ event messaging for the cache as a whole, through the ClientCache instance. If you closed the RegionService instances, event processing would stop, but the server would continue to send events, and those events would be lost.
    Stop with:
    Start up again in this order:
    1. Create ClientCache instance.
    2. Create all RegionService instances. Initialize CQ listeners.
    3. Call ClientCache instance readyForEvents method.