6 Replies Latest reply: Apr 11, 2013 2:32 PM by 385089

Authorization Interceptor Classes

385089 Newbie
I am extending WrapperCacheService for Authentication..

Here is the configuration of proxy scheme.. what should be the value of <param-value>?


<proxy-scheme>
    <service-name>ExtendTcpProxyService</service-name>
    <acceptor-config>
        <tcp-acceptor>
            <local-address>
                <address>MyMachine</address>
                <port>9001</port>
            </local-address>
        </tcp-acceptor>
    </acceptor-config>
    <proxy-config>
        <!--
        <cache-service-proxy>
        <enabled>true</enabled>
        </cache-service-proxy>
        -->
        <cache-service-proxy>
            <class-name>
                MyWrapperCacheService
            </class-name>
            <init-params>
                <init-param>
                    <param-type>com.tangosol.net.CacheService</param-type>
                    <param-value>distributed</param-value>
                </init-param>
            </init-params>
        </cache-service-proxy>

        <!-- <invocation-service-proxy>
        <enabled>true</enabled>
        </invocation-service-proxy>
        -->
    </proxy-config>
    <autostart>true</autostart>
</proxy-scheme>


Also cache-server.cmd fails with the following error..

</cache-service-proxy>) java.lang.InstantiationException: Could not find a constructor for MyWrapperCacheService(com.tangosol.run.xml.SimpleElement)
at com.tangosol.util.Base.ensureRuntimeException(Base.java:288)
at com.tangosol.run.xml.XmlHelper.createInstance(XmlHelper.java:2652)

I do not see any constructor with the parameter SimpleElement.. Any clues on what I am doing wrong?
  • 1. Re: Authorization Interceptor Classes
    Jonathan.Knight Expert
    Hi

    If you read the documentation about security http://docs.oracle.com/cd/E24290_01/coh.371/e22841/toc.htm and specifically this bit http://docs.oracle.com/cd/E24290_01/coh.371/e22841/extend_security.htm#CDDECJIA it says that your configuration should look like this:
    <proxy-scheme>
        <service-name>ExtendTcpProxyService</service-name>
        <acceptor-config>
            <tcp-acceptor>
                <local-address>
                    <address>MyMachine</address>
                    <port>9001</port>
                </local-address>
            </tcp-acceptor>
        </acceptor-config>
        <proxy-config>
            <!--
            <cache-service-proxy>
            <enabled>true</enabled>
            </cache-service-proxy>
            -->
            <cache-service-proxy>
                <class-name>
                    MyWrapperCacheService
                </class-name>
                <init-params>
                    <init-param>
                        <param-type>com.tangosol.net.CacheService</param-type>
                        <param-value>{service}</param-value>
                    </init-param>
                </init-params>
            </cache-service-proxy>
    
            <!-- <invocation-service-proxy>
            <enabled>true</enabled>
            </invocation-service-proxy>
            -->
        </proxy-config>
        <autostart>true</autostart>
    </proxy-scheme>
    Specifically you need to put the service macro {service} inside the <param-value> tag.

    JK
  • 2. Re: Authorization Interceptor Classes
    385089 Newbie
    Hi JK, I am not sure what this {service} should be? That's where I need help.
  • 3. Re: Authorization Interceptor Classes
    Jonathan.Knight Expert
    Hi,

    In certain places in the cache configuration file you can use macro values inside { } and {service} is just one of those standard macros that Coherence interprets. In this case it means that this parameter value should be the CacheService being wrapped. There are some more described here http://docs.oracle.com/cd/E24290_01/coh.371/e22837/cache_config.htm#BABHCCHI

    You do not need to put in anything else, just {service} exactly as it says.

    JK
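
An added sketch (not code from this thread or from Oracle's documentation) of the wrapper class that the `{service}` parameter is meant for: the `<param-type>`/`<param-value>` pair has to match a public constructor taking a `com.tangosol.net.CacheService`, after which the wrapper can check the caller before handing out a cache. The principal name `cache-user` and the access rule are assumptions for illustration.

```java
import com.tangosol.net.CacheService;
import com.tangosol.net.NamedCache;
import com.tangosol.net.WrapperCacheService;
import com.tangosol.net.security.SecurityHelper;

import java.security.Principal;
import javax.security.auth.Subject;

public class MyWrapperCacheService extends WrapperCacheService {

    // Assumed principal name; a real deployment maps this to its own roles.
    private static final String REQUIRED_PRINCIPAL = "cache-user";

    // This is the constructor the <init-param> of type
    // com.tangosol.net.CacheService with value {service} is matched against.
    public MyWrapperCacheService(CacheService service) {
        super(service);
    }

    @Override
    public NamedCache ensureCache(String sName, ClassLoader loader) {
        checkAccess(sName);
        return super.ensureCache(sName, loader);
    }

    // Deny by default: no Subject, or a Subject without the required
    // principal, never reaches the wrapped service.
    private static void checkAccess(String sName) {
        Subject subject = SecurityHelper.getCurrentSubject();
        if (subject != null) {
            for (Principal principal : subject.getPrincipals()) {
                if (REQUIRED_PRINCIPAL.equals(principal.getName())) {
                    return;
                }
            }
        }
        throw new SecurityException("access denied to cache " + sName);
    }
}
```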
  • 4. Re: Authorization Interceptor Classes
    385089 Newbie
    Thanks JK for your support. {service} makes it work. I do not see any errors on startup now.

    More problems here..

    I created PasswordIdentityAsserter for server side and PasswordIdentityTransformer for client side. And configured on both client and server

    <security-config>
        <identity-transformer>
            <class-name>com...PasswordIdentityTransformer</class-name>
        </identity-transformer>
        <subject-scope>true</subject-scope>
    </security-config>


    <security-config>
        <identity-asserter>
            <class-name>com...PasswordIdentityAsserter</class-name>
        </identity-asserter>
        <subject-scope>true</subject-scope>
    </security-config>


    Client code:

    Subject subject = SecurityExampleHelper.login("userid");
    System.out.println("subject:" + subject);
    try {
        NamedCache cache = (NamedCache) Subject.doAs(
            subject, new PrivilegedExceptionAction()
            {
                public Object run()
                        throws Exception
                {
                    NamedCache cache;
                    System.out.println("SecurityHelper.getCurrentSubject():" + SecurityHelper.getCurrentSubject());
                    cache = CacheFactory.getCache("hello-example");
                    System.out.println("------password example succeeded------");
                    return cache;
                }
            });
    } catch (PrivilegedActionException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }


    I see the flow.. my client execution flow is going through PasswordIdentityTransformer. Also printing value of SecurityHelper.getCurrentSubject().

    I do not see the execution flow through PasswordIdentityAsserter.


    On the server side ( cache-server.cmd), I see the following.. Connection seems to be getting established..

    2013-04-11 11:20:30.549/108.027 Oracle Coherence GE 3.7.1.0 <D6> (thread=Proxy:ExtendTcpProxyService:TcpAcceptor:TcpProcessor, member=1): Released: TcpConnection(Id=0x0000013DFA53D3D4AC1D073B126D5639EB57AC785C2E37A5B5B3A1740, Open=false, Member(Id=0, Timestamp=2013-04-11 11:20:30.524, Address=10.11.112.113:0, MachineId=0, Location=site:,machine:QZ123L91817A,process:7920, Role=CoherenceClient), LocalAddress=10.11.112.113:8011, RemoteAddress=10.11.112.113:53869)

    But on the client side, it says connection is rejected.. ( connected and errored)

    2013-04-11 11:43:40.790/1.619 Oracle Coherence GE 3.7.1.0 <Info> (thread=main, member=n/a): Connected Socket to 10.11.112.113:8011
    2013-04-11 11:43:40.839/1.668 Oracle Coherence GE 3.7.1.0 <Info> (thread=main, member=n/a): Error establishing a connection with 10.11.112.113:8011: com.tangosol.net.messaging.ConnectionException: connection rejected
    2013-04-11 11:43:40.839/1.668 Oracle Coherence GE 3.7.1.0 <D5> (thread=ExtendTcpRemoteCacheService:TcpInitiator, member=n/a): Stopped: TcpInitiator{Name=ExtendTcpRemoteCacheService:TcpInitiator, State=(SERVICE_STOPPED), ThreadCount=0, Codec=Codec(Format=POF), Serializer=com.tangosol.io.DefaultSerializer, PingInterval=0, PingTimeout=200000, RequestTimeout=200000, ConnectTimeout=200000, SocketProvider=SystemSocketProvider, RemoteAddresses=client.MyAddressProvider@24988707, SocketOptions{LingerTimeout=0, KeepAliveEnabled=true, TcpDelayEnabled=false}}
    2013-04-11 11:43:40.840/1.669 Oracle Coherence GE 3.7.1.0 <Error> (thread=main, member=n/a): Error while starting service "ExtendTcpRemoteCacheService": com.tangosol.net.messaging.ConnectionException: could not establish a connection to one of the following addresses: [10.11.112.113:8011]; make sure the "remote-addresses" configuration element contains an address and port of a running TcpAcceptor
         at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.initiator.TcpInitiator.openConnection(TcpInitiator.CDB:120)
         at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.Initiator.ensureConnection(Initiator.CDB:11)
         at com.tangosol.coherence.component.net.


    Both client and server are on the same machine ( dev env). I see <autostart>true</autostart> both in <distributed-scheme> and <proxy-scheme>

    Any help is appreciated.
  • 5. Re: Authorization Interceptor Classes
    user639604 Journeyer
    I think you mixed up the "Access Controller" with "Identity Token".

    For "Access Controller", http://docs.oracle.com/cd/E24290_01/coh.371/e22841/access_controller.htm#BGBHEDFJ

    You'd need to configure the <access-controller> section as indicated in section 3.2 if you plan to wrap all your client requests with a Subject.doAs() call and use JAAS.

    For "Identity Token", http://docs.oracle.com/cd/E24290_01/coh.371/e22841/extend_security.htm#CDDBIBDA

    You don't need to wrap your client request within a Subject.doAs() call. You don't even need to touch the Subject object within your client side IdentityTransformer if you don't plan to use JAAS at all.
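
An added example (not from this thread or the Coherence documentation) of the identity-token path described above, written against the two-argument `IdentityTransformer`/`IdentityAsserter` signatures of Coherence 3.7: the client-side transformer ignores the Subject and sends a shared secret, and the proxy-side asserter throws `SecurityException` unless the presented token matches. The class name `SharedSecretIdentity`, the system property `example.extend.secret` and the principal name `extend-client` are assumptions.

```java
import com.tangosol.net.Service;
import com.tangosol.net.security.IdentityAsserter;
import com.tangosol.net.security.IdentityTransformer;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import javax.security.auth.Subject;

public final class SharedSecretIdentity {
    // Assumed property name; set the same value on the client and proxy JVMs.
    private static final String SECRET_PROPERTY = "example.extend.secret";
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private static byte[] secret() {
        String s = System.getProperty(SECRET_PROPERTY);
        if (s == null || s.isEmpty()) {
            // Fail closed: no configured secret means no connection.
            throw new SecurityException("shared secret is not configured");
        }
        return s.getBytes(UTF8);
    }

    /** Client side, referenced from <identity-transformer>. The Subject is not used. */
    public static class Transformer implements IdentityTransformer {
        public Object transformIdentity(Subject subject, Service service) {
            // The token is sent as-is over the Extend connection.
            return new String(secret(), UTF8);
        }
    }

    /** Proxy side, referenced from <identity-asserter>. */
    public static class Asserter implements IdentityAsserter {
        public Subject assertIdentity(Object oToken, Service service) {
            if (oToken instanceof String) {
                byte[] presented = ((String) oToken).getBytes(UTF8);
                // Constant-time comparison of presented and expected token.
                if (MessageDigest.isEqual(presented, secret())) {
                    Subject subject = new Subject();
                    subject.getPrincipals().add(new Principal() {
                        public String getName() { return "extend-client"; }
                    });
                    return subject;
                }
            }
            // A null token (no transformer configured) also ends up here.
            throw new SecurityException("identity token rejected");
        }
    }
}
```

As nested classes these would be named `SharedSecretIdentity$Transformer` and `SharedSecretIdentity$Asserter` in the `<class-name>` elements.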
  • 6. Re: Authorization Interceptor Classes
    385089 Newbie
    Thanks. Removed Authorization code. Authentication works fine. I am doing Subject.doAs() though. I can see PasswordIdentityTransformer intercepting the connection. For now, I am accepting almost all the connections..

    Let me work on Authorization code now..
