Example #1
0
  /**
   * Create an authenticated connection to the Oozie server.
   *
   * <p>It uses Hadoop-auth client authentication which by default supports Kerberos HTTP SPNEGO,
   * Pseudo/Simple and anonymous.
   *
   * <p>if the Java system property {@link #USE_AUTH_TOKEN_CACHE_SYS_PROP} is set to true
   * Hadoop-auth authentication token will be cached/used in/from the '.oozie-auth-token' file in
   * the user home directory.
   *
   * @param url the URL to open a HTTP connection to.
   * @param method the HTTP method for the HTTP connection.
   * @return an authenticated connection to the Oozie server.
   * @throws IOException if an IO error occurred.
   * @throws OozieClientException if an oozie client error occurred.
   */
  @Override
  protected HttpURLConnection createConnection(URL url, String method)
      throws IOException, OozieClientException {
    boolean useAuthFile =
        System.getProperty(USE_AUTH_TOKEN_CACHE_SYS_PROP, "false").equalsIgnoreCase("true");
    AuthenticatedURL.Token readToken = new AuthenticatedURL.Token();
    AuthenticatedURL.Token currentToken = new AuthenticatedURL.Token();

    if (useAuthFile) {
      readToken = readAuthToken();
      if (readToken != null) {
        currentToken = new AuthenticatedURL.Token(readToken.toString());
      }
    }

    if (currentToken.isSet()) {
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
      conn.setRequestMethod("OPTIONS");
      AuthenticatedURL.injectToken(conn, currentToken);
      if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
        AUTH_TOKEN_CACHE_FILE.delete();
        currentToken = new AuthenticatedURL.Token();
      }
    }

    if (!currentToken.isSet()) {
      Authenticator authenticator = getAuthenticator();
      try {
        new AuthenticatedURL(authenticator).openConnection(url, currentToken);
      } catch (AuthenticationException ex) {
        AUTH_TOKEN_CACHE_FILE.delete();
        throw new OozieClientException(
            OozieClientException.AUTHENTICATION, "Could not authenticate, " + ex.getMessage(), ex);
      }
    }
    if (useAuthFile && !currentToken.equals(readToken)) {
      writeAuthToken(currentToken);
    }
    HttpURLConnection conn = super.createConnection(url, method);
    AuthenticatedURL.injectToken(conn, currentToken);

    return conn;
  }
  /**
   * If the request has a valid authentication token it allows the request to continue to the target
   * resource, otherwise it triggers an authentication sequence using the configured {@link
   * AuthenticationHandler}.
   *
   * @param request the request object.
   * @param response the response object.
   * @param filterChain the filter chain object.
   * @throws IOException thrown if an IO error occurred.
   * @throws ServletException thrown if a processing error occurred.
   */
  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
      throws IOException, ServletException {
    boolean unauthorizedResponse = true;
    int errCode = HttpServletResponse.SC_UNAUTHORIZED;
    AuthenticationException authenticationEx = null;
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    boolean isHttps = "https".equals(httpRequest.getScheme());
    try {
      boolean newToken = false;
      AuthenticationToken token;
      try {
        token = getToken(httpRequest);
      } catch (AuthenticationException ex) {
        LOG.warn("AuthenticationToken ignored: " + ex.getMessage());
        // will be sent back in a 401 unless filter authenticates
        authenticationEx = ex;
        token = null;
      }
      if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
        if (token == null) {
          if (LOG.isDebugEnabled()) {
            LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
          }
          token = authHandler.authenticate(httpRequest, httpResponse);
          if (token != null && token.getExpires() != 0 && token != AuthenticationToken.ANONYMOUS) {
            token.setExpires(System.currentTimeMillis() + getValidity() * 1000);
          }
          newToken = true;
        }
        if (token != null) {
          unauthorizedResponse = false;
          if (LOG.isDebugEnabled()) {
            LOG.debug(
                "Request [{}] user [{}] authenticated",
                getRequestURL(httpRequest),
                token.getUserName());
          }
          final AuthenticationToken authToken = token;
          httpRequest =
              new HttpServletRequestWrapper(httpRequest) {

                @Override
                public String getAuthType() {
                  return authToken.getType();
                }

                @Override
                public String getRemoteUser() {
                  return authToken.getUserName();
                }

                @Override
                public Principal getUserPrincipal() {
                  return (authToken != AuthenticationToken.ANONYMOUS) ? authToken : null;
                }
              };
          if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
            String signedToken = signer.sign(token.toString());
            createAuthCookie(
                httpResponse,
                signedToken,
                getCookieDomain(),
                getCookiePath(),
                token.getExpires(),
                isHttps);
          }
          filterChain.doFilter(httpRequest, httpResponse);
        }
      } else {
        unauthorizedResponse = false;
      }
    } catch (AuthenticationException ex) {
      // exception from the filter itself is fatal
      errCode = HttpServletResponse.SC_FORBIDDEN;
      authenticationEx = ex;
      LOG.warn("Authentication exception: " + ex.getMessage(), ex);
    }
    if (unauthorizedResponse) {
      if (!httpResponse.isCommitted()) {
        createAuthCookie(httpResponse, "", getCookieDomain(), getCookiePath(), 0, isHttps);
        if (authenticationEx == null) {
          httpResponse.sendError(errCode, "Authentication required");
        } else {
          httpResponse.sendError(errCode, authenticationEx.getMessage());
        }
      }
    }
  }