List of usage examples for org.apache.hadoop.security.authentication.client KerberosAuthenticator NEGOTIATE
String NEGOTIATE
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
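/**
 * Enforces the Kerberos SPNEGO authentication sequence, returning an
 * {@link AuthenticationToken} only after the SPNEGO sequence has completed
 * successfully.
 *
 * <p>When the request carries no {@code Authorization} header, or one that does
 * not use the {@code Negotiate} scheme, the response is set to 401 with a
 * {@code WWW-Authenticate: Negotiate} challenge and {@code null} is returned.
 * Otherwise the base64 client token is decoded, the server principal it is
 * addressed to must be an {@code HTTP/} service principal, and the GSS
 * exchange is run as {@code serverSubject} via {@code runWithPrincipal}.
 *
 * @param request the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token if the Kerberos SPNEGO sequence is complete
 *     and valid, {@code null} if it is in progress (in this case the handler
 *     handles the response to the client).
 * @throws IOException thrown if an IO error occurred.
 * @throws AuthenticationException thrown if the Kerberos SPNEGO sequence failed,
 *     the client token is empty, or it targets a non-HTTP service principal.
 */
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException {
  AuthenticationToken token = null;
  String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);
  if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
    response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    if (authorization == null) {
      LOG.trace("SPNEGO starting for url: {}", request.getRequestURL());
    } else {
      // Log only the scheme token, never the credential part of the header: a
      // non-Negotiate Authorization header may carry e.g. Basic credentials,
      // which must not end up in the log.
      int space = authorization.indexOf(' ');
      String scheme = space < 0 ? authorization : authorization.substring(0, space);
      LOG.warn("'{}' does not start with '{}' : scheme '{}'",
          KerberosAuthenticator.AUTHORIZATION, KerberosAuthenticator.NEGOTIATE, scheme);
    }
  } else {
    authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
    final Base64 base64 = new Base64(0);
    final byte[] clientToken = base64.decode(authorization);
    if (clientToken.length == 0) {
      // "Negotiate" with no token (or undecodable data) is a failed sequence,
      // not something to hand to the GSS layer.
      throw new AuthenticationException("Empty Negotiate token in client request");
    }
    try {
      final String serverPrincipal = KerberosUtil.getTokenServerName(clientToken);
      // Only accept tokens addressed to the HTTP service principal; a ticket
      // for some other service must not be able to complete this handshake.
      if (!serverPrincipal.startsWith("HTTP/")) {
        throw new IllegalArgumentException(
            "Invalid server principal " + serverPrincipal + " decoded from client request");
      }
      token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
        @Override
        public AuthenticationToken run() throws Exception {
          return runWithPrincipal(serverPrincipal, clientToken, base64, response);
        }
      });
    } catch (PrivilegedActionException ex) {
      // doAs wraps checked exceptions from run(): surface IOException as
      // declared and fold everything else into AuthenticationException.
      if (ex.getException() instanceof IOException) {
        throw (IOException) ex.getException();
      }
      throw new AuthenticationException(ex.getException());
    } catch (Exception ex) {
      // Covers the principal check above and any runtime failure in decoding.
      throw new AuthenticationException(ex);
    }
  }
  return token;
}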
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
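/**
 * Runs one accept-side step of the GSS-API/SPNEGO exchange for the given
 * client token, using an acceptor credential for {@code serverPrincipal}.
 *
 * <p>Any response token produced by the context is returned to the client in
 * the {@code WWW-Authenticate: Negotiate <token>} header. If the context is
 * not yet established the response status is 401 and {@code null} is returned;
 * once it is established the client principal is mapped to its short name and
 * an {@link AuthenticationToken} of type {@code TYPE} is returned with status
 * 200. The context and the credential are always disposed before returning.
 *
 * @param serverPrincipal the HTTP service principal the client token targets.
 * @param clientToken the decoded SPNEGO token sent by the client.
 * @param base64 codec used to encode the response token for the header.
 * @param response the HTTP response the challenge and status are written to.
 * @return the authentication token once the context is established, else
 *     {@code null}.
 * @throws IOException if an IO error occurred.
 * @throws GSSException if the GSS-API exchange or cleanup fails.
 */
private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64,
    HttpServletResponse response) throws IOException, GSSException {
  GSSContext gssContext = null;
  GSSCredential gssCreds = null;
  AuthenticationToken token = null;
  try {
    LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
    gssCreds = this.gssManager.createCredential(
        this.gssManager.createName(serverPrincipal, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
        GSSCredential.INDEFINITE_LIFETIME,
        new Oid[] { KerberosUtil.GSS_SPNEGO_MECH_OID, KerberosUtil.GSS_KRB5_MECH_OID },
        GSSCredential.ACCEPT_ONLY);
    gssContext = this.gssManager.createContext(gssCreds);
    byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
    if (serverToken != null && serverToken.length > 0) {
      String authenticate = base64.encodeToString(serverToken);
      response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
          KerberosAuthenticator.NEGOTIATE + " " + authenticate);
    }
    if (!gssContext.isEstablished()) {
      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      LOG.trace("SPNEGO in progress");
    } else {
      String clientPrincipal = gssContext.getSrcName().toString();
      KerberosName kerberosName = new KerberosName(clientPrincipal);
      String userName = kerberosName.getShortName();
      token = new AuthenticationToken(userName, clientPrincipal, TYPE);
      response.setStatus(HttpServletResponse.SC_OK);
      LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
    }
  } finally {
    // Dispose the credential even when disposing the context throws; with a
    // flat sequence a failing gssContext.dispose() would leak the acceptor
    // credential.
    try {
      if (gssContext != null) {
        gssContext.dispose();
      }
    } finally {
      if (gssCreds != null) {
        gssCreds.dispose();
      }
    }
  }
  return token;
}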
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
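/**
 * A parallel implementation to getTokenFromCookies, this handles
 * javax.ws.rs.core.HttpHeaders.Cookies kind.
 *
 * <p>Looks for a cookie named {@code Authorization}. Its value must use the
 * {@code Negotiate} scheme; the remainder is parsed as a Hadoop
 * {@link AuthenticationToken}, whose type is checked with
 * {@code verifyTokenType} and whose expiry is enforced before a
 * {@link KerberosToken} is built from it.
 *
 * Used in {@link org.apache.zeppelin.rest.LoginRestApi}::getLogin()
 *
 * @param cookies - Cookie(s) map read from HttpHeaders; may be {@code null}
 * @return {@link KerberosToken} if available in AUTHORIZATION cookie, else
 *     {@code null}
 *
 * @throws org.apache.shiro.authc.AuthenticationException if the cookie is
 *     present but empty, does not use the Negotiate scheme, or holds a token
 *     that is malformed, of the wrong type, or expired
 */
public static KerberosToken getKerberosTokenFromCookies(Map<String, javax.ws.rs.core.Cookie> cookies)
    throws org.apache.shiro.authc.AuthenticationException {
  if (cookies == null) {
    return null;
  }
  String tokenStr = null;
  for (javax.ws.rs.core.Cookie cookie : cookies.values()) {
    if (KerberosAuthenticator.AUTHORIZATION.equals(cookie.getName())) {
      String value = cookie.getValue();
      if (value == null || value.isEmpty()) {
        throw new org.apache.shiro.authc.AuthenticationException("Empty token");
      }
      // Require the Negotiate scheme explicitly rather than blindly stripping
      // NEGOTIATE.length() characters off whatever value the cookie carries.
      if (!value.startsWith(KerberosAuthenticator.NEGOTIATE)) {
        throw new org.apache.shiro.authc.AuthenticationException("Invalid token scheme");
      }
      tokenStr = value.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
      break;
    }
  }
  if (tokenStr == null) {
    return null;
  }
  try {
    AuthenticationToken authToken = AuthenticationToken.parse(tokenStr);
    if (!verifyTokenType(authToken)) {
      throw new org.apache.shiro.authc.AuthenticationException("Invalid AuthenticationToken type");
    }
    if (authToken.isExpired()) {
      throw new org.apache.shiro.authc.AuthenticationException("AuthenticationToken expired");
    }
    return new KerberosToken(authToken.getUserName(), tokenStr);
  } catch (AuthenticationException ex) {
    // Translate the Hadoop parse failure into the Shiro exception callers expect.
    throw new org.apache.shiro.authc.AuthenticationException(ex);
  }
}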