org.apache.hadoop.security.authentication.client.AuthenticatedURL Java Examples

Example #1
Source File: URLConnectionFactory.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Opens a connection to {@code url}, optionally authenticating it via SPNEGO.
 *
 * <p>When {@code isSpnego} is set, {@code checkTGTAndReloginFromKeytab()} is
 * called on the current user and the connection is opened through an
 * {@link AuthenticatedURL} with a new, empty token. Otherwise a plain
 * connection is opened and, if it is an {@link HttpURLConnection}, handed to
 * {@code connConfigurator}. Any read/connect timeouts are presumably applied
 * by {@code connConfigurator}; that is not visible in this method.
 *
 * @param url
 *          URL to open
 * @param isSpnego
 *          whether the url should be authenticated via SPNEGO
 * @return the opened connection
 * @throws IOException
 *           if the connection cannot be opened
 * @throws AuthenticationException
 *           if the SPNEGO path fails to authenticate
 */
public URLConnection openConnection(URL url, boolean isSpnego)
    throws IOException, AuthenticationException {
  if (!isSpnego) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("open URL connection");
    }
    final URLConnection plain = url.openConnection();
    if (plain instanceof HttpURLConnection) {
      connConfigurator.configure((HttpURLConnection) plain);
    }
    return plain;
  }

  if (LOG.isDebugEnabled()) {
    // NOTE(review): the whole URL, query string included, is written to the
    // debug log. If callers ever pass credentials in the query (for example
    // a delegation token parameter), they end up in log files - confirm.
    LOG.debug("open AuthenticatedURL connection" + url);
  }
  UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
  final AuthenticatedURL.Token freshToken = new AuthenticatedURL.Token();
  final AuthenticatedURL spnegoUrl =
      new AuthenticatedURL(new KerberosUgiAuthenticator(), connConfigurator);
  return spnegoUrl.openConnection(url, freshToken);
}
 
Example #2
Source File: TestHttpFSWithKerberos.java    From big-c with Apache License 2.0 6 votes vote down vote up
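/**
 * Checks that a client running under the test Kerberos identity can call the
 * HttpFS {@code GETHOMEDIRECTORY} operation through {@link AuthenticatedURL}
 * and receives HTTP 200.
 */
@Test
@TestDir
@TestJetty
@TestHdfs
public void testValidHttpFSAccess() throws Exception {
  createHttpFSServer();

  KerberosTestUtils.doAsClient(new Callable<Void>() {
    @Override
    public Void call() throws Exception {
      URL url = new URL(TestJettyHelper.getJettyURL(),
                        "/webhdfs/v1/?op=GETHOMEDIRECTORY");
      AuthenticatedURL aUrl = new AuthenticatedURL();
      AuthenticatedURL.Token aToken = new AuthenticatedURL.Token();
      HttpURLConnection conn = aUrl.openConnection(url, aToken);
      // JUnit's contract is assertEquals(expected, actual); with the
      // arguments swapped a failure message reports the values backwards.
      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
      return null;
    }
  });
}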
 
Example #3
Source File: PseudoWebHDFSConnection.java    From Transwarp-Sample-Code with MIT License 6 votes vote down vote up
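/**
 * Requests an authentication token from a WebHDFS endpoint by issuing a
 * {@code GETHOMEDIRECTORY} call through a {@code PseudoAuthenticator}.
 *
 * <p>Failures are logged and swallowed, so the returned token may still be
 * unset; callers should check it before relying on it.
 *
 * @param srvUrl base URL of the WebHDFS/HttpFS server
 * @param princ  user name sent as {@code user.name}. It is placed in the query
 *               string without URL-encoding, so it must not contain
 *               characters such as {@code &} or {@code #}.
 * @param passwd not used by this method; it is deliberately kept out of the
 *               log output
 * @return the token object passed to the authenticated connection
 */
public static synchronized Token generateToken(String srvUrl, String princ,
                                               String passwd) {
    AuthenticatedURL.Token newToken = new AuthenticatedURL.Token();
    Authenticator authenticator = new PseudoAuthenticator(princ);
    HttpURLConnection conn = null;
    try {
        String spec = MessageFormat.format(
                "/webhdfs/v1/?op=GETHOMEDIRECTORY&user.name={0}", princ);
        conn = new AuthenticatedURL(authenticator)
                .openConnection(new URL(new URL(srvUrl), spec), newToken);

        conn.connect();
    } catch (Exception ex) {
        logger.error(ex.getMessage());
        // Log who and where, never the password: log files are routinely
        // shipped to systems with a wider audience than the credential.
        logger.error("[" + princ + "]@" + srvUrl, ex);
    } finally {
        // Release the connection on the failure path as well.
        if (conn != null) {
            conn.disconnect();
        }
    }

    return newToken;
}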
 
Example #4
Source File: KerberosAuthenticator2.java    From Transwarp-Sample-Code with MIT License 6 votes vote down vote up
/**
 * Performs SPNEGO authentication against the specified URL.
 *
 * <p>A token that is already set makes this call a no-op. Otherwise the
 * method sends the {@code AUTH_HTTP_METHOD} request to the URL and either
 * runs the SPNEGO sequence (when {@code isNegotiate()} reports a negotiate
 * challenge) or delegates to the fallback authenticator.
 *
 * @param url the URL to authenticate against.
 * @param token the authentication token being used for the user.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication error occurred.
 */
public void authenticate(URL url, AuthenticatedURL.Token token)
        throws IOException, AuthenticationException {
    if (token.isSet()) {
        return;
    }

    this.url = url;
    base64 = new Base64(0);
    conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod(AUTH_HTTP_METHOD);
    conn.connect();

    if (!isNegotiate()) {
        // NOTE(review): the server's response decides which mechanism is used.
        // Which authenticator getFallBackAuthenticator() returns is not visible
        // here; if it is weaker than SPNEGO, a server (or anyone able to alter
        // an unencrypted response) that omits the negotiate challenge selects
        // it - confirm that this downgrade is acceptable.
        getFallBackAuthenticator().authenticate(url, token);
        return;
    }
    doSpnegoSequence(token);
}
 
Example #5
Source File: KerberosWebHDFSConnection2.java    From Transwarp-Sample-Code with MIT License 6 votes vote down vote up
/**
 * Creates a connection helper that authenticates to HttpFS with a
 * {@code KerberosAuthenticator} whose connections are configured by a
 * client-mode {@code SSLFactory}.
 *
 * <p>Authentication is attempted once in the constructor. A failure only
 * prints a stack trace; the object is still constructed and its token may be
 * unset.
 *
 * @param httpfsUrl URL of the HttpFS endpoint to authenticate against
 * @param principal Kerberos principal; stored, not used in this constructor
 * @param password  stored in a {@code String} field, not used in this
 *                  constructor
 */
public KerberosWebHDFSConnection2(String httpfsUrl, String principal, String password)  {
    this.httpfsUrl = httpfsUrl;
    this.principal = principal;
    // NOTE(review): the password is kept as an immutable String for the
    // lifetime of this object although nothing here reads it - confirm it is
    // needed at all.
    this.password = password;

    Configuration hadoopConf = new Configuration();
    hadoopConf.addResource("conf/hdfs-site.xml");
    hadoopConf.addResource("conf/core-site.xml");
    newToken = new AuthenticatedURL.Token();

    KerberosAuthenticator kerberosAuth = new KerberosAuthenticator();
    // NOTE(review): no init() call on the SSLFactory is visible before it is
    // used as a ConnectionConfigurator - confirm it is initialized elsewhere.
    ConnectionConfigurator sslConfigurator = new SSLFactory(SSLFactory.Mode.CLIENT, hadoopConf);
    kerberosAuth.setConnectionConfigurator(sslConfigurator);

    try {
        kerberosAuth.authenticate(new URL(httpfsUrl), newToken);
    } catch (Exception e) {
        // Best effort: the failure is reported on stderr only and the
        // constructor carries on.
        e.printStackTrace();
    }

    this.authenticatedURL = new AuthenticatedURL(kerberosAuth, sslConfigurator);
}
 
Example #6
Source File: TimelineReaderFactory.java    From tez with Apache License 2.0 6 votes vote down vote up
/**
 * Opens a connection to {@code url} through a reflectively created
 * delegation-token authenticated URL.
 *
 * <p>The instance is built from the class named by
 * {@code DELEGATION_TOKEN_AUTHENTICATED_URL_CLAZZ_NAME} using the
 * (authenticator, connection configurator) constructor; its open-connection
 * method is then invoked with the URL, the current token and
 * {@code doAsUser}.
 *
 * @param url the URL to connect to
 * @return the connection returned by the reflective call
 * @throws IOException wrapping any exception raised while creating the
 *                     instance or invoking the method
 */
@Override
public HttpURLConnection getHttpURLConnection(URL url) throws IOException {
  final Class<?>[] ctorParamTypes = {
      delegationTokenAuthenticatorClazz,
      ConnectionConfigurator.class
  };
  final Object[] ctorArgs = {
      authenticator,
      connConfigurator
  };
  try {
    final AuthenticatedURL reflectiveUrl = ReflectionUtils.createClazzInstance(
        DELEGATION_TOKEN_AUTHENTICATED_URL_CLAZZ_NAME, ctorParamTypes, ctorArgs);
    return ReflectionUtils.invokeMethod(reflectiveUrl,
        delegationTokenAuthenticateURLOpenConnectionMethod, url, token, doAsUser);
  } catch (Exception e) {
    // Reflection and authentication failures alike surface as IOException,
    // with the original exception preserved as the cause.
    throw new IOException(e);
  }
}
 
Example #7
Source File: URLConnectionFactory.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Opens a connection to {@code url}, optionally authenticating it via SPNEGO.
 *
 * <p>For SPNEGO, {@code checkTGTAndReloginFromKeytab()} is called on the
 * current user first and the connection is then opened by an
 * {@link AuthenticatedURL} that starts from an empty token. Without SPNEGO
 * the URL is opened directly and HTTP connections are passed to
 * {@code connConfigurator}, which presumably applies the timeouts (not
 * visible in this method).
 *
 * @param url
 *          URL to open
 * @param isSpnego
 *          whether the url should be authenticated via SPNEGO
 * @return the opened connection
 * @throws IOException
 *           if the connection cannot be opened
 * @throws AuthenticationException
 *           if SPNEGO authentication fails
 */
public URLConnection openConnection(URL url, boolean isSpnego)
    throws IOException, AuthenticationException {
  final boolean debug = LOG.isDebugEnabled();

  if (isSpnego) {
    if (debug) {
      // NOTE(review): this logs the complete URL including its query string;
      // confirm callers never carry tokens or other secrets there.
      LOG.debug("open AuthenticatedURL connection" + url);
    }
    UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
    final AuthenticatedURL.Token emptyToken = new AuthenticatedURL.Token();
    final AuthenticatedURL authenticated =
        new AuthenticatedURL(new KerberosUgiAuthenticator(), connConfigurator);
    return authenticated.openConnection(url, emptyToken);
  }

  if (debug) {
    LOG.debug("open URL connection");
  }
  final URLConnection unauthenticated = url.openConnection();
  if (unauthenticated instanceof HttpURLConnection) {
    connConfigurator.configure((HttpURLConnection) unauthenticated);
  }
  return unauthenticated;
}
 
Example #8
Source File: TestHttpFSWithKerberos.java    From hadoop with Apache License 2.0 6 votes vote down vote up
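/**
 * Starts an HttpFS server and verifies that a client acting under the test
 * Kerberos identity gets HTTP 200 for {@code GETHOMEDIRECTORY} when the
 * request is made through {@link AuthenticatedURL}.
 */
@Test
@TestDir
@TestJetty
@TestHdfs
public void testValidHttpFSAccess() throws Exception {
  createHttpFSServer();

  KerberosTestUtils.doAsClient(new Callable<Void>() {
    @Override
    public Void call() throws Exception {
      URL url = new URL(TestJettyHelper.getJettyURL(),
                        "/webhdfs/v1/?op=GETHOMEDIRECTORY");
      AuthenticatedURL aUrl = new AuthenticatedURL();
      AuthenticatedURL.Token aToken = new AuthenticatedURL.Token();
      HttpURLConnection conn = aUrl.openConnection(url, aToken);
      // Expected value first, actual second, so a failure is reported the
      // right way round.
      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
      return null;
    }
  });
}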
 
Example #9
Source File: TestAuthenticationFilter.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Copies the authentication cookie found in a {@code Set-Cookie} header value
 * into {@code cookieMap}.
 *
 * <p>Only cookies named {@link AuthenticatedURL#AUTH_COOKIE} are recorded:
 * the cookie value under its own name, plus {@code "Path"} and
 * {@code "Domain"} entries when those attributes are present.
 *
 * @param cookieHeader header value to parse
 * @param cookieMap    map that receives the entries
 */
private static void parseCookieMap(String cookieHeader, HashMap<String,
        String> cookieMap) {
  for (HttpCookie parsed : HttpCookie.parse(cookieHeader)) {
    if (!AuthenticatedURL.AUTH_COOKIE.equals(parsed.getName())) {
      continue;
    }
    cookieMap.put(parsed.getName(), parsed.getValue());

    final String cookiePath = parsed.getPath();
    if (cookiePath != null) {
      cookieMap.put("Path", cookiePath);
    }

    final String cookieDomain = parsed.getDomain();
    if (cookieDomain != null) {
      cookieMap.put("Domain", cookieDomain);
    }
  }
}
 
Example #10
Source File: ThreadContextMR2.java    From dr-elephant with Apache License 2.0 5 votes vote down vote up
/**
 * Supplies the initial, empty authentication token for the calling thread
 * and initializes that thread's refresh bookkeeping.
 *
 * <p>The last-updated time is set to now and the update interval to thirty
 * minutes plus a random offset, so that executors do not all refresh their
 * tokens at the same moment.
 *
 * @return a new, unset {@link AuthenticatedURL.Token}
 */
@Override
public AuthenticatedURL.Token initialValue() {
    _LOCAL_LAST_UPDATED.set(System.currentTimeMillis());

    // The remainder keeps the sign of nextLong(), so - assuming
    // RANDOM_GENERATOR is a java.util.Random - the offset can be negative as
    // well as positive.
    final long baseInterval = Statistics.MINUTE_IN_MS * 30;
    final long jitter = RANDOM_GENERATOR.nextLong() % (3 * Statistics.MINUTE_IN_MS);
    _LOCAL_UPDATE_INTERVAL.set(baseInterval + jitter);

    final double intervalMinutes =
            _LOCAL_UPDATE_INTERVAL.get() * 1.0 / Statistics.MINUTE_IN_MS;
    logger.info("Executor " + _LOCAL_THREAD_ID.get() + " update interval " + intervalMinutes);

    return new AuthenticatedURL.Token();
}
 
Example #11
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0 5 votes vote down vote up
/**
 * Extracts and validates the authentication token carried in the request
 * cookies.
 *
 * <p>Only the first cookie named {@link AuthenticatedURL#AUTH_COOKIE} is
 * considered. Its value must be non-empty and must pass
 * {@code signer.verifyAndExtract} before it is parsed; the parsed token must
 * then pass {@code verifyTokenType} and must not be expired.
 *
 * @param cookies cookies of the request, may be {@code null}
 * @return the validated token, or {@code null} when no authentication cookie
 *         is present
 * @throws AuthenticationException if the cookie is empty, its signature does
 *         not verify, the token type is rejected, or the token has expired
 */
private static AuthenticationToken getTokenFromCookies(Cookie[] cookies)
    throws AuthenticationException {
  if (cookies == null) {
    return null;
  }

  String verifiedPayload = null;
  for (Cookie candidate : cookies) {
    if (!candidate.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
      continue;
    }
    final String signedValue = candidate.getValue();
    if (signedValue.isEmpty()) {
      throw new AuthenticationException("Empty token");
    }
    try {
      // The signature is checked before any field of the token is trusted.
      verifiedPayload = signer.verifyAndExtract(signedValue);
    } catch (SignerException ex) {
      throw new AuthenticationException(ex);
    }
    break;
  }

  if (verifiedPayload == null) {
    return null;
  }

  final AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
  if (!verifyTokenType(parsed)) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #12
Source File: Client.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Adds the authentication token to the request as a cookie header.
 *
 * <p>The token's string form is wrapped in double quotes unless it already
 * starts with one. Nothing is added when the string form is {@code null}.
 *
 * @param method request that receives the cookie header.
 * @param token authentication token to inject.
 */
private void injectToken(HttpUriRequest method, AuthenticatedURL.Token token) {
  final String raw = token.toString();
  if (raw == null) {
    return;
  }
  final String quoted = raw.startsWith("\"") ? raw : "\"" + raw + "\"";
  method.addHeader(COOKIE, AUTH_COOKIE_EQ + quoted);
}
 
Example #13
Source File: Client.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Runs client-side Kerberos negotiation against {@code uri} and attaches the
 * resulting token to the request.
 *
 * @param method request that receives the negotiated token as a cookie.
 * @param uri the String to parse as a URL.
 * @throws IOException if the URL cannot be parsed or used, or if
 *         authentication fails (the {@link AuthenticationException} is
 *         wrapped as the cause).
 */
private void negotiate(HttpUriRequest method, String uri) throws IOException {
  try {
    final AuthenticatedURL.Token negotiated = new AuthenticatedURL.Token();
    final KerberosAuthenticator kerberos = new KerberosAuthenticator();
    final URL endpoint = new URL(uri);
    kerberos.authenticate(endpoint, negotiated);
    // NOTE(review): the token is then sent as a cookie on the request; if the
    // request goes over plain HTTP the cookie travels unencrypted - confirm
    // the transport used by callers.
    injectToken(method, negotiated);
  } catch (AuthenticationException e) {
    LOG.error("Failed to negotiate with the server.", e);
    throw new IOException(e);
  }
}
 
Example #14
Source File: RangerKrbFilter.java    From ranger with Apache License 2.0 5 votes vote down vote up
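/**
 * Creates the Hadoop authentication HTTP cookie and adds it to the response
 * as a {@code Set-Cookie} header.
 *
 * <p>The header is assembled by hand; {@code token}, {@code path} and
 * {@code domain} are appended as given, so callers must make sure they
 * contain no {@code ';'}, CR or LF. {@code HttpOnly} is always set,
 * {@code Secure} only when {@code isSecure} is true, and no {@code SameSite}
 * attribute is emitted.
 *
 * @param resp the response that receives the header.
 * @param token authentication token for the cookie; when null or empty the
 *              cookie is written with an empty value.
 * @param domain the cookie domain, omitted when null.
 * @param path the cookie path, omitted when null.
 * @param expires expiry instant passed to {@link Date#Date(long)}, i.e.
 *                milliseconds since the epoch. It has no effect if its
 *                value &lt; 0.
 * @param isSecure whether to mark the cookie {@code Secure}.
 *
 * XXX the following code duplicate some logic in Jetty / Servlet API,
 * because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
 * right now.
 */
public static void createAuthCookie(HttpServletResponse resp, String token,
                                    String domain, String path, long expires,
                                    boolean isSecure) {
  StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE)
                         .append("=");
  if (token != null && token.length() > 0) {
    sb.append("\"").append(token).append("\"");
  }

  if (path != null) {
    sb.append("; Path=").append(path);
  }

  if (domain != null) {
    sb.append("; Domain=").append(domain);
  }

  if (expires >= 0) {
    // Cookie dates need English day and month names. Without an explicit
    // locale the JVM default is used, and a non-English default produces an
    // Expires value that clients cannot parse.
    SimpleDateFormat df = new SimpleDateFormat(
        "EEE, dd-MMM-yyyy HH:mm:ss zzz", java.util.Locale.US);
    df.setTimeZone(TimeZone.getTimeZone("GMT"));
    sb.append("; Expires=").append(df.format(new Date(expires)));
  }

  if (isSecure) {
    sb.append("; Secure");
  }

  sb.append("; HttpOnly");
  resp.addHeader("Set-Cookie", sb.toString());
}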
 
Example #15
Source File: RangerKrbFilter.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the {@link AuthenticationToken} for the request.
 * <p>
 * The first cookie named {@link AuthenticatedURL#AUTH_COOKIE} is taken, its
 * signature is verified, and the extracted value is parsed into a token. The
 * token's type must equal the handler's type and the token must not be
 * expired.
 * <p>
 * If this method returns <code>null</code> the filter will invoke the configured {@link AuthenticationHandler}
 * to perform user authentication.
 *
 * @param request request object.
 *
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 *
 * @throws IOException thrown if an IO error occurred.
 * @throws AuthenticationException thrown if the signature is invalid, the token type does not match, or the
 *         token has expired.
 */
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
  String verifiedPayload = null;
  final Cookie[] received = request.getCookies();
  if (received != null) {
    for (Cookie candidate : received) {
      if (!AuthenticatedURL.AUTH_COOKIE.equals(candidate.getName())) {
        continue;
      }
      try {
        // Nothing in the cookie is trusted until the signature verifies.
        verifiedPayload = signer.verifyAndExtract(candidate.getValue());
      } catch (SignerException ex) {
        throw new AuthenticationException(ex);
      }
      break;
    }
  }

  if (verifiedPayload == null) {
    return null;
  }

  final AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
  if (parsed == null) {
    return null;
  }
  if (!parsed.getType().equals(authHandler.getType())) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #16
Source File: SecurityCatalogResource.java    From streamline with Apache License 2.0 5 votes vote down vote up
/**
 * Logs the current user out by telling the browser to drop the Hadoop
 * authentication cookie.
 *
 * <p>The response carries the current user as its entity and a replacement
 * cookie with the value {@code "deleted"}, max-age 0 and an epoch expiry.
 *
 * <p>NOTE(review): only the client's copy of the cookie is cleared here; no
 * server-side invalidation is visible, so a token copied before logout would
 * presumably stay usable until it expires - confirm.
 */
@POST
@Path("/users/current/logout")
@Timed
public Response logoutCurrentUser(@Context UriInfo uriInfo,
                                  @Context SecurityContext securityContext) throws Exception {
    final User loggedOutUser = getCurrentUser(securityContext);

    // Resulting header, for reference:
    // Set-Cookie hadoop.auth=deleted;Version=1;Path=/;Max-Age=0;HttpOnly;Expires=Thu, 01 Jan 1970 00:00:00 GMT
    final Cookie expiredAuth = new Cookie(AuthenticatedURL.AUTH_COOKIE, "deleted", "/", null);
    final NewCookie clearingCookie =
            new NewCookie(expiredAuth, null, 0, new Date(0), securityContext.isSecure(), true);

    return Response.status(OK)
            .entity(loggedOutUser)
            .cookie(clearingCookie)
            .build();
}
 
Example #17
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0 5 votes vote down vote up
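/**
 * Creates the Hadoop authentication HTTP cookie and adds it to the response
 * as a {@code Set-Cookie} header.
 *
 * <p>{@code token}, {@code path} and {@code domain} are appended to the
 * header as given, so callers must make sure they contain no {@code ';'},
 * CR or LF. {@code HttpOnly} is always set and no {@code SameSite} attribute
 * is emitted.
 *
 * @param resp               the response object.
 * @param token              authentication token for the cookie.
 * @param domain             the cookie domain.
 * @param path               the cookie path.
 * @param expires            expiry instant passed to {@link Date#Date(long)},
 *                           i.e. milliseconds since the epoch. It has no
 *                           effect if its value &lt; 0.
 * @param isCookiePersistent whether the cookie is persistent or not; a
 *                           non-persistent cookie gets no {@code Expires}.
 * @param isSecure           is the cookie secure?
 *                           <p>
 *                           XXX the following code duplicate some logic in Jetty / Servlet API,
 *                           because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
 *                           right now.
 */
public static void createAuthCookie(HttpServletResponse resp, String token,
                                    String domain, String path, long expires,
                                    boolean isCookiePersistent,
                                    boolean isSecure) {
  StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE)
      .append("=");
  if (token != null && token.length() > 0) {
    sb.append("\"").append(token).append("\"");
  }

  if (path != null) {
    sb.append("; Path=").append(path);
  }

  if (domain != null) {
    sb.append("; Domain=").append(domain);
  }

  if (expires >= 0 && isCookiePersistent) {
    // Pin the locale: with the JVM default, a non-English locale would
    // write localized day and month names that clients cannot parse.
    SimpleDateFormat df = new SimpleDateFormat(
        "EEE, dd-MMM-yyyy HH:mm:ss zzz", java.util.Locale.US);
    df.setTimeZone(TimeZone.getTimeZone("GMT"));
    sb.append("; Expires=").append(df.format(new Date(expires)));
  }

  if (isSecure) {
    sb.append("; Secure");
  }

  sb.append("; HttpOnly");
  resp.addHeader("Set-Cookie", sb.toString());
}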
 
Example #18
Source File: AtlasAuthenticationFilter.java    From incubator-atlas with Apache License 2.0 5 votes vote down vote up
/**
 * Reads the user name out of the authentication cookie that was set on the
 * response.
 *
 * <p>Every {@code Set-Cookie} header that starts with the authentication
 * cookie name (compared case-insensitively) and contains {@code "u="} is
 * split on {@code ';'}; in the part that starts with the cookie name, the
 * text between {@code "u="} and the next {@code '&'} is taken as the user
 * name. All headers are scanned, so a later matching header overrides an
 * earlier one.
 *
 * <p>NOTE(review): this is plain substring matching on the header text with
 * no signature check; it presumably relies on the header having been written
 * by this server during the same request - confirm against the caller.
 *
 * @param response1 response whose {@code Set-Cookie} headers are inspected
 * @return the user name, or {@code null} when none is found
 */
private static String readUserFromCookie(HttpServletResponse response1) {
    if (!response1.containsHeader("Set-Cookie")) {
        return null;
    }
    final Collection<String> setCookieHeaders = response1.getHeaders("Set-Cookie");
    if (setCookieHeaders == null) {
        return null;
    }

    final String authCookiePrefix = AuthenticatedURL.AUTH_COOKIE.toLowerCase();
    String userName = null;
    for (String header : setCookieHeaders) {
        if (StringUtils.isEmpty(header)) {
            continue;
        }
        if (!header.toLowerCase().startsWith(authCookiePrefix) || !header.contains("u=")) {
            continue;
        }
        for (String part : header.split(";")) {
            if (StringUtils.isEmpty(part) || !part.toLowerCase().startsWith(authCookiePrefix)) {
                continue;
            }
            final int userStart = part.indexOf("u=");
            if (userStart == -1) {
                continue;
            }
            final int userEnd = part.indexOf("&", userStart);
            if (userEnd == -1) {
                continue;
            }
            try {
                userName = part.substring(userStart + 2, userEnd);
                // Leaves the attribute loop only; remaining headers are
                // still examined.
                break;
            } catch (Exception e) {
                userName = null;
            }
        }
    }
    return userName;
}
 
Example #19
Source File: TestAuthenticationFilter.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that the filter returns the token carried in a correctly signed
 * authentication cookie.
 *
 * <p>The filter is initialized from a mocked {@code FilterConfig} with a
 * fixed test signing secret; a token is signed with the same secret
 * provider, placed in a cookie on a mocked request, and compared with what
 * {@code getToken} returns.
 */
@Test
public void testGetToken() throws Exception {
  final AuthenticationFilter filter = new AuthenticationFilter();

  try {
    final FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    // Fixed secret, test fixture only.
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn("secret");
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(new Vector<String>(Arrays.asList(
            AuthenticationFilter.AUTH_TYPE,
            AuthenticationFilter.SIGNATURE_SECRET,
            "management.operation.return")).elements());
    final SignerSecretProvider secrets =
        getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    final AuthenticationToken original =
        new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
    // NOTE(review): a value named *_SEC is added to a millisecond clock
    // reading - confirm the unit of TOKEN_VALIDITY_SEC.
    original.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);

    final String signedToken = new Signer(secrets).sign(original.toString());

    final Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    final AuthenticationToken roundTripped = filter.getToken(request);

    Assert.assertEquals(original.toString(), roundTripped.toString());
  } finally {
    filter.destroy();
  }
}
 
Example #20
Source File: AuthenticationFilter.java    From big-c with Apache License 2.0 5 votes vote down vote up
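/**
 * Creates the Hadoop authentication HTTP cookie and adds it to the response
 * as a {@code Set-Cookie} header.
 *
 * <p>The header is built by string concatenation: {@code token},
 * {@code path} and {@code domain} are not validated or escaped, so callers
 * must make sure they contain no {@code ';'}, CR or LF. {@code HttpOnly} is
 * always added, {@code Secure} only when {@code isSecure} is true, and no
 * {@code SameSite} attribute is emitted.
 *
 * @param resp the response that receives the header.
 * @param token authentication token for the cookie; when null or empty the
 *              cookie is written with an empty value.
 * @param domain the cookie domain, omitted when null.
 * @param path the cookie path, omitted when null.
 * @param expires expiry instant passed to {@link Date#Date(long)}, i.e.
 *                milliseconds since the epoch. It has no effect if its
 *                value &lt; 0.
 * @param isSecure whether to mark the cookie {@code Secure}.
 *
 * XXX the following code duplicate some logic in Jetty / Servlet API,
 * because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
 * right now.
 */
public static void createAuthCookie(HttpServletResponse resp, String token,
                                    String domain, String path, long expires,
                                    boolean isSecure) {
  StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE)
                         .append("=");
  if (token != null && token.length() > 0) {
    sb.append("\"").append(token).append("\"");
  }

  if (path != null) {
    sb.append("; Path=").append(path);
  }

  if (domain != null) {
    sb.append("; Domain=").append(domain);
  }

  if (expires >= 0) {
    // An explicit locale keeps the day and month names English; the JVM
    // default locale could otherwise yield an Expires value that clients
    // reject.
    SimpleDateFormat df = new SimpleDateFormat(
        "EEE, dd-MMM-yyyy HH:mm:ss zzz", java.util.Locale.US);
    df.setTimeZone(TimeZone.getTimeZone("GMT"));
    sb.append("; Expires=").append(df.format(new Date(expires)));
  }

  if (isSecure) {
    sb.append("; Secure");
  }

  sb.append("; HttpOnly");
  resp.addHeader("Set-Cookie", sb.toString());
}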
 
Example #21
Source File: AuthenticationFilter.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the {@link AuthenticationToken} for the request.
 * <p>
 * It takes the first received cookie named {@link AuthenticatedURL#AUTH_COOKIE}, verifies its signature,
 * parses the extracted value into an {@link AuthenticationToken}, and checks the token's type against the
 * handler's type and its expiry.
 * <p>
 * If this method returns <code>null</code> the filter will invoke the configured {@link AuthenticationHandler}
 * to perform user authentication.
 *
 * @param request request object.
 *
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 *
 * @throws IOException thrown if an IO error occurred.
 * @throws AuthenticationException thrown if the token is invalid or if it has expired.
 */
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
  String verifiedPayload = null;
  final Cookie[] received = request.getCookies();
  if (received != null) {
    for (Cookie candidate : received) {
      if (!candidate.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
        continue;
      }
      try {
        // Signature first: the payload is only parsed once it verifies.
        verifiedPayload = signer.verifyAndExtract(candidate.getValue());
      } catch (SignerException ex) {
        throw new AuthenticationException(ex);
      }
      break;
    }
  }

  if (verifiedPayload == null) {
    return null;
  }

  // NOTE(review): the parse result is dereferenced without a null check -
  // confirm parse() never returns null.
  final AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
  if (!parsed.getType().equals(authHandler.getType())) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #22
Source File: DelegationTokenAuthenticator.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Cancels a delegation token from the server end-point. It does not require
 * being authenticated by the configured <code>Authenticator</code>.
 *
 * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
 * are supported.
 * @param token the authentication token passed on to the operation.
 * @param dToken the delegation token to cancel.
 * @param doAsUser the user to do as, which will be the token owner.
 * @throws IOException if an IO error occurred, or wrapping an unexpected
 * {@link AuthenticationException}.
 */
public void cancelDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
    throws IOException {
  final DelegationTokenOperation cancelOp =
      DelegationTokenOperation.CANCELDELEGATIONTOKEN;
  try {
    doDelegationTokenOperation(url, token, cancelOp, null, dToken, false,
        doAsUser);
  } catch (AuthenticationException ex) {
    // Not expected for this operation; surfaced as an IOException with the
    // cause attached.
    throw new IOException("This should not happen: " + ex.getMessage(), ex);
  }
}
 
Example #23
Source File: LogsearchKrbFilter.java    From ambari-logsearch with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the {@link AuthenticationToken} for the request.
 * <p>
 * Only the first cookie named {@link AuthenticatedURL#AUTH_COOKIE} is used. Its signature is verified, the
 * extracted value is parsed, and a non-null token must match the handler's type and be unexpired.
 * <p>
 * If this method returns <code>null</code> the filter will invoke the configured {@link AuthenticationHandler}
 * to perform user authentication.
 *
 * @param request request object.
 *
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 *
 * @throws IOException thrown if an IO error occurred.
 * @throws AuthenticationException thrown if the token is invalid or if it has expired.
 */
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
  final Cookie[] received = request.getCookies();
  String verifiedPayload = null;
  if (received != null) {
    for (Cookie candidate : received) {
      if (!AuthenticatedURL.AUTH_COOKIE.equals(candidate.getName())) {
        continue;
      }
      try {
        // The cookie content is untrusted until the signer accepts it.
        verifiedPayload = signer.verifyAndExtract(candidate.getValue());
      } catch (SignerException ex) {
        throw new AuthenticationException(ex);
      }
      break;
    }
  }

  final AuthenticationToken parsed =
      (verifiedPayload == null) ? null : AuthenticationToken.parse(verifiedPayload);
  if (parsed == null) {
    return null;
  }
  if (!parsed.getType().equals(authHandler.getType())) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #24
Source File: DelegationTokenAuthenticator.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Tells whether a delegation token accompanies the request, either inside
 * the given token object or as a query parameter of the URL.
 *
 * <p>The query check is a substring match on {@code DELEGATION_PARAM + "="},
 * so any query containing that text counts.
 *
 * @param url   URL whose query string is inspected
 * @param token authentication token, possibly a
 *              {@code DelegationTokenAuthenticatedURL.Token}
 * @return {@code true} if a delegation token is present in either place
 */
private boolean hasDelegationToken(URL url, AuthenticatedURL.Token token) {
  if (token instanceof DelegationTokenAuthenticatedURL.Token) {
    final DelegationTokenAuthenticatedURL.Token dtToken =
        (DelegationTokenAuthenticatedURL.Token) token;
    if (dtToken.getDelegationToken() != null) {
      return true;
    }
  }
  final String query = url.getQuery();
  return query != null && query.contains(DELEGATION_PARAM + "=");
}
 
Example #25
Source File: TestSentryWebServerWithKerberos.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a Kerberos-authenticated subject gets HTTP 200 and the body
 * {@code "pong\n"} from the web server's {@code /ping} endpoint.
 */
@Test
public void testPing() throws Exception {
  runTestAsSubject(new TestOperation() {
    @Override
    public void runTestAsSubject() throws Exception {
      final URL pingUrl = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
      final AuthenticatedURL spnegoClient =
          new AuthenticatedURL(new KerberosAuthenticator());
      final HttpURLConnection conn =
          spnegoClient.openConnection(pingUrl, new AuthenticatedURL.Token());
      Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
      final String body = IOUtils.toString(conn.getInputStream());
      Assert.assertEquals("pong\n", body);
    }
  });
}
 
Example #26
Source File: WhoClient.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Command-line client: opens the given URL through {@link AuthenticatedURL}
 * and prints the resulting token, the HTTP status and, on 200, the response
 * body.
 *
 * <p>The printed token value is what authenticates later requests, so the
 * output of this program should be handled like a credential.
 *
 * @param args exactly one argument, the URL to call
 */
public static void main(String[] args) {
  try {
    if (args.length != 1) {
      System.err.println("Usage: <URL>");
      System.exit(-1);
    }
    final AuthenticatedURL.Token token = new AuthenticatedURL.Token();
    final URL target = new URL(args[0]);
    final HttpURLConnection conn = new AuthenticatedURL().openConnection(target, token);

    System.out.println();
    System.out.println("Token value: " + token);
    final int status = conn.getResponseCode();
    System.out.println("Status code: " + status + " " + conn.getResponseMessage());
    System.out.println();

    if (status == HttpURLConnection.HTTP_OK) {
      final BufferedReader body = new BufferedReader(
          new InputStreamReader(
              conn.getInputStream(), Charset.forName("UTF-8")));
      for (String line = body.readLine(); line != null; line = body.readLine()) {
        System.out.println(line);
      }
      body.close();
    }
    System.out.println();
  }
  catch (Exception ex) {
    System.err.println("ERROR: " + ex.getMessage());
    System.exit(-1);
  }
}
 
Example #27
Source File: TestSentryWebServerWithKerberos.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that calling {@code /ping} without a Kerberos subject fails with
 * a "No valid credentials provided" error instead of succeeding.
 */
@Test
public void testPingWithoutSubject() throws Exception {
  final URL pingUrl = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
  final AuthenticatedURL spnegoClient = new AuthenticatedURL(new KerberosAuthenticator());
  try {
    spnegoClient.openConnection(pingUrl, new AuthenticatedURL.Token());
    fail("Here should fail.");
  } catch (Exception e) {
    final boolean credentialsMissing =
        e.getMessage().contains("No valid credentials provided");
    Assert.assertTrue("Here should fail by 'No valid credentials provided'," +
        " but the exception is:" + e, credentialsMissing);
  }
}
 
Example #28
Source File: TestSentryWebServerWithKerberos.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a user who authenticates with Kerberos successfully but is
 * not authorized is rejected by {@code /ping} with status 403.
 *
 * <p>A new principal and keytab are created in the test KDC, the user logs
 * in, and the request is made as that subject.
 */
@Test
public void testPingWithUnauthorizedUser() throws Exception {
  // Create a Kerberos user that exists in the KDC but is not authorized.
  final String principalName = "user/" + SERVER_HOST;
  final String kerberosName = principalName + "@" + REALM;
  final Subject subject = new Subject(false, Sets.newHashSet(
      new KerberosPrincipal(kerberosName)), new HashSet<Object>(),new HashSet<Object>());
  final File keytab = new File(kdcWorkDir, "user.keytab");
  kdc.createPrincipal(keytab, principalName);
  final LoginContext login = new LoginContext("", subject, null,
      KerberosConfiguration.createClientConfig(kerberosName, keytab));
  login.login();

  Subject.doAs(login.getSubject(), new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final URL pingUrl = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
      final AuthenticatedURL spnegoClient =
          new AuthenticatedURL(new KerberosAuthenticator());
      try {
        spnegoClient.openConnection(pingUrl, new AuthenticatedURL.Token());
        fail("Here should fail.");
      } catch (AuthenticationException e) {
        // Authentication works; it is the authorization step that must say no.
        final String expectedError = "status code: 403";
        if (!e.getMessage().contains(expectedError)) {
          LOG.error("UnexpectedError: " + e.getMessage(), e);
          fail("UnexpectedError: " + e.getMessage());
        }
      }
      return null;
    }
  });
}
 
Example #29
Source File: DelegationTokenAuthenticator.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Authenticates against {@code url} with the wrapped authenticator unless a
 * delegation token is already available.
 *
 * <p>When {@code hasDelegationToken} reports a token (in the token object or
 * in the URL), this method does nothing and the delegation token stands in
 * for authentication.
 *
 * @param url   the URL to authenticate against
 * @param token the authentication token being used for the user
 * @throws IOException if an IO error occurred
 * @throws AuthenticationException if the wrapped authenticator fails
 */
@Override
public void authenticate(URL url, AuthenticatedURL.Token token)
    throws IOException, AuthenticationException {
  if (hasDelegationToken(url, token)) {
    return;
  }
  authenticator.authenticate(url, token);
}
 
Example #30
Source File: TestAuthenticationFilter.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the filter and asserts the rejection path: a 401 is sent, the filter
 * chain is never invoked, and the authentication cookie is set to an empty
 * value.
 *
 * @param filter   filter under test
 * @param request  mocked request
 * @param response mocked response; its {@code Set-Cookie} headers are captured
 * @param chain    mocked chain that must not be called
 */
private static void verifyUnauthorized(AuthenticationFilter filter,
                                       HttpServletRequest request,
                                       HttpServletResponse response,
                                       FilterChain chain) throws
                                                          IOException,
                                                          ServletException {
  final HashMap<String, String> capturedCookie = new HashMap<String, String>();
  // Record whatever the filter writes as Set-Cookie so it can be checked below.
  final Answer<Object> captureSetCookie = new Answer<Object>() {
    @Override
    public Object answer(InvocationOnMock invocation) throws Throwable {
      final String headerValue = (String) invocation.getArguments()[1];
      parseCookieMap(headerValue, capturedCookie);
      return null;
    }
  };
  Mockito.doAnswer(captureSetCookie)
      .when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());

  filter.doFilter(request, response, chain);

  Mockito.verify(response).sendError(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
  Mockito.verify(chain, Mockito.never()).doFilter(
      Mockito.any(ServletRequest.class), Mockito.any(ServletResponse.class));

  // An empty cookie value means no usable token remains on the client.
  Assert.assertTrue("cookie is missing",
      capturedCookie.containsKey(AuthenticatedURL.AUTH_COOKIE));
  Assert.assertEquals("", capturedCookie.get(AuthenticatedURL.AUTH_COOKIE));
}