Implement Authentication

Authentication is done by initializing credentials in the joining member, sending the credentials to an authenticator member in the system, and receiving authentication to join. Depending on the member, the new member may in turn become an authenticator to other joining members. Members joining a system must trust that existing members are already authenticated.

GemFire provides a flexible framework for your security authentication plug-ins. You choose the method of authentication, such as LDAP or PKCS, and program the plug-ins accordingly.
  1. Determine the method of authentication that you will use. It is assumed that you know how to use it.
  2. Determine any special properties required for your authentication's credentials initialization and decide how you will get the properties to the initialization method. Depending on how sensitive the properties are and on your application requirements, you may do a combination of these:
    • Pass the additional properties through the gemfire.properties file (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) settings or programmatically, using the set methods in the ClientCacheFactory, before the call to the create method. All properties starting with security- are automatically passed to the AuthInitialize implementation.
    • Obtain the properties dynamically in the AuthInitialize.getCredentials method.
  3. For joining members, program and configure the credentials initialization plug-in:
    1. Create an implementation of the GemFire com.gemstone.gemfire.security.AuthInitialize interface.
      1. Program a public static method to return an instance of the class.
      2. Program the getCredentials method to build, from the member's credentials, all properties that the authenticate method of your Authenticator will need.
    2. For peers and locators, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-peer-auth-init to the fully qualified name of the static method you programmed that returns an instance of the class. In these examples, the method is named create. Example:
      //Peer init example where myAuthInitImpl.create returns the instance of AuthInitialize
      security-peer-auth-init=myAuthPkg.myAuthInitImpl.create
    3. For clients and gateways, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-client-auth-init to the fully qualified name of the method you programmed that returns an instance of the AuthInitialize class. Example:
      //Client/WAN init example where myAuthInitImpl.create returns the instance of AuthInitialize
      security-client-auth-init=myAuthPkg.myAuthInitImpl.create
    4. For all members, set any additional gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-* properties required by your AuthInitialize implementation.
  4. For authorizing members, program and configure the credentials authorization plug-in:
    1. Implement the GemFire com.gemstone.gemfire.security.Authenticator interface:
      1. Program a public static, zero-argument method to return an instance of the class.
      2. Program the authenticate method to authenticate the credentials and return a java.security.Principal object.
    2. For peers and locators set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-peer-authenticator to the fully qualified name of the method that returns an instance of the Authenticator class. Example:
      //Peer auth example where myAuthenticatorImpl.create returns the instance of Authenticator
      security-peer-authenticator=myAuthPkg.myAuthenticatorImpl.create
    3. For servers and gateways, set the gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-client-authenticator to the fully qualified name of the method that returns an instance of the Authenticator class. Example:
      //Client/WAN auth example where myAuthenticatorImpl.create returns the instance of Authenticator
      security-client-authenticator=myAuthPkg.myAuthenticatorImpl.create
    4. For all members, set any additional gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration) security-* properties required by your Authenticator implementation.
  5. For all members, provide the list of authenticated locators in the gemfire.properties file.
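The following is an added example of steps 3 and 4 carried through as a pair of plug-in classes; it is not code from this page or from the GemFire product. It keeps the class and package names the property examples above use (myAuthPkg.myAuthInitImpl, myAuthPkg.myAuthenticatorImpl) and assumes the method signatures of the GemFire Java interfaces as documented in the API (AuthInitialize: init, getCredentials, close; Authenticator: init, authenticate, close). The property names security-username and security-password, and the in-memory user table with its single example user, are constructed for the example; a real Authenticator would replace that table with the LDAP, PKCS or other backend chosen in step 1.

```java
// File: myAuthPkg/myAuthInitImpl.java -- joining-member side (step 3).
// Wired in with: security-peer-auth-init=myAuthPkg.myAuthInitImpl.create
//            or: security-client-auth-init=myAuthPkg.myAuthInitImpl.create
package myAuthPkg;

import java.util.Properties;
import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AuthInitialize;
import com.gemstone.gemfire.security.AuthenticationFailedException;

public class myAuthInitImpl implements AuthInitialize {
    // Assumed property names for this example; any security-* key from
    // gemfire.properties / gfsecurity.properties is handed to getCredentials.
    public static final String USER_PROP = "security-username";
    public static final String PASSWORD_PROP = "security-password";
    private LogWriter securityLog;

    // Public static zero-argument factory named in the *-auth-init property.
    public static AuthInitialize create() { return new myAuthInitImpl(); }

    @Override
    public void init(LogWriter systemLogger, LogWriter securityLogger)
            throws AuthenticationFailedException {
        this.securityLog = securityLogger;
    }

    @Override
    public Properties getCredentials(Properties securityProps, DistributedMember server,
            boolean isPeer) throws AuthenticationFailedException {
        String user = securityProps.getProperty(USER_PROP);
        String password = securityProps.getProperty(PASSWORD_PROP);
        if (user == null || password == null) {
            throw new AuthenticationFailedException(
                USER_PROP + " and " + PASSWORD_PROP + " must be set for this AuthInitialize");
        }
        // Send only the two credential properties, not every security-* setting of this member.
        Properties creds = new Properties();
        creds.setProperty(USER_PROP, user);
        creds.setProperty(PASSWORD_PROP, password);
        if (securityLog != null) {   // log who and where, never the secret
            securityLog.info("Sending credentials for " + user + " to " + server
                + (isPeer ? " (peer)" : " (server)"));
        }
        return creds;
    }

    @Override public void close() {}
}

// File: myAuthPkg/myAuthenticatorImpl.java -- authenticator side (step 4).
// Wired in with: security-peer-authenticator=myAuthPkg.myAuthenticatorImpl.create
//            or: security-client-authenticator=myAuthPkg.myAuthenticatorImpl.create
package myAuthPkg;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.security.AuthenticationFailedException;
import com.gemstone.gemfire.security.Authenticator;

public class myAuthenticatorImpl implements Authenticator {
    // Constructed stand-in for the real directory chosen in step 1: user -> SHA-256 of password.
    private final Map<String, byte[]> users = new HashMap<>();
    private LogWriter securityLog;

    public static Authenticator create() { return new myAuthenticatorImpl(); }

    @Override
    public void init(Properties securityProps, LogWriter systemLogger, LogWriter securityLogger)
            throws AuthenticationFailedException {
        this.securityLog = securityLogger;
        users.put("example-user", sha256("example-password"));  // constructed sample entry
    }

    @Override
    public Principal authenticate(Properties props, DistributedMember member)
            throws AuthenticationFailedException {
        String user = props.getProperty(myAuthInitImpl.USER_PROP);
        String password = props.getProperty(myAuthInitImpl.PASSWORD_PROP);
        if (user == null || password == null) fail("missing credentials from " + member);
        byte[] supplied = sha256(password);       // digest even for unknown users
        byte[] expected = users.get(user);
        // Constant-time comparison so timing does not reveal which usernames exist.
        if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
            fail("authentication failed for user " + user + " from " + member);
        }
        final String name = user;
        return () -> name;                        // java.security.Principal#getName
    }

    // Details go to the security log; the caller only sees a generic failure.
    private void fail(String msg) throws AuthenticationFailedException {
        if (securityLog != null) securityLog.warning(msg);
        throw new AuthenticationFailedException("Authentication failed");
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public void close() {}
}
```

Two points worth keeping from the example when you substitute your own backend: the joining member forwards only the properties the authenticator actually needs, and the authenticator reports a generic failure to the caller while the reason is written to the security log writer it received in init.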

Locators That Require Authentication

Collocated locators started with the com.gemstone.gemfire.distributed.Locator.startLocator methods do not require security settings because they do not join the distributed system.

All other locators, including those started with the gemfire start-locator command, those started through the AdminDistributedSystem.addLocator API, and those started with com.gemstone.gemfire.distributed.Locator.startLocatorAndDS, must be configured with the correct security settings.