Example usage for org.apache.hadoop.security.authentication.util KerberosUtil getTokenServerName

List of usage examples for org.apache.hadoop.security.authentication.util KerberosUtil getTokenServerName

Introduction

This page shows example usage of org.apache.hadoop.security.authentication.util KerberosUtil getTokenServerName.

Prototype

public static String getTokenServerName(byte[] rawToken) 

Document

Extracts the TGS server principal (the service principal the ticket was issued for) from the given GSS-API Kerberos or SPNEGO-wrapped token.

Usage

From source file: org.apache.zeppelin.realm.kerberos.KerberosRealm.java

License: Apache License

/**
 * It enforces the Kerberos SPNEGO authentication sequence, returning an
 * {@link AuthenticationToken} only after the Kerberos SPNEGO sequence has
 * completed successfully.
 *
 * @param request  the HTTP client request.
 * @param response the HTTP client response.
 * @return an authentication token if the Kerberos SPNEGO sequence is complete
 * and valid, <code>null</code> if it is in progress (in this case the handler
 * handles the response to the client).
 * @throws IOException             thrown if an IO error occurred.
 * @throws AuthenticationException thrown if Kerberos SPNEGO sequence failed.
 */
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
        throws IOException, AuthenticationException {
    AuthenticationToken token = null;
    String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);

    if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
        response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (authorization == null) {
            LOG.trace("SPNEGO starting for url: {}", request.getRequestURL());
        } else {
            LOG.warn("'" + KerberosAuthenticator.AUTHORIZATION + "' does not start with '"
                    + KerberosAuthenticator.NEGOTIATE + "' :  {}", authorization);
        }
    } else {
        // Strip the "Negotiate " prefix; the remainder is the base64-encoded SPNEGO token.
        authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
        final Base64 base64 = new Base64(0);
        final byte[] clientToken = base64.decode(authorization);
        try {
            // Parse the service principal the client's ticket was issued for, and
            // reject tokens that are not addressed to an HTTP/ service principal
            // before handing the token to the GSS context.
            final String serverPrincipal = KerberosUtil.getTokenServerName(clientToken);
            if (!serverPrincipal.startsWith("HTTP/")) {
                throw new IllegalArgumentException(
                        "Invalid server principal " + serverPrincipal + " decoded from client request");
            }
            token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
                @Override
                public AuthenticationToken run() throws Exception {
                    return runWithPrincipal(serverPrincipal, clientToken, base64, response);
                }
            });
        } catch (PrivilegedActionException ex) {
            if (ex.getException() instanceof IOException) {
                throw (IOException) ex.getException();
            } else {
                throw new AuthenticationException(ex.getException());
            }
        } catch (Exception ex) {
            throw new AuthenticationException(ex);
        }
    }
    return token;
}