com.gemstone.gemfire.security

Interface AccessControl

All Superinterfaces:

CacheCallback

public interface AccessControl
extends CacheCallback

Specifies the interface to authorize operations at the cache or region level for clients or servers. Implementations should register name of the static creation function as the security-client-accessor system property with all the servers uniformly in the distributed system for client authorization. When the security-client-accessor-pp property is set then the callback mentioned is invoked after the operation completes successfully and when sending notifications. When the registration has been done for a client/peer then an object of this class is created for each connection from the client/peer and the authorizeOperation method invoked before/after each operation.

Since:

5.5

Method Summary

Methods

Modifier and Type	Method and Description
boolean	authorizeOperation(String regionName, OperationContext context) Check if the given operation is allowed for the cache/region.
void	init(Principal principal, DistributedMember remoteMember, Cache cache) Initialize the callback for a client/peer having the given principal.

Methods inherited from interface com.gemstone.gemfire.cache.CacheCallback

close

Method Detail

init

void init(Principal principal,
        DistributedMember remoteMember,
        Cache cache)
          throws NotAuthorizedException

Initialize the callback for a client/peer having the given principal. This is invoked when a new connection from a client/peer is created with the host. The callback is expected to store authentication information of the given principal for the different regions for maximum efficiency when invoking authorizeOperation in each operation.

Parameters:

principal - the principal associated with the authenticated client or peer; a null principal implies an unauthenticated client which should be handled properly by implementations

remoteMember - the DistributedMember object for the remote authenticated client or peer

cache - reference to the cache object

Throws:

NotAuthorizedException - if some exception condition happens during the initialization; in such a case all subsequent client operations on that connection will throw NotAuthorizedException

authorizeOperation

boolean authorizeOperation(String regionName,
                         OperationContext context)

Check if the given operation is allowed for the cache/region. This method is invoked in each cache and region level operation. It is, therefore, expected that as far as possible relevant information has been cached in the init call made when the connection was established so that this call is as quick as possible.

Parameters:

regionName - When null then it indicates a cache-level operation (i.e. one of OperationContext.OperationCode.REGION_DESTROY or OperationContext.OperationCode.QUERY, else the name of the region for the operation.

context - When invoked before the operation then the data required by the operation. When invoked as a post-process filter then it contains the result of the operation. The data in the context can be possibly modified by the method.

Returns:

true if the operation is authorized and false otherwise