Geode/GemFire/PCC error - No security credentials are provided

Question

I've a springboot app hosted on PCF trying to connect to PCC(pivotal cloud cache). I've spinned up a PCC instance and binded it to my app and pushed the app to cloud foundry. I've added all the required gemfire starter dependencies to springboot and it appears like it was able to read the locator and server information from VCAP_SERVICES. But, I see the following error on spring boot app startup.

Error prefilling connections : org.apache.geode.security.AuthenticationRequiredException: No security credentials are provided
org.apache.geode.security.AuthenticationRequiredException: No security credentials are provided
at org.apache.geode.internal.cache.tier.sockets.Handshake.readMessage(Handshake.java:320)


Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.geode.cache.Region]: Failed to create Region for cache [TestRegion]; nested exception is org.apache.geode.security.AuthenticationRequiredException: No security credentials are provided

Here are my dependencies list

        <dependency>
            <groupId>org.springframework.geode</groupId>
            <artifactId>spring-gemfire-starter</artifactId>
            <version>1.2.6.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-gemfire</artifactId>
            <version>2.2.1.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>javax.cache</groupId>
            <artifactId>cache-api</artifactId>
            <scope>compile</scope>
        </dependency>

        <dependency>
            <groupId>io.pivotal.gemfire</groupId>
            <artifactId>geode-core</artifactId>
            <version>9.5.4</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>io.pivotal.gemfire</groupId>
            <artifactId>geode-common</artifactId>
            <version>9.5.4</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>io.pivotal.gemfire</groupId>
            <artifactId>geode-cq</artifactId>
            <version>9.5.4</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>io.pivotal.gemfire</groupId>
            <artifactId>geode-lucene</artifactId>
            <version>9.5.4</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>io.pivotal.gemfire</groupId>
            <artifactId>geode-wan</artifactId>
            <version>9.5.4</version>
            <scope>compile</scope>
        </dependency>

@Configuration
@ClientCacheApplication(name = "Test", logLevel = "info")
@EnableCachingDefinedRegions(
    clientRegionShortcut = ClientRegionShortcut.PROXY,
    serverRegionShortcut = RegionShortcut.REPLICATE_HEAP_LRU)
@EnableClusterAware
@EnablePdx
public class CloudConfiguration {}

I believe, Springboot gemfire starter dependency that I have is good enough to read the security creds automatically from the VCAP_SERVICES without any manual effort. But, I see its not picking up the creds, not sure why after having all the dependencies below. Can someone help? Thanks

Answer 1

Ok...

First, see my answer to your last SO post concerning your application dependencies. Properly declaring application dependencies was the central theme in my answer.

Next, nothing in Spring Data GemFire (SDG) itself is going to handle Authentication "auto-magically" in a managed environment, like PCF, when using PCC. For that, you absolutely need Spring Boot for Apache Geode or Pivotal GemFire (SBDG) and in your case, ".. for Pivotal GemFire", and technically, the org.springframework.geode:spring-gemfire-starter dependency, which is the only dependency you need. Make sure you align the versions as I instructed in the previous post.

Based on your configuration above, you explicitly "overrode" the client Security configuration, and auto-configuration provided by SBDG since you explicitly declared the @ClientCacheApplication annotation on your CloudConfiguration class.

Why?

Well, once again, this is a GemFire/Geode thing, not a Spring thing, but "Security" in all its forms involving GemFire/Geode (client/server, P2P, WAN, etc) must be properly configured and setup before the cache object is constructed and initialized.

If the cache object is provided by user/application configuration, already, then SBDG's auto-configuration for GemFire/Geode client Security will not be applied. See here (and, well, here).

Technically, this has to do with the fact that GemFire/Geode "Security configuration" is almost entirely configured via GemFire/Geode properties. These properties must be declared/set before the cache is constructed since they are passed to the cache creation on startup. If they are not provided, then the Security configuration will not apply. It does not matter if you supply the Security properties later, at runtime, either, with or without Spring (for example, by simply using the GemFire/Geode API directly), the result is the same!

GemFire/Geode has a very specific order for initializing things: Auth, TLS/SSL, memory management, this, that, which is why the SBDG auto-configuration has been carefully crafted to make sure the proper initialization sequence is followed.

Additionally, whether using SDG's configuration annotations (explicitly) or not, rather declaring explicit beans in the Spring context using JavaConfig, the effect is the same, since the SDG configuration annotations are implicitly declaring those beans for you, which results in "overriding" the auto-configuration provided by Spring Boot, and SBDG in particular.

This works the same wether it is GemFire/Geode or not. If you explicitly declare a SQL DataSource bean, then you are telling Boot to override the provided DataSource when you have an embedded database (H2 or HSQL) on your application classpath.

The concept is, "convention over configuration" (by simply declaring dependencies on your application classpath to enable features auto-magically), but also to get out of the way quickly when your application requirements diverge from the defaults and you must declare a bean definition of a specific type explicitly in order to alter the configuration per your application requirements, which necessarily disables the auto-config provided by Spring Boot, otherwise, you'd have ambiguous and/or conflicting configuration (i.e. which is it). The Spring Framework, in general, does not allow that even.

Again, remove @ClientCacheApplication and @EnablePdx. You don't need them with SBDG. However, it is the @ClientCacheApplication annotation that is causing you issues here.

In summary, all of this has been thoroughly explained in detail in the reference documentation:

1. Chapter 5 - Auto-configuration
2. Chapter 6 - Declarative Configuration
3. Chapter 7 - Externalized Configuration (with configuration meta-data reference in the Appendix).

Especially pay attention to Overriding Auto-configuration in Chapter 4.

Hope this helps!