Class RegExMethodAuthorizer

  • java.lang.Object
    • org.apache.geode.cache.query.security.RegExMethodAuthorizer
  • All Implemented Interfaces:
    MethodInvocationAuthorizer

    public final class RegExMethodAuthorizer
    extends java.lang.Object
    implements MethodInvocationAuthorizer
    An immutable and thread-safe MethodInvocationAuthorizer that only allows the execution of those methods matching the configured regular expression.

    Some known dangerous methods, like Object.getClass(), are also rejected by this authorizer implementation, no matter whether the method matches the configured regular expressions or not (see RestrictedMethodAuthorizer.isPermanentlyForbiddenMethod(Method, Object)).

    When correctly configured, this authorizer implementation addresses the four known security risks: Java Reflection, Cache Modification, Region Modification and Region Entry Modification.

    For the above statement to remain true, however, the regular expressions used must be exhaustively studied and configured so no mutator methods match. If the regular expressions are not restrictive enough, the Region Entry Modification security risk still exists: users with the DATA:READ:RegionName privileges will be able to execute methods (even those modifying the entry) on the objects stored within the region and on instances used as bind parameters of the query, so this authorizer must be used with extreme care.

    Usage of this authorizer implementation is only recommended for scenarios in which the user or operator knows exactly what code is deployed to the cluster, and how and when it is deployed, so that the regular expressions can be configured correctly. It might also be used on clusters in which the stored entries are immutable.
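
    A way to audit candidate patterns before deploying them, as an added example that is not part of the Geode Javadoc or code base. It assumes each pattern must fully match the string "<class name>.<method name>"; the Account class and the admitted helper are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class PatternAudit {
  // Constructed domain class standing in for an object stored in a region.
  public static class Account {
    private final String owner = "alice";
    private long balance = 100;
    public String getOwner() { return owner; }
    public long getBalance() { return balance; }
    public void setBalance(long b) { balance = b; }           // obvious mutator
    public long getAndResetBalance() {                        // mutator named like a getter
      long b = balance; balance = 0; return b;
    }
  }

  // Assumption: a method is admitted when any pattern fully matches
  // "<class name>.<method name>".
  static List<String> admitted(Class<?> type, Set<String> patterns) {
    List<String> hits = new ArrayList<>();
    for (Method m : type.getDeclaredMethods()) {
      String name = type.getName() + "." + m.getName();
      for (String p : patterns) {
        if (Pattern.compile(p).matcher(name).matches()) { hits.add(m.getName()); break; }
      }
    }
    Collections.sort(hits);
    return hits;
  }

  public static void main(String[] args) {
    // Quote the class name so '.' and '$' in it are matched literally.
    String cls = Pattern.quote(Account.class.getName());
    Set<String> loose  = Set.of("^" + cls + "\\..*$");                   // every method
    Set<String> prefix = Set.of("^" + cls + "\\.get.*$");                // anything named get*
    Set<String> strict = Set.of("^" + cls + "\\.(getOwner|getBalance)$"); // explicit allow-list
    System.out.println("loose:  " + admitted(Account.class, loose));
    System.out.println("prefix: " + admitted(Account.class, prefix));
    System.out.println("strict: " + admitted(Account.class, strict));
  }
}
```

    The prefix pattern still admits getAndResetBalance, which modifies the entry; only the explicit list limits a DATA:READ user to the two read-only accessors.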

    See Also:
    Cache, MethodInvocationAuthorizer, RestrictedMethodAuthorizer
    • Constructor Summary

      Constructors 
      Constructor Description
      RegExMethodAuthorizer(Cache cache, java.util.Set<java.lang.String> allowedPatterns)
      Creates a RegExMethodAuthorizer object and initializes it so it can be safely used in a multi-threaded environment.
      RegExMethodAuthorizer(RestrictedMethodAuthorizer restrictedMethodAuthorizer, java.util.Set<java.lang.String> allowedPatterns)
      Creates a RegExMethodAuthorizer object and initializes it so it can be safely used in a multi-threaded environment.
    • Method Summary

      Modifier and Type Method Description
      boolean authorize(java.lang.reflect.Method method, java.lang.Object target)
      Executes the authorization logic to determine whether the method is allowed to be executed on the target object instance.
      java.util.Set<java.lang.String> getAllowedPatterns()
      Returns an unmodifiable view of the regular expressions used to configure this authorizer.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • RegExMethodAuthorizer

        public RegExMethodAuthorizer(Cache cache,
                                     java.util.Set<java.lang.String> allowedPatterns)
        Creates a RegExMethodAuthorizer object and initializes it so it can be safely used in a multi-threaded environment.

        Applications can use this constructor as part of the initialization for custom authorizers (see Declarable.initialize(Cache, Properties)) when using a declarative approach.

        Parameters:
        cache - the Cache instance that owns this authorizer, required in order to configure the default RestrictedMethodAuthorizer.
        allowedPatterns - the regular expressions that will be used to determine whether a method is authorized or not.
      • RegExMethodAuthorizer

        public RegExMethodAuthorizer(RestrictedMethodAuthorizer restrictedMethodAuthorizer,
                                     java.util.Set<java.lang.String> allowedPatterns)
        Creates a RegExMethodAuthorizer object and initializes it so it can be safely used in a multi-threaded environment.

        Parameters:
        restrictedMethodAuthorizer - the default RestrictedMethodAuthorizer to use.
        allowedPatterns - the regular expressions that will be used to determine whether a method is authorized or not.
    • Method Detail

      • getAllowedPatterns

        public java.util.Set<java.lang.String> getAllowedPatterns()
        Returns an unmodifiable view of the regular expressions used to configure this authorizer. This method can be used to get "read-only" access to the set containing the regular expressions that will be used to determine whether a method is allowed or not.
        Returns:
        an unmodifiable view of the regular expressions used to configure this authorizer.
      • authorize

        public boolean authorize(java.lang.reflect.Method method,
                                 java.lang.Object target)
        Executes the authorization logic to determine whether the method is allowed to be executed on the target object instance. If the target object is an instance of Region, this method also ensures that the user has the DATA:READ permission granted for the target Region.

        Specified by:
        authorize in interface MethodInvocationAuthorizer
        Parameters:
        method - the Method that should be authorized.
        target - the Object on which the Method will be executed.
        Returns:
        true if the method can be executed on the target instance, false otherwise.
        See Also:
        MethodInvocationAuthorizer