I've got a Geode system going with locator, server, 2 local native clients, a remote client and HTTPS REST clients.

We now need to further authenticate the REST clients to include username and password checks on REST actions, which means setting up authentication here and here. We set up a security.json and the ExampleSecurityManager handles the authenticated REST HTTPS requests fine.

Setting up the authentication means that local and remote native clients using TCP also require authentication. So I implemented the AuthInitialize example locally and got these clients to connect to the server, and they run fine too.

However, there's an issue that after a few minutes the clients (both local and remote) lose their connections to the Geode server with the (client) error:

Handshake rejected by server[#.#.#.#:40404]: A previous connection attempt from this client is still being processed: identity(0.0.0.0(MyGeodeClient:3116:loner)

I set the Server logs to finest and get the warnings that:

[finest BST GeodeServer <ServerConnection on port 40404 Thread 24> tid=0xa4] Server connection from [identity(0.0.0.0(MyGeodeClient:3116:loner):2:GFNative_k350A9imTd3116:MyGeodeClient,connection=1; port=57098] received USER_CREDENTIAL_MESSAGE with txid -1

ClientHealthMonitor: Received ping from client with member id identity(0.0.0.0(MyGeodeClient:3116:loner):2:GFNative_k350A9imTd3116:MyGeodeClient,connection=1

Then a lot of attempting to get session; create = false; session is null = true; session has id = false

and then This org.apache.shiro.mgt.DefaultSecurityManager instance does not have a [org.apache.shiro.mgt.RememberMeManager] instance configured. RememberMe services will not be performed for account [test].

and finally

A previous connection attempt from this client is still being processed: identity(0.0.0.0(MyGeodeClient:3116:loner):2:GFNative_k350A9imTd3116:MyGeodeClient,connection=1

[warning BST GeodeServer <Handshaker /#.#.#.#:40404 Thread 0> tid=0x53] CacheClientNotifier: Unsuccessfully registered client with identifier identity(0.0.0.0(MyGeodeClient:3116:loner):2:GFNative_k350A9imTd3116:MyGeodeClient,connection=1

Basically this situation is repeating itself, and then the subscription event handlers fail because they don't get event notifications.

If I reduce the Geode Server logs to info, then the warning

Unsuccessfully registered client with identifier identity(0.0.0.0(MyGeodeClient:3116:loner):2:GFNative_k350A9imTd3116:MyGeodeClient,connection=1

repeats numerous times...

Any pointers please? Is there a way to enable REST authentication without enabling the native client TCP authentication? THANKS

rupweb

1 Answer

For your last question: "Is there a way to enable REST authentication without enabling the native client authentication", the answer is no. When you have security set up in your cluster, it should protect your data from all communication channels. If we allow you to disable one, that would leave your cluster vulnerable.

As far as the error messages you are seeing, it looks like the Shiro session is timing out. Which version of Geode are you using? We fixed the session timeout issue some time ago.

jliao
  • Thanks. Could it be there's a way to set up Shiro "remember me" and then the session wouldn't time out? The Geode version is 1.2.0, so we can upgrade to 1.2.1. And lastly, while I get the point about secure all, there's a bit of a difference between HTTPS REST clients outside the network and TCP native clients inside the network. We don't know all the former but we do know the latter as secured within the network. I guess we can rely on network security? Hmmm – rupweb Oct 04 '17 at 22:54
  • If it's 1.2.0 you are using, it should already have that fix and this won't be a timeout issue. Something else must be going on. Have you tried with the Java client? – jliao Oct 05 '17 at 05:26
  • It looks like the client already has an active proxy in the server and is trying to create a new one. – jliao Oct 05 '17 at 15:49
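
An added example, not part of the original thread and not Geode tooling: a small Python triage script that counts, per client identity, the two server messages quoted in the question, so a client stuck in the rejected-handshake loop stands out from a one-off failure. The sample log, the 192.0.2.10 address, the `OtherClient:4220` identity, the `GFNative_sample` suffix and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Message texts copied from the log lines quoted in the question.
FAIL = ("[warning BST GeodeServer <Handshaker /192.0.2.10:40404 Thread 0> tid=0x53] "
        "CacheClientNotifier: Unsuccessfully registered client with identifier ")
PENDING = "A previous connection attempt from this client is still being processed: "

def _identity(name, pid):
    # Same shape as the identity(...) string in the question; the suffix is constructed.
    return f"identity(0.0.0.0({name}:{pid}:loner):2:GFNative_sample{pid}:{name},connection=1"

# Constructed sample: one client looping three times, one client failing once.
SAMPLE_LOG = "\n".join(
    [PENDING + _identity("MyGeodeClient", 3116), FAIL + _identity("MyGeodeClient", 3116)] * 3
    + [FAIL + _identity("OtherClient", 4220),
       "[info BST GeodeServer <main> tid=0x1] constructed unrelated line"]
)

MARKERS = {
    "rejected_pending": "A previous connection attempt from this client is still being processed",
    "registration_failed": "Unsuccessfully registered client with identifier",
}
# Pulls the client name and process id out of identity(host(name:pid:...
CLIENT_RE = re.compile(r"identity\([^()]+\((?P<name>[^:()]+):(?P<pid>\d+)")

def count_failures(log_text):
    """Return {"name:pid": Counter(marker -> hits)} for lines carrying a marker."""
    per_client = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        client = f"{m['name']}:{m['pid']}"
        for label, text in MARKERS.items():
            if text in line:
                per_client.setdefault(client, Counter())[label] += 1
    return per_client

def looping_clients(log_text, threshold=3):
    """Clients whose registration failed at least `threshold` times."""
    return sorted(c for c, hits in count_failures(log_text).items()
                  if hits["registration_failed"] >= threshold)

if __name__ == "__main__":
    for client, hits in count_failures(SAMPLE_LOG).items():
        print(client, dict(hits))
    print("looping:", looping_clients(SAMPLE_LOG))
```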