XAP

Spring-Based Bridge

You may have noticed that Spring's Security AuthenticationProvider and AuthenticationManager, aren't much different from the GigaSpaces com.gigaspaces.security.SecurityManager. In Fact, they share a similar authentication method that handles authentication.

The org.openspaces.security.spring.SpringSecurityManager is a the GigaSpaces Spring Security bridge (between Spring Security and GigaSpaces Security Manager). It relies on the Spring Security XML configuration file for its context definitions. The Spring Security configuration resides in a standalone XML file.

SpringSecurityBridge.png

The Spring Security XML configuration file contains the AuthenticationManager, ProviderManager and AuthenticationProvider references. The authentication manager is discovered by the GigaSpaces Spring Security bridge (i.e. it iterates through all the types of authentication manager and plugs it in automatically).

<sec:authentication-manager>
   <sec:authentication-provider ref="ldapAuthenticationProvider"/>
</sec:authentication-manager>

Configuring the Security Manager

The Spring security configurations are loaded using Spring's FileSystemXmlApplicationContext taking the context definition files from the file system or from URLs. The location of the configuration file is set using the spring-security-config-location property; if not set, a default security-config.xml is considered (if present).

As with all GigaSpaces security configurations, they must be placed in a properties file. In order to configure the security manager to use the Spring Security bridge, we set the security-manager.class property along with the expected spring-security-config-location property.

com.gs.security.security-manager.class = org.gigaspaces.security.spring.SpringSecurityManager
spring-security-config-location = ../config/security/security-config.xml

This is all the configuration required to enable the use of the Spring-based security bridge. The restClosed REpresentational State Transfer. Application Programming Interface An API, or application programming interface, is a set of rules that define how applications or devices can connect to and communicate with each other. A REST API is an API that conforms to the design principles of the REST, or representational state transfer architectural style. is part of the Spring Security configuration XML file.

For convenience, the template properties config/security/spring-security.properties can be renamed to security.properties or referenced using a system property (see Security Configurations).

Logging

Any configurations that are applied can be seen by setting the logging level to CONFIG (see xap_logging.properties):

com.gigaspaces.security.level = CONFIG

Testing the Spring-based Security Bridge

Before launching up a whole full-blown application, you may want to test that the bridge is actually working to your satisfaction. For example, that the users, roles, and authorities are extracted correctly, etc. For this, you don't even need a GigaSpaces instance.

Here is a sample code, which sets up a GigaSpaces SpringSecurityManager instance by passing it the spring-security-config-location as an explicit property. The security manager calls the authenticate method with "username"/"password" returning (if successful) an Authentication object. This result contains the user details and the populated authorities of this user (all authorities including those extracted from the groups (roles) the user is part of).

import java.util.Arrays;
import java.util.Properties;
import com.gigaspaces.security.directory.User;
import com.gigaspaces.security.directory.UserDetails;
import org.openspaces.security.spring.SpringSecurityManager;

public class Main {
    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty("spring-security-config-location", "my-security-config.xml");
        SpringSecurityManager securityManager = new SpringSecurityManager();
        securityManager.init(props);
        com.gigaspaces.security.Authentication authenticate = securityManager
                .authenticate(new User("username", "password"));
        UserDetails userDetails = authenticate.getUserDetails();
        System.out.println("user: " + userDetails.getUsername() + " password: "
                + userDetails.getPassword() + " authorities: "
                + Arrays.toString(userDetails.getAuthorities()));
    }
}

When running a standalone test, you will need to include the following jars in your classpath:

  • $GS_HOME/lib/optional/security/spring-security-core-*.jar

  • $GS_HOME/lib/optional/spring/*.jar , $GS_HOME/lib/required/*.jar

GigaSpaces Security Authorities

GigaSpaces provides a set of Security Authorities which can be stored as a String in any external directory. Much like the Spring's Security GrantedAuthority s which translate to and from a String.

Lets take for example a Box-Office employee which has READ privileges, for class "eg.cinema.Movie". We convert the class expression using the WildcardExpressionToFilterConverter methods. This converter takes in an expression, for example a regular expression expressing the permitted classes the employee can read.

System.out.println(new SpaceAuthority(SpacePrivilege.READ,
                WildcardExpressionToFilterConverter.convert(
                        "eg.cinema.Movie", true)));

The output result is:

"SpacePrivilege READ ClassFilter eg.cinema.Movie"

This String represents the authority which, for example, can be stored in a database.

Spring's Security authenticate method returns an Authentication object holding all GrantedAuthority s. These authorities are String based, and should equal to the GigaSpaces authority String as above. Each authority is converted back (by SpringSecurityManager) into its object instance using the GigaSpaces AuthorityFactory. Of course, all this has already been done for you - all you need is to store the appropriate authority Strings.

Not always would you need an expressions as a filter. If we would have wanted to grant full READ privileges, than the authority would be represented as:

System.out.println(new SpaceAuthority(SpacePrivilege.READ));

The output result is:

"SpacePrivilege READ"

Similar, are the GridAuthority, MonitorAuthority and SystemAuthority. For example, the Gird authority Provision PUClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity. allows to deploy, un-deploy processing unitsClosed This is the unit of packaging and deployment in the GigaSpaces Data Grid, and is essentially the main GigaSpaces service. The Processing Unit (PU) itself is typically deployed onto the Service Grid. When a Processing Unit is deployed, a Processing Unit instance is the actual runtime entity., and is represented as:

System.out.println(new GridAuthority(GridPrivilege.PROVISION_PU));

The output result is:

"GridPrivilege PROVISION_PU"