This is a collection of examples that show how to use the security features of Coherence to provide access control.
The examples are simplified to show only the security features of Coherence. They are not examples of security best practices. The examples are:
Password Example - Shows how a Coherence Proxy can require a password to access a cache.
Access Control Example - Shows simplified role-based access control for cache and invocation service operations.
Password Identity Transformer - Creates a custom security token that contains the required password, the user-id and the list of the user's roles (Principal names).
Password Identity Asserter - Asserts that the security token contains the required password and then constructs a Subject from the user-id and the list of Principal names.
Entitled Cache Service, Entitled Invocation Service, Entitled Named Cache - Wrap the proxy-side cache service, invocation service and named cache so that every operation is access-checked.
Next, review the information on the Driver implementation:
The Driver
The Driver has a static main method that executes all the security examples in the following order:
PasswordExample
AccessControlExample.accessCache()
AccessControlExample.accessInvocationService()
The Driver is implemented in each of the three programming languages supported by Coherence:
Language   Implementation Class
Java       com.tangosol.examples.security.Driver in java/src
.NET       Driver in namespace Tangosol.Examples.Security in dotnet/src/security
C++        Driver in namespace coherence::examples in cpp/security
Refer to the example source of this example set for more details on each of the examples outlined below.
Password Example
This example shows how a Coherence Proxy can require a password to get a reference to a cache.
Implementation Class:
com.tangosol.examples.security.PasswordExample in java/src
The code logs in to get a Subject, and then tries to get a cache reference running in the context of the Subject.
The PasswordIdentityTransformer will generate a security token that contains the password. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password. The token generation and
validation occurs automatically when a connection to the proxy is made.
Implementation Class:
PasswordExample in namespace Tangosol.Example.Security in dotnet/src/security
The code logs in to get a Principal, and then tries to get a cache reference running in the context of the Principal by
making the Principal the Thread's current principal.
The PasswordIdentityTransformer will generate a security token that contains the password. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password. The token generation and
validation occurs automatically when a connection to the proxy is made.
Implementation Class:
AccessExample in namespace coherence::examples in cpp/security
The code logs in to get a Subject, and then tries to get a cache reference running in the context of the Subject.
The PasswordIdentityTransformer will generate a security token that contains the password. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password. The token generation and
validation occurs automatically when a connection to the proxy is made.
Example output:
------password example begins------
------password example succeeded------
------password example completed------
Access Control Example
This example shows simplified role-based access control.
Implementation Class:
com.tangosol.examples.security.AccessControlExample in java/src
The code logs in to get a Subject with a user-id with a particular role, gets a cache reference running in the context of the Subject,
and then tries cache operations. Depending on the role granted to the user, the cache operation is allowed or denied.
Someone with a "writer" role is allowed to put and get. Someone with a "reader" role can get but not put. Someone with a "writer" role
cannot destroy a cache. Someone with an "admin" role can destroy a cache.
Then a user with a particular role tries to use the invocation service. A "reader" is not allowed to invoke, but a "writer" is allowed.
Note that once the cache or invocation service reference is created in the context of a Subject, that identity is permanently associated
with that reference. Any use of that cache or service reference is on behalf of that identity.
The PasswordIdentityTransformer will generate a security token that contains the password, the user-id, and the roles. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password, and construct a Subject with the proper user-id and roles.
The production and assertion of the security token happens automatically.
Implementation Class:
AccessControlExample in namespace Tangosol.Example.Security in dotnet/src/security
The code logs in to get a Principal with a user-id with a particular role, gets a cache reference running in the context of the Principal,
and then tries cache operations. Depending on the role granted to the user, the cache operation is allowed or denied.
Someone with a "writer" role is allowed to put and get. Someone with a "reader" role can get but not put. Someone with a "writer" role
cannot destroy a cache. Someone with an "admin" role can destroy a cache.
Then a user with a particular role tries to use the invocation service. A "reader" is not allowed to invoke, but a "writer" is allowed.
Note that once the cache or invocation service reference is created in the context of a Principal, that identity is permanently associated
with that reference. Any use of that cache or service reference is on behalf of that identity.
The PasswordIdentityTransformer will generate a security token that contains the password, the user-id, and the roles. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password, and construct a Subject with the proper user-id and roles.
The production and assertion of the security token happens automatically.
Implementation Class:
AccessControlExample in namespace coherence::examples in cpp/security
The code logs in to get a Subject with a user-id with a particular role, gets a cache reference running in the context of the Subject,
and then tries cache operations. Depending on the role granted to the user, the cache operation is allowed or denied.
Someone with a "writer" role is allowed to put and get. Someone with a "reader" role can get but not put. Someone with a "writer" role
cannot destroy a cache. Someone with an "admin" role can destroy a cache.
Then a user with a particular role tries to use the invocation service. A "reader" is not allowed to invoke, but a "writer" is allowed.
Note that once the cache or invocation service reference is created in the context of a Subject, that identity is permanently associated
with that reference. Any use of that cache or service reference is on behalf of that identity.
The PasswordIdentityTransformer will generate a security token that contains the password, the user-id, and the roles. The PasswordIdentityAsserter
(running in the proxy) will validate the security token to enforce the password, and construct a Subject with the proper user-id and roles.
The production and assertion of the security token happens automatically.
------cache access control example begins------
Success: read and write allowed
Success: read allowed
Success: Correctly cannot write
Success: Correctly cannot destroy the cache
Success: Correctly allowed to destroy the cache
------cache access control example completed------
------InvocationService access control example begins------
Success: Correctly allowed to use the invocation service
Success: Correctly unable to use the invocation service
------InvocationService access control example completed------
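The point the three language sections above make, that the identity is captured when the cache reference is obtained and stays bound to that reference, is easy to get wrong in client code. The following Java client is an added example, not the AccessControlExample from the example set: it obtains two references to the same cache under two different Subjects, then uses them outside any doAs block and checks that the proxy denies exactly the operations the roles forbid. The cache name, the login helper, the RolePrincipal class and the use of the JDK's com.sun.security.auth.UserPrincipal are assumptions standing in for the example set's own login and helper; which roles the proxy grants is decided there by its asserter and entitled wrappers, not by this client.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import com.sun.security.auth.UserPrincipal;   // JDK class, stands in for the example set's user principal
import com.tangosol.net.CacheFactory;
import com.tangosol.net.NamedCache;

public class BoundIdentityClient {
    /** Role principal of assumed shape; the example set defines its own. */
    static final class RolePrincipal implements Principal {
        private final String role;
        RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
    }

    /** Assumed stand-in for the example set's login: builds a Subject with a user-id and one role.
     *  The client's IdentityTransformer turns these principals into the security token. */
    static Subject login(String userId, String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(userId));
        s.getPrincipals().add(new RolePrincipal(role));
        return s;
    }

    /** Obtain the reference inside doAs: this is the moment the identity is captured. */
    @SuppressWarnings("unchecked")
    static NamedCache cacheAs(Subject subject, String cacheName) {
        return Subject.doAs(subject, (PrivilegedAction<NamedCache>) () -> CacheFactory.getCache(cacheName));
    }

    /** Run an operation the proxy is expected to reject; true if it was indeed rejected. */
    static boolean denied(String what, Runnable op) {
        try {
            op.run();
            System.out.println("FAILURE: " + what + " was allowed");
            return false;
        } catch (SecurityException e) {
            System.out.println("Success: Correctly cannot " + what);
            return true;
        }
    }

    public static void main(String[] args) {
        String cacheName = "example-cache";   // assumed cache name
        NamedCache asReader = cacheAs(login("alice", "reader"), cacheName);
        NamedCache asWriter = cacheAs(login("bob", "writer"), cacheName);

        // Identity is bound to the reference, not to the calling thread: these calls run
        // outside any doAs block and still reach the proxy as the identity that created them.
        asWriter.put("key", "value");
        asWriter.get("key");
        System.out.println("Success: read and write allowed");
        asReader.get("key");
        System.out.println("Success: read allowed");
        denied("write", () -> asReader.put("key", "other"));
        denied("destroy the cache", asWriter::destroy);

        // Consequence of the binding: a NamedCache reference must never be pooled or shared
        // across users; each user obtains its own reference under its own Subject.
    }
}
```

The denied() helper mirrors the "Success: Correctly cannot ..." lines of the example output: an operation that the proxy allows when it should not is reported as a failure rather than silently passing, which is the check a practitioner wants when changing the proxy-side rules.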
Password Identity Transformer
This example shows how an IdentityTransformer produces a security token from an identity.
Implementation Class:
com.tangosol.examples.security.PasswordIdentityTransformer in java/src
The code produces a security token that is an array of strings. The first string is the password. The second string is the user-id and
subsequent strings are the user's roles. Arrays of strings will be serialized by Coherence*Extend without requiring a custom serializer.
This class will be invoked automatically when the Extend client connects to a proxy or a channel is opened in an existing connection.
Implementation Class:
PasswordIdentityTransformer in namespace Tangosol.Example.Security in dotnet/src/security
The code produces a security token that is an array of strings. The first string is the password. The second string is the user-id and
subsequent strings are the user's roles. Arrays of strings will be serialized by Coherence*Extend without requiring a custom serializer.
This class will be invoked automatically when the Extend client connects to a proxy or a channel is opened in an existing connection.
Implementation Class:
PasswordIdentityTransformer in namespace coherence::examples in cpp/security
The code produces a security token that is an array of strings. The first string is the password. The second string is the user-id and
subsequent strings are the user's roles. Arrays of strings will be serialized by Coherence*Extend without requiring a custom serializer.
This class will be invoked automatically when the Extend client connects to a proxy or a channel is opened in an existing connection.
Password Identity Asserter
This example shows how an IdentityAsserter validates a security token and produces a Subject from a list of principal names.
Implementation Class:
com.tangosol.examples.security.PasswordIdentityAsserter in java/src
The code processes a security token that should be an array of strings. The first string must be the password. Subsequent strings are
principals. Any failure processing the token results in a SecurityException that will deny access to the proxy.
Implementation Class:
none
The PasswordIdentityAsserter runs only on the proxy (in Java), so it does not run in the .NET client. Therefore there is no PasswordIdentityAsserter for .NET.
Implementation Class:
none
The PasswordIdentityAsserter runs only on the proxy (in Java), so it does not run in the C++ client. Therefore there is no PasswordIdentityAsserter for C++.
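The two sections above (transformer and asserter) describe the two halves of one token exchange. The Java class below is an added example written for this page, not the PasswordIdentityTransformer or PasswordIdentityAsserter of the example set: it implements Coherence's IdentityTransformer and IdentityAsserter interfaces (com.tangosol.net.security) with the token layout the page describes, a String[] of password, user-id and roles, and its main method performs the round trip offline that the Extend handshake otherwise performs automatically. The package name, the fixed password and the UserPrincipal/RolePrincipal classes are assumptions; the example set uses its own helper for these.

```java
package com.example.security; // assumed package; the example set uses com.tangosol.examples.security

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import com.tangosol.net.Service;
import com.tangosol.net.security.IdentityAsserter;
import com.tangosol.net.security.IdentityTransformer;

public class SharedPasswordIdentity {
    // Assumed fixed shared secret. The page's design carries it inside the token as-is,
    // so the scheme is only as strong as the transport the token travels over.
    static final String PASSWORD = "secret";

    /** Client side: Subject -> String[] { password, user-id, role, role, ... }. */
    public static class Transformer implements IdentityTransformer {
        @Override
        public Object transformIdentity(Subject subject, Service service) throws SecurityException {
            if (subject == null) throw new SecurityException("not logged in: no Subject to transform");
            String user = null;
            List<String> roles = new ArrayList<>();
            for (Principal p : subject.getPrincipals()) {
                if (p instanceof UserPrincipal) user = p.getName();
                else if (p instanceof RolePrincipal) roles.add(p.getName());
            }
            if (user == null) throw new SecurityException("Subject carries no user principal");
            List<String> token = new ArrayList<>();
            token.add(PASSWORD);
            token.add(user);
            token.addAll(roles);
            return token.toArray(new String[0]);   // String[] needs no custom Extend serializer
        }
    }

    /** Proxy side: validate the token and rebuild the Subject, or deny the connection. */
    public static class Asserter implements IdentityAsserter {
        @Override
        public Subject assertIdentity(Object oToken, Service service) throws SecurityException {
            if (!(oToken instanceof String[])) throw new SecurityException("security token is not a String[]");
            String[] parts = (String[]) oToken;
            if (parts.length < 2 || parts[0] == null || parts[1] == null) {
                throw new SecurityException("malformed security token");
            }
            // Constant-time comparison: the time taken must not reveal how much of the password matched.
            byte[] given = parts[0].getBytes(StandardCharsets.UTF_8);
            byte[] expected = PASSWORD.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(given, expected)) throw new SecurityException("invalid password");
            Set<Principal> principals = new HashSet<>();
            principals.add(new UserPrincipal(parts[1]));
            for (int i = 2; i < parts.length; i++) principals.add(new RolePrincipal(parts[i]));
            // Read-only Subject: nothing running on the proxy can add principals to it later.
            return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
        }
    }

    /** Offline round trip of what the Extend connection handshake does automatically. */
    public static void main(String[] args) {
        Subject client = new Subject();
        client.getPrincipals().add(new UserPrincipal("alice"));
        client.getPrincipals().add(new RolePrincipal("writer"));
        Object token = new Transformer().transformIdentity(client, null);
        Subject onProxy = new Asserter().assertIdentity(token, null);
        System.out.println("asserted on proxy: " + onProxy.getPrincipals());
        try {
            new Asserter().assertIdentity(new String[] {"wrong-password", "alice", "admin"}, null);
            System.out.println("FAILURE: bad password accepted");
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
    }

    /** Minimal principal types (assumed; the example set defines its own). */
    public static final class UserPrincipal extends NamedPrincipal { public UserPrincipal(String n) { super(n); } }
    public static final class RolePrincipal extends NamedPrincipal { public RolePrincipal(String n) { super(n); } }
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return getClass().getSimpleName() + ":" + name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
    }
}
```

Two things to keep in mind with this layout, neither of which the example set claims to address: the roles in the token are asserted by the client, so the password only proves knowledge of a shared secret, not that the user is entitled to those roles, and a proxy that is meant to be trusted should look the roles up itself from the user-id; and the token crosses the network in the clear, so it only makes sense over a protected transport. Wiring: the transformer is named in the client's operational override under security-config/identity-transformer/class-name and the asserter in the proxy's under security-config/identity-asserter/class-name.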
Entitled Cache Service
This example shows how a remote cache service can be wrapped to provide access control.
Implementation Class:
com.tangosol.examples.security.EntitledCacheService in java/src
The code instantiates an EntitledNamedCache that provides access control for cache operations. The code also provides access control for the
cache service methods "release" and "destroy". The access control check is delegated to the SecurityExampleHelper.
This class will be instantiated automatically when the cache service is started on the proxy.
There is no .NET implementation. The class runs only on the proxy in Java.
There is no C++ implementation. The class runs only on the proxy in Java.
Entitled Invocation Service
This example shows how a remote invocation service can be wrapped to provide access control.
Implementation Class:
com.tangosol.examples.security.EntitledInvocationService in java/src
The code provides access control for the invocation service methods. The access control check is delegated to the SecurityExampleHelper.
This class will be instantiated automatically when the invocation service is started on the proxy.
There is no .NET implementation. The class runs only on the proxy in Java.
There is no C++ implementation. The class runs only on the proxy in Java.
Entitled Named Cache
This example shows how a remote named cache can be wrapped to provide access control.
Implementation Class:
com.tangosol.examples.security.EntitledNamedCache in java/src
The code provides access control for the NamedCache methods. The access control check is delegated to the SecurityExampleHelper.
This class will be instantiated automatically when the cache service is started on the proxy.
There is no .NET implementation. The class runs only on the proxy in Java.
There is no C++ implementation. The class runs only on the proxy in Java.
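The Entitled Cache Service and Entitled Named Cache sections above describe wrapping the real proxy-side cache so that each operation is checked against the caller's roles. The following Java class is an added example written for this page, not the example set's EntitledNamedCache or its SecurityExampleHelper: it builds the wrapper on Coherence's com.tangosol.net.cache.WrapperNamedCache and applies the rules stated in the Access Control Example (reader and writer may get, only writer may put, only admin may destroy). Assumptions: the proxy executes each request under the Subject produced by the IdentityAsserter, so that Subject is the current one on the calling thread; roles are RolePrincipal entries in it; and admin's read and write rights, which the page does not spell out, are not granted here.

```java
package com.example.security; // assumed package

import java.security.AccessController;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import com.tangosol.net.NamedCache;
import com.tangosol.net.cache.WrapperNamedCache;

/** Wraps the real NamedCache on the proxy and checks the caller's roles before delegating. */
@SuppressWarnings({"rawtypes", "unchecked"})
public class RoleCheckedNamedCache extends WrapperNamedCache {
    public static final String READER = "reader";
    public static final String WRITER = "writer";
    public static final String ADMIN  = "admin";

    public RoleCheckedNamedCache(NamedCache cache) {
        super(cache, cache.getCacheName());
    }

    // ---- the check itself (the example set delegates this to SecurityExampleHelper) ----

    /** Subject the proxy is running this request under. On Java 18 and later use Subject.current(). */
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    static boolean hasRole(Subject subject, String role) {
        if (subject == null) return false;
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    /** Deny unless the current Subject holds at least one of the listed roles. */
    static void require(String operation, String... anyOfRoles) {
        Subject subject = currentSubject();
        for (String role : anyOfRoles) {
            if (hasRole(subject, role)) return;
        }
        // Deliberately does not tell the client which role would have been needed.
        throw new SecurityException("access denied: " + operation);
    }

    // ---- guarded operations ----

    @Override public Object get(Object key)               { require("get", READER, WRITER); return super.get(key); }
    @Override public Object put(Object key, Object value) { require("put", WRITER); return super.put(key, value); }
    @Override public void   putAll(Map map)               { require("putAll", WRITER); super.putAll(map); }
    @Override public Object remove(Object key)            { require("remove", WRITER); return super.remove(key); }
    @Override public void   clear()                       { require("clear", WRITER); super.clear(); }
    @Override public void   destroy()                     { require("destroy", ADMIN); super.destroy(); }

    /** Role principal of assumed shape, matching what the asserter places in the Subject. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

The wrapper only guards the methods it overrides. A NamedCache has many other entry points that read or mutate data (entrySet and keySet views, invoke and invokeAll with an entry processor, aggregate, lock, addMapListener), and an entry processor submitted through invoke can write even though put is denied, so a wrapper used for real enforcement must cover every method, which is what "provides access control for the NamedCache methods" in the section above implies; the shortened list here is only to show the pattern.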