org.apache.hadoop.security.authentication.server.AuthenticationToken Java Examples

The following examples show how to use org.apache.hadoop.security.authentication.server.AuthenticationToken.
Example #1
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From hadoop with Apache License 2.0
/**
 * Checks that a delegation token carried in the request query string is accepted by the
 * handler and yields an {@link AuthenticationToken} for the current user.
 * <p>
 * NOTE(review): a token placed in the query string can end up in access and proxy logs;
 * the header transport exercised by testValidDelegationTokenHeader avoids that exposure.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenQueryString() throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);

  // Mint a real delegation token through the handler's own token manager.
  Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  String query = DelegationTokenAuthenticator.DELEGATION_PARAM + "="
      + delegationToken.encodeToUrlString();
  Mockito.when(req.getQueryString()).thenReturn(query);

  AuthenticationToken authToken = handler.authenticate(req, resp);

  String expectedUser = UserGroupInformation.getCurrentUser().getShortUserName();
  Assert.assertEquals(expectedUser, authToken.getUserName());
  // The returned token has expires == 0 and already reports itself as expired.
  // NOTE(review): presumably so it is never turned into a reusable auth cookie - confirm.
  Assert.assertEquals(0, authToken.getExpires());
  Assert.assertEquals(handler.getType(), authToken.getType());
  Assert.assertTrue(authToken.isExpired());
}
 
Example #2
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From hadoop with Apache License 2.0
/**
 * Checks that a delegation token carried in the
 * {@code DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER} request header is accepted
 * by the handler and yields an {@link AuthenticationToken} for the current user.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenHeader() throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);

  // Mint a real delegation token through the handler's own token manager.
  Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  String encodedToken = delegationToken.encodeToUrlString();
  Mockito.when(
      req.getHeader(Mockito.eq(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)))
      .thenReturn(encodedToken);

  AuthenticationToken authToken = handler.authenticate(req, resp);

  String expectedUser = UserGroupInformation.getCurrentUser().getShortUserName();
  Assert.assertEquals(expectedUser, authToken.getUserName());
  // The returned token has expires == 0 and already reports itself as expired.
  // NOTE(review): presumably so it is never turned into a reusable auth cookie - confirm.
  Assert.assertEquals(0, authToken.getExpires());
  Assert.assertEquals(handler.getType(), authToken.getType());
  Assert.assertTrue(authToken.isExpired());
}
 
Example #3
Source File: HttpParamDelegationTokenPlugin.java    From lucene-solr with Apache License 2.0
/**
 * Builds an {@link AuthenticationToken} from a user name supplied by the client.
 * <p>
 * The name is read from the {@code USER_PARAM} request parameter and, when that is
 * absent, from the {@code INTERNAL_REQUEST_HEADER} header. This method performs no
 * credential, signature or origin check on either value: whatever name the request
 * carries becomes both the user name and the principal of the returned token.
 * <p>
 * NOTE(review): the "test" token type and the "dummy" challenge suggest a test fixture -
 * confirm it is never wired into a deployed authentication chain.
 *
 * @param request request whose parameter or header names the user.
 * @param response response that receives the 401 status and challenge header when no
 *     name is supplied.
 * @return a token for the supplied name, or {@code null} when the request names no user.
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request,
                                        HttpServletResponse response)
    throws IOException, AuthenticationException {
  String principal = getHttpParam(request, USER_PARAM);
  if (principal == null) {
    // No explicit user parameter: fall back to the internal-request header.
    principal = request.getHeader(INTERNAL_REQUEST_HEADER);
  }
  if (principal == null) {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "dummy");
    return null;
  }
  return new AuthenticationToken(principal, principal, "test");
}
 
Example #4
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From big-c with Apache License 2.0
/**
 * Verifies the query-string transport: a delegation token passed as the
 * {@code DelegationTokenAuthenticator.DELEGATION_PARAM} parameter must authenticate the
 * current user.
 * <p>
 * NOTE(review): tokens in a URL are visible to access and proxy logs; the header variant
 * covered by testValidDelegationTokenHeader does not have that exposure.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenQueryString() throws Exception {
  final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
  final HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);

  // A genuine token issued by the handler's token manager for the current user.
  final Token<DelegationTokenIdentifier> issued =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  final String queryString =
      DelegationTokenAuthenticator.DELEGATION_PARAM + "=" + issued.encodeToUrlString();
  Mockito.when(mockRequest.getQueryString()).thenReturn(queryString);

  final AuthenticationToken result = handler.authenticate(mockRequest, mockResponse);

