ISSUE:569: Support Kerberos credentials based Basic Authentication #567
Conversation
|
@guruchai: Can you create an ISSUE for this and explain what is being done in this PR? |
guruchai
changed the title
Done. Thanks! |
guruchai
changed the title
| @@ -0,0 +1,204 @@ | |||
| package com.hortonworks.registries.auth.server; | |||
There was a problem hiding this comment.
license is missing. Add license for all the newly added files.
| public static final String AUTHORIZATION_HEADER = "Authorization"; | ||
| public static final String BASIC_AUTHENTICATION = "Basic"; | ||
|
|
||
| private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticationHandler.class); |
There was a problem hiding this comment.
Update the class name in the logger.
| } | ||
|
|
||
| if (LOG.isDebugEnabled()) { | ||
| LOG.debug("Ran provider.authenticate() and returned authentication for " + |
There was a problem hiding this comment.
Whether to check authentication is null before printing the log?
| } | ||
|
|
||
| @Test | ||
| public void testRequestWithInvalidAuthorization() throws Exception { |
There was a problem hiding this comment.
testRequestWithInvalidAuthorization and testRequestWithInvalidCredentials looks similar.
There was a problem hiding this comment.
Not exactly. testRequestWithInvalidAuthorization tests the invalidity of Authorization header. testRequestWithInvalidCredentials tests the invalidity of the credentials after validating the Authorization header. They are like 2 steps in parsing step.
| AuthenticationToken authToken = handler.authenticate(request, response); | ||
|
|
||
| if (authToken != null) { | ||
| Assert.fail("AuthToken should have been null if the SPNEGO is disabled in KerberosAuthenticationLoginHandler."); |
There was a problem hiding this comment.
KerberosAuthenticationLoginHandler -> KerberosBasicAuthenticationHandler
|
Thanks for the review, @kamalcph!! made the changes suggested. |
| @@ -0,0 +1,302 @@ | |||
| package com.hortonworks.registries.auth.server; | |||
| } | ||
|
|
||
| @Test | ||
| public void testRequestWithInvalidAuthorization() throws Exception { |
| } | ||
| } | ||
| return true; | ||
| } else { |
There was a problem hiding this comment.
else block can be removed.
| */ | ||
| public class KerberosBasicAuthenticationHandler extends KerberosAuthenticationHandler { | ||
|
|
||
| public static final String LOGIN_ENABLED_CONFIG = "login.enabled"; |
There was a problem hiding this comment.
Can you mention these props in the registry .yaml under the "servletFilters" section?
| public static final String BASIC_AUTHENTICATION = "Basic"; | ||
|
|
||
| private static final Logger LOG = LoggerFactory.getLogger(KerberosBasicAuthenticationHandler.class); | ||
| private static final String METHOD = "POST"; |
There was a problem hiding this comment.
Can we rename this to "HTTP_LOGIN_METHOD" or more something meaningful?
| try { | ||
| provider = new KerberosAuthenticationProvider(); | ||
| SunJaasKerberosClient client = new SunJaasKerberosClient(); | ||
| client.setDebug(true); |
There was a problem hiding this comment.
I am not sure how much logs the client will generate in debug mode. Can we enable this if debug mode is enabled for LOG?
| } | ||
| String credentials = authorization.split(BASIC_AUTHENTICATION)[1].trim(); | ||
| byte[] credentialsArray = Base64.getDecoder().decode(credentials); | ||
| String[] userPassword = new String(credentialsArray, StandardCharsets.UTF_8).split(":"); |
There was a problem hiding this comment.
Can we rename this to "principalAndPassword"? I was bit confused when rawPrincipal was extracted from "userPassword".
| return identity; | ||
| } | ||
|
|
||
| static class KerberosUserDetailsService implements UserDetailsService { |
There was a problem hiding this comment.
Do we need static keyword here?
There was a problem hiding this comment.
static nested classes are usually preferred if the class is not using any of the fields from the enclosing class.
There was a problem hiding this comment.
Agreed. I hurried up. Did not pay much attention. Considering no access to enclosing class, static should have been finer for this case!
| * <li>login.enabled: a boolean string to indicate whether the enabling of Kerberos login.</li> | ||
| * </ul> | ||
| */ | ||
| public class KerberosBasicAuthenticationHandler extends KerberosAuthenticationHandler { |
There was a problem hiding this comment.
Can you talk about this authentication method in security.rst under docs pacakge ?
|
Made the changes. |
Fixes #569