List of usage examples for org.apache.hadoop.security.authentication.server AuthenticationToken AuthenticationToken
public AuthenticationToken(String userName, String principal, String type)
From source file:com.hortonworks.example.ui.HadoopSsoHandler.java
License:Apache License
/**
 * Alternate authentication hook: accepts a request that carries an auth token and otherwise
 * sends the caller to the login page.
 *
 * @param request the incoming HTTP request; the token is obtained through {@code Util.getAuthToken}
 * @param response the HTTP response, handed to {@code Util.sendLoginRedirect} when no token is found
 * @return a token of type {@code "keystone"} when an auth token is present, or {@code null} once
 *     the login redirect has been issued
 * @throws IOException propagated from the helper calls, if they raise it
 * @throws AuthenticationException propagated from the helper calls, if they raise it
 */
@Override
public AuthenticationToken alternateAuthenticate(HttpServletRequest request, HttpServletResponse response)
    throws IOException, AuthenticationException {
  final String presentedToken = Util.getAuthToken(request);
  if (presentedToken != null) {
    // NOTE(review): the token is only checked for presence here, and its raw value becomes both
    // the user name and the principal. Confirm that Util.getAuthToken validates it, and that
    // nothing downstream logs or echoes the user name, since that would expose the token itself.
    return new AuthenticationToken(presentedToken, presentedToken, "keystone");
  }
  Util.sendLoginRedirect(request, response);
  return null;
}
From source file:com.wandisco.s3hdfs.auth.AWSAuthenticationHandler.java
License:Apache License
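/**
 * Verifies the AWS-style {@code Authorization} header of a request.
 *
 * <p>The header is parsed as {@code AWS <accessKeyId>:<signature>}: it is split on whitespace and
 * the second field is split on {@code ':'}. The access key id is resolved through
 * {@code getNameAndSecretAccessKey} and the signature is checked by {@code verifySignature}.
 * Every rejection visible in this method answers {@code 401} and returns {@code null}.
 *
 * <p>The header value is deliberately kept out of the log: it carries the caller's access key id
 * together with a request signature, and log files are usually readable by a wider audience than
 * the credential store.
 *
 * @param request the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token named after the resolved user if the signature verifies,
 *     {@code null} if the request was rejected (the response status is then already set).
 * @throws IOException thrown if an IO error occurred.
 * @throws AuthenticationException part of the overridden contract; no path visible in this method
 *     throws it directly, helper calls may.
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException {
  String authorization = request.getHeader(AUTHORIZATION);
  if (LOG.isDebugEnabled()) {
    // Log only whether the header exists, never its content.
    LOG.debug("authenticate - authorization header present = " + (authorization != null));
  }

  // NOTE(review): the prefix test has no trailing space, so any scheme name starting with "AWS"
  // passes this gate and is only rejected by the field checks below.
  if (authorization == null || !authorization.startsWith("AWS")) {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return null;
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("authenticate - returning jagane");
  }

  String[] splitAuth = authorization.split("\\s");
  if (splitAuth.length < 2) {
    LOG.warn("authenticate - auth string does not have enough info.");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return null;
  }

  String[] splitKey = splitAuth[1].split(":");
  if (splitKey.length < 2) {
    LOG.warn("authenticate - auth string does not have key/signature.");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return null;
  }

  // Element 0 is used as the user name, element 1 as the secret access key.
  String[] nameAndSecretAccessKey = getNameAndSecretAccessKey(splitKey[0]);
  // A short array or a null secret is treated like an unknown key, so a lookup miss ends in 401
  // instead of an unchecked exception.
  if (nameAndSecretAccessKey == null
      || nameAndSecretAccessKey.length < 2
      || nameAndSecretAccessKey[1] == null
      || nameAndSecretAccessKey[1].length() == 0) {
    LOG.warn("authenticate - cannot find secretAccessKey for accessKeyId " + splitKey[0]);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return null;
  }

  String hostHeader = request.getHeader("Host");
  try {
    // NOTE(review): verifySignature is not visible here. Confirm that it compares the MACs in
    // constant time (for example MessageDigest.isEqual), and that replay protection exists
    // somewhere: the values passed in carry no request date.
    verifySignature(request.getMethod(), nameAndSecretAccessKey[1], splitKey[1], "HmacSHA1", hostHeader,
        request.getRequestURI(), getCanonicalizedQueryString(request));
  } catch (Exception ex) {
    // Any failure during verification is treated as a rejected request.
    LOG.warn("verifySignature threw " + ex);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return null;
  }

  return new AuthenticationToken(nameAndSecretAccessKey[0], nameAndSecretAccessKey[0], "AWS");
}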
From source file:io.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
/**
 * Runs the server side of a SPNEGO exchange for one request.
 *
 * <p>A request without a {@code Negotiate} authorization header yields {@code null} and leaves
 * the response untouched. Otherwise the client token is Base64-decoded and passed to a GSS
 * acceptor context created under {@code serverSubject}. While the context is not yet established
 * the response status is set to 401; once it is, a token for the client principal is returned
 * and the status is set to 200.
 *
 * @param request the HTTP client request
 * @param response the HTTP client response; receives the {@code WWW-Authenticate} reply token and
 *     the status code
 * @return the authentication token once the context is established, otherwise {@code null}
 * @throws IOException if the privileged action failed with an {@code IOException}
 * @throws AuthenticationException wrapping any other failure of the privileged action
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException {
  final String header = request
      .getHeader(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION);
  final boolean isNegotiate = header != null
      && header.startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE);
  if (!isNegotiate) {
    return null;
  }

  final String encodedClientToken = header
      .substring(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length())
      .trim();
  final Base64 base64 = new Base64(0);
  final byte[] clientToken = base64.decode(encodedClientToken);
  // NOTE(review): the service principal below is derived from request.getServerName(), i.e. from
  // request data. Confirm that the deployment constrains which host names can be accepted (for
  // example through the keys held by serverSubject or a front-end host allow-list).
  final String serverName = request.getServerName();

  try {
    return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
      @Override
      public AuthenticationToken run() throws Exception {
        AuthenticationToken established = null;
        GSSCredential acceptorCreds = null;
        GSSContext context = null;
        try {
          acceptorCreds = gssManager.createCredential(
              gssManager.createName(KerberosUtil.getServicePrincipal("HTTP", serverName),
                  KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
              GSSCredential.INDEFINITE_LIFETIME,
              new Oid[] {
                  KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
                  KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")
              },
              GSSCredential.ACCEPT_ONLY);
          context = gssManager.createContext(acceptorCreds);

          final byte[] reply = context.acceptSecContext(clientToken, 0, clientToken.length);
          if (reply != null && reply.length > 0) {
            // Hand the acceptor's reply token back to the client.
            response.setHeader(
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.WWW_AUTHENTICATE,
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE + " "
                    + base64.encodeToString(reply));
          }

          if (context.isEstablished()) {
            final String clientPrincipal = context.getSrcName().toString();
            final String shortName = new KerberosName(clientPrincipal).getShortName();
            established = new AuthenticationToken(shortName, clientPrincipal, getType());
            response.setStatus(HttpServletResponse.SC_OK);
            log.trace("SPNEGO completed for principal [%s]", clientPrincipal);
          } else {
            // More round trips are needed before the context is established.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.trace("SPNEGO in progress");
          }
        } finally {
          // Release the GSS resources on every path, context first.
          if (context != null) {
            context.dispose();
          }
          if (acceptorCreds != null) {
            acceptorCreds.dispose();
          }
        }
        return established;
      }
    });
  } catch (PrivilegedActionException ex) {
    final Exception cause = ex.getException();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    throw new AuthenticationException(cause);
  }
}
From source file:org.apache.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
/**
 * Runs the server side of a SPNEGO exchange for one request.
 *
 * <p>Requests without a {@code Negotiate} authorization header return {@code null} with the
 * response left as it was. For all others the Base64 client token is decoded and fed to a GSS
 * acceptor context created under {@code serverSubject}: an unfinished negotiation sets status
 * 401, a finished one sets status 200 and produces a token for the client principal.
 *
 * @param request the HTTP client request
 * @param response the HTTP client response; receives the {@code WWW-Authenticate} reply token and
 *     the status code
 * @return the authentication token once the context is established, otherwise {@code null}
 * @throws IOException if the privileged action failed with an {@code IOException}
 * @throws AuthenticationException wrapping any other failure of the privileged action
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException {
  final String header = request
      .getHeader(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION);
  if (header == null
      || !header.startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE)) {
    return null;
  }

  final String encodedClientToken = header
      .substring(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length())
      .trim();
  // NOTE(review): how decodeBase64String reacts to malformed input is not visible here; confirm
  // that a bad header ends in a clean rejection rather than an unhandled exception.
  final byte[] clientToken = StringUtils.decodeBase64String(encodedClientToken);
  // NOTE(review): the service principal below is derived from request.getServerName(), i.e. from
  // request data. Confirm that the deployment constrains which host names can be accepted.
  final String serverName = request.getServerName();

  try {
    return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
      @Override
      public AuthenticationToken run() throws Exception {
        AuthenticationToken result = null;
        GSSCredential acceptorCreds = null;
        GSSContext context = null;
        try {
          final Oid[] mechanisms = {
              KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
              KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")
          };
          acceptorCreds = gssManager.createCredential(
              gssManager.createName(KerberosUtil.getServicePrincipal("HTTP", serverName),
                  KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
              GSSCredential.INDEFINITE_LIFETIME,
              mechanisms,
              GSSCredential.ACCEPT_ONLY);
          context = gssManager.createContext(acceptorCreds);

          final byte[] reply = context.acceptSecContext(clientToken, 0, clientToken.length);
          if (reply != null && reply.length > 0) {
            // Hand the acceptor's reply token back to the client.
            final String encodedReply = StringUtils.encodeBase64String(reply);
            response.setHeader(
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.WWW_AUTHENTICATE,
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE + " "
                    + encodedReply);
          }

          if (context.isEstablished()) {
            final String clientPrincipal = context.getSrcName().toString();
            final String shortName = new KerberosName(clientPrincipal).getShortName();
            result = new AuthenticationToken(shortName, clientPrincipal, getType());
            response.setStatus(HttpServletResponse.SC_OK);
            log.trace("SPNEGO completed for principal [%s]", clientPrincipal);
          } else {
            // More round trips are needed before the context is established.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.trace("SPNEGO in progress");
          }
        } finally {
          // Release the GSS resources on every path, context first.
          if (context != null) {
            context.dispose();
          }
          if (acceptorCreds != null) {
            acceptorCreds.dispose();
          }
        }
        return result;
      }
    });
  } catch (PrivilegedActionException ex) {
    final Exception cause = ex.getException();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    throw new AuthenticationException(cause);
  }
}
From source file:org.apache.falcon.security.RemoteUserInHeaderBasedAuthenticationHandler.java
License:Apache License
/**
 * Authenticates from the {@code Remote-User} request header when it is set, and defers to the
 * parent handler when it is missing or empty.
 *
 * @param request the HTTP client request
 * @param response the HTTP client response, only used by the parent handler
 * @return a token whose user name and principal are the header value, or whatever the parent
 *     handler returns when the header is absent
 * @throws IOException propagated from the parent handler
 * @throws AuthenticationException propagated from the parent handler
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response)
    throws IOException, AuthenticationException {
  final String remoteUser = request.getHeader("Remote-User");
  if (!StringUtils.isEmpty(remoteUser)) {
    // NOTE(review): the header value is accepted as the identity with no further check in this
    // method. That is only sound when every request passes through a trusted front end that
    // sets the header itself and discards any client-supplied copy; confirm for the deployment.
    return new AuthenticationToken(remoteUser, remoteUser, getType());
  }
  return super.authenticate(request, response);
}
From source file:org.apache.oozie.authentication.ExampleAltAuthenticationHandler.java
License:Apache License
/**
 * Custom alternate authentication. The request cookies are passed to
 * {@code verifyAndExtractAltAuth}, and the user name is read from the resulting cookie by
 * {@code getAltAuthUserName}. When a user name is found it is returned inside an
 * AuthenticationToken; otherwise the caller is redirected to the login server, with the original
 * request URL (query string included) URL-encoded into {@code redirectURL}.
 *
 * @param request the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token if the request is authorized, or null after a redirect
 * @throws IOException thrown if an IO error occurs
 * @throws AuthenticationException thrown if an authentication error occurs
 */
@Override
public AuthenticationToken alternateAuthenticate(HttpServletRequest request, HttpServletResponse response)
    throws IOException, AuthenticationException {
  final Cookie authCookie = verifyAndExtractAltAuth(request.getCookies());
  final String altAuthUserName = getAltAuthUserName(authCookie);

  // Authenticated
  // NOTE(review): the identity comes from a client-supplied cookie; what verifyAndExtractAltAuth
  // actually verifies is not visible here, so confirm it checks integrity and not just presence.
  if (altAuthUserName != null) {
    return new AuthenticationToken(altAuthUserName, altAuthUserName, getType());
  }

  // Not authenticated: rebuild the URL that was requested so the login server can send the user back.
  final StringBuffer requested = request.getRequestURL();
  final String query = request.getQueryString();
  if (query != null) {
    requested.append("?").append(query);
  }
  final String encodedTarget = URLEncoder.encode(requested.toString(), "ISO-8859-1");
  final String loginUrl = response.encodeRedirectURL(MessageFormat.format(redirectURL, encodedTarget));
  response.sendRedirect(loginUrl);
  return null;
}
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
/**
 * Performs one SPNEGO acceptor step for the given server principal.
 *
 * <p>An acceptor credential and context are created for {@code serverPrincipal}, and the client
 * token is passed to the context. Any reply token is written to the {@code WWW-Authenticate}
 * header. The status is set to 401 while the context is not established and to 200 once it is.
 * Both GSS objects are disposed before returning.
 *
 * @param serverPrincipal name of the service principal to accept for
 * @param clientToken decoded token taken from the client's request
 * @param base64 encoder used for the reply token
 * @param response the HTTP response that receives header and status
 * @return a token for the client principal once the context is established, otherwise {@code null}
 * @throws IOException declared by this method; no statement visible here throws it directly
 * @throws GSSException if a GSS call fails
 */
private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64,
    HttpServletResponse response) throws IOException, GSSException {
  AuthenticationToken result = null;
  GSSCredential acceptorCreds = null;
  GSSContext context = null;
  try {
    LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
    final Oid[] mechanisms = { KerberosUtil.GSS_SPNEGO_MECH_OID, KerberosUtil.GSS_KRB5_MECH_OID };
    acceptorCreds = this.gssManager.createCredential(
        this.gssManager.createName(serverPrincipal, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
        GSSCredential.INDEFINITE_LIFETIME,
        mechanisms,
        GSSCredential.ACCEPT_ONLY);
    context = this.gssManager.createContext(acceptorCreds);

    final byte[] reply = context.acceptSecContext(clientToken, 0, clientToken.length);
    if (reply != null && reply.length > 0) {
      // Hand the acceptor's reply token back to the client.
      response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
          KerberosAuthenticator.NEGOTIATE + " " + base64.encodeToString(reply));
    }

    if (context.isEstablished()) {
      final String clientPrincipal = context.getSrcName().toString();
      final String shortName = new KerberosName(clientPrincipal).getShortName();
      result = new AuthenticationToken(shortName, clientPrincipal, TYPE);
      response.setStatus(HttpServletResponse.SC_OK);
      LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
    } else {
      // More round trips are needed before the context is established.
      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      LOG.trace("SPNEGO in progress");
    }
  } finally {
    // Release the GSS resources on every path, context first.
    if (context != null) {
      context.dispose();
    }
    if (acceptorCreds != null) {
      acceptorCreds.dispose();
    }
  }
  return result;
}