  Assert.assertEquals(
      UserGroupInformation.getCurrentUser().getShortUserName(), result.getUserName());
  // expires == 0 together with isExpired() == true is the expected shape of the result.
  // NOTE(review): looks like a one-request token that is not meant to be cached - confirm.
  Assert.assertEquals(0, result.getExpires());
  Assert.assertEquals(handler.getType(), result.getType());
  Assert.assertTrue(result.isExpired());
}
 
Example #5
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From big-c with Apache License 2.0
/**
 * Verifies the header transport: a delegation token passed in the
 * {@code DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER} header must authenticate
 * the current user.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenHeader() throws Exception {
  final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
  final HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);

  // A genuine token issued by the handler's token manager for the current user.
  final Token<DelegationTokenIdentifier> issued =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  final String headerValue = issued.encodeToUrlString();
  Mockito.when(
      mockRequest.getHeader(Mockito.eq(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)))
      .thenReturn(headerValue);

  final AuthenticationToken result = handler.authenticate(mockRequest, mockResponse);

  Assert.assertEquals(
      UserGroupInformation.getCurrentUser().getShortUserName(), result.getUserName());
  // expires == 0 together with isExpired() == true is the expected shape of the result.
  // NOTE(review): looks like a one-request token that is not meant to be cached - confirm.
  Assert.assertEquals(0, result.getExpires());
  Assert.assertEquals(handler.getType(), result.getType());
  Assert.assertTrue(result.isExpired());
}
 
Example #6
Source File: AtlasAuthenticationFilter.java    From atlas with Apache License 2.0
/**
 * Extracts the {@link AuthenticationToken} from the request's signed auth cookie.
 * <p>
 * Every cookie named {@link AuthenticatedURL#AUTH_COOKIE} has its signature verified; the
 * loop does not stop at the first match, so when several are present the value of the
 * last one is used, and a bad signature on any of them aborts the request. The parsed
 * token must carry the type of the configured {@link AuthenticationHandler} and must not
 * be expired.
 *
 * @param request request whose cookies are inspected.
 * @return the verified token, or {@code null} when no auth cookie yields one.
 * @throws IOException declared by the overridden method; not thrown by this code itself.
 * @throws AuthenticationException if a signature check fails, the token type does not
 *     match, or the token has expired.
 */
@Override
protected AuthenticationToken getToken(HttpServletRequest request)
        throws IOException, AuthenticationException {
    String verifiedPayload = null;
    Cookie[] requestCookies = request.getCookies();
    if (requestCookies != null) {
        for (Cookie candidate : requestCookies) {
            if (!candidate.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
                continue;
            }
            try {
                // Only the payload recovered from a valid signature is ever parsed.
                verifiedPayload = this.signer.verifyAndExtract(candidate.getValue());
            } catch (SignerException ex) {
                throw new AuthenticationException(ex);
            }
        }
    }

    if (verifiedPayload == null) {
        return null;
    }

    AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
    if (parsed == null) {
        return null;
    }

    AuthenticationHandler configuredHandler = getAuthenticationHandler();
    boolean typeMatches = parsed.getType().equals(configuredHandler.getType());
    if (!typeMatches) {
        throw new AuthenticationException("Invalid AuthenticationToken type");
    }
    if (parsed.isExpired()) {
        throw new AuthenticationException("AuthenticationToken expired");
    }
    return parsed;
}
 
Example #7
Source File: RangerKrbFilter.java    From ranger with Apache License 2.0
/**
 * Returns the {@link AuthenticationToken} carried by the request's auth cookie.
 * <p>
 * The first cookie named {@link AuthenticatedURL#AUTH_COOKIE} is taken, its signature is
 * verified, and the extracted payload is parsed into a token. The token is accepted only
 * if its type equals the type of the configured {@link AuthenticationHandler} and it has
 * not expired.
 * <p>
 * A <code>null</code> result means the request carried no usable auth cookie; the
 * surrounding filter is documented to fall back to the configured
 * {@link AuthenticationHandler} in that case.
 *
 * @param request request object.
 *
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 *
 * @throws IOException declared for callers; not thrown by this code itself.
 * @throws AuthenticationException thrown if the signature is invalid, the token type does
 * not match, or the token has expired.
 */
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
  String verifiedPayload = null;
  Cookie[] requestCookies = request.getCookies();
  if (requestCookies != null) {
    for (Cookie candidate : requestCookies) {
      if (!AuthenticatedURL.AUTH_COOKIE.equals(candidate.getName())) {
        continue;
      }
      try {
        // Only the payload recovered from a valid signature is ever parsed.
        verifiedPayload = signer.verifyAndExtract(candidate.getValue());
      } catch (SignerException ex) {
        throw new AuthenticationException(ex);
      }
      // Later cookies with the same name are ignored.
      break;
    }
  }
  if (verifiedPayload == null) {
    return null;
  }

  AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
  if (parsed == null) {
    return null;
  }
  boolean typeMatches = parsed.getType().equals(authHandler.getType());
  if (!typeMatches) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #8
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Recovers the {@link AuthenticationToken} from the first cookie named
 * {@link AuthenticatedURL#AUTH_COOKIE}.
 * <p>
 * An empty cookie value is rejected outright; otherwise the signature is verified and the
 * extracted payload is parsed. The parsed token is handed to {@code verifyTokenType}
 * without a null check, then tested for expiry.
 *
 * @param cookies cookies of the request, may be {@code null}.
 * @return the verified token, or {@code null} when no auth cookie is present.
 * @throws AuthenticationException if the cookie is empty, its signature is invalid, the
 *     token type is not supported, or the token has expired.
 */
private static AuthenticationToken getTokenFromCookies(Cookie[] cookies)
    throws AuthenticationException {
  if (cookies == null) {
    return null;
  }

  String verifiedPayload = null;
  for (Cookie candidate : cookies) {
    if (!candidate.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
      continue;
    }
    String signedValue = candidate.getValue();
    if (signedValue.isEmpty()) {
      throw new AuthenticationException("Empty token");
    }
    try {
      // Only the payload recovered from a valid signature is ever parsed.
      verifiedPayload = signer.verifyAndExtract(signedValue);
    } catch (SignerException ex) {
      throw new AuthenticationException(ex);
    }
    // Later cookies with the same name are ignored.
    break;
  }

  if (verifiedPayload == null) {
    return null;
  }

  AuthenticationToken parsed = AuthenticationToken.parse(verifiedPayload);
  if (!verifyTokenType(parsed)) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (parsed.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return parsed;
}
 
Example #9
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Converts an already-acquired {@link KerberosToken} into a Shiro {@link SimpleAccount}.
 * <p>
 * The account takes its principal and credentials from the token, is given the token's
 * class name as the third constructor argument, and receives the roles that
 * {@code mapGroupPrincipals} returns for the principal. The argument is cast to
 * {@link KerberosToken} without a type check, so any other token type fails with a
 * {@link ClassCastException}.
 *
 * @param authenticationToken the token produced by Kerberos authentication, may be
 *     {@code null}.
 * @return the account for the token, or {@code null} when no token was supplied.
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
    org.apache.shiro.authc.AuthenticationToken authenticationToken)
    throws org.apache.shiro.authc.AuthenticationException {
  if (authenticationToken == null) {
    return null;
  }
  final KerberosToken krbToken = (KerberosToken) authenticationToken;
  final SimpleAccount shiroAccount = new SimpleAccount(
      krbToken.getPrincipal(),
      krbToken.getCredentials(),
      krbToken.getClass().getName());
  // Roles are derived from the principal's group mapping.
  shiroAccount.addRole(mapGroupPrincipals((String) krbToken.getPrincipal()));
  return shiroAccount;
}
 
Example #10
Source File: AtlasAuthenticationFilter.java    From incubator-atlas with Apache License 2.0
/**
 * Reads the signed auth cookie from the request and turns it into an
 * {@link AuthenticationToken}.
 * <p>
 * All cookies named {@link AuthenticatedURL#AUTH_COOKIE} are signature-checked in order;
 * there is no early exit, so the last matching cookie supplies the payload and a failed
 * check on any of them rejects the request. The resulting token is accepted only when its
 * type equals that of the configured {@link AuthenticationHandler} and it is not expired.
 *
 * @param request request whose cookies are inspected.
 * @return the verified token, or {@code null} when no auth cookie yields one.
 * @throws IOException declared by the overridden method; not thrown by this code itself.
 * @throws AuthenticationException if a signature check fails, the token type does not
 *     match, or the token has expired.
 */
@Override
protected AuthenticationToken getToken(HttpServletRequest request)
        throws IOException, AuthenticationException {
    final Cookie[] jar = request.getCookies();
    String payload = null;
    if (jar != null) {
        for (int i = 0; i < jar.length; i++) {
            final Cookie current = jar[i];
            if (current.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
                final String signed = current.getValue();
                try {
                    // Parsing happens only on what the signer hands back.
                    payload = this.signer.verifyAndExtract(signed);
                } catch (SignerException ex) {
                    throw new AuthenticationException(ex);
                }
            }
        }
    }

