6 Replies Latest reply: Apr 11, 2013 4:32 PM by 385089

    Authorization Interceptor Classes

    385089
      I am extending WrapperCacheService for authentication.

      Here is the configuration of the proxy scheme. What should be the value of <param-value>?


      <proxy-scheme>
          <service-name>ExtendTcpProxyService</service-name>
          <acceptor-config>
              <tcp-acceptor>
                  <local-address>
                      <address>MyMachine</address>
                      <port>9001</port>
                  </local-address>
              </tcp-acceptor>
          </acceptor-config>
          <proxy-config>
              <!--
              <cache-service-proxy>
                  <enabled>true</enabled>
              </cache-service-proxy>
              -->
              <cache-service-proxy>
                  <class-name>MyWrapperCacheService</class-name>
                  <init-params>
                      <init-param>
                          <param-type>com.tangosol.net.CacheService</param-type>
                          <param-value>distributed</param-value>
                      </init-param>
                  </init-params>
              </cache-service-proxy>

              <!--
              <invocation-service-proxy>
                  <enabled>true</enabled>
              </invocation-service-proxy>
              -->
          </proxy-config>
          <autostart>true</autostart>
      </proxy-scheme>


      Also, cache-server.cmd fails with the following error:

      </cache-service-proxy>) java.lang.InstantiationException: Could not find a constructor for MyWrapperCacheService(com.tangosol.run.xml.SimpleElement)
      at com.tangosol.util.Base.ensureRuntimeException(Base.java:288)
      at com.tangosol.run.xml.XmlHelper.createInstance(XmlHelper.java:2652)

      I do not see any constructor with the parameter SimpleElement. Any clues on what I am doing wrong?
        • 1. Re: Authorization Interceptor Classes
          Jonathan.Knight
          Hi

          If you read the documentation about security http://docs.oracle.com/cd/E24290_01/coh.371/e22841/toc.htm and specifically this bit http://docs.oracle.com/cd/E24290_01/coh.371/e22841/extend_security.htm#CDDECJIA it says that your configuration should look like this:
          <proxy-scheme>
              <service-name>ExtendTcpProxyService</service-name>
              <acceptor-config>
                  <tcp-acceptor>
                      <local-address>
                          <address>MyMachine</address>
                          <port>9001</port>
                      </local-address>
                  </tcp-acceptor>
              </acceptor-config>
              <proxy-config>
                  <!--
                  <cache-service-proxy>
                  <enabled>true</enabled>
                  </cache-service-proxy>
                  -->
                  <cache-service-proxy>
                      <class-name>
                          MyWrapperCacheService
                      </class-name>
                      <init-params>
                          <init-param>
                              <param-type>com.tangosol.net.CacheService</param-type>
                              <param-value>{service}</param-value>
                          </init-param>
                      </init-params>
                  </cache-service-proxy>
          
                  <!-- <invocation-service-proxy>
                  <enabled>true</enabled>
                  </invocation-service-proxy>
                  -->
              </proxy-config>
              <autostart>true</autostart>
          </proxy-scheme>
          Specifically you need to put the service macro {service} inside the <param-value> tag.

          JK
          • 2. Re: Authorization Interceptor Classes
            385089
            Hi JK, I am not sure what this {service} should be? That's where I need help.
            • 3. Re: Authorization Interceptor Classes
              Jonathan.Knight
              Hi,

              In certain places in the cache configuration file you can use macro values inside { } and {service} is just one of those standard macros that Coherence interprets. In this case it means that this parameter value should be the CacheService being wrapped. There are some more described here http://docs.oracle.com/cd/E24290_01/coh.371/e22837/cache_config.htm#BABHCCHI

              You do not need to put in anything else, just {service} exactly as it says.

              JK
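As an added example of the wrapper class that this <cache-service-proxy> configuration instantiates (written for this thread, not code from the original post or from Oracle's documentation): with {service} as the init-param value, Coherence calls the one-argument CacheService constructor and hands it the wrapped service, and the subclass can then enforce authorization on every cache operation using the Subject the proxy has already established for the connection. The package name, the hard-coded policy table and the cache names are assumptions for illustration; the WrapperCacheService constructor, the ensureCache/destroyCache/releaseCache overrides and SecurityHelper.getCurrentSubject() are the 3.7.1 API the thread is using.

```java
package example.security;  // hypothetical package, assumed for this example

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import com.tangosol.net.CacheService;
import com.tangosol.net.NamedCache;
import com.tangosol.net.WrapperCacheService;
import com.tangosol.net.security.SecurityHelper;

/**
 * Authorization interceptor installed through <cache-service-proxy>.
 * The {service} macro makes Coherence call the CacheService constructor
 * below; a literal such as "distributed" has no matching constructor,
 * which is the InstantiationException reported in the first post.
 */
public class MyWrapperCacheService extends WrapperCacheService {

    // Constructed policy for the example: principal name -> caches it may use ("*" = any).
    private static final Map<String, Set<String>> POLICY;
    static {
        Map<String, Set<String>> m = new HashMap<String, Set<String>>();
        m.put("admin",  Collections.singleton("*"));
        m.put("reader", Collections.singleton("hello-example"));
        POLICY = Collections.unmodifiableMap(m);
    }

    public MyWrapperCacheService(CacheService service) {
        super(service);
    }

    @Override
    public NamedCache ensureCache(String sName, ClassLoader loader) {
        checkAccess(sName, "ensureCache");
        return super.ensureCache(sName, loader);
    }

    @Override
    public void destroyCache(NamedCache cache) {
        checkAccess(cache.getCacheName(), "destroyCache");
        super.destroyCache(cache);
    }

    @Override
    public void releaseCache(NamedCache cache) {
        checkAccess(cache.getCacheName(), "releaseCache");
        super.releaseCache(cache);
    }

    /**
     * Deny by default. The proxy runs each request as the Subject produced by
     * the identity asserter, so SecurityHelper.getCurrentSubject() returns that
     * Subject; null means no asserted identity. The SecurityException
     * propagates back to the Extend client as a failed request.
     */
    static void checkAccess(String sCache, String sOperation) {
        Subject subject = SecurityHelper.getCurrentSubject();
        if (subject == null) {
            throw new SecurityException(sOperation + " on \"" + sCache + "\" denied: no Subject");
        }
        for (Principal principal : subject.getPrincipals()) {
            Set<String> allowed = POLICY.get(principal.getName());
            if (allowed != null && (allowed.contains("*") || allowed.contains(sCache))) {
                return;
            }
        }
        throw new SecurityException(sOperation + " on \"" + sCache + "\" denied for "
                + subject.getPrincipals());
    }
}
```

With this class on the proxy's classpath, the <class-name> in the configuration above becomes example.security.MyWrapperCacheService and the <param-value> stays {service}. The checks only mean something if the proxy actually establishes a Subject for the connection, which is what the identity asserter (or an access controller) is for; without one, getCurrentSubject() is null and every request is refused.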
              • 4. Re: Authorization Interceptor Classes
                385089
                Thanks JK for your support. {service} makes it work. I do not see any errors on startup now.

                More problems here:

                I created PasswordIdentityAsserter for the server side and PasswordIdentityTransformer for the client side, and configured both client and server:

                <!-- client side: the transformer produces the identity token -->
                <security-config>
                    <identity-transformer>
                        <class-name>com...PasswordIdentityTransformer</class-name>
                    </identity-transformer>
                    <subject-scope>true</subject-scope>
                </security-config>

                <!-- server side: the asserter validates the identity token -->
                <security-config>
                    <identity-asserter>
                        <class-name>com...PasswordIdentityAsserter</class-name>
                    </identity-asserter>
                    <subject-scope>true</subject-scope>
                </security-config>


                Client code:

                import java.security.PrivilegedActionException;
                import java.security.PrivilegedExceptionAction;
                import javax.security.auth.Subject;

                import com.tangosol.net.CacheFactory;
                import com.tangosol.net.NamedCache;
                import com.tangosol.net.security.SecurityHelper;

                // SecurityExampleHelper is the login helper from the Coherence security examples
                Subject subject = SecurityExampleHelper.login("userid");
                System.out.println("subject:" + subject);
                try {
                    // Run the cache lookup as the logged-in Subject so the identity
                    // transformer sees it when the Extend connection is opened.
                    NamedCache cache = Subject.doAs(subject, new PrivilegedExceptionAction<NamedCache>() {
                        public NamedCache run() throws Exception {
                            System.out.println("SecurityHelper.getCurrentSubject():" + SecurityHelper.getCurrentSubject());
                            NamedCache cache = CacheFactory.getCache("hello-example");
                            System.out.println("------password example succeeded------");
                            return cache;
                        }
                    });
                } catch (PrivilegedActionException e) {
                    // The real cause is the wrapped exception, so print that rather than the wrapper.
                    e.getException().printStackTrace();
                }


                I see the flow: my client execution flow is going through PasswordIdentityTransformer, and it is also printing the value of SecurityHelper.getCurrentSubject().

                I do not see the execution flow through PasswordIdentityAsserter.


                On the server side (cache-server.cmd), I see the following. The connection seems to be getting established:

                2013-04-11 11:20:30.549/108.027 Oracle Coherence GE 3.7.1.0 <D6> (thread=Proxy:ExtendTcpProxyService:TcpAcceptor:TcpProcessor, member=1): Released: TcpConnection(Id=0x0000013DFA53D3D4AC1D073B126D5639EB57AC785C2E37A5B5B3A1740, Open=false, Member(Id=0, Timestamp=2013-04-11 11:20:30.524, Address=10.11.112.113:0, MachineId=0, Location=site:,machine:QZ123L91817A,process:7920, Role=CoherenceClient), LocalAddress=10.11.112.113:8011, RemoteAddress=10.11.112.113:53869)

                But on the client side, it says the connection is rejected (connected and errored):

                2013-04-11 11:43:40.790/1.619 Oracle Coherence GE 3.7.1.0 <Info> (thread=main, member=n/a): Connected Socket to 10.11.112.113:8011
                2013-04-11 11:43:40.839/1.668 Oracle Coherence GE 3.7.1.0 <Info> (thread=main, member=n/a): Error establishing a connection with 10.11.112.113:8011: com.tangosol.net.messaging.ConnectionException: connection rejected
                2013-04-11 11:43:40.839/1.668 Oracle Coherence GE 3.7.1.0 <D5> (thread=ExtendTcpRemoteCacheService:TcpInitiator, member=n/a): Stopped: TcpInitiator{Name=ExtendTcpRemoteCacheService:TcpInitiator, State=(SERVICE_STOPPED), ThreadCount=0, Codec=Codec(Format=POF), Serializer=com.tangosol.io.DefaultSerializer, PingInterval=0, PingTimeout=200000, RequestTimeout=200000, ConnectTimeout=200000, SocketProvider=SystemSocketProvider, RemoteAddresses=client.MyAddressProvider@24988707, SocketOptions{LingerTimeout=0, KeepAliveEnabled=true, TcpDelayEnabled=false}}
                2013-04-11 11:43:40.840/1.669 Oracle Coherence GE 3.7.1.0 <Error> (thread=main, member=n/a): Error while starting service "ExtendTcpRemoteCacheService": com.tangosol.net.messaging.ConnectionException: could not establish a connection to one of the following addresses: [10.11.112.113:8011]; make sure the "remote-addresses" configuration element contains an address and port of a running TcpAcceptor
                     at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.initiator.TcpInitiator.openConnection(TcpInitiator.CDB:120)
                     at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.Initiator.ensureConnection(Initiator.CDB:11)
                     at com.tangosol.coherence.component.net.


                Both client and server are on the same machine ( dev env). I see <autostart>true</autostart> both in <distributed-scheme> and <proxy-scheme>

                Any help is appreciated.
                • 5. Re: Authorization Interceptor Classes
                  user639604
                  I think you mixed up the "Access Controller" with "Identity Token".

                  For "Access Controller", http://docs.oracle.com/cd/E24290_01/coh.371/e22841/access_controller.htm#BGBHEDFJ

                  You'd need to configure the <access-controller> section as indicated in section 3.2 if you plan to wrap all your client requests with Subject.doAs() calls and use JAAS.

                  For "Identity Token", http://docs.oracle.com/cd/E24290_01/coh.371/e22841/extend_security.htm#CDDBIBDA

                  You don't need to wrap your client request within a Subject.doAs() call. You don't even need to touch the Subject object within your client-side IdentityTransformer if you don't plan to use JAAS at all.
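An added example of the identity-token pair user639604 is describing, written for this thread rather than taken from it or from Oracle's samples (two source files shown in one block). The transformer runs on the client when the Extend connection is opened and builds the token, with or without a Subject.doAs() wrapper; the asserter runs on the proxy and either returns a Subject or throws SecurityException, which makes the proxy refuse the connection. The package name, the example.user and example.password system properties, the constructed user table and the NamePrincipal class are assumptions; transformIdentity(Subject, Service) and assertIdentity(Object, Service) are the 3.7.1 interface signatures the thread's documentation links describe.

```java
// --- PasswordIdentityTransformer.java (client side) ---
package example.security;  // hypothetical package, assumed for this example

import java.security.Principal;
import javax.security.auth.Subject;

import com.tangosol.net.Service;
import com.tangosol.net.security.IdentityTransformer;

/**
 * Builds the token the client sends when it opens the Extend connection.
 * A String[] of {user, password} serializes under POF without extra config.
 */
public class PasswordIdentityTransformer implements IdentityTransformer {
    public Object transformIdentity(Subject subject, Service service) throws SecurityException {
        String user;
        if (subject != null && !subject.getPrincipals().isEmpty()) {
            // Client wrapped the call in Subject.doAs(): take the name from the Subject.
            Principal principal = subject.getPrincipals().iterator().next();
            user = principal.getName();
        } else {
            // No Subject on the thread (no JAAS on the client): assumed system property.
            user = System.getProperty("example.user");
        }
        String password = System.getProperty("example.password");  // assumed system property
        if (user == null || password == null) {
            throw new SecurityException("No credentials available for identity token");
        }
        return new String[] { user, password };
    }
}

// --- PasswordIdentityAsserter.java (proxy side) ---
package example.security;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import com.tangosol.net.Service;
import com.tangosol.net.security.IdentityAsserter;

/**
 * Validates the token on the proxy. Returns a Subject on success; throwing
 * SecurityException makes the proxy refuse the connection.
 */
public class PasswordIdentityAsserter implements IdentityAsserter {
    // Constructed user table: name -> SHA-256(password). Demonstration only;
    // a real deployment would use a salted password hash and an external store.
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static {
        USERS.put("reader", sha256("reader-secret"));
        USERS.put("admin",  sha256("admin-secret"));
    }

    public Subject assertIdentity(Object oToken, Service service) throws SecurityException {
        if (!(oToken instanceof String[]) || ((String[]) oToken).length != 2
                || ((String[]) oToken)[0] == null || ((String[]) oToken)[1] == null) {
            throw new SecurityException("Malformed identity token");
        }
        String[] token = (String[]) oToken;
        byte[] expected = USERS.get(token[0]);
        // Hash and compare even for unknown users so timing does not reveal valid names.
        byte[] reference = expected != null ? expected : sha256("");
        boolean match = MessageDigest.isEqual(reference, sha256(token[1]));
        if (expected == null || !match) {
            throw new SecurityException("Authentication failed for user " + token[0]);
        }
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new NamePrincipal(token[0]));
        // Read-only Subject carrying the authenticated principal and no credentials.
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(Charset.forName("UTF-8")));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Minimal Principal; equals/hashCode matter because Subject keeps principals in a Set. */
final class NamePrincipal implements Principal, java.io.Serializable {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}
```

The token travels in the clear unless the acceptor and initiator are configured for SSL, so this shows where the two hooks sit rather than a production password scheme. The asserter only ever compares digests, with MessageDigest.isEqual so the comparison time does not depend on where the first mismatching byte is, and the Subject it returns is what SecurityHelper.getCurrentSubject() hands to any wrapper service on the proxy.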
                  • 6. Re: Authorization Interceptor Classes
                    385089
                    Thanks. Removed the authorization code. Authentication works fine. I am doing Subject.doAs() though. I can see PasswordIdentityTransformer intercepting the connection. For now, I am accepting almost all the connections.

                    Let me work on the authorization code now.