org.apache.hadoop.security.authentication.server

Class JWTRedirectAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler

org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class JWTRedirectAuthenticationHandler
extends AltKerberosAuthenticationHandler

The JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler to add WebSSO behavior for UIs. The expected SSO token is a JsonWebToken (JWT). The supported algorithm is RS256 which uses PKI between the token issuer and consumer. The flow requires a redirect to a configured authentication server URL and a subsequent request with the expected JWT token. This token is cryptographically verified and validated. The user identity is then extracted from the token and used to create an AuthenticationToken - as expected by the AuthenticationFilter.

The supported configuration properties are:

• authentication.provider.url: the full URL to the authentication server. This is the URL that the handler will redirect the browser to in order to authenticate the user. It does not have a default value.
• public.key.pem: This is the PEM formatted public key of the issuer of the JWT token. It is required for verifying that the issuer is a trusted party. DO NOT include the PEM header and footer portions of the PEM encoded certificate. It does not have a default value.
• expected.jwt.audiences: This is a list of strings that identify acceptable audiences for the JWT token. The audience is a way for the issuer to indicate what entity/s that the token is intended for. Default value is null which indicates that all audiences will be accepted.
• jwt.cookie.name: the name of the cookie that contains the JWT token. Default value is "hadoop-jwt".

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHENTICATION_PROVIDER_URL
static String	EXPECTED_JWT_AUDIENCES
static String	JWT_COOKIE_NAME
static String	PUBLIC_KEY_PEM

Fields inherited from class org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler

NON_BROWSER_USER_AGENTS, TYPE

Fields inherited from class org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

KEYTAB, NAME_RULES, PRINCIPAL

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor and Description
JWTRedirectAuthenticationHandler()

Method Summary

Methods

Modifier and Type	Method and Description
AuthenticationToken	alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Subclasses should implement this method to provide the custom authentication to be used for browsers.
protected String	constructLoginURL(javax.servlet.http.HttpServletRequest request) Create the URL to be used for authentication of the user in the absence of a JWT token within the incoming request.
protected String	getJWTFromCookie(javax.servlet.http.HttpServletRequest req) Encapsulate the acquisition of the JWT token from HTTP cookies within the request.
void	init(Properties config) Initializes the authentication handler instance.
void	setPublicKey(RSAPublicKey pk) Primarily for testing, this provides a way to set the publicKey for signature verification without needing to get a PEM encoded value.
protected boolean	validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken) Validate whether any of the accepted audience claims is present in the issued token claims list for audience.
protected boolean	validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken) Validate that the expiration time of the JWT token has not been violated.
protected boolean	validateSignature(com.nimbusds.jwt.SignedJWT jwtToken) Verify the signature of the JWT token in this method.
protected boolean	validateToken(com.nimbusds.jwt.SignedJWT jwtToken) This method provides a single method for validating the JWT for use in request processing.

Methods inherited from class org.apache.hadoop.security.authentication.server.AltKerberosAuthenticationHandler

authenticate, getType, isBrowser

Methods inherited from class org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

destroy, getKeytab, getPrincipals, managementOperation

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

AUTHENTICATION_PROVIDER_URL

public static final String AUTHENTICATION_PROVIDER_URL

See Also:

Constant Field Values

PUBLIC_KEY_PEM

public static final String PUBLIC_KEY_PEM

See Also:

Constant Field Values

EXPECTED_JWT_AUDIENCES

public static final String EXPECTED_JWT_AUDIENCES

See Also:

Constant Field Values

JWT_COOKIE_NAME

public static final String JWT_COOKIE_NAME

See Also:

Constant Field Values

Constructor Detail

JWTRedirectAuthenticationHandler

public JWTRedirectAuthenticationHandler()

Method Detail

setPublicKey

public void setPublicKey(RSAPublicKey pk)

Primarily for testing, this provides a way to set the publicKey for signature verification without needing to get a PEM encoded value.

Parameters:

pk - publicKey for the token signtature verification

init

public void init(Properties config)
          throws javax.servlet.ServletException

Initializes the authentication handler instance.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface AuthenticationHandler

Overrides:

init in class AltKerberosAuthenticationHandler

Parameters:

config - configuration properties to initialize the handler.

Throws:

javax.servlet.ServletException - thrown if the handler could not be initialized.

alternateAuthenticate

public AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response)
                                          throws IOException,
                                                 AuthenticationException

Description copied from class: AltKerberosAuthenticationHandler

Subclasses should implement this method to provide the custom authentication to be used for browsers.

Specified by:

alternateAuthenticate in class AltKerberosAuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

an authentication token if the request is authorized, or null

Throws:

IOException - thrown if an IO error occurs

AuthenticationException - thrown if an authentication error occurs

getJWTFromCookie

protected String getJWTFromCookie(javax.servlet.http.HttpServletRequest req)

Encapsulate the acquisition of the JWT token from HTTP cookies within the request.

Parameters:

req - servlet request to get the JWT token from

Returns:

serialized JWT token

constructLoginURL

protected String constructLoginURL(javax.servlet.http.HttpServletRequest request)

Create the URL to be used for authentication of the user in the absence of a JWT token within the incoming request.

Parameters:

request - for getting the original request URL

Returns:

url to use as login url for redirect

validateToken

protected boolean validateToken(com.nimbusds.jwt.SignedJWT jwtToken)

This method provides a single method for validating the JWT for use in request processing. It provides for the override of specific aspects of this implementation through submethods used within but also allows for the override of the entire token validation algorithm.

Parameters:

jwtToken - the token to validate

Returns:

true if valid

validateSignature

protected boolean validateSignature(com.nimbusds.jwt.SignedJWT jwtToken)

Verify the signature of the JWT token in this method. This method depends on the public key that was established during init based upon the provisioned public key. Override this method in subclasses in order to customize the signature verification behavior.

Parameters:

jwtToken - the token that contains the signature to be validated

Returns:

valid true if signature verifies successfully; false otherwise

validateAudiences

protected boolean validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken)

Validate whether any of the accepted audience claims is present in the issued token claims list for audience. Override this method in subclasses in order to customize the audience validation behavior.

Parameters:

jwtToken - the JWT token where the allowed audiences will be found

Returns:

true if an expected audience is present, otherwise false

validateExpiration

protected boolean validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken)

Validate that the expiration time of the JWT token has not been violated. If it has then throw an AuthenticationException. Override this method in subclasses in order to customize the expiration validation behavior.

Parameters:

jwtToken - the token that contains the expiration date to validate

Returns:

valid true if the token has not expired; false otherwise