    AuthenticationToken result = null;
    if (payload != null) {
        result = AuthenticationToken.parse(payload);
    }
    if (result != null) {
        final AuthenticationHandler handlerInUse = getAuthenticationHandler();
        if (!result.getType().equals(handlerInUse.getType())) {
            throw new AuthenticationException("Invalid AuthenticationToken type");
        }
        if (result.isExpired()) {
            throw new AuthenticationException("AuthenticationToken expired");
        }
    }
    return result;
}
 
Example #11
Source File: RequestContinuesRecorderAuthenticationHandler.java    From lucene-solr with Apache License 2.0
/**
 * Delegates the management operation to the wrapped handler and records its outcome on
 * the request.
 * <p>
 * The delegate's boolean result is stored, as a string, under the
 * {@code REQUEST_CONTINUES_ATTR} request attribute before being returned unchanged.
 *
 * @param token the authentication token passed through to the delegate.
 * @param request the request; receives the recorded attribute.
 * @param response the response passed through to the delegate.
 * @return whatever the wrapped handler returned.
 * @throws IOException if the wrapped handler throws it.
 * @throws AuthenticationException if the wrapped handler throws it.
 */
public boolean managementOperation(AuthenticationToken token,
                                   HttpServletRequest request,
                                   HttpServletResponse response)
    throws IOException, AuthenticationException {
  final boolean delegateOutcome = authHandler.managementOperation(token, request, response);
  final String recorded = String.valueOf(delegateOutcome);
  request.setAttribute(
      RequestContinuesRecorderAuthenticationHandler.REQUEST_CONTINUES_ATTR, recorded);
  return delegateOutcome;
}
 
Example #12
Source File: LogsearchKrbFilter.java    From ambari-logsearch with Apache License 2.0
/**
 * Returns the {@link AuthenticationToken} carried by the request's auth cookie.
 * <p>
 * The cookies are scanned for the first one named {@link AuthenticatedURL#AUTH_COOKIE}.
 * Its signature is verified and the extracted payload is parsed into a token, which is
 * accepted only if its type equals that of the configured {@link AuthenticationHandler}
 * and it has not expired.
 * <p>
 * A <code>null</code> result means the request carried no usable auth cookie; the
 * surrounding filter is documented to fall back to the configured
 * {@link AuthenticationHandler} in that case.
 *
 * @param request request object.
 *
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 *
 * @throws IOException declared for callers; not thrown by this code itself.
 * @throws AuthenticationException thrown if the signature is invalid, the token type does
 * not match, or the token has expired.
 */
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
  final Cookie[] jar = request.getCookies();
  String payload = null;
  if (jar != null) {
    for (int i = 0; i < jar.length; i++) {
      final Cookie current = jar[i];
      if (AuthenticatedURL.AUTH_COOKIE.equals(current.getName())) {
        final String signed = current.getValue();
        try {
          // Parsing happens only on what the signer hands back.
          payload = signer.verifyAndExtract(signed);
        } catch (SignerException ex) {
          throw new AuthenticationException(ex);
        }
        // First match wins; duplicates further down the list are not examined.
        break;
      }
    }
  }

  AuthenticationToken result = null;
  if (payload != null) {
    result = AuthenticationToken.parse(payload);
  }
  if (result != null) {
    if (!result.getType().equals(authHandler.getType())) {
      throw new AuthenticationException("Invalid AuthenticationToken type");
    }
    if (result.isExpired()) {
      throw new AuthenticationException("AuthenticationToken expired");
    }
  }
  return result;
}
 
Example #13
Source File: RequestContinuesRecorderAuthenticationHandler.java    From lucene-solr with Apache License 2.0
/**
 * Forwards authentication to the wrapped handler without adding any check of its own.
 *
 * @param request the incoming request.
 * @param response the outgoing response.
 * @return the token produced by the wrapped handler, exactly as returned.
 * @throws IOException if the wrapped handler throws it.
 * @throws AuthenticationException if the wrapped handler throws it.
 */
public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response)
    throws IOException, AuthenticationException {
  final AuthenticationToken delegated = authHandler.authenticate(request, response);
  return delegated;
}
 
