server/src/main/java/org/apache/calcite/avatica/server/AvaticaSpnegoAuthenticator.java - calcite-avatica - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to you under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.calcite.avatica.server;

 import org.apache.calcite.avatica.AvaticaUtils;

 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.security.ServerAuthException;
 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
 import org.eclipse.jetty.server.Authentication;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.IOException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 /**
  * Custom SpnegoAuthenticator which will still reponse with a WWW-Authentication: Negotiate
  * header if the client provides some other kind of authentication header.
  */
 @SuppressWarnings("deprecation")
 public class AvaticaSpnegoAuthenticator extends
     org.eclipse.jetty.security.authentication.SpnegoAuthenticator {
   private static final Logger LOG = LoggerFactory.getLogger(AvaticaSpnegoAuthenticator.class);

   @Override public Authentication validateRequest(ServletRequest request,
       ServletResponse response, boolean mandatory) throws ServerAuthException {
     final Authentication computedAuth = super.validateRequest(request, response, mandatory);
     try {
       return sendChallengeIfNecessary(computedAuth, request, response);
     } catch (IOException e) {
       throw new ServerAuthException(e);
     }
   }

   /**
    * Jetty has a bug in which if there is an Authorization header sent by a client which is
    * not of the Negotiate type, Jetty does not send the challenge to negotiate. This works
    * around that issue, forcing the challenge to be sent. Will require investigation on
    * upgrade to a newer version of Jetty.
    */
   Authentication sendChallengeIfNecessary(Authentication computedAuth, ServletRequest request,
       ServletResponse response) throws IOException {
     if (computedAuth == Authentication.UNAUTHENTICATED) {
       HttpServletRequest req = (HttpServletRequest) request;
       HttpServletResponse res = (HttpServletResponse) response;

       String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
       // We have an authorization header, but it's not Negotiate
       if (header != null && !header.startsWith(HttpHeader.NEGOTIATE.asString())) {
         LOG.debug("Client sent Authorization header that was not for Negotiate,"
             + " sending challenge anyways.");
         if (DeferredAuthentication.isDeferred(res)) {
           return Authentication.UNAUTHENTICATED;
         }

         res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
         res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
         return Authentication.SEND_CONTINUE;
       }
     } else if (computedAuth == Authentication.SEND_CONTINUE) {
       // CALCITE-4196 When we need to reply back to the client with the HTTP/401 challenge
       // we must make sure that we consume all of the data that the client has written. Otherwise,
       // the client will continue to write the data on a socket which we've already closed. This
       // would ultimately result in the client receiving a TCP Reset and seeing a "Broken pipe"
       // exception in their client application.
       HttpServletRequest req = (HttpServletRequest) request;
       AvaticaUtils.skipFully(req.getInputStream());
     }
     return computedAuth;
   }
 }

 // End AvaticaSpnegoAuthenticator.java
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to you under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.calcite.avatica.server;

	import org.apache.calcite.avatica.AvaticaUtils;

	import org.eclipse.jetty.http.HttpHeader;
	import org.eclipse.jetty.security.ServerAuthException;
	import org.eclipse.jetty.security.authentication.DeferredAuthentication;
	import org.eclipse.jetty.server.Authentication;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.io.IOException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	/**
	* Custom SpnegoAuthenticator which will still reponse with a WWW-Authentication: Negotiate
	* header if the client provides some other kind of authentication header.
	*/
	@SuppressWarnings("deprecation")
	public class AvaticaSpnegoAuthenticator extends
	org.eclipse.jetty.security.authentication.SpnegoAuthenticator {
	private static final Logger LOG = LoggerFactory.getLogger(AvaticaSpnegoAuthenticator.class);

	@Override public Authentication validateRequest(ServletRequest request,
	ServletResponse response, boolean mandatory) throws ServerAuthException {
	final Authentication computedAuth = super.validateRequest(request, response, mandatory);
	try {
	return sendChallengeIfNecessary(computedAuth, request, response);
	} catch (IOException e) {
	throw new ServerAuthException(e);
	}
	}

	/**
	* Jetty has a bug in which if there is an Authorization header sent by a client which is
	* not of the Negotiate type, Jetty does not send the challenge to negotiate. This works
	* around that issue, forcing the challenge to be sent. Will require investigation on
	* upgrade to a newer version of Jetty.
	*/
	Authentication sendChallengeIfNecessary(Authentication computedAuth, ServletRequest request,
	ServletResponse response) throws IOException {
	if (computedAuth == Authentication.UNAUTHENTICATED) {
	HttpServletRequest req = (HttpServletRequest) request;
	HttpServletResponse res = (HttpServletResponse) response;

	String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
	// We have an authorization header, but it's not Negotiate
	if (header != null && !header.startsWith(HttpHeader.NEGOTIATE.asString())) {
	LOG.debug("Client sent Authorization header that was not for Negotiate,"
	+ " sending challenge anyways.");
	if (DeferredAuthentication.isDeferred(res)) {
	return Authentication.UNAUTHENTICATED;
	}

	res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
	res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
	return Authentication.SEND_CONTINUE;
	}
	} else if (computedAuth == Authentication.SEND_CONTINUE) {
	// CALCITE-4196 When we need to reply back to the client with the HTTP/401 challenge
	// we must make sure that we consume all of the data that the client has written. Otherwise,
	// the client will continue to write the data on a socket which we've already closed. This
	// would ultimately result in the client receiving a TCP Reset and seeing a "Broken pipe"
	// exception in their client application.
	HttpServletRequest req = (HttpServletRequest) request;
	AvaticaUtils.skipFully(req.getInputStream());
	}
	return computedAuth;
	}
	}

	// End AvaticaSpnegoAuthenticator.java