How to Log Client Information from the Server Side during the Authentication

Article ID: 294293


Products

VMware Tanzu Gemfire

Issue/Introduction

Some customers need to log the client's IP address on the server side during authentication and authorization in order to comply with their company's security policies.

Environment


Cause

GemFire 9.x authentication/authorization leverages Apache Shiro. It extends the UsernamePasswordToken interface, but so far it does not extend the HostAuthenticationToken interface, which retains the host information of the client from which the authentication attempt originates.

Resolution

The following steps pass client information, such as the IP address, from the client's AuthInitialize module to the server as a credentials property:

Step 1:
Add the client IP address as a property in the getCredentials method of the client's AuthInitialize implementation.

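Example:
import java.util.Properties;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationFailedException;

public class ClientAuthInitialize implements AuthInitialize {
  // ......
  private static final String USER_NAME = "security-username";
  private static final String PASSWORD = "security-password";
  private static final String CLIENTIP = "security-clientip";

  @Override
  public Properties getCredentials(Properties securityProps) throws AuthenticationFailedException {
    Properties credentials = new Properties();
    String userName = securityProps.getProperty(USER_NAME);
    // Must be set in the client's security properties: setProperty below rejects a null value
    String clientIPAddress = securityProps.getProperty(CLIENTIP);
    // ......
    credentials.setProperty(USER_NAME, userName);
    // INSECURE_PASSWORD_FOR_EVERY_USER is defined in a part of the class not shown here
    credentials.setProperty(PASSWORD, INSECURE_PASSWORD_FOR_EVERY_USER);
    // Sent to the server together with the user name and password
    credentials.setProperty(CLIENTIP, clientIPAddress);
    return credentials;
  }
  // ......
}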

Step 2:
Retrieve the IP property in the SecurityManager's authenticate method on the server side.
Example:
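import java.util.Properties;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.SecurityManager;

public class SimpleSecurityManager implements SecurityManager {
  // ......
  @Override
  public Object authenticate(final Properties credentials) throws AuthenticationFailedException {
    String username = credentials.getProperty("security-username");
    String password = credentials.getProperty("security-password");
    // Supplied by the client's AuthInitialize implementation from Step 1
    String clientip = credentials.getProperty("security-clientip");

    logger.info("SimpleSecurityManager: successfully obtained credentials for user " + username);
    // Writes the clear-text password to the server log; kept only to match the Step 3 output
    logger.info("SimpleSecurityManager: successfully obtained credentials for password " + password);
    logger.info("SimpleSecurityManager: successfully obtained credentials for clientip " + clientip);
    // Credential validation is not shown in this excerpt; the returned object is the principal
    return username;
  }
  // ......
}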

Step 3:
Confirm that entries like the following appear in the cacheserver log when a GemFire client attempts to authenticate with the GemFire cluster.

[info 2018/07/02 13:19:44.531 CST server1 <ServerConnection on port 7901 Thread 0> tid=0x4f] SimpleSecurityManager: successfully obtained credentials for user admin

[info 2018/07/02 13:19:44.531 CST server1 <ServerConnection on port 7901 Thread 0> tid=0x4f] SimpleSecurityManager: successfully obtained credentials for password 123

[info 2018/07/02 13:19:44.531 CST server1 <ServerConnection on port 7901 Thread 0> tid=0x4f] SimpleSecurityManager: successfully obtained credentials for clientip 172.16.196.182
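
The following is an added example, not part of the original article or of AuthenticationExample.zip. Because `security-clientip` is filled in by the client, the server can only treat it as a claim, so the hypothetical helper `ClientIpAudit` (class and method names are assumptions) accepts only IP-shaped values, neutralizes control characters in the user name, and leaves the password out of the line that `authenticate` would pass to `logger.info`.

```java
import java.util.Properties;
import java.util.regex.Pattern;

/** Added example: builds the audit line for one authentication attempt. */
public class ClientIpAudit {
  // Property names used in Steps 1 and 2.
  static final String USER_NAME = "security-username";
  static final String CLIENTIP = "security-clientip";

  // IPv4 dotted quad with each octet in 0-255.
  private static final Pattern IPV4 = Pattern.compile(
      "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");
  // IPv6-shaped literal: hex digits, ':' and '.', at least one ':', at most 45 characters.
  private static final Pattern IPV6_SHAPE = Pattern.compile("(?=.*:)[0-9A-Fa-f:.]{2,45}");

  /** Returns the value if it looks like an IP literal, otherwise a fixed marker. */
  static String safeClientIp(String raw) {
    if (raw == null || raw.isEmpty()) return "<missing>";
    if (IPV4.matcher(raw).matches() || IPV6_SHAPE.matcher(raw).matches()) return raw;
    return "<rejected, length " + raw.length() + ">"; // never echo the raw value
  }

  /** Replaces control characters so a user name cannot start a new log line. */
  static String safeUser(String raw) {
    return raw == null ? "<missing>" : raw.replaceAll("\\p{Cntrl}", "_");
  }

  /** One line per attempt; the password is deliberately not part of it. */
  static String auditLine(Properties credentials) {
    return "authentication attempt user=" + safeUser(credentials.getProperty(USER_NAME))
        + " client-reported-ip=" + safeClientIp(credentials.getProperty(CLIENTIP));
  }

  public static void main(String[] args) {
    Properties ok = new Properties(); // constructed sample input
    ok.setProperty(USER_NAME, "admin");
    ok.setProperty(CLIENTIP, "172.16.196.182");
    System.out.println(auditLine(ok));

    Properties forged = new Properties(); // constructed: value carries a line break and extra text
    forged.setProperty(USER_NAME, "admin");
    forged.setProperty(CLIENTIP, "10.0.0.1\n[info] SimpleSecurityManager: clientip 10.0.0.2");
    System.out.println(auditLine(forged));
  }
}
```

In the SecurityManager from Step 2, the three `logger.info` calls would be replaced by a single `logger.info(ClientIpAudit.auditLine(credentials))`.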


Additional Information

A sample implementation is provided for reference in AuthenticationExample.zip, which contains the following files:

├── client
│   ├── ClientAuthExample.java      <--- Client's AuthInitialize implementation
│   └── ClientExampleAuthInit.java  <--- A simple client
└── server
    └── SimpleSecurityManager.java  <--- SecurityManager implementation

Attachments

AuthenticationExample