org.apache.hadoop.security.authentication.server
Class AltKerberosAuthenticationHandler

java.lang.Object
  extended by org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
      extended by org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler
All Implemented Interfaces:
AuthenticationHandler

public abstract class AltKerberosAuthenticationHandler
extends KerberosAuthenticationHandler

The AltKerberosAuthenticationHandler behaves exactly the same way as the KerberosAuthenticationHandler, except that it allows for an alternative form of authentication for browsers while still using Kerberos for Java access. This is an abstract class that should be subclassed to allow a developer to implement their own custom authentication for browser access. The alternateAuthenticate method will be called whenever a request comes from a browser.


Field Summary
static String NON_BROWSER_USER_AGENTS
          Constant for the configuration property that indicates which user agents are not considered browsers (comma separated)
static String TYPE
          Constant that identifies the authentication mechanism.
 
Fields inherited from class org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
KEYTAB, NAME_RULES, PRINCIPAL
 
Constructor Summary
AltKerberosAuthenticationHandler()
           
 
Method Summary
abstract  AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Subclasses should implement this method to provide the custom authentication to be used for browsers.
 AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          It enforces the Kerberos SPNEGO authentication sequence, returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully (in the case of Java access) and only after the custom authentication implemented by the subclass in alternateAuthenticate has completed successfully (in the case of browser access).
 String getType()
          Returns the authentication type of the authentication handler, 'alt-kerberos'.
 void init(Properties config)
          Initializes the authentication handler instance.
protected  boolean isBrowser(String userAgent)
          This method parses the User-Agent String and returns whether or not it refers to a browser.
 
Methods inherited from class org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
destroy, getKeytab, getPrincipal, managementOperation
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

TYPE

public static final String TYPE
Constant that identifies the authentication mechanism.

See Also:
Constant Field Values

NON_BROWSER_USER_AGENTS

public static final String NON_BROWSER_USER_AGENTS
Constant for the configuration property that indicates which user agents are not considered browsers (comma separated)

See Also:
Constant Field Values
Constructor Detail

AltKerberosAuthenticationHandler

public AltKerberosAuthenticationHandler()
Method Detail

getType

public String getType()
Returns the authentication type of the authentication handler, 'alt-kerberos'.

Specified by:
getType in interface AuthenticationHandler
Overrides:
getType in class KerberosAuthenticationHandler
Returns:
the authentication type of the authentication handler, 'alt-kerberos'.

init

public void init(Properties config)
          throws javax.servlet.ServletException
Description copied from class: KerberosAuthenticationHandler
Initializes the authentication handler instance.

It creates a Kerberos context using the principal and keytab specified in the configuration.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:
init in interface AuthenticationHandler
Overrides:
init in class KerberosAuthenticationHandler
Parameters:
config - configuration properties to initialize the handler.
Throws:
javax.servlet.ServletException - thrown if the handler could not be initialized.

authenticate

public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response)
                                 throws IOException,
                                        AuthenticationException
It enforces the Kerberos SPNEGO authentication sequence, returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully (in the case of Java access) and only after the custom authentication implemented by the subclass in alternateAuthenticate has completed successfully (in the case of browser access).

Specified by:
authenticate in interface AuthenticationHandler
Overrides:
authenticate in class KerberosAuthenticationHandler
Parameters:
request - the HTTP client request.
response - the HTTP client response.
Returns:
an authentication token if the request is authorized or null
Throws:
IOException - thrown if an IO error occurred
AuthenticationException - thrown if an authentication error occurred

isBrowser

protected boolean isBrowser(String userAgent)
This method parses the User-Agent String and returns whether or not it refers to a browser. If it's not a browser, then Kerberos authentication will be used; if it is a browser, alternateAuthenticate from the subclass will be used.

A User-Agent String is considered to be a browser if it does not contain any of the values from alt-kerberos.non-browser.user-agents; the default behavior is to consider everything a browser unless it contains one of: "java", "curl", "wget", or "perl". Subclasses can optionally override this method to use different behavior.

Parameters:
userAgent - The User-Agent String, or null if there isn't one
Returns:
true if the User-Agent String refers to a browser, false if not
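
The selection rule described for isBrowser, modelled as stand-alone Java (an added example, not Hadoop's source). The class name UserAgentRoutingDemo, the case-insensitive comparison and the treatment of a null User-Agent as a non-browser are assumptions of this sketch; the sample User-Agent values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Stand-alone model of the rule documented for isBrowser(); not Hadoop's source.
public class UserAgentRoutingDemo {
    // Default list quoted in the documentation above.
    static final String DEFAULT_NON_BROWSER = "java,curl,wget,perl";

    // Split the comma-separated property value into lower-cased tokens.
    static List<String> parse(String propertyValue) {
        List<String> tokens = new ArrayList<>();
        for (String t : propertyValue.split(",")) {
            String s = t.trim().toLowerCase(Locale.ROOT);
            if (!s.isEmpty()) tokens.add(s);  // an empty token would match every string
        }
        return tokens;
    }

    // Assumptions of this sketch: matching ignores case, and a missing
    // User-Agent is treated as a non-browser (Kerberos path).
    static boolean isBrowser(String userAgent, List<String> nonBrowser) {
        if (userAgent == null) return false;
        String ua = userAgent.toLowerCase(Locale.ROOT);
        for (String token : nonBrowser) {
            if (ua.contains(token)) return false;  // substring match, not a product-name match
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> nonBrowser = parse(DEFAULT_NON_BROWSER);
        // Constructed sample User-Agent values.
        String[] samples = {
            "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0",
            "curl/8.4.0",
            "Java/1.8.0_392",
            "ExampleHyperlinkChecker/1.0",  // contains "perl" inside "Hyperlink"
            null
        };
        for (String ua : samples) {
            String path = isBrowser(ua, nonBrowser)
                    ? "alternateAuthenticate (subclass)"
                    : "Kerberos SPNEGO";
            System.out.println(ua + " -> " + path);
        }
    }
}
```

The User-Agent header is chosen by the client, so this check only selects which authentication sequence runs; the subclass's alternateAuthenticate has to authenticate the caller fully on its own.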

alternateAuthenticate

public abstract AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request,
                                                          javax.servlet.http.HttpServletResponse response)
                                                   throws IOException,
                                                          AuthenticationException
Subclasses should implement this method to provide the custom authentication to be used for browsers.

Parameters:
request - the HTTP client request.
response - the HTTP client response.
Returns:
an authentication token if the request is authorized, or null
Throws:
IOException - thrown if an IO error occurs
AuthenticationException - thrown if an authentication error occurs


Copyright © 2013 Apache Software Foundation. All Rights Reserved.