List of usage examples for org.apache.hadoop.security.authentication.client KerberosAuthenticator AUTHORIZATION
String AUTHORIZATION
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
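/**
 * Enforces the Kerberos SPNEGO authentication sequence, returning an
 * {@link AuthenticationToken} only after the sequence has completed successfully.
 *
 * <p>If the {@code KerberosAuthenticator.AUTHORIZATION} header is absent or does not
 * start with {@code KerberosAuthenticator.NEGOTIATE}, the response is set to
 * {@code SC_UNAUTHORIZED} with a {@code KerberosAuthenticator.WWW_AUTHENTICATE}
 * challenge and {@code null} is returned.
 *
 * @param request the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token if the Kerberos SPNEGO sequence is complete
 *     and valid, {@code null} if it is in progress (in this case the handler
 *     handles the response to the client).
 * @throws IOException thrown if an IO error occurred inside the privileged action.
 * @throws AuthenticationException thrown if the Kerberos SPNEGO sequence failed.
 */
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
        throws IOException, AuthenticationException {
    final String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);

    if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
        // No usable SPNEGO header: challenge the client and report "in progress".
        response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (authorization == null) {
            LOG.trace("SPNEGO starting for url: {}", request.getRequestURL());
        } else {
            // The header carries client credentials for whatever scheme was sent
            // (a password for Basic, a token for Bearer). Log the scheme name only,
            // never the full value, so credentials do not end up in log files.
            final int schemeEnd = authorization.indexOf(' ');
            final String scheme = schemeEnd > 0 ? authorization.substring(0, schemeEnd) : "<no scheme>";
            LOG.warn("'{}' does not start with '{}' : scheme={}",
                    KerberosAuthenticator.AUTHORIZATION, KerberosAuthenticator.NEGOTIATE, scheme);
        }
        return null;
    }

    // Strip the scheme prefix; what remains is the base64-encoded SPNEGO token.
    final String encodedToken = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
    final Base64 base64 = new Base64(0); // line length 0: no chunking
    final byte[] clientToken = base64.decode(encodedToken);

    try {
        final String serverPrincipal = KerberosUtil.getTokenServerName(clientToken);
        // The principal name is taken from the client-supplied token, so it is
        // checked before being used to select the server-side credentials.
        if (!serverPrincipal.startsWith("HTTP/")) {
            throw new IllegalArgumentException(
                    "Invalid server principal " + serverPrincipal + " decoded from client request");
        }
        return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
            @Override
            public AuthenticationToken run() throws Exception {
                return runWithPrincipal(serverPrincipal, clientToken, base64, response);
            }
        });
    } catch (PrivilegedActionException ex) {
        // Unwrap so callers see the IOException raised inside the privileged action.
        if (ex.getException() instanceof IOException) {
            throw (IOException) ex.getException();
        }
        throw new AuthenticationException(ex.getException());
    } catch (Exception ex) {
        throw new AuthenticationException(ex);
    }
}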
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
/** * A parallel implementation to getTokenFromCookies, this handles * javax.ws.rs.core.HttpHeaders.Cookies kind. * * Used in {@link org.apache.zeppelin.rest.LoginRestApi}::getLogin() * * @param cookies - Cookie(s) map read from HttpHeaders * @return {@link KerberosToken} if available in AUTHORIZATION cookie * * @throws org.apache.shiro.authc.AuthenticationException *///from w w w.java 2 s.co m public static KerberosToken getKerberosTokenFromCookies(Map<String, javax.ws.rs.core.Cookie> cookies) throws org.apache.shiro.authc.AuthenticationException { KerberosToken kerberosToken = null; String tokenStr = null; if (cookies != null) { for (javax.ws.rs.core.Cookie cookie : cookies.values()) { if (cookie.getName().equals(KerberosAuthenticator.AUTHORIZATION)) { tokenStr = cookie.getValue(); if (tokenStr.isEmpty()) { throw new org.apache.shiro.authc.AuthenticationException("Empty token"); } try { tokenStr = tokenStr.substring(KerberosAuthenticator.NEGOTIATE.length()).trim(); } catch (Exception ex) { throw new org.apache.shiro.authc.AuthenticationException(ex); } break; } } } if (tokenStr != null) { try { AuthenticationToken authToken = AuthenticationToken.parse(tokenStr); boolean match = verifyTokenType(authToken); if (!match) { throw new org.apache.shiro.authc.AuthenticationException("Invalid AuthenticationToken type"); } if (authToken.isExpired()) { throw new org.apache.shiro.authc.AuthenticationException("AuthenticationToken expired"); } kerberosToken = new KerberosToken(authToken.getUserName(), tokenStr); } catch (AuthenticationException ex) { throw new org.apache.shiro.authc.AuthenticationException(ex); } } return kerberosToken; }