Package org.apache.hadoop.security.authentication.server

Class LdapAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.authentication.server.LdapAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

@Private
@Evolving
public class LdapAuthenticationHandler
extends java.lang.Object
implements AuthenticationHandler

The LdapAuthenticationHandler implements the BASIC authentication mechanism for HTTP using LDAP back-end. The supported configuration properties are:

• ldap.providerurl: The url of the LDAP server. It does not have a default value.
• ldap.basedn: the base distinguished name (DN) to be used with the LDAP server. This value is appended to the provided user id for authentication purpose. It does not have a default value.
• ldap.binddomain: the LDAP bind domain value to be used with the LDAP server. This property is optional and useful only in case of Active Directory server.
• ldap.enablestarttls: A boolean value used to define if the LDAP server supports 'StartTLS' extension.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	BASE_DN	Constant for the configuration property that indicates the base distinguished name (DN) to be used with the LDAP server.
static java.lang.String	ENABLE_START_TLS	Constant for the configuration property that indicates whether the LDAP server supports 'StartTLS' extension.
static java.lang.String	LDAP_BIND_DOMAIN	Constant for the configuration property that indicates the LDAP bind domain value to be used with the LDAP server.
static java.lang.String	PROVIDER_URL	Constant for the configuration property that indicates the url of the LDAP server.
static java.lang.String	SECURITY_AUTHENTICATION	Constant that identifies the authentication mechanism to be used with the LDAP server.
static java.lang.String	TYPE	Constant that identifies the authentication mechanism.

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor	Description
LdapAuthenticationHandler()

Method Summary

Modifier and Type	Method	Description
AuthenticationToken	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Performs an authentication step for the given HTTP client request.
void	destroy()	Destroys the authentication handler instance.
java.lang.String	getType()	Returns the authentication type of the authentication handler.
void	init(java.util.Properties config)	Initializes the authentication handler instance.
boolean	managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Performs an authentication management operation.
void	setDisableHostNameVerification(java.lang.Boolean disableHostNameVerification)	Configure the Host name verification for this handler.
void	setEnableStartTls(java.lang.Boolean enableStartTls)	Configure StartTLS LDAP extension for this handler.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TYPE

public static final java.lang.String TYPE

Constant that identifies the authentication mechanism.

See Also:

Constant Field Values

SECURITY_AUTHENTICATION

public static final java.lang.String SECURITY_AUTHENTICATION

Constant that identifies the authentication mechanism to be used with the LDAP server.

See Also:

Constant Field Values

PROVIDER_URL

public static final java.lang.String PROVIDER_URL

Constant for the configuration property that indicates the url of the LDAP server.

See Also:

Constant Field Values

BASE_DN

public static final java.lang.String BASE_DN

Constant for the configuration property that indicates the base distinguished name (DN) to be used with the LDAP server. This value is appended to the provided user id for authentication purpose.

See Also:

Constant Field Values

LDAP_BIND_DOMAIN

public static final java.lang.String LDAP_BIND_DOMAIN

Constant for the configuration property that indicates the LDAP bind domain value to be used with the LDAP server.

See Also:

Constant Field Values

ENABLE_START_TLS

public static final java.lang.String ENABLE_START_TLS

Constant for the configuration property that indicates whether the LDAP server supports 'StartTLS' extension.

See Also:

Constant Field Values

Constructor Detail

LdapAuthenticationHandler

public LdapAuthenticationHandler()

Method Detail

setEnableStartTls

@VisibleForTesting
public void setEnableStartTls(java.lang.Boolean enableStartTls)

Configure StartTLS LDAP extension for this handler.

Parameters:

enableStartTls - true If the StartTLS LDAP extension is to be enabled false otherwise

setDisableHostNameVerification

@VisibleForTesting
public void setDisableHostNameVerification(java.lang.Boolean disableHostNameVerification)

Configure the Host name verification for this handler. This method is introduced only for unit testing and should never be used in production.

Parameters:

disableHostNameVerification - true to disable host-name verification false otherwise

getType

public java.lang.String getType()

Description copied from interface: AuthenticationHandler

Returns the authentication type of the authentication handler. This should be a name that uniquely identifies the authentication type. For example 'simple' or 'kerberos'.

Specified by:

getType in interface AuthenticationHandler

Returns:

the authentication type of the authentication handler.

init

public void init(java.util.Properties config)
          throws javax.servlet.ServletException

Description copied from interface: AuthenticationHandler

Initializes the authentication handler instance.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface AuthenticationHandler

Parameters:

config - configuration properties to initialize the handler.

Throws:

javax.servlet.ServletException - thrown if the handler could not be initialized.

destroy

public void destroy()

Description copied from interface: AuthenticationHandler

Destroys the authentication handler instance.

This method is invoked by the AuthenticationFilter.destroy() method.

Specified by:

destroy in interface AuthenticationHandler

managementOperation

public boolean managementOperation(AuthenticationToken token,
                                   javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)
                            throws java.io.IOException,
                                   AuthenticationException

Description copied from interface: AuthenticationHandler

Performs an authentication management operation.

This is useful for handling operations like get/renew/cancel delegation tokens which are being handled as operations of the service end-point.

If the method returns TRUE the request will continue normal processing, this means the method has not produced any HTTP response.

If the method returns FALSE the request will end, this means the method has produced the corresponding HTTP response.

Specified by:

managementOperation in interface AuthenticationHandler

Parameters:

token - the authentication token if any, otherwise NULL.

request - the HTTP client request.

response - the HTTP client response.

Returns:

TRUE if the request should be processed as a regular request, FALSE otherwise.

Throws:

java.io.IOException - thrown if an IO error occurred.

AuthenticationException - thrown if an Authentication error occurred.

authenticate

public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response)
                                 throws java.io.IOException,
                                        AuthenticationException

Description copied from interface: AuthenticationHandler

Performs an authentication step for the given HTTP client request.

This method is invoked by the AuthenticationFilter only if the HTTP client request is not yet authenticated.

Depending upon the authentication mechanism being implemented, a particular HTTP client may end up making a sequence of invocations before authentication is successfully established (this is the case of Kerberos SPNEGO).

This method must return an AuthenticationToken only if the the HTTP client request has been successfully and fully authenticated.

If the HTTP client request has not been completely authenticated, this method must take over the corresponding HTTP response and it must return null.

Specified by:

authenticate in interface AuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

an AuthenticationToken if the HTTP client request has been authenticated, null otherwise (in this case it must take care of the response).

Throws:

java.io.IOException - thrown if an IO error occurred.

AuthenticationException - thrown if an Authentication error occurred.