Example #14
Source File: HttpParamDelegationTokenPlugin.java    From lucene-solr with Apache License 2.0
/**
 * No-op management hook: ignores all three arguments, leaves the response untouched and
 * always answers {@code false}.
 *
 * @param token ignored.
 * @param request ignored.
 * @param response ignored.
 * @return {@code false}, unconditionally.
 */
@Override
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response)
    throws IOException, AuthenticationException {
  return false;
}
 
Example #15
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From big-c with Apache License 2.0
/**
 * Exercises the RENEWDELEGATIONTOKEN management operation in three phases against the
 * same mocked request: no authentication token, an authentication token without the
 * delegation token parameter, and a complete renewal request.
 */
@SuppressWarnings("unchecked")
private void testRenewToken() throws Exception {
  DelegationTokenAuthenticator.DelegationTokenOperation op =
      DelegationTokenAuthenticator.DelegationTokenOperation.
          RENEWDELEGATIONTOKEN;
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
  // The request names the operation and uses the HTTP method that operation declares.
  Mockito.when(request.getQueryString()).
      thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
  Mockito.when(request.getMethod()).
      thenReturn(op.getHttpMethod());

  // Phase 1: no AuthenticationToken. The handler must refuse with 401 and a
  // WWW-Authenticate challenge.
  Assert.assertFalse(handler.managementOperation(null, request, response));
  Mockito.verify(response).setStatus(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED));
  Mockito.verify(response).setHeader(Mockito.eq(
          KerberosAuthenticator.WWW_AUTHENTICATE),
      Mockito.eq("mock")
  );

  // Phase 2: caller is authenticated but did not supply the delegation token to renew.
  // Expect 400 with a message naming the missing [token] parameter.
  // reset() clears the interactions recorded in phase 1 so the verify calls below
  // only see this phase.
  Mockito.reset(response);
  AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
  Mockito.when(token.getUserName()).thenReturn("user");
  Assert.assertFalse(handler.managementOperation(token, request, response));
  Mockito.verify(response).sendError(
      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
      Mockito.contains("requires the parameter [token]"));

  // Phase 3: authenticated caller plus a real delegation token in the query string.
  // Expect 200 and a response body containing "long".
  Mockito.reset(response);
  StringWriter writer = new StringWriter();
  PrintWriter pwriter = new PrintWriter(writer);
  Mockito.when(response.getWriter()).thenReturn(pwriter);
  Token<DelegationTokenIdentifier> dToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  Mockito.when(request.getQueryString()).
      thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
          "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
          dToken.encodeToUrlString());
  Assert.assertFalse(handler.managementOperation(token, request, response));
  Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
  pwriter.close();
  Assert.assertTrue(writer.toString().contains("long"));
  // The token must still verify after the renewal; verifyToken's result is not asserted,
  // so this line presumably fails the test by throwing - confirm.
  handler.getTokenManager().verifyToken(dToken);
}
 
Example #16
Source File: TestWebDelegationToken.java    From big-c with Apache License 2.0
/**
 * Stub management hook for the test handler: the arguments are not read, the response is
 * not written to, and the result is always {@code false}.
 *
 * @param token ignored.
 * @param request ignored.
 * @param response ignored.
 * @return {@code false}, unconditionally.
 */
@Override
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response)
    throws IOException, AuthenticationException {
  return false;
}
 
Example #17
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Tells Shiro which tokens this realm handles: only instances of {@link KerberosToken}.
 * A {@code null} token is not supported, since {@code instanceof} is false for
 * {@code null}.
 *
 * @param token the Shiro authentication token to test.
 * @return {@code true} if {@code token} is a {@link KerberosToken}.
 */
@Override
public boolean supports(org.apache.shiro.authc.AuthenticationToken token) {
  final boolean isKerberosToken = token instanceof KerberosToken;
  return isKerberosToken;
}
 
Example #18
Source File: TestDelegationTokenAuthenticationHandlerWithMocks.java    From hadoop with Apache License 2.0
/**
 * Walks the RENEWDELEGATIONTOKEN management operation through its rejection and success
 * paths: unauthenticated caller, authenticated caller with no delegation token parameter,
 * and a full renewal request.
 */
@SuppressWarnings("unchecked")
private void testRenewToken() throws Exception {
  DelegationTokenAuthenticator.DelegationTokenOperation op =
      DelegationTokenAuthenticator.DelegationTokenOperation.
          RENEWDELEGATIONTOKEN;
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
  // Query string carries only the operation name; the HTTP method is the one the
  // operation itself reports.
  Mockito.when(request.getQueryString()).
      thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
  Mockito.when(request.getMethod()).
      thenReturn(op.getHttpMethod());

  // Unauthenticated caller (null token): 401 plus a WWW-Authenticate challenge.
  Assert.assertFalse(handler.managementOperation(null, request, response));
  Mockito.verify(response).setStatus(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED));
  Mockito.verify(response).setHeader(Mockito.eq(
          KerberosAuthenticator.WWW_AUTHENTICATE),
      Mockito.eq("mock")
  );

  // Authenticated caller, but the delegation token to renew is missing: 400 with a
  // message that names the [token] parameter. reset() drops the interactions recorded
  // above so the next verify calls see only this step.
  Mockito.reset(response);
  AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
  Mockito.when(token.getUserName()).thenReturn("user");
  Assert.assertFalse(handler.managementOperation(token, request, response));
  Mockito.verify(response).sendError(
      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
      Mockito.contains("requires the parameter [token]"));

  // Authenticated caller with a real delegation token in the query string: 200 and a
  // body that contains "long".
  Mockito.reset(response);
  StringWriter writer = new StringWriter();
  PrintWriter pwriter = new PrintWriter(writer);
  Mockito.when(response.getWriter()).thenReturn(pwriter);
  Token<DelegationTokenIdentifier> dToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
          UserGroupInformation.getCurrentUser(), "user");
  Mockito.when(request.getQueryString()).
      thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
          "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
          dToken.encodeToUrlString());
  Assert.assertFalse(handler.managementOperation(token, request, response));
  Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
  pwriter.close();
  Assert.assertTrue(writer.toString().contains("long"));
  // Final check that the renewed token is still accepted by the token manager; the
  // return value is not asserted, so a failure presumably surfaces as an exception - confirm.
  handler.getTokenManager().verifyToken(dToken);
}
 
Example #19
Source File: TestWebDelegationToken.java    From hadoop with Apache License 2.0
/**
 * Stub management hook for the test handler. It reads none of its arguments, writes
 * nothing to the response and returns {@code false} on every call.
 *
 * @param token ignored.
 * @param request ignored.
 * @param response ignored.
 * @return {@code false}, unconditionally.
 */
@Override
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response)
    throws IOException, AuthenticationException {
  return false;
}
 
Example #20
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Returns the {@link AuthenticationToken} for the request.
 * <p>
 * This method only reads the request's cookies and hands them to
 * {@code getTokenFromCookies}, which looks for the
 * {@link AuthenticatedURL#AUTH_COOKIE}, verifies its signature and validates the token.
 * <p>
 * A <code>null</code> result means the request carried no auth cookie; the caller is
 * documented to fall back to the configured {@link AuthenticationHandler} in that case.
 *
 * @param request request object.
 * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
 * @throws AuthenticationException thrown if the token is invalid or if it has expired.
 */
private AuthenticationToken getToken(HttpServletRequest request)
    throws AuthenticationException {
  return getTokenFromCookies(request.getCookies());
}
 
Example #21
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Empty implementation: no argument is inspected and the result is always
 * <code>true</code>. The method declares no checked exceptions.
 *
 * @param token the authentication token if any, otherwise <code>null</code>; not read.
 * @param request the HTTP client request; not read.
 * @param response the HTTP client response; not written to.
 *
 * @return <code>true</code>, unconditionally.
 */
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response) {
  return true;
}
 
Example #22
Source File: KerberosRealm.java    From zeppelin with Apache License 2.0
/**
 * Checks whether the token's type equals {@code TYPE}, the type this class compares
 * against.
 * <p>
 * The token is dereferenced without a null check, so a {@code null} argument results in
 * a {@link NullPointerException} rather than {@code false}.
 *
 * @param token the token whose type needs to be verified; must not be {@code null}.
 * @return {@code true} if the token's type equals {@code TYPE}, {@code false} otherwise.
 */
protected static boolean verifyTokenType(AuthenticationToken token) {
  final String presentedType = token.getType();
  return TYPE.equals(presentedType);
}