Class MultiSchemeAuthenticationHandler

java.lang.Object
org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler
All Implemented Interfaces:
AuthenticationHandler, CompositeAuthenticationHandler

@Private @Evolving public class MultiSchemeAuthenticationHandler extends Object implements CompositeAuthenticationHandler
The MultiSchemeAuthenticationHandler supports configuring multiple authentication mechanisms simultaneously. For example, a server can support multiple authentication mechanisms such as Kerberos (SPNEGO) and LDAP. During the authentication phase, the server will specify all possible authentication schemes and let the client choose the appropriate scheme. Please refer to RFC-2616 and HADOOP-12082 for more details.

The supported configuration properties are:

  • multi-scheme-auth-handler.schemes: A comma separated list of HTTP authentication mechanisms supported by this handler. It does not have a default value. e.g. multi-scheme-auth-handler.schemes=basic,negotiate
  • multi-scheme-auth-handler.schemes.${scheme-name}.handler: The authentication handler implementation to be used for the specified authentication scheme. It does not have a default value. e.g. multi-scheme-auth-handler.schemes.negotiate.handler=kerberos
It is expected that for every authentication scheme specified in the multi-scheme-auth-handler.schemes property, a handler is configured. Note that while scheme values in the 'multi-scheme-auth-handler.schemes' property are case-insensitive, the scheme value in the handler configuration property name must be lower case. That is, a property name such as multi-scheme-auth-handler.schemes.Negotiate.handler is invalid.
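A pre-flight check for the two rules above, as an added example (not Hadoop's own code). The class name MultiSchemeConfigCheck, its validate method and the sample values in main are assumptions made for illustration; only java.util is used.

```java
import java.util.*;

/** Added example: checks the properties documented above before deployment. */
public class MultiSchemeConfigCheck {
  static final String SCHEMES = "multi-scheme-auth-handler.schemes";
  static final String PREFIX = SCHEMES + ".";
  static final String SUFFIX = ".handler";

  /** Returns one message per rule violation; an empty list means the config is consistent. */
  static List<String> validate(Properties config) {
    List<String> problems = new ArrayList<>();
    String raw = config.getProperty(SCHEMES);
    if (raw == null || raw.trim().isEmpty()) {
      problems.add(SCHEMES + " is not set and has no default value");
      return problems;
    }
    // Scheme values are case-insensitive, so normalise them before building keys.
    Set<String> schemes = new LinkedHashSet<>();
    for (String s : raw.split(",")) {
      if (!s.trim().isEmpty()) schemes.add(s.trim().toLowerCase(Locale.ROOT));
    }
    // Every listed scheme needs a handler under its lower-case property name.
    for (String scheme : schemes) {
      String key = PREFIX + scheme + SUFFIX;
      String handler = config.getProperty(key);
      if (handler == null || handler.trim().isEmpty()) {
        problems.add("no handler configured: " + key);
      }
    }
    // The scheme embedded in the property *name* must itself be lower case.
    for (String name : config.stringPropertyNames()) {
      boolean isHandlerKey = name.startsWith(PREFIX) && name.endsWith(SUFFIX)
          && name.length() > PREFIX.length() + SUFFIX.length();
      if (!isHandlerKey) continue;
      String scheme = name.substring(PREFIX.length(), name.length() - SUFFIX.length());
      if (!scheme.equals(scheme.toLowerCase(Locale.ROOT))) {
        problems.add("scheme in property name must be lower case: " + name);
      } else if (!schemes.contains(scheme)) {
        problems.add("handler configured for unlisted scheme: " + name);
      }
    }
    return problems;
  }

  public static void main(String[] args) {
    Properties p = new Properties(); // constructed sample configuration
    p.setProperty(SCHEMES, "Basic,Negotiate");
    p.setProperty(PREFIX + "basic" + SUFFIX, "ldap");
    p.setProperty(PREFIX + "Negotiate" + SUFFIX, "kerberos"); // invalid: upper-case scheme in name
    validate(p).forEach(System.out::println);
  }
}
```

The sample in main trips both rules at once: the mixed-case property name is flagged, and the negotiate scheme is reported as having no handler because the lower-case key is absent.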
  • Field Details

  • Constructor Details

    • MultiSchemeAuthenticationHandler

      public MultiSchemeAuthenticationHandler()
    • MultiSchemeAuthenticationHandler

      public MultiSchemeAuthenticationHandler(String authType)
  • Method Details

    • getType

      public String getType()
      Description copied from interface: AuthenticationHandler
      Returns the authentication type of the authentication handler. This should be a name that uniquely identifies the authentication type. For example 'simple' or 'kerberos'.
      Specified by:
      getType in interface AuthenticationHandler
      Returns:
      the authentication type of the authentication handler.
    • getTokenTypes

      public Collection<String> getTokenTypes()
      This method returns the token types supported by this authentication handler.
      Specified by:
      getTokenTypes in interface CompositeAuthenticationHandler
      Returns:
      the token types supported by this authentication handler.
    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Description copied from interface: AuthenticationHandler
      Initializes the authentication handler instance.

      This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

      Specified by:
      init in interface AuthenticationHandler
      Parameters:
      config - configuration properties to initialize the handler.
      Throws:
      javax.servlet.ServletException - thrown if the handler could not be initialized.
    • initializeAuthHandler

      protected AuthenticationHandler initializeAuthHandler(String authHandlerClassName, Properties config) throws javax.servlet.ServletException
      Throws:
      javax.servlet.ServletException
    • destroy

      public void destroy()
      Description copied from interface: AuthenticationHandler
      Destroys the authentication handler instance.

      This method is invoked by the AuthenticationFilter.destroy() method.

      Specified by:
      destroy in interface AuthenticationHandler
    • managementOperation

      public boolean managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Description copied from interface: AuthenticationHandler
      Performs an authentication management operation.

      This is useful for handling operations like get/renew/cancel delegation tokens which are being handled as operations of the service end-point.

      If the method returns TRUE, the request continues normal processing; this means the method has not produced any HTTP response.

      If the method returns FALSE, the request ends; this means the method has produced the corresponding HTTP response.

      Specified by:
      managementOperation in interface AuthenticationHandler
      Parameters:
      token - the authentication token if any, otherwise NULL.
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      TRUE if the request should be processed as a regular request, FALSE otherwise.
      Throws:
      IOException - thrown if an IO error occurred.
      AuthenticationException - thrown if an Authentication error occurred.
    • authenticate

      public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Description copied from interface: AuthenticationHandler
      Performs an authentication step for the given HTTP client request.

      This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated.

      Depending upon the authentication mechanism being implemented, a particular HTTP client may end up making a sequence of invocations before authentication is successfully established (this is the case of Kerberos SPNEGO).

      This method must return an AuthenticationToken only if the HTTP client request has been successfully and fully authenticated.

      If the HTTP client request has not been completely authenticated, this method must take over the corresponding HTTP response and it must return null.

      Specified by:
      authenticate in interface AuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an AuthenticationToken if the HTTP client request has been authenticated, null otherwise (in this case it must take care of the response).
      Throws:
      IOException - thrown if an IO error occurred.
      AuthenticationException - thrown if an Authentication error occurred.