Uploaded image for project: 'Geode'
  1. Geode
  2. GEODE-2053 Improve Geode Security Framework
  3. GEODE-2054

Do not use classpath: when looking for security-shiro-ini files

    Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      1. Hardcoding [1] the "resource path prefix" [2] (i.e. "classpath:") when the user decides to use Apache Shiro [3] to configure security for Apache Geode [4] is well, again, rather limiting.

      If a user specifies the Geode (System) property, "security-shiro-init", referencing an Apache Shiro INI configuration file, why not let the user decide the resource path source (i.e. classpath:, file:, or url of the INI file. For example...

      -Dgeode.security-shiro-init=file:/absolute/file/system/path/to/users/application/shiro.ini

      I would not arbitrarily restrict users to only the classapth for locating resources. It is unlikely the INI file will contain "sensitive" data (e.g. usernames/passwords, or even permission meta-data) in a production environment. It is more likely, that the users will be configuring 1 or more Shiro Realms declared in the [main] section of the INI file to load the security configuration meta-data from an external repository.

      Additionally, Apache Shiro has the ability to detect file changes, and dynamically reload the INI security configuration file [5] when the file: resource path (i.e. file system) is used.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jinmeiliao Jinmei Liao
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: