Pivotal GemFire® v8.1

Implementing Authorized Access Control for the Cache

To use authorization for client/server systems, your client connections must be authenticated by their servers.

To set up authorized access control for the cache:
  1. Determine the degree of control you want over client access to the server cache.
  2. Program and configure the authorization plug-in:
    1. Create an implementation of the GemFire com.gemstone.gemfire.security.AccessControl interface.
      1. Program a public static method to return an instance of the class.
      2. Program the init method to store all properties required by the AccessControl.authorizeOperation method at the time the client makes its connection to the server.
        Note: Do as much work here as you can to save time on the individual authorizeOperation calls.
      3. Program the authorizeOperation method to perform whatever pre- and post-operation authorization activities are required by your application. The OperationContext has the OperationCode and a boolean indicating whether the call is pre-operation or post-operation. For all but function calls, you can filter the post-operation results to remove any data you do not want your clients to receive. Function calls can only be allowed or disallowed in their entirety.
    2. Set the gemfire.properties uniformly on all servers to implement the plug-in:
      • For pre-operation calls, set security-client-accessor to the fully qualified name of the static method you programmed to return an instance of the class. Example:
        # Pre-op example where myAccessControl.create returns the
        # instance of AccessControl
        security-client-accessor=myAuthPkg.myAccessControl.create
      • For post-operation calls, set security-client-accessor-pp to the fully qualified name of the static method you programmed to return an instance of the class. Example:
        # Post-op example where myAccessControl.create returns the
        # instance of AccessControl
        security-client-accessor-pp=myAuthPkg.myAccessControl.create

Your authorizeOperation method will be invoked before and/or after each client operation, as configured.
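
The steps above, put together as an added example (not code from the GemFire distribution): an AccessControl implementation that resolves the client's rights once in init and keeps authorizeOperation to cheap checks. The package and class names follow the property values shown above; the WRITERS set, the "app-writer" principal and the read-only default policy are assumptions made for illustration.

```java
package myAuthPkg; // matches the security-client-accessor value shown above

import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import com.gemstone.gemfire.cache.Cache;
import com.gemstone.gemfire.cache.operations.OperationContext;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AccessControl;
import com.gemstone.gemfire.security.NotAuthorizedException;

public class myAccessControl implements AccessControl {
  // Hypothetical policy: principals listed here may write; all others are read-only.
  private static final Set<String> WRITERS = Collections.singleton("app-writer");

  private boolean canWrite; // resolved once per client connection in init()

  // Static factory named by security-client-accessor / security-client-accessor-pp.
  public static AccessControl create() {
    return new myAccessControl();
  }

  // Called when the authenticated client connects: do the expensive lookup here.
  public void init(Principal principal, DistributedMember remoteMember, Cache cache)
      throws NotAuthorizedException {
    if (principal == null) {
      throw new NotAuthorizedException("no authenticated principal for " + remoteMember);
    }
    canWrite = WRITERS.contains(principal.getName());
  }

  // Called per operation: only cheap checks against the state cached by init().
  public boolean authorizeOperation(String regionName, OperationContext context) {
    OperationCode code = context.getOperationCode();
    if (code.isExecuteFunction()) {
      return canWrite; // functions are allowed or denied in their entirety
    }
    if (context.isPostOperation()) {
      return true; // this sample passes already-authorized results through unfiltered
    }
    boolean readOnly = code.isGet() || code.isQuery() || code.isContainsKey()
        || code.isKeySet() || code.isRegisterInterest() || code.isUnregisterInterest();
    return readOnly || canWrite; // any other operation is denied unless the client may write
  }

  public void close() { } // no resources held
}
```

Because the final check denies every operation that is not on the read-only list, an operation code the policy does not name is refused for read-only clients instead of being silently allowed.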