Class LdapAuthenticationHandler

java.lang.Object
org.apache.hadoop.security.authentication.server.LdapAuthenticationHandler
All Implemented Interfaces:
AuthenticationHandler

@Private @Evolving public class LdapAuthenticationHandler extends Object implements AuthenticationHandler
The LdapAuthenticationHandler implements the BASIC authentication mechanism for HTTP using an LDAP back-end. The supported configuration properties are:
  • ldap.providerurl: The URL of the LDAP server. It does not have a default value.
  • ldap.basedn: The base distinguished name (DN) to be used with the LDAP server. This value is appended to the provided user id for authentication purposes. It does not have a default value.
  • ldap.binddomain: The LDAP bind domain value to be used with the LDAP server. This property is optional and useful only with an Active Directory server.
  • ldap.enablestarttls: A boolean value that states whether the LDAP server supports the 'StartTLS' extension.
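The provider URL and StartTLS properties interact: the handler checks the password a client sent in the HTTP BASIC header against the directory, so a plain ldap:// URL with StartTLS left off means that password reaches the LDAP server unencrypted. As an added example (not Hadoop code), the following Java pre-flight check reads the same property keys the handler consumes, flags that combination, and reports the two properties the page says have no default; the class name is hypothetical and it assumes the boolean is parsed the way Boolean.parseBoolean does.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Illustrative pre-flight review of LdapAuthenticationHandler properties; not Hadoop code.
public final class LdapHandlerConfigCheck {
    // Returns findings for the given handler configuration; an empty list means no concerns.
    public static List<String> review(Properties config) {
        List<String> findings = new ArrayList<>();
        String url = config.getProperty("ldap.providerurl");
        String baseDn = config.getProperty("ldap.basedn");
        // Assumption: the flag is read like Boolean.parseBoolean, so only "true" enables StartTLS.
        boolean startTls = Boolean.parseBoolean(config.getProperty("ldap.enablestarttls"));
        if (url == null || url.isEmpty()) {
            findings.add("ldap.providerurl is required and has no default");
        } else {
            String scheme = schemeOf(url);
            if (scheme == null) {
                findings.add("ldap.providerurl is not a parseable URL: " + url);
            } else if (scheme.equals("ldap") && !startTls) {
                // BASIC auth gives the handler the user's cleartext password; a simple bind over
                // plain ldap:// without StartTLS carries that password unencrypted to the server.
                findings.add("ldap:// without ldap.enablestarttls=true sends bind credentials in the clear");
            }
        }
        if (baseDn == null || baseDn.isEmpty()) {
            findings.add("ldap.basedn is required and has no default");
        }
        return findings;
    }

    private static String schemeOf(String url) {
        try {
            String scheme = new URI(url).getScheme();
            return scheme == null ? null : scheme.toLowerCase();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Properties weak = new Properties();  // constructed sample: plain LDAP, StartTLS left unset
        weak.setProperty("ldap.providerurl", "ldap://ldap.example.test:389");
        weak.setProperty("ldap.basedn", "ou=people,dc=example,dc=test");
        System.out.println("weak:  " + review(weak));
        Properties fixed = new Properties(weak);  // same settings plus StartTLS switched on
        fixed.setProperty("ldap.enablestarttls", "true");
        System.out.println("fixed: " + review(fixed));
    }
}
```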
  • Field Summary

    Fields (Modifier and Type; Field; Description)

    static final String  BASE_DN
        Constant for the configuration property that indicates the base distinguished name (DN) to be used with the LDAP server.
    static final String  ENABLE_START_TLS
        Constant for the configuration property that indicates whether the LDAP server supports the 'StartTLS' extension.
    static final String  LDAP_BIND_DOMAIN
        Constant for the configuration property that indicates the LDAP bind domain value to be used with the LDAP server.
    static final String  PROVIDER_URL
        Constant for the configuration property that indicates the URL of the LDAP server.
    static final String  SECURITY_AUTHENTICATION
        Constant that identifies the authentication mechanism to be used with the LDAP server.
    static final String  TYPE
        Constant that identifies the authentication mechanism.

    Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
    WWW_AUTHENTICATE
  • Constructor Summary

    Constructors (Constructor; Description)

    LdapAuthenticationHandler()
  • Method Summary

    Methods (Modifier and Type; Method; Description)

    AuthenticationToken  authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
        Performs an authentication step for the given HTTP client request.
    void  destroy()
        Destroys the authentication handler instance.
    String  getType()
        Returns the authentication type of the authentication handler.
    void  init(Properties config)
        Initializes the authentication handler instance.
    boolean  managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
        Performs an authentication management operation.
    void  setDisableHostNameVerification(Boolean disableHostNameVerification)
        Configure the host name verification for this handler.
    void  setEnableStartTls(Boolean enableStartTls)
        Configure the StartTLS LDAP extension for this handler.

    Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • TYPE

      public static final String TYPE
      Constant that identifies the authentication mechanism.
    • SECURITY_AUTHENTICATION

      public static final String SECURITY_AUTHENTICATION
      Constant that identifies the authentication mechanism to be used with the LDAP server.
    • PROVIDER_URL

      public static final String PROVIDER_URL
      Constant for the configuration property that indicates the URL of the LDAP server.
    • BASE_DN

      public static final String BASE_DN
      Constant for the configuration property that indicates the base distinguished name (DN) to be used with the LDAP server. This value is appended to the provided user id for authentication purposes.
    • LDAP_BIND_DOMAIN

      public static final String LDAP_BIND_DOMAIN
      Constant for the configuration property that indicates the LDAP bind domain value to be used with the LDAP server.
    • ENABLE_START_TLS

      public static final String ENABLE_START_TLS
      Constant for the configuration property that indicates whether the LDAP server supports the 'StartTLS' extension.
  • Constructor Details

    • LdapAuthenticationHandler

      public LdapAuthenticationHandler()
  • Method Details

    • setEnableStartTls

      @VisibleForTesting public void setEnableStartTls(Boolean enableStartTls)
      Configure the StartTLS LDAP extension for this handler.
      Parameters:
      enableStartTls - true if the StartTLS LDAP extension is to be enabled, false otherwise
    • setDisableHostNameVerification

      @VisibleForTesting public void setDisableHostNameVerification(Boolean disableHostNameVerification)
      Configure the host name verification for this handler. This method is introduced only for unit testing and should never be used in production.
      Parameters:
      disableHostNameVerification - true to disable host-name verification, false otherwise
    • getType

      public String getType()
      Description copied from interface: AuthenticationHandler
      Returns the authentication type of the authentication handler. This should be a name that uniquely identifies the authentication type. For example 'simple' or 'kerberos'.
      Specified by:
      getType in interface AuthenticationHandler
      Returns:
      the authentication type of the authentication handler.
    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Description copied from interface: AuthenticationHandler
      Initializes the authentication handler instance.

      This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

      Specified by:
      init in interface AuthenticationHandler
      Parameters:
      config - configuration properties to initialize the handler.
      Throws:
      javax.servlet.ServletException - thrown if the handler could not be initialized.
    • destroy

      public void destroy()
      Description copied from interface: AuthenticationHandler
      Destroys the authentication handler instance.

      This method is invoked by the AuthenticationFilter.destroy() method.

      Specified by:
      destroy in interface AuthenticationHandler
    • managementOperation

      public boolean managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Description copied from interface: AuthenticationHandler
      Performs an authentication management operation.

      This is useful for handling operations like get/renew/cancel delegation tokens which are being handled as operations of the service end-point.

      If the method returns TRUE, the request will continue normal processing; this means the method has not produced any HTTP response.

      If the method returns FALSE, the request will end; this means the method has produced the corresponding HTTP response.

      Specified by:
      managementOperation in interface AuthenticationHandler
      Parameters:
      token - the authentication token if any, otherwise NULL.
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      TRUE if the request should be processed as a regular request, FALSE otherwise.
      Throws:
      IOException - thrown if an IO error occurred.
      AuthenticationException - thrown if an Authentication error occurred.
    • authenticate

      public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Description copied from interface: AuthenticationHandler
      Performs an authentication step for the given HTTP client request.

      This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated.

      Depending upon the authentication mechanism being implemented, a particular HTTP client may end up making a sequence of invocations before authentication is successfully established (this is the case of Kerberos SPNEGO).

      This method must return an AuthenticationToken only if the HTTP client request has been successfully and fully authenticated.

      If the HTTP client request has not been completely authenticated, this method must take over the corresponding HTTP response and it must return null.

      Specified by:
      authenticate in interface AuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an AuthenticationToken if the HTTP client request has been authenticated, null otherwise (in this case it must take care of the response).
      Throws:
      IOException - thrown if an IO error occurred.
      AuthenticationException - thrown if an Authentication error occurred.