/// <summary> /// Implements the SPNEGO authentication sequence interaction using the current default principal /// in the Kerberos cache (normally set via kinit). /// </summary> /// <param name="token">the authentication token being used for the user.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="AuthenticationException">if an authentication error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// "/> private void DoSpnegoSequence(AuthenticatedURL.Token token) { try { AccessControlContext context = AccessController.GetContext(); Subject subject = Subject.GetSubject(context); if (subject == null || (subject.GetPrivateCredentials <KerberosKey>().IsEmpty() && subject.GetPrivateCredentials <KerberosTicket>().IsEmpty())) { Log.Debug("No subject in context, logging in"); subject = new Subject(); LoginContext login = new LoginContext(string.Empty, subject, null, new KerberosAuthenticator.KerberosConfiguration ()); login.Login(); } if (Log.IsDebugEnabled()) { Log.Debug("Using subject: " + subject); } Subject.DoAs(subject, new _PrivilegedExceptionAction_287(this)); } catch (PrivilegedActionException ex) { // Loop while the context is still not established throw new AuthenticationException(ex.GetException()); } catch (LoginException ex) { throw new AuthenticationException(ex); } AuthenticatedURL.ExtractToken(conn, token); }
public virtual void TestExtractTokenFail() { HttpURLConnection conn = Org.Mockito.Mockito.Mock <HttpURLConnection>(); Org.Mockito.Mockito.When(conn.GetResponseCode()).ThenReturn(HttpURLConnection.HttpUnauthorized ); string tokenStr = "foo"; IDictionary <string, IList <string> > headers = new Dictionary <string, IList <string> >(); IList <string> cookies = new AList <string>(); cookies.AddItem(AuthenticatedURL.AuthCookie + "=" + tokenStr); headers["Set-Cookie"] = cookies; Org.Mockito.Mockito.When(conn.GetHeaderFields()).ThenReturn(headers); AuthenticatedURL.Token token = new AuthenticatedURL.Token(); token.Set("bar"); try { AuthenticatedURL.ExtractToken(conn, token); NUnit.Framework.Assert.Fail(); } catch (AuthenticationException) { // Expected NUnit.Framework.Assert.IsFalse(token.IsSet()); } catch (Exception) { NUnit.Framework.Assert.Fail(); } }
/// <summary>Performs simple authentication against the specified URL.</summary> /// <remarks> /// Performs simple authentication against the specified URL. /// <p> /// If a token is given it does a NOP and returns the given token. /// <p> /// If no token is given, it will perform an HTTP <code>OPTIONS</code> request injecting an additional /// parameter /// <see cref="UserName"/> /// in the query string with the value returned by the /// <see cref="GetUserName()"/> /// method. /// <p> /// If the response is successful it will update the authentication token. /// </remarks> /// <param name="url">the URl to authenticate against.</param> /// <param name="token">the authencation token being used for the user.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="AuthenticationException">if an authentication error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// "/> public virtual void Authenticate(Uri url, AuthenticatedURL.Token token) { string strUrl = url.ToString(); string paramSeparator = (strUrl.Contains("?")) ? "&" : "?"; strUrl += paramSeparator + UserNameEq + GetUserName(); url = new Uri(strUrl); HttpURLConnection conn = (HttpURLConnection)url.OpenConnection(); if (connConfigurator != null) { conn = connConfigurator.Configure(conn); } conn.SetRequestMethod("OPTIONS"); conn.Connect(); AuthenticatedURL.ExtractToken(conn, token); }
public virtual void TestExtractTokenOK() { HttpURLConnection conn = Org.Mockito.Mockito.Mock <HttpURLConnection>(); Org.Mockito.Mockito.When(conn.GetResponseCode()).ThenReturn(HttpURLConnection.HttpOk ); string tokenStr = "foo"; IDictionary <string, IList <string> > headers = new Dictionary <string, IList <string> >(); IList <string> cookies = new AList <string>(); cookies.AddItem(AuthenticatedURL.AuthCookie + "=" + tokenStr); headers["Set-Cookie"] = cookies; Org.Mockito.Mockito.When(conn.GetHeaderFields()).ThenReturn(headers); AuthenticatedURL.Token token = new AuthenticatedURL.Token(); AuthenticatedURL.ExtractToken(conn, token); Assert.Equal(tokenStr, token.ToString()); }
/// <summary>Performs SPNEGO authentication against the specified URL.</summary> /// <remarks> /// Performs SPNEGO authentication against the specified URL. /// <p> /// If a token is given it does a NOP and returns the given token. /// <p> /// If no token is given, it will perform the SPNEGO authentication sequence using an /// HTTP <code>OPTIONS</code> request. /// </remarks> /// <param name="url">the URl to authenticate against.</param> /// <param name="token">the authentication token being used for the user.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="AuthenticationException">if an authentication error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// "/> public virtual void Authenticate(Uri url, AuthenticatedURL.Token token) { if (!token.IsSet()) { this.url = url; base64 = new Base64(0); conn = (HttpURLConnection)url.OpenConnection(); if (connConfigurator != null) { conn = connConfigurator.Configure(conn); } conn.SetRequestMethod(AuthHttpMethod); conn.Connect(); bool needFallback = false; if (conn.GetResponseCode() == HttpURLConnection.HttpOk) { Log.Debug("JDK performed authentication on our behalf."); // If the JDK already did the SPNEGO back-and-forth for // us, just pull out the token. AuthenticatedURL.ExtractToken(conn, token); if (IsTokenKerberos(token)) { return; } needFallback = true; } if (!needFallback && IsNegotiate()) { Log.Debug("Performing our own SPNEGO sequence."); DoSpnegoSequence(token); } else { Log.Debug("Using fallback authenticator sequence."); Authenticator auth = GetFallBackAuthenticator(); // Make sure that the fall back authenticator have the same // ConnectionConfigurator, since the method might be overridden. // Otherwise the fall back authenticator might not have the information // to make the connection (e.g., SSL certificates) auth.SetConnectionConfigurator(connConfigurator); auth.Authenticate(url, token); } } }