001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.hdfs.web;
019
020 import java.io.IOException;
021 import java.util.ArrayList;
022 import java.util.Enumeration;
023 import java.util.HashMap;
024 import java.util.Iterator;
025 import java.util.List;
026 import java.util.Map;
027 import java.util.Properties;
028
029 import javax.servlet.FilterChain;
030 import javax.servlet.FilterConfig;
031 import javax.servlet.ServletException;
032 import javax.servlet.ServletRequest;
033 import javax.servlet.ServletResponse;
034 import javax.servlet.http.HttpServletRequest;
035 import javax.servlet.http.HttpServletRequestWrapper;
036
037 import org.apache.hadoop.hdfs.web.resources.DelegationParam;
038 import org.apache.hadoop.security.UserGroupInformation;
039 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
040 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
041 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
042
043 /**
044 * Subclass of {@link AuthenticationFilter} that
045 * obtains Hadoop-Auth configuration for webhdfs.
046 */
047 public class AuthFilter extends AuthenticationFilter {
048 private static final String CONF_PREFIX = "dfs.web.authentication.";
049
050 /**
051 * Returns the filter configuration properties,
052 * including the ones prefixed with {@link #CONF_PREFIX}.
053 * The prefix is removed from the returned property names.
054 *
055 * @param prefix parameter not used.
056 * @param config parameter contains the initialization values.
057 * @return Hadoop-Auth configuration properties.
058 * @throws ServletException
059 */
060 @Override
061 protected Properties getConfiguration(String prefix, FilterConfig config)
062 throws ServletException {
063 final Properties p = super.getConfiguration(CONF_PREFIX, config);
064 // set authentication type
065 p.setProperty(AUTH_TYPE, UserGroupInformation.isSecurityEnabled()?
066 KerberosAuthenticationHandler.TYPE: PseudoAuthenticationHandler.TYPE);
067 // if not set, enable anonymous for pseudo authentication
068 if (p.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) {
069 p.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
070 }
071 //set cookie path
072 p.setProperty(COOKIE_PATH, "/");
073 return p;
074 }
075
076 @Override
077 public void doFilter(ServletRequest request, ServletResponse response,
078 FilterChain filterChain) throws IOException, ServletException {
079 final HttpServletRequest httpRequest = toLowerCase((HttpServletRequest)request);
080 final String tokenString = httpRequest.getParameter(DelegationParam.NAME);
081 if (tokenString != null) {
082 //Token is present in the url, therefore token will be used for
083 //authentication, bypass kerberos authentication.
084 filterChain.doFilter(httpRequest, response);
085 return;
086 }
087 super.doFilter(httpRequest, response, filterChain);
088 }
089
090 private static HttpServletRequest toLowerCase(final HttpServletRequest request) {
091 @SuppressWarnings("unchecked")
092 final Map<String, String[]> original = (Map<String, String[]>)request.getParameterMap();
093 if (!ParamFilter.containsUpperCase(original.keySet())) {
094 return request;
095 }
096
097 final Map<String, List<String>> m = new HashMap<String, List<String>>();
098 for(Map.Entry<String, String[]> entry : original.entrySet()) {
099 final String key = entry.getKey().toLowerCase();
100 List<String> strings = m.get(key);
101 if (strings == null) {
102 strings = new ArrayList<String>();
103 m.put(key, strings);
104 }
105 for(String v : entry.getValue()) {
106 strings.add(v);
107 }
108 }
109
110 return new HttpServletRequestWrapper(request) {
111 private Map<String, String[]> parameters = null;
112
113 @Override
114 public Map<String, String[]> getParameterMap() {
115 if (parameters == null) {
116 parameters = new HashMap<String, String[]>();
117 for(Map.Entry<String, List<String>> entry : m.entrySet()) {
118 final List<String> a = entry.getValue();
119 parameters.put(entry.getKey(), a.toArray(new String[a.size()]));
120 }
121 }
122 return parameters;
123 }
124
125 @Override
126 public String getParameter(String name) {
127 final List<String> a = m.get(name);
128 return a == null? null: a.get(0);
129 }
130
131 @Override
132 public String[] getParameterValues(String name) {
133 return getParameterMap().get(name);
134 }
135
136 @Override
137 public Enumeration<String> getParameterNames() {
138 final Iterator<String> i = m.keySet().iterator();
139 return new Enumeration<String>() {
140 @Override
141 public boolean hasMoreElements() {
142 return i.hasNext();
143 }
144 @Override
145 public String nextElement() {
146 return i.next();
147 }
148 };
149 }
150 };
151 }
152 }