Sample code for Hazelcast Client Login Security implemented with JAAS. There are 3 classes.
This example simulates a back-end security authorisation and authentication process for a client connecting into a Hazelcast cluster and manipulating a map.
Sets a UserNamePasswordCredentials class on the Client Config and then connects to the Member.
In this class it creates 2 independent client connections to the running Member. One connects as an admin user and performs a PUT operation on "ImportantMap"; the second client connection is set up as a read-only user and tries to perform the same PUT operation, which throws an exception.
This is a Hazelcast cluster member that is initialised with the hazelcast.xml file.
Within the hazelcast.xml we have defined some security properties.
- We have defined our own LoginModule, called ClientLoginModule, to be executed when a client first connects.
- We have defined some permissions on the map importantMap for 2 different groups, readOnlyGroup and adminGroup. These groups are assigned to the client session in the LoginModule. You'll see that adminGroup has PUT rights on the map whilst readOnlyGroup does not.

```xml
<security enabled="true">
    <client-login-modules>
        <login-module class-name="com.craftedbytes.hazelcast.security.ClientLoginModule" usage="required">
            <properties>
                <property name="lookupFilePath">value3</property>
            </properties>
        </login-module>
    </client-login-modules>
    <client-permissions>
        <map-permission name="importantMap" principal="readOnlyGroup">
            <actions>
                <action>create</action>
                <action>read</action>
            </actions>
        </map-permission>
        <map-permission name="importantMap" principal="adminGroup">
            <actions>
                <action>create</action>
                <action>destroy</action>
                <action>put</action>
                <action>read</action>
            </actions>
        </map-permission>
    </client-permissions>
</security>
<map name="importantMap"/>
```
Be sure to start this up with the Enterprise key as described in the Requirements section below.
This is executed on the Member when the Client connects. This class implements the javax.security.auth.spi.LoginModule interface.
This class is an example of what you should implement yourself to perform authentication operations against your security back-end of choice (KERBEROS, LDAP, ACTIVE DIRECTORY etc.).
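As an added illustration (not the project's ClientLoginModule), the following shows the shape of such a JAAS module: it obtains the username and password through callbacks, checks them against a constructed in-memory user table in constant time, and only on commit() attaches a group principal named adminGroup or readOnlyGroup to the Subject. It assumes the CallbackHandler supplied by Hazelcast serves the standard NameCallback/PasswordCallback, and how the GroupPrincipal name is matched against `principal="..."` in hazelcast.xml is an assumption that depends on the Hazelcast version in use.

```java
package com.craftedbytes.hazelcast.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SampleClientLoginModule implements LoginModule {
    // Constructed in-memory user store (username -> {password, group}); a real module queries LDAP/AD/Kerberos.
    private static final Map<String, String[]> USERS = Map.of(
            "admin",  new String[]{"admin-secret",  "adminGroup"},
            "reader", new String[]{"reader-secret", "readOnlyGroup"});

    /** Group principal; its name is intended to match principal="..." in hazelcast.xml (matching is version-specific). */
    public record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }

    private Subject subject;
    private CallbackHandler handler;
    private GroupPrincipal pending;   // resolved in login(), attached to the Subject only in commit()

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // options carries the <property> entries from hazelcast.xml, e.g. options.get("lookupFilePath")
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try { handler.handle(new Callback[]{nameCb, pwCb}); }
        catch (Exception e) { throw new LoginException("credentials unavailable"); }
        String[] entry = USERS.get(nameCb.getName());
        char[] given = pwCb.getPassword() == null ? new char[0] : pwCb.getPassword();
        byte[] expected = (entry == null ? "" : entry[0]).getBytes(StandardCharsets.UTF_8);
        // Constant-time compare; unknown user and wrong password produce the same error so nothing leaks
        boolean ok = entry != null && MessageDigest.isEqual(expected, new String(given).getBytes(StandardCharsets.UTF_8));
        pwCb.clearPassword();
        if (!ok) throw new FailedLoginException("invalid credentials");
        pending = new GroupPrincipal(entry[1]);
        return true;
    }

    @Override public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
    @Override public boolean abort()  { pending = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof GroupPrincipal); return true; }
}
```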
The example requires an Enterprise Hazelcast key, as we are using JAAS security features that are only available in the Enterprise version of Hazelcast. You can obtain this key via an Enterprise Agreement or by using a 30 day trial key, which you can apply for here...
Once you have the key you will need to start the MEMBER Java Process with the following VM switch...
It is recommended to read the following guide to Authentication using JAAS...
Also please take a look at the Hazelcast Documentation on JAAS Security...