Package org.apache.hadoop.security.authentication.server

Class JWTRedirectAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler

org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class JWTRedirectAuthenticationHandler
extends MultiMechsAuthenticationHandler

The JWTRedirectAuthenticationHandler extends MultiMechsAuthenticationHandler to add WebSSO behavior for UIs. The expected SSO token is a JsonWebToken (JWT). The supported algorithm is RS256 which uses PKI between the token issuer and consumer. The flow requires a redirect to a configured authentication server URL and a subsequent request with the expected JWT token. This token is cryptographically verified and validated. The user identity is then extracted from the token and used to create an AuthenticationToken - as expected by the AuthenticationFilter.

The supported configuration properties are:

• authentication.provider.url: the full URL to the authentication server. This is the URL that the handler will redirect the browser to in order to authenticate the user. It does not have a default value.
• expected.jwt.audiences: This is a list of strings that identify acceptable audiences for the JWT token. The audience is a way for the issuer to indicate what entity/s that the token is intended for. Default value is null which indicates that all audiences will be accepted.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler

MultiMechsAuthenticationHandler.AuthHandlerEnum

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	AUTHENTICATION_PROVIDER_URL
static java.lang.String	JWT_CLIENT_ID
static java.lang.String	JWT_CLIENT_SECRET

Fields inherited from class org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler

MTYPE

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor	Description
JWTRedirectAuthenticationHandler()

Method Summary

Modifier and Type	Method	Description
void	addHeader(javax.servlet.http.HttpServletResponse response)	Children must override this method with supplying corresponding header
java.lang.String	getAuthUrl()
java.lang.String	getJWTTokenFromCode(java.lang.String code, javax.servlet.http.HttpServletRequest request)
java.lang.String	getTokenUrl()
void	init(java.util.Properties config)	Initializes the authentication handler instance.
AuthenticationToken	postauthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Children must override this method to perform real authentication based on the information received in the request header

Methods inherited from class org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler

authenticate, destroy, getAuthBasedEntity, getAuthorizationHeaderName, getType, managementOperation

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

AUTHENTICATION_PROVIDER_URL

public static final java.lang.String AUTHENTICATION_PROVIDER_URL

See Also:

Constant Field Values

JWT_CLIENT_ID

public static final java.lang.String JWT_CLIENT_ID

See Also:

Constant Field Values

JWT_CLIENT_SECRET

public static final java.lang.String JWT_CLIENT_SECRET

See Also:

Constant Field Values

Constructor Detail

JWTRedirectAuthenticationHandler

public JWTRedirectAuthenticationHandler()

Method Detail

init

public void init(java.util.Properties config)
          throws javax.servlet.ServletException

Initializes the authentication handler instance.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface AuthenticationHandler

Overrides:

init in class MultiMechsAuthenticationHandler

Parameters:

config - configuration properties to initialize the handler.

Throws:

javax.servlet.ServletException - thrown if the handler could not be initialized.

postauthenticate

public AuthenticationToken postauthenticate(javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response)
                                     throws java.io.IOException,
                                            AuthenticationException

Description copied from class: MultiMechsAuthenticationHandler

Children must override this method to perform real authentication based on the information received in the request header

Overrides:

postauthenticate in class MultiMechsAuthenticationHandler

Returns:

Throws:

java.io.IOException

AuthenticationException

getJWTTokenFromCode

public java.lang.String getJWTTokenFromCode(java.lang.String code,
                                            javax.servlet.http.HttpServletRequest request)
                                     throws java.io.IOException

Throws:

java.io.IOException

getTokenUrl

public java.lang.String getTokenUrl()

getAuthUrl

public java.lang.String getAuthUrl()

addHeader

public void addHeader(javax.servlet.http.HttpServletResponse response)

Description copied from class: MultiMechsAuthenticationHandler

Children must override this method with supplying corresponding header

Overrides:

addHeader in class MultiMechsAuthenticationHandler