diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/util/SPNEGOAuthenticationTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/util/SPNEGOAuthenticationTest.java index 906a36d751a0..df8453def1b5 100644 --- a/jetty-client/src/test/java/org/eclipse/jetty/client/util/SPNEGOAuthenticationTest.java +++ b/jetty-client/src/test/java/org/eclipse/jetty/client/util/SPNEGOAuthenticationTest.java @@ -39,12 +39,12 @@ import org.eclipse.jetty.client.api.ContentResponse; import org.eclipse.jetty.client.api.Request; import org.eclipse.jetty.client.api.Response; +import org.eclipse.jetty.security.ConfigurableSpnegoLoginService; import org.eclipse.jetty.security.ConstraintMapping; import org.eclipse.jetty.security.ConstraintSecurityHandler; import org.eclipse.jetty.security.HashLoginService; -import org.eclipse.jetty.security.SpnegoLoginService2; import org.eclipse.jetty.security.authentication.AuthorizationService; -import org.eclipse.jetty.security.authentication.SpnegoAuthenticator2; +import org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator; import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.session.DefaultSessionIdManager; @@ -88,7 +88,7 @@ public class SPNEGOAuthenticationTest extends AbstractHttpClientServerTest private Path serviceKeyTabPath = testDirPath.resolve("service.keytab"); private Path clientKeyTabPath = testDirPath.resolve("client.keytab"); private SimpleKdcServer kdc; - private SpnegoAuthenticator2 authenticator; + private ConfigurableSpnegoAuthenticator authenticator; @BeforeEach public void prepare() throws Exception 
@@ -123,7 +123,7 @@ private void startSPNEGO(Scenario scenario, Handler handler) throws Exception server = new Server(); server.setSessionIdManager(new DefaultSessionIdManager(server)); HashLoginService authorizationService = new HashLoginService(realm, realmPropsPath.toString()); - SpnegoLoginService2 loginService = new SpnegoLoginService2(realm, AuthorizationService.from(authorizationService, "")); + ConfigurableSpnegoLoginService loginService = new ConfigurableSpnegoLoginService(realm, AuthorizationService.from(authorizationService, "")); loginService.addBean(authorizationService); loginService.setKeyTabPath(serviceKeyTabPath); loginService.setServiceName(serviceName); @@ -138,7 +138,7 @@ private void startSPNEGO(Scenario scenario, Handler handler) throws Exception mapping.setPathSpec("/secure"); mapping.setConstraint(constraint); securityHandler.addConstraintMapping(mapping); - authenticator = new SpnegoAuthenticator2(); + authenticator = new ConfigurableSpnegoAuthenticator(); securityHandler.setAuthenticator(authenticator); securityHandler.setLoginService(loginService); securityHandler.setHandler(handler); diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService2.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConfigurableSpnegoLoginService.java similarity index 86% rename from jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService2.java rename to jetty-security/src/main/java/org/eclipse/jetty/security/ConfigurableSpnegoLoginService.java index 84c981a18170..48e9cc880472 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService2.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConfigurableSpnegoLoginService.java @@ -46,9 +46,20 @@ import org.ietf.jgss.GSSName; import org.ietf.jgss.Oid; -public class SpnegoLoginService2 extends ContainerLifeCycle implements LoginService +/** + *

A configurable (as opposed to using system properties) SPNEGO LoginService.

+ *

At startup, this LoginService will login via JAAS the service principal, composed + * of the {@link #getServiceName() service name} and the {@link #getHostName() host name}, + * for example {@code HTTP/wonder.com}, using a {@code keyTab} file as the service principal + * credentials.

+ *

Upon receiving a HTTP request, the server tries to authenticate the client + * calling {@link #login(String, Object, ServletRequest)} where the GSS APIs are used to + * verify client tokens and (perhaps after a few round-trips) a {@code GSSContext} is + * established.

+ */ +public class ConfigurableSpnegoLoginService extends ContainerLifeCycle implements LoginService { - private static final Logger LOG = Log.getLogger(SpnegoLoginService2.class); + private static final Logger LOG = Log.getLogger(ConfigurableSpnegoLoginService.class); private final GSSManager _gssManager = GSSManager.getInstance(); private final String _realm; @@ -59,43 +70,67 @@ public class SpnegoLoginService2 extends ContainerLifeCycle implements LoginServ private String _hostName; private SpnegoContext _context; - public SpnegoLoginService2(String realm, AuthorizationService authorizationService) + public ConfigurableSpnegoLoginService(String realm, AuthorizationService authorizationService) { _realm = realm; _authorizationService = authorizationService; } + /** + * @return the realm name + */ @Override public String getName() { return _realm; } + /** + * @return the path of the keyTab file containing service credentials + */ public Path getKeyTabPath() { return _keyTabPath; } + /** + * @param keyTabFile the path of the keyTab file containing service credentials + */ public void setKeyTabPath(Path keyTabFile) { _keyTabPath = keyTabFile; } + /** + * @return the service name, typically "HTTP" + * @see #getHostName() + */ public String getServiceName() { return _serviceName; } + /** + * @param serviceName the service name + * @see #setHostName(String) + */ public void setServiceName(String serviceName) { _serviceName = serviceName; } + /** + * @return the host name of the service + * @see #setServiceName(String) + */ public String getHostName() { return _hostName; } + /** + * @param hostName the host name of the service + */ public void setHostName(String hostName) { _hostName = hostName; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java index 5ea42ddb145b..41f30f0a736e 100644 
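Review bot: The new class Javadoc describes the runtime GSS flow but not the configuration it depends on: nothing on the class, nor on the setters in the following `@@ -59,43 +70,67 @@` hunk (`setKeyTabPath`, `setServiceName`, `setHostName`), says these must be set before `start()`, and each setter stores its value unconditionally, so a value set after startup presumably does not affect the already-logged-in service principal — confirm against `doStart`, which is outside the hunk. I would add a sentence to the class Javadoc such as `The keyTab path, service name and host name must be configured before this LoginService is started.` and extend the `setKeyTabPath` tag to `@param keyTabFile the path of the keyTab file containing service credentials; it holds long-term credentials and should be readable only by the server process`. The `@see` cross-references in that hunk are also asymmetric: `getServiceName()` links `#getHostName()` while `getHostName()` links `#setServiceName(String)`, and `setHostName` carries no `@see` at all; `@see #getServiceName()` on the getter and `@see #setServiceName(String)` on the setter keeps the pairs consistent.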
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java @@ -36,6 +36,10 @@ import org.ietf.jgss.GSSName; import org.ietf.jgss.Oid; +/** + * @deprecated use {@link ConfigurableSpnegoLoginService} instead + */ +@Deprecated public class SpnegoLoginService extends AbstractLifeCycle implements LoginService { private static final Logger LOG = Log.getLogger(SpnegoLoginService.class); diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator2.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ConfigurableSpnegoAuthenticator.java similarity index 91% rename from jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator2.java rename to jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ConfigurableSpnegoAuthenticator.java index 5e8bb43e8810..59e0611af14c 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator2.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ConfigurableSpnegoAuthenticator.java @@ -42,14 +42,22 @@ import org.eclipse.jetty.util.log.Logger; import org.eclipse.jetty.util.security.Constraint; -public class SpnegoAuthenticator2 extends LoginAuthenticator +/** + *
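Review bot: The `@deprecated` tag on `SpnegoLoginService` names the replacement but not what changes for callers, and the same tag on `SpnegoAuthenticator` in the last hunk ends with a period while this one does not. Since the replacement's own Javadoc states it is configurable rather than driven by system properties, one sentence here, e.g. `@deprecated use {@link ConfigurableSpnegoLoginService} instead; it is configured via setters rather than system properties.`, tells readers why to migrate. If the module targets Java 9 or later, `@Deprecated(since = "<release placeholder>")` would also record when the deprecation happened.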

A LoginAuthenticator that uses SPNEGO and the GSS API to authenticate requests.

+ *

A successful authentication from a client is cached for a configurable + * {@link #getAuthenticationDuration() duration} using the HTTP session; this avoids + * that the client is asked to authenticate for every request.

+ * + * @see org.eclipse.jetty.security.ConfigurableSpnegoLoginService + */ +public class ConfigurableSpnegoAuthenticator extends LoginAuthenticator { - private static final Logger LOG = Log.getLogger(SpnegoAuthenticator2.class); + private static final Logger LOG = Log.getLogger(ConfigurableSpnegoAuthenticator.class); private final String _authMethod; private Duration _authenticationDuration = Duration.ofNanos(-1); - public SpnegoAuthenticator2() + public ConfigurableSpnegoAuthenticator() { this(Constraint.__SPNEGO_AUTH); } @@ -59,7 +67,7 @@ public SpnegoAuthenticator2() * * @param authMethod the auth method */ - public SpnegoAuthenticator2(String authMethod) + public ConfigurableSpnegoAuthenticator(String authMethod) { _authMethod = authMethod; } @@ -70,6 +78,9 @@ public String getAuthMethod() return _authMethod; } + /** + * @return the authentication duration + */ public Duration getAuthenticationDuration() { return _authenticationDuration; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java index 0dfe1b6add55..8142eb7c4d88 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java @@ -35,6 +35,10 @@ import org.eclipse.jetty.util.log.Logger; import org.eclipse.jetty.util.security.Constraint; +/** + * @deprecated use {@link ConfigurableSpnegoAuthenticator} instead. + */ +@Deprecated public class SpnegoAuthenticator extends LoginAuthenticator { private static final Logger LOG = Log.getLogger(SpnegoAuthenticator.class);
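Review bot: The default `Duration.ofNanos(-1)` assigned to `_authenticationDuration` is a sentinel whose meaning is documented neither here nor in the `getAuthenticationDuration()` Javadoc added in the `@@ -70,6 +78,9 @@` hunk, which only says `@return the authentication duration`. The class Javadoc states a successful authentication is cached for that duration in the HTTP session, so a reader needs to know what a negative value does (presumably either "no caching" or "until the session expires"; the code that reads the field is outside the hunk). I would extend the getter tag to `@return the authentication duration; a negative value (the default) means <TODO: confirm sentinel semantics>` and put a one-line comment with the same statement on the field declaration.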