Monday, June 02, 2008

Security framework for C++ *Extend clients

Before Oracle Coherence v3.4 goes live (More on Brian Oliver's blog for a review of C++ APIs), a shortcut to integrate C++ clients is through JNI. JNI solution works like any other Java application as the requests are made to the grid through a JVM spawned from a C++ thread using JNI invocation API. Even though not required but typically C++ clients use Coherence *Extend technology. If your network is not reliable and prone to failures then Extend is a perfect solution to access a data grid. Coherence Extend is also an important approach to build a transparent fail-over to a DR cluster should the primary cluster goes down in case of a catastrophic failure. Besides unreliability of the network, if the environment is not safe and prone to malicious use of the grid then it is important to integrate a Security framework as well. Oracle Coherence has a built in support for security for Grid members and Extend clients. Extend security works different from a grid member security and requires some programming effort using Coherence APIs. Coherence supports Java security model and expects to have a valid Subject before a PrivilegedAction is run on it. JAAS will be a good framework to read. Once a valid Subject has been created, it can be used to run multiple privileged actions unless logged out.
The Coherence data grid uses Java's security framework to retrieve and validate the Subject when its resource is accessed. The way it does is a bit novel as well. The grid uses an obfuscated redirection to a custom NamedCache that validates if the user is allowed to use its resource. This internal redirection is hidden from the *Extend clients. It is important to make sure that which ever way is the obfuscation done is done strongly. Even though this is not a fool proof solution and can be broken but then no security solution is. More creative you are better the obfuscation will be - at the cache and code level.

No comments: