Class AltKerberosAuthenticationHandler

java.lang.Object
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler
All Implemented Interfaces:
AuthenticationHandler
Direct Known Subclasses:
JWTRedirectAuthenticationHandler

public abstract class AltKerberosAuthenticationHandler extends KerberosAuthenticationHandler
The AltKerberosAuthenticationHandler behaves exactly the same way as the KerberosAuthenticationHandler, except that it allows for an alternative form of authentication for browsers while still using Kerberos for Java access. This is an abstract class that should be subclassed to allow a developer to implement their own custom authentication for browser access. The alternateAuthenticate method will be called whenever a request comes from a browser.
  • Field Details

    • TYPE

      public static final String TYPE
      Constant that identifies the authentication mechanism.
    • NON_BROWSER_USER_AGENTS

      public static final String NON_BROWSER_USER_AGENTS
      Constant for the configuration property that indicates which user agents are not considered browsers (comma-separated).
  • Constructor Details

    • AltKerberosAuthenticationHandler

      public AltKerberosAuthenticationHandler()
  • Method Details

    • getType

      public String getType()
      Returns the authentication type of the authentication handler, 'alt-kerberos'.
      Specified by:
      getType in interface AuthenticationHandler
      Overrides:
      getType in class KerberosAuthenticationHandler
      Returns:
      the authentication type of the authentication handler, 'alt-kerberos'.
    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Description copied from class: KerberosAuthenticationHandler
      Initializes the authentication handler instance.

      It creates a Kerberos context using the principal and keytab specified in the configuration.

      This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

      Specified by:
      init in interface AuthenticationHandler
      Overrides:
      init in class KerberosAuthenticationHandler
      Parameters:
      config - configuration properties to initialize the handler.
      Throws:
      javax.servlet.ServletException - thrown if the handler could not be initialized.
    • authenticate

      public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      It enforces the Kerberos SPNEGO authentication sequence, returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully (in the case of Java access) and only after the custom authentication implemented by the subclass in alternateAuthenticate has completed successfully (in the case of browser access).
      Specified by:
      authenticate in interface AuthenticationHandler
      Overrides:
      authenticate in class KerberosAuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an authentication token if the request is authorized, or null
      Throws:
      IOException - thrown if an IO error occurred
      AuthenticationException - thrown if an authentication error occurred
    • isBrowser

      protected boolean isBrowser(String userAgent)
      This method parses the User-Agent String and returns whether or not it refers to a browser. If it's not a browser, then Kerberos authentication will be used; if it is a browser, alternateAuthenticate from the subclass will be used.

      A User-Agent String is considered to be a browser if it does not contain any of the values from alt-kerberos.non-browser.user-agents; the default behavior is to consider everything a browser unless it contains one of: "java", "curl", "wget", or "perl". Subclasses can optionally override this method to use different behavior.

      Parameters:
      userAgent - The User-Agent String, or null if there isn't one
      Returns:
      true if the User-Agent String refers to a browser, false if not
    • alternateAuthenticate

      public abstract AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Subclasses should implement this method to provide the custom authentication to be used for browsers.
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an authentication token if the request is authorized, or null
      Throws:
      IOException - thrown if an IO error occurs
      AuthenticationException - thrown if an authentication error occurs
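
An added example, not part of the Hadoop Javadoc or code base: a subclass whose alternateAuthenticate verifies an HMAC-signed header before issuing a token. Because the browser/non-browser decision in isBrowser rests on the client-supplied User-Agent, the alternate path has to authenticate the request fully on its own. The header name X-Example-Auth, its user:expiryMillis:signature format and the property example.signed-header.secret are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;

// Hypothetical subclass: browsers send "user:expiryMillis:base64url(HMAC-SHA256)" in X-Example-Auth.
public class SignedHeaderAuthenticationHandler extends AltKerberosAuthenticationHandler {
  private byte[] key;
  @Override
  public void init(Properties config) throws javax.servlet.ServletException {
    super.init(config); // Kerberos context from the configured principal and keytab
    String secret = config.getProperty("example.signed-header.secret"); // hypothetical property
    if (secret == null || secret.length() < 32) {
      throw new javax.servlet.ServletException("example.signed-header.secret missing or too short");
    }
    key = secret.getBytes(StandardCharsets.UTF_8);
  }

  @Override
  public AuthenticationToken alternateAuthenticate(HttpServletRequest request,
      HttpServletResponse response) throws IOException, AuthenticationException {
    String header = request.getHeader("X-Example-Auth"); // hypothetical header
    String[] parts = header == null ? new String[0] : header.split(":", 3);
    if (parts.length != 3) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no credential presented
      return null; // response already set, no token issued
    }
    try {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(key, "HmacSHA256"));
      byte[] expected = mac.doFinal((parts[0] + ":" + parts[1]).getBytes(StandardCharsets.UTF_8));
      byte[] supplied = Base64.getUrlDecoder().decode(parts[2]);
      if (!MessageDigest.isEqual(expected, supplied) // constant-time comparison
          || Long.parseLong(parts[1]) < System.currentTimeMillis()) {
        throw new AuthenticationException("invalid or expired credential");
      }
    } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
      throw new AuthenticationException(e); // malformed base64, bad expiry, or HMAC unavailable
    }
    return new AuthenticationToken(parts[0], parts[0], getType()); // type is 'alt-kerberos'
  }
}
```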