diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
index 61c3c6d5f5..c50a5164a5 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/AuthenticatedURL.java
@@ -24,19 +24,18 @@
 /**
 * The {@link AuthenticatedURL} class enables the use of the JDK {@link URL} class
 * against HTTP endpoints protected with the {@link AuthenticationFilter}.
- *

+ *

* The authentication mechanisms supported by default are Hadoop Simple authentication
 * (also known as pseudo authentication) and Kerberos SPNEGO authentication.
- *

+ *

* Additional authentication mechanisms can be supported via {@link Authenticator} implementations.
- *

+ *

* The default {@link Authenticator} is the {@link KerberosAuthenticator} class which supports
 * automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication.
- *

+ *

* AuthenticatedURL instances are not thread-safe.
- *

+ *

* The usage pattern of the {@link AuthenticatedURL} is:
- *

*

  *
  * // establishing an initial connection
@@ -240,7 +239,7 @@ public static void injectToken(HttpURLConnection conn, Token token) {
 
   /**
    * Helper method that extracts an authentication token received from a connection.
-   * 

+ *

* This method is used by {@link Authenticator} implementations.
 *
 * @param conn connection to extract the authentication token from.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
index e7bae4a891..6828970fdb 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/Authenticator.java
@@ -19,7 +19,7 @@
 /**
 * Interface for client authentication mechanisms.
- *

+ *

* Implementations are use-once instances, they don't need to be thread safe.
 */
 public interface Authenticator {
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index 928866c532..323b019eb8 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -43,9 +43,9 @@
 /**
 * The {@link KerberosAuthenticator} implements the Kerberos SPNEGO authentication sequence.
- *

+ *

* It uses the default principal for the Kerberos cache (normally set via kinit).
- *

+ *

* It falls back to the {@link PseudoAuthenticator} if the HTTP endpoint does not trigger an SPNEGO authentication
 * sequence.
 */
@@ -162,9 +162,9 @@ public void setConnectionConfigurator(ConnectionConfigurator configurator) {
 /**
 * Performs SPNEGO authentication against the specified URL.
- *

+ *

* If a token is given it does a NOP and returns the given token.
- *

+ *

* If no token is given, it will perform the SPNEGO authentication sequence using an
 * HTTP OPTIONS request.
 *
@@ -211,7 +211,7 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
 /**
 * If the specified URL does not support SPNEGO authentication, a fallback {@link Authenticator} will be used.
- *

+ *

* This implementation returns a {@link PseudoAuthenticator}.
 *
 * @return the fallback {@link Authenticator}.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
index f534be9b20..46d94b88de 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/PseudoAuthenticator.java
@@ -20,7 +20,7 @@
 /**
 * The {@link PseudoAuthenticator} implementation provides an authentication equivalent to Hadoop's
 * Simple authentication, it trusts the value of the 'user.name' Java System property.
- *

+ *

* The 'user.name' value is propagated using an additional query string parameter {@link #USER_NAME} ('user.name').
 */
 public class PseudoAuthenticator implements Authenticator {
@@ -47,13 +47,13 @@ public void setConnectionConfigurator(ConnectionConfigurator configurator) {
 /**
 * Performs simple authentication against the specified URL.
- *

+ *

* If a token is given it does a NOP and returns the given token.
- *

+ *

* If no token is given, it will perform an HTTP OPTIONS request injecting an additional
 * parameter {@link #USER_NAME} in the query string with the value returned by the {@link #getUserName()}
 * method.
- *

+ *

* If the response is successful it will update the authentication token.
 *
 * @param url the URl to authenticate against.
@@ -79,7 +79,7 @@ public void authenticate(URL url, AuthenticatedURL.Token token) throws IOExcepti
 /**
 * Returns the current user name.
- *

+ *

* This implementation returns the value of the Java system property 'user.name'
 *
 * @return the current user name.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
index e786e37df8..987330fa0e 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
@@ -28,7 +28,6 @@
 * to allow a developer to implement their own custom authentication for browser
 * access. The alternateAuthenticate method will be called whenever a request
 * comes from a browser.
- *

*/
 public abstract class AltKerberosAuthenticationHandler
 extends KerberosAuthenticationHandler {
@@ -52,7 +51,6 @@ public abstract class AltKerberosAuthenticationHandler
 /**
 * Returns the authentication type of the authentication handler,
 * 'alt-kerberos'.
- *

