增加认证相关注释

2024-09-21 00:23:15 +08:00 · 2024-09-21 00:23:15 +08:00 · 3b1b53b1ca
commit 3b1b53b1ca
parent dfc2c04eea
1 changed files with 6 additions and 0 deletions
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@ -307,6 +307,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
    }

    AuthenticationToken token = null;
+    // 从请求头里面获取Token。
    String authorization = request.getHeader(
        KerberosAuthenticator.AUTHORIZATION);

@ -322,6 +323,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
            KerberosAuthenticator.NEGOTIATE + "' :  {}", authorization);
      }
    } else {
+      // token必须以NEGOTIATE开头。
      authorization = authorization.substring(
          KerberosAuthenticator.NEGOTIATE.length()).trim();
      final Base64 base64 = new Base64(0);
@ -329,6 +331,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
      try {
        final String serverPrincipal =
            KerberosUtil.getTokenServerName(clientToken);
+        // 客户端的token必须包含HTTP/
        if (!serverPrincipal.startsWith("HTTP/")) {
          throw new IllegalArgumentException(
              "Invalid server principal " + serverPrincipal +
@ -338,6 +341,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
            new PrivilegedExceptionAction<AuthenticationToken>() {
              @Override
              public AuthenticationToken run() throws Exception {
+                // 开始校验token
                return runWithPrincipal(serverPrincipal, clientToken,
                      base64, response);
              }
@ -381,9 +385,11 @@ private AuthenticationToken runWithPrincipal(String serverPrincipal,
                           authenticate);
      }
      if (!gssContext.isEstablished()) {
+        // 认证过程中。可能需要多次交换Token
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        LOG.trace("SPNEGO in progress");
      } else {
+        // 认证完成。
        String clientPrincipal = gssContext.getSrcName().toString();
        KerberosName kerberosName = new KerberosName(clientPrincipal);
        String userName = kerberosName.getShortName();