org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator Maven / Gradle / Ivy
The newest version!
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to you under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.calcite.avatica.server;
import org.apache.calcite.avatica.AvaticaUtils;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Custom SpnegoAuthenticator which will still reponse with a WWW-Authentication: Negotiate
* header if the client provides some other kind of authentication header.
*/
@SuppressWarnings("deprecation")
public class AvaticaSpnegoAuthenticator extends
org.eclipse.jetty.security.authentication.SpnegoAuthenticator {
private static final Logger LOG = LoggerFactory.getLogger(AvaticaSpnegoAuthenticator.class);
@Override public Authentication validateRequest(ServletRequest request,
ServletResponse response, boolean mandatory) throws ServerAuthException {
final Authentication computedAuth = super.validateRequest(request, response, mandatory);
try {
return sendChallengeIfNecessary(computedAuth, request, response);
} catch (IOException e) {
throw new ServerAuthException(e);
}
}
/**
* Jetty has a bug in which if there is an Authorization header sent by a client which is
* not of the Negotiate type, Jetty does not send the challenge to negotiate. This works
* around that issue, forcing the challenge to be sent. Will require investigation on
* upgrade to a newer version of Jetty.
*/
Authentication sendChallengeIfNecessary(Authentication computedAuth, ServletRequest request,
ServletResponse response) throws IOException {
if (computedAuth == Authentication.UNAUTHENTICATED) {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
// We have an authorization header, but it's not Negotiate
if (header != null && !header.startsWith(HttpHeader.NEGOTIATE.asString())) {
LOG.debug("Client sent Authorization header that was not for Negotiate,"
+ " sending challenge anyways.");
if (DeferredAuthentication.isDeferred(res)) {
return Authentication.UNAUTHENTICATED;
}
res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return Authentication.SEND_CONTINUE;
}
} else if (computedAuth == Authentication.SEND_CONTINUE) {
// CALCITE-4196 When we need to reply back to the client with the HTTP/401 challenge
// we must make sure that we consume all of the data that the client has written. Otherwise,
// the client will continue to write the data on a socket which we've already closed. This
// would ultimately result in the client receiving a TCP Reset and seeing a "Broken pipe"
// exception in their client application.
HttpServletRequest req = (HttpServletRequest) request;
AvaticaUtils.skipFully(req.getInputStream());
}
return computedAuth;
}
}
// End AvaticaSpnegoAuthenticator.java
© 2015 - 2024 Weber Informatics LLC | Privacy Policy