/// <summary>
/// Implements the SPNEGO authentication sequence interaction using the current default principal
/// in the Kerberos cache (normally set via kinit).
/// </summary>
/// <param name="token">the authentication token being used for the user.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="AuthenticationException">if an authentication error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
private void DoSpnegoSequence(AuthenticatedURL.Token token)
{
try
{
AccessControlContext context = AccessController.GetContext();
Subject subject = Subject.GetSubject(context);
if (subject == null || (subject.GetPrivateCredentials <KerberosKey>().IsEmpty() &&
subject.GetPrivateCredentials <KerberosTicket>().IsEmpty()))
{
Log.Debug("No subject in context, logging in");
subject = new Subject();
LoginContext login = new LoginContext(string.Empty, subject, null, new KerberosAuthenticator.KerberosConfiguration
());
login.Login();
}
if (Log.IsDebugEnabled())
{
Log.Debug("Using subject: " + subject);
}
Subject.DoAs(subject, new _PrivilegedExceptionAction_287(this));
}
catch (PrivilegedActionException ex)
{
// Loop while the context is still not established
throw new AuthenticationException(ex.GetException());
}
catch (LoginException ex)
{
throw new AuthenticationException(ex);
}
AuthenticatedURL.ExtractToken(conn, token);
}
public virtual void TestExtractTokenFail()
{
HttpURLConnection conn = Org.Mockito.Mockito.Mock <HttpURLConnection>();
Org.Mockito.Mockito.When(conn.GetResponseCode()).ThenReturn(HttpURLConnection.HttpUnauthorized
);
string tokenStr = "foo";
IDictionary <string, IList <string> > headers = new Dictionary <string, IList <string>
>();
IList <string> cookies = new AList <string>();
cookies.AddItem(AuthenticatedURL.AuthCookie + "=" + tokenStr);
headers["Set-Cookie"] = cookies;
Org.Mockito.Mockito.When(conn.GetHeaderFields()).ThenReturn(headers);
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
token.Set("bar");
try
{
AuthenticatedURL.ExtractToken(conn, token);
NUnit.Framework.Assert.Fail();
}
catch (AuthenticationException)
{
// Expected
NUnit.Framework.Assert.IsFalse(token.IsSet());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail();
}
}
/// <summary>Performs simple authentication against the specified URL.</summary>
/// <remarks>
/// Performs simple authentication against the specified URL.
/// <p>
/// If a token is given it does a NOP and returns the given token.
/// <p>
/// If no token is given, it will perform an HTTP <code>OPTIONS</code> request injecting an additional
/// parameter
/// <see cref="UserName"/>
/// in the query string with the value returned by the
/// <see cref="GetUserName()"/>
/// method.
/// <p>
/// If the response is successful it will update the authentication token.
/// </remarks>
/// <param name="url">the URl to authenticate against.</param>
/// <param name="token">the authencation token being used for the user.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="AuthenticationException">if an authentication error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public virtual void Authenticate(Uri url, AuthenticatedURL.Token token)
{
string strUrl = url.ToString();
string paramSeparator = (strUrl.Contains("?")) ? "&" : "?";
strUrl += paramSeparator + UserNameEq + GetUserName();
url = new Uri(strUrl);
HttpURLConnection conn = (HttpURLConnection)url.OpenConnection();
if (connConfigurator != null)
{
conn = connConfigurator.Configure(conn);
}
conn.SetRequestMethod("OPTIONS");
conn.Connect();
AuthenticatedURL.ExtractToken(conn, token);
}
public virtual void TestExtractTokenOK()
{
HttpURLConnection conn = Org.Mockito.Mockito.Mock <HttpURLConnection>();
Org.Mockito.Mockito.When(conn.GetResponseCode()).ThenReturn(HttpURLConnection.HttpOk
);
string tokenStr = "foo";
IDictionary <string, IList <string> > headers = new Dictionary <string, IList <string>
>();
IList <string> cookies = new AList <string>();
cookies.AddItem(AuthenticatedURL.AuthCookie + "=" + tokenStr);
headers["Set-Cookie"] = cookies;
Org.Mockito.Mockito.When(conn.GetHeaderFields()).ThenReturn(headers);
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
AuthenticatedURL.ExtractToken(conn, token);
Assert.Equal(tokenStr, token.ToString());
}
/// <summary>Performs SPNEGO authentication against the specified URL.</summary>
/// <remarks>
/// Performs SPNEGO authentication against the specified URL.
/// <p>
/// If a token is given it does a NOP and returns the given token.
/// <p>
/// If no token is given, it will perform the SPNEGO authentication sequence using an
/// HTTP <code>OPTIONS</code> request.
/// </remarks>
/// <param name="url">the URl to authenticate against.</param>
/// <param name="token">the authentication token being used for the user.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="AuthenticationException">if an authentication error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public virtual void Authenticate(Uri url, AuthenticatedURL.Token token)
{
if (!token.IsSet())
{
this.url = url;
base64 = new Base64(0);
conn = (HttpURLConnection)url.OpenConnection();
if (connConfigurator != null)
{
conn = connConfigurator.Configure(conn);
}
conn.SetRequestMethod(AuthHttpMethod);
conn.Connect();
bool needFallback = false;
if (conn.GetResponseCode() == HttpURLConnection.HttpOk)
{
Log.Debug("JDK performed authentication on our behalf.");
// If the JDK already did the SPNEGO back-and-forth for
// us, just pull out the token.
AuthenticatedURL.ExtractToken(conn, token);
if (IsTokenKerberos(token))
{
return;
}
needFallback = true;
}
if (!needFallback && IsNegotiate())
{
Log.Debug("Performing our own SPNEGO sequence.");
DoSpnegoSequence(token);
}
else
{
Log.Debug("Using fallback authenticator sequence.");
Authenticator auth = GetFallBackAuthenticator();
// Make sure that the fall back authenticator have the same
// ConnectionConfigurator, since the method might be overridden.
// Otherwise the fall back authenticator might not have the information
// to make the connection (e.g., SSL certificates)
auth.SetConnectionConfigurator(connConfigurator);
auth.Authenticate(url, token);
}
}
}