Example usage for org.apache.hadoop.security.authentication.client KerberosAuthenticator AUTHORIZATION

List of usage examples for org.apache.hadoop.security.authentication.client KerberosAuthenticator AUTHORIZATION

Introduction

In this page you can find the example usage for org.apache.hadoop.security.authentication.client KerberosAuthenticator AUTHORIZATION.

Prototype

String AUTHORIZATION


Document

HTTP header used by the SPNEGO client endpoint during an authentication sequence.

Usage

From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java

License:Apache License

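/**
 * Enforces the Kerberos SPNEGO authentication sequence, returning an
 * {@link AuthenticationToken} only after the sequence has completed
 * successfully.
 *
 * <p>If the request has no {@link KerberosAuthenticator#AUTHORIZATION} header, or
 * the header does not start with {@link KerberosAuthenticator#NEGOTIATE}, the
 * response is set to {@code 401} with a
 * {@link KerberosAuthenticator#WWW_AUTHENTICATE} challenge and {@code null} is
 * returned. The rejected header value is never written to the log, because it
 * may hold credentials for another authentication scheme.
 *
 * @param request  the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token if the Kerberos SPNEGO sequence is complete
 * and valid, <code>null</code> if it is in progress (in this case the handler
 * handles the response to the client).
 * @throws IOException             thrown if an IO error occurred.
 * @throws AuthenticationException thrown if Kerberos SPNEGO sequence failed.
 */
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
        throws IOException, AuthenticationException {
    final String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);

    if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
        // No usable SPNEGO token yet: send the Negotiate challenge and stop here.
        response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (authorization == null) {
            LOG.trace("SPNEGO starting for url: {}", request.getRequestURL());
        } else {
            // Deliberately log only the fact, not the header value: a header that
            // is not a Negotiate header can carry another scheme's credentials,
            // and those must not be persisted in log files.
            LOG.warn("'{}' does not start with '{}' (header value not logged)",
                    KerberosAuthenticator.AUTHORIZATION, KerberosAuthenticator.NEGOTIATE);
        }
        return null;
    }

    // Everything after the scheme name is the base64-encoded client token.
    final String encodedToken = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
    // NOTE(review): presumably commons-codec Base64, where a line length of 0
    // disables chunking; the same instance is handed to runWithPrincipal. Confirm.
    final Base64 base64 = new Base64(0);
    final byte[] clientToken = base64.decode(encodedToken);
    try {
        final String serverPrincipal = KerberosUtil.getTokenServerName(clientToken);
        // Only tokens issued for an HTTP service principal are accepted. The
        // IllegalArgumentException below is wrapped by the generic catch clause.
        if (!serverPrincipal.startsWith("HTTP/")) {
            throw new IllegalArgumentException(
                    "Invalid server principal " + serverPrincipal + " decoded from client request");
        }
        // Run the token exchange with the server's own credentials.
        return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
            @Override
            public AuthenticationToken run() throws Exception {
                return runWithPrincipal(serverPrincipal, clientToken, base64, response);
            }
        });
    } catch (PrivilegedActionException ex) {
        // Unwrap so that callers see the IOException they declared an interest in.
        if (ex.getException() instanceof IOException) {
            throw (IOException) ex.getException();
        }
        throw new AuthenticationException(ex.getException());
    } catch (Exception ex) {
        // Any other failure (malformed token, bad principal) is an authentication failure.
        throw new AuthenticationException(ex);
    }
}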

From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java

License:Apache License

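/**
 * A parallel implementation to getTokenFromCookies, this handles
 * javax.ws.rs.core.HttpHeaders.Cookies kind.
 *
 * Used in {@link org.apache.zeppelin.rest.LoginRestApi}::getLogin()
 *
 * <p>The cookie named {@link KerberosAuthenticator#AUTHORIZATION} must start with
 * {@link KerberosAuthenticator#NEGOTIATE}; the remainder is parsed as an
 * {@link AuthenticationToken}, which must pass {@code verifyTokenType} and must
 * not be expired.
 *
 * @param cookies - Cookie(s) map read from HttpHeaders, may be {@code null}
 * @return {@link KerberosToken} if available in AUTHORIZATION cookie,
 * {@code null} if the map is {@code null} or holds no such cookie
 *
 * @throws org.apache.shiro.authc.AuthenticationException if the cookie is empty,
 * lacks the expected prefix, cannot be parsed, has the wrong type or is expired
 */
public static KerberosToken getKerberosTokenFromCookies(Map<String, javax.ws.rs.core.Cookie> cookies)
        throws org.apache.shiro.authc.AuthenticationException {
    String tokenStr = null;
    if (cookies != null) {
        for (javax.ws.rs.core.Cookie cookie : cookies.values()) {
            if (!KerberosAuthenticator.AUTHORIZATION.equals(cookie.getName())) {
                continue;
            }
            final String cookieValue = cookie.getValue();
            // A cookie without a value is treated like an empty one instead of
            // failing with a NullPointerException.
            if (cookieValue == null || cookieValue.isEmpty()) {
                throw new org.apache.shiro.authc.AuthenticationException("Empty token");
            }
            // Cookies are client-controlled: check the prefix explicitly rather than
            // cutting off a fixed number of characters from whatever was sent. The
            // message omits the cookie value so it cannot leak into logs.
            if (!cookieValue.startsWith(KerberosAuthenticator.NEGOTIATE)) {
                throw new org.apache.shiro.authc.AuthenticationException(
                        "Token does not start with '" + KerberosAuthenticator.NEGOTIATE + "'");
            }
            tokenStr = cookieValue.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
            break;
        }
    }
    if (tokenStr == null) {
        return null;
    }
    try {
        // NOTE(review): no integrity check (such as a signature verification) of the
        // cookie value is visible in this method, yet the user name below is taken
        // from the parsed cookie. Confirm that the value is verified before it gets
        // here or inside verifyTokenType.
        final AuthenticationToken authToken = AuthenticationToken.parse(tokenStr);
        if (!verifyTokenType(authToken)) {
            throw new org.apache.shiro.authc.AuthenticationException("Invalid AuthenticationToken type");
        }
        if (authToken.isExpired()) {
            throw new org.apache.shiro.authc.AuthenticationException("AuthenticationToken expired");
        }
        return new KerberosToken(authToken.getUserName(), tokenStr);
    } catch (AuthenticationException ex) {
        // Translate the token-parsing failure into the exception type this method declares.
        throw new org.apache.shiro.authc.AuthenticationException(ex);
    }
}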