*
 * @return the authentication type of the authentication handler,
 * 'alt-kerberos'.
@@ -80,7 +78,6 @@ public void init(Properties config) throws ServletException {
 * completed successfully (in the case of Java access) and only after the
 * custom authentication implemented by the subclass in alternateAuthenticate
 * has completed successfully (in the case of browser access).
- *

*
 * @param request the HTTP client request.
 * @param response the HTTP client response.
@@ -109,7 +106,7 @@ public AuthenticationToken authenticate(HttpServletRequest request,
 * refers to a browser. If its not a browser, then Kerberos authentication
 * will be used; if it is a browser, alternateAuthenticate from the subclass
 * will be used.
- *

+ *

* A User-Agent String is considered to be a browser if it does not contain
 * any of the values from alt-kerberos.non-browser.user-agents; the default
 * behavior is to consider everything a browser unless it contains one of:
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index 0ac352ba2d..e891ed2623 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -44,18 +44,20 @@ import java.util.*;
 /**
- * The {@link AuthenticationFilter} enables protecting web application resources with different (pluggable)
+ *

The {@link AuthenticationFilter} enables protecting web application
+ * resources with different (pluggable)
 * authentication mechanisms and signer secret providers.
- *

+ *

+ *

* Out of the box it provides 2 authentication mechanisms: Pseudo and Kerberos SPNEGO.
- *

+ *

* Additional authentication mechanisms are supported via the {@link AuthenticationHandler} interface.
- *

+ *

* This filter delegates to the configured authentication handler for authentication and once it obtains an
 * {@link AuthenticationToken} from it, sets a signed HTTP cookie with the token. For client requests
 * that provide the signed HTTP cookie, it verifies the validity of the cookie, extracts the user information
 * and lets the request proceed to the target resource.
- *

+ *

* The supported configuration properties are: * - *

+ *

* The rest of the configuration properties are specific to the {@link AuthenticationHandler} implementation and the
 * {@link AuthenticationFilter} will take all the properties that start with the prefix #PREFIX#, it will remove
 * the prefix from it and it will pass them to the the authentication handler for initialization. Properties that do
 * not start with the prefix will not be passed to the authentication handler initialization.
- *

+ *

+ *

* Out of the box it provides 3 signer secret provider implementations:
 * "string", "random", and "zookeeper"
- *

+ *

* Additional signer secret providers are supported via the
 * {@link SignerSecretProvider} class.
- *

+ *

* For the HTTP cookies mentioned above, the SignerSecretProvider is used to
 * determine the secret to use for signing the cookies. Different
 * implementations can have different behaviors. The "string" implementation
@@ -94,7 +97,7 @@
 * [#PREFIX#.]token.validity mentioned above. The "zookeeper" implementation
 * is like the "random" one, except that it synchronizes the random secret
 * and rollovers between multiple servers; it's meant for HA services.
- *

+ *

* The relevant configuration properties are: * - *

+ *

* The "zookeeper" implementation has additional configuration properties that
 * must be specified; see {@link ZKSignerSecretProvider} for details.
- *

+ *

* For subclasses of AuthenticationFilter that want additional control over the
 * SignerSecretProvider, they can use the following attribute set in the
 * ServletContext:
@@ -190,10 +193,9 @@ public class AuthenticationFilter implements Filter {
 private String cookiePath;
 /**
- * Initializes the authentication filter and signer secret provider.
- *

- * It instantiates and initializes the specified {@link AuthenticationHandler}.
- *

+ *

Initializes the authentication filter and signer secret provider.

+ * It instantiates and initializes the specified {@link
+ * AuthenticationHandler}.
 *
 * @param filterConfig filter configuration.
 *
@@ -375,7 +377,7 @@ protected String getCookiePath() {
 /**
 * Destroys the filter.
- *

+ *

* It invokes the {@link AuthenticationHandler#destroy()} method to release any resources it may hold.
 */
 @Override
@@ -393,7 +395,7 @@ public void destroy() {
 * Returns the filtered configuration (only properties starting with the specified prefix). The property keys
 * are also trimmed from the prefix. The returned {@link Properties} object is used to initialized the
 * {@link AuthenticationHandler}.
- *

