Class JWTRedirectAuthenticationHandler

All Implemented Interfaces:
AuthenticationHandler

public class JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler
The JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler to add WebSSO behavior for UIs. The expected SSO token is a JSON Web Token (JWT). The supported algorithm is RS256, an RSA signature over a SHA-256 digest, so the token issuer holds the private key and the consumer needs only the issuer's public key to verify. The flow requires a redirect to a configured authentication server URL and a subsequent request carrying the expected JWT. That token is cryptographically verified (signature) and validated (audience, expiration). The user identity is then extracted from the token and used to create an AuthenticationToken, as expected by the AuthenticationFilter.

The supported configuration properties are:

  • authentication.provider.url: the full URL to the authentication server. This is the URL that the handler will redirect the browser to in order to authenticate the user. It does not have a default value.
  • public.key.pem: the PEM formatted public key of the issuer of the JWT. It is required for verifying that the issuer is a trusted party; a token signed with any other key fails signature verification. DO NOT include the header and footer lines of the PEM encoding, only the base64 body. It does not have a default value.
  • expected.jwt.audiences: a list of strings that identify acceptable audiences for the JWT. The audience is the issuer's way of indicating which entities a token is intended for. The default value is null, which means that all audiences are accepted. With the default, a token the issuer minted for some other consumer (using the same signing key) is also accepted here, so set this property to the audience value(s) the issuer puts in tokens meant for this handler.
  • jwt.cookie.name: the name of the cookie that contains the JWT token. Default value is "hadoop-jwt".
  • Field Details

  • Constructor Details

    • JWTRedirectAuthenticationHandler

      public JWTRedirectAuthenticationHandler()
  • Method Details

    • setPublicKey

      public void setPublicKey(RSAPublicKey pk)
      Primarily for testing, this provides a way to set the publicKey for signature verification without needing to get a PEM encoded value.
      Parameters:
      pk - public key for the token signature verification
    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Initializes the authentication handler instance.

      This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

      Specified by:
      init in interface AuthenticationHandler
      Overrides:
      init in class AltKerberosAuthenticationHandler
      Parameters:
      config - configuration properties to initialize the handler.
      Throws:
      javax.servlet.ServletException - thrown if the handler could not be initialized.
    • alternateAuthenticate

      public AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Description copied from class: AltKerberosAuthenticationHandler
      Subclasses should implement this method to provide the custom authentication to be used for browsers.
      Specified by:
      alternateAuthenticate in class AltKerberosAuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an authentication token if the request is authorized, or null
      Throws:
      IOException - thrown if an IO error occurs
      AuthenticationException - thrown if an authentication error occurs
    • getJWTFromCookie

      protected String getJWTFromCookie(javax.servlet.http.HttpServletRequest req)
      Encapsulate the acquisition of the JWT token from HTTP cookies within the request.
      Parameters:
      req - servlet request to get the JWT token from
      Returns:
      serialized JWT token
    • validateToken

      protected boolean validateToken(com.nimbusds.jwt.SignedJWT jwtToken)
      This is the single entry point for validating the JWT during request processing. It calls the validateSignature, validateAudiences and validateExpiration submethods, so a subclass can override one specific aspect of validation by overriding that submethod, or replace the entire token validation algorithm by overriding this method.
      Parameters:
      jwtToken - the token to validate
      Returns:
      true if valid
    • validateSignature

      protected boolean validateSignature(com.nimbusds.jwt.SignedJWT jwtToken)
      Verify the signature of the JWT token in this method. This method depends on the public key that was established during init based upon the provisioned public key. Override this method in subclasses in order to customize the signature verification behavior.
      Parameters:
      jwtToken - the token that contains the signature to be validated
      Returns:
      true if the signature verifies successfully; false otherwise
    • validateAudiences

      protected boolean validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken)
      Validate that at least one of the configured accepted audiences appears in the token's audience claim list. Override this method in subclasses in order to customize the audience validation behavior.
      Parameters:
      jwtToken - the JWT token where the allowed audiences will be found
      Returns:
      true if an expected audience is present, otherwise false
    • validateExpiration

      protected boolean validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken)
      Validate that the expiration time of the JWT has not passed. If it has, validation fails and the method returns false. Override this method in subclasses in order to customize the expiration validation behavior.
      Parameters:
      jwtToken - the token that contains the expiration date to validate
      Returns:
      true if the token has not expired; false otherwise
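The following is an added, stand-alone reimplementation in Go of the checks this page describes (the public.key.pem property format, and the validateSignature, validateAudiences and validateExpiration steps run in validateToken's order). It is not the handler's own Java code and does not use the nimbus library; the function names, the Claims type, and the constructed tokens are this example's. Two choices it makes that the page does not state are marked in comments: aud is read only as an array, and a token with no exp claim is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims keeps only what the checks use. aud is read as an array (a bare string
// aud, also legal in a JWT, is not handled); exp is a pointer so "absent" != 0.
type Claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp *int64   `json:"exp,omitempty"`
}

var b64 = base64.RawURLEncoding

// ParsePublicKey takes public.key.pem as documented: the base64 body only, PEM
// header and footer stripped (line breaks and spaces are tolerated).
func ParsePublicKey(body string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(body), ""))
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if pub, ok := key.(*rsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, errors.New("public.key.pem is not an RSA SubjectPublicKeyInfo")
}

// ValidateSignature pins alg to RS256 before verifying; taking the algorithm
// from the header instead is the classic "alg":"none" / key-confusion mistake.
func ValidateSignature(pub *rsa.PublicKey, parts []string) bool {
	var h struct{ Alg string `json:"alg"` }
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return false
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// ValidateAudiences passes on any overlap between the configured list and aud.
// A nil list is the documented default and accepts every audience.
func ValidateAudiences(expected []string, c Claims) bool {
	if expected == nil {
		return true
	}
	for _, want := range expected {
		for _, got := range c.Aud {
			if want == got {
				return true
			}
		}
	}
	return false
}

// ValidateExpiration rejects a token at or after exp. Also rejecting a token
// with no exp is this example's choice; the page does not say how that is treated.
func ValidateExpiration(c Claims, now time.Time) bool {
	return c.Exp != nil && now.Unix() < *c.Exp
}

// ValidateToken runs the checks in the handler's order (signature, audiences,
// expiration) and returns the subject that would name the AuthenticationToken.
func ValidateToken(pub *rsa.PublicKey, expectedAud []string, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !ValidateSignature(pub, parts) {
		return "", errors.New("signature verification failed")
	}
	var c Claims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if !ValidateAudiences(expectedAud, c) {
		return "", errors.New("audience not accepted")
	}
	if !ValidateExpiration(c, now) {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// SignRS256 is the issuer side, here only so the example runs offline; a real
// deployment receives tokens after the redirect to authentication.provider.url.
func SignRS256(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

To exercise it, generate an RSA key, produce the public.key.pem value with x509.MarshalPKIXPublicKey plus standard base64 (no header or footer), mint a token with SignRS256, and call ValidateToken with a non-nil audience list. A token for another audience, an expired token, a payload edited after signing, a header rewritten to "alg":"none", and a token signed by a different key must all be rejected; with a nil audience list the other-audience token is accepted, which is the behaviour the expected.jwt.audiences default gives you.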