增加认证相关注释

LingZhaoHui 2024-09-21 00:23:15 +08:00
parent dfc2c04eea
commit 3b1b53b1ca
Signed by: zeekling
GPG Key ID: D96E4E75267CA2CC


@ -307,6 +307,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
} }
AuthenticationToken token = null; AuthenticationToken token = null;
// 从请求头里面获取Token
String authorization = request.getHeader( String authorization = request.getHeader(
KerberosAuthenticator.AUTHORIZATION); KerberosAuthenticator.AUTHORIZATION);
@ -322,6 +323,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
KerberosAuthenticator.NEGOTIATE + "' : {}", authorization); KerberosAuthenticator.NEGOTIATE + "' : {}", authorization);
} }
} else { } else {
// token必须以NEGOTIATE开头
authorization = authorization.substring( authorization = authorization.substring(
KerberosAuthenticator.NEGOTIATE.length()).trim(); KerberosAuthenticator.NEGOTIATE.length()).trim();
final Base64 base64 = new Base64(0); final Base64 base64 = new Base64(0);
@ -329,6 +331,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
try { try {
final String serverPrincipal = final String serverPrincipal =
KerberosUtil.getTokenServerName(clientToken); KerberosUtil.getTokenServerName(clientToken);
// 客户端的token必须包含HTTP/
if (!serverPrincipal.startsWith("HTTP/")) { if (!serverPrincipal.startsWith("HTTP/")) {
throw new IllegalArgumentException( throw new IllegalArgumentException(
"Invalid server principal " + serverPrincipal + "Invalid server principal " + serverPrincipal +
@ -338,6 +341,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
new PrivilegedExceptionAction<AuthenticationToken>() { new PrivilegedExceptionAction<AuthenticationToken>() {
@Override @Override
public AuthenticationToken run() throws Exception { public AuthenticationToken run() throws Exception {
// 开始校验token
return runWithPrincipal(serverPrincipal, clientToken, return runWithPrincipal(serverPrincipal, clientToken,
base64, response); base64, response);
} }
@ -381,9 +385,11 @@ private AuthenticationToken runWithPrincipal(String serverPrincipal,
authenticate); authenticate);
} }
if (!gssContext.isEstablished()) { if (!gssContext.isEstablished()) {
// 认证过程中可能需要多次交换Token
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
LOG.trace("SPNEGO in progress"); LOG.trace("SPNEGO in progress");
} else { } else {
// 认证完成
String clientPrincipal = gssContext.getSrcName().toString(); String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal); KerberosName kerberosName = new KerberosName(clientPrincipal);
String userName = kerberosName.getShortName(); String userName = kerberosName.getShortName();
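Review bot: The comment added in the third hunk above `if (!serverPrincipal.startsWith("HTTP/"))` says the client token must contain HTTP/, but the check is a prefix test on the server principal returned by `KerberosUtil.getTokenServerName(clientToken)`, not a substring test on the token. I would word it as `// 从token中解析出的服务端principal必须以HTTP/开头`, so a reader does not assume that a substring match on the raw token is an equivalent check. The comment added in the second hunk is similar: the `else` branch appears to be the path taken once the header is already known to start with NEGOTIATE, so `// 请求头以NEGOTIATE开头，去掉该前缀` describes the `substring(...)` call more precisely. Separately, the context line just above that `else` passes the raw `authorization` value to a log call whose start is outside the hunk; since that branch seems to handle headers that are not Negotiate, it is worth confirming that the header value cannot reach production logs. Both `authenticate` and `runWithPrincipal` start and end outside the hunks shown.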