+ *

* This method can be overriden by subclasses to obtain the configuration from other configuration source than
 * the web.xml file.
 *
@@ -419,7 +421,7 @@ protected Properties getConfiguration(String configPrefix, FilterConfig filterCo
 /**
 * Returns the full URL of the request including the query string.
- *

+ *

* Used as a convenience method for logging purposes.
 *
 * @param request the request object.
@@ -436,11 +438,11 @@ protected String getRequestURL(HttpServletRequest request) {
 /**
 * Returns the {@link AuthenticationToken} for the request.
- *

+ *

* It looks at the received HTTP cookies and extracts the value of the {@link AuthenticatedURL#AUTH_COOKIE}
 * if present. It verifies the signature and if correct it creates the {@link AuthenticationToken} and returns
 * it.
- *

+ *

* If this method returns null the filter will invoke the configured {@link AuthenticationHandler}
 * to perform user authentication.
 *
@@ -597,7 +599,7 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
 *
 * @param token authentication token for the cookie.
 * @param expires UNIX timestamp that indicates the expire date of the
- * cookie. It has no effect if its value < 0.
+ * cookie. It has no effect if its value < 0.
 *
 * XXX the following code duplicate some logic in Jetty / Servlet API,
 * because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
index 04984be5a7..797e95a689 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
@@ -24,9 +24,7 @@
 /**
 * Interface for server authentication mechanisms.
- *

* The {@link AuthenticationFilter} manages the lifecycle of the authentication handler.
- *

* Implementations must be thread-safe as one instance is initialized and used for all requests.
 */
 public interface AuthenticationHandler {
@@ -35,7 +33,6 @@ public interface AuthenticationHandler {
 /**
 * Returns the authentication type of the authentication handler.
- *

* This should be a name that uniquely identifies the authentication type.
 * For example 'simple' or 'kerberos'.
 *
@@ -45,7 +42,7 @@ public interface AuthenticationHandler {
 /**
 * Initializes the authentication handler instance.
- *

+ *

* This method is invoked by the {@link AuthenticationFilter#init} method.
 *
 * @param config configuration properties to initialize the handler.
@@ -56,21 +53,21 @@ public interface AuthenticationHandler {
 /**
 * Destroys the authentication handler instance.
- *

+ *

* This method is invoked by the {@link AuthenticationFilter#destroy} method.
 */
 public void destroy();
 /**
 * Performs an authentication management operation.
- *

+ *

* This is useful for handling operations like get/renew/cancel
 * delegation tokens which are being handled as operations of the
 * service end-point.
- *

+ *

* If the method returns TRUE the request will continue normal
 * processing, this means the method has not produced any HTTP response.
- *

+ *

* If the method returns FALSE the request will end, this means
 * the method has produced the corresponding HTTP response.
 *
@@ -91,17 +88,17 @@ public boolean managementOperation(AuthenticationToken token,
 /**
 * Performs an authentication step for the given HTTP client request.
- *

+ *

* This method is invoked by the {@link AuthenticationFilter} only if the HTTP client request is
 * not yet authenticated.
- *

+ *

* Depending upon the authentication mechanism being implemented, a particular HTTP client may
 * end up making a sequence of invocations before authentication is successfully established (this is
 * the case of Kerberos SPNEGO).
- *

+ *

* This method must return an {@link AuthenticationToken} only if the the HTTP client request has
 * been successfully and fully authenticated.
- *

+ *

* If the HTTP client request has not been completely authenticated, this method must take over
 * the corresponding HTTP response and it must return null.
 *
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
index ff68847c8a..bb3e71da61 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
@@ -29,7 +29,7 @@
 * The {@link AuthenticationToken} contains information about an authenticated
 * HTTP client and doubles as the {@link Principal} to be returned by
 * authenticated {@link HttpServletRequest}s
- *

+ *

* The token can be serialized/deserialized to and from a string as it is sent
 * and received in HTTP client responses and requests as a HTTP cookie (this is
 * done by the {@link AuthenticationFilter}).
@@ -170,7 +170,7 @@ public boolean isExpired() {
 /**
 * Returns the string representation of the token.
- *

+ *

* This string representation is parseable by the {@link #parse} method.
 *
 * @return the string representation of the token.
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
index 92bc57c413..846541b162 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
@@ -51,7 +51,7 @@
 /**
 * The {@link KerberosAuthenticationHandler} implements the Kerberos SPNEGO authentication mechanism for HTTP.
- *

+ *

* The supported configuration properties are: *