Gemfire JavaDocs
Class UnrestrictedMethodAuthorizer
- java.lang.Object
-
- org.apache.geode.cache.query.security.UnrestrictedMethodAuthorizer
-
- All Implemented Interfaces:
MethodInvocationAuthorizer
public final class UnrestrictedMethodAuthorizer extends java.lang.Object implements MethodInvocationAuthorizer
An immutable and thread-safeMethodInvocationAuthorizerthat allows any method execution as long as the target object does not belong to a Geode package, or does belong but it's marked as safe (seeRestrictedMethodAuthorizer.isAllowedGeodeMethod(Method, Object)).Some known dangerous methods, like
Object.getClass(), are also rejected by this authorizer implementation, no matter whether the target object belongs to Geode or not (seeRestrictedMethodAuthorizer.isPermanentlyForbiddenMethod(Method, Object)).This authorizer implementation addresses only three of the four known security risks:
Java Reflection,Cache ModificationandRegion Modification.The
Region Entry Modificationsecurity risk still exists: users with theDATA:READ:RegionNameprivilege will be able to execute ANY method (even mutators) on the objects stored within the region and on instances used as bind parameters of the OQL, so this authorizer implementation must be used with extreme care.Usage of this authorizer implementation is only recommended for secured clusters on which only trusted users and applications have access to the OQL engine. It might also be used on clusters on which the entries stored are immutable.
-
-
Constructor Summary
Constructors Constructor Description UnrestrictedMethodAuthorizer(Cache cache)Creates aUnrestrictedMethodAuthorizerobject and initializes it so it can be safely used in a multi-threaded environment.UnrestrictedMethodAuthorizer(RestrictedMethodAuthorizer restrictedMethodAuthorizer)Creates aUnrestrictedMethodAuthorizerobject and initializes it so it can be safely used in a multi-threaded environment.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description booleanauthorize(java.lang.reflect.Method method, java.lang.Object target)Executes the authorization logic to determine whether themethodis allowed to be executed on thetargetobject instance.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.apache.geode.cache.query.security.MethodInvocationAuthorizer
initialize
-
-
-
-
Constructor Detail
-
UnrestrictedMethodAuthorizer
public UnrestrictedMethodAuthorizer(Cache cache)
Creates aUnrestrictedMethodAuthorizerobject and initializes it so it can be safely used in a multi-threaded environment.Applications can use this constructor as part of the initialization for custom authorizers (see
Declarable.initialize(Cache, Properties)), when using a declarative approach.- Parameters:
cache- theCacheinstance that owns this authorizer, required in order to configure the defaultRestrictedMethodAuthorizer.
-
UnrestrictedMethodAuthorizer
public UnrestrictedMethodAuthorizer(RestrictedMethodAuthorizer restrictedMethodAuthorizer)
Creates aUnrestrictedMethodAuthorizerobject and initializes it so it can be safely used in a multi-threaded environment.- Parameters:
restrictedMethodAuthorizer- the defaultRestrictedMethodAuthorizerto use.
-
-
Method Detail
-
authorize
public boolean authorize(java.lang.reflect.Method method, java.lang.Object target)Executes the authorization logic to determine whether themethodis allowed to be executed on thetargetobject instance. If thetargetobject is an instance ofRegion, this methods also ensures that the user has theDATA:READpermission granted for the targetRegion.- Specified by:
authorizein interfaceMethodInvocationAuthorizer- Parameters:
method- theMethodthat should be authorized.target- theObjecton which theMethodwill be executed.- Returns:
trueif themethodcan be executed on on thetargetinstance,falseotherwise.- See Also:
MethodInvocationAuthorizer
-
-