Repository: ambari Updated Branches: refs/heads/branch-2.5 21810ccbb -> 00a9399dc
Revert "AMBARI-19389. Authentication negotiation HTTP response should be sent when Kerberos authentication is enabled (rlevas)" This reverts commit 21810ccbbd1e3a1263cd4758725e17f66eeae5b8. Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/00a9399d Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/00a9399d Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/00a9399d Branch: refs/heads/branch-2.5 Commit: 00a9399dc0f0eb09d805a455f10227010a1a5e3d Parents: 21810cc Author: Yusaku Sako <[email protected]> Authored: Fri Jan 6 17:02:29 2017 -0800 Committer: Yusaku Sako <[email protected]> Committed: Fri Jan 6 17:02:29 2017 -0800 ---------------------------------------------------------------------- .../server/security/AmbariEntryPoint.java | 31 ++------- .../webapp/WEB-INF/spring-security.xml | 1 - .../server/security/AmbariEntryPointTest.java | 70 -------------------- 3 files changed, 6 insertions(+), 96 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/00a9399d/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
index 1545f71..e37976f 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariEntryPoint.java
@@ -17,45 +17,26 @@
 */
 package org.apache.ambari.server.security;
-import org.apache.ambari.server.configuration.Configuration;
-import org.apache.ambari.server.security.authentication.kerberos.AmbariKerberosAuthenticationProperties;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import java.io.IOException;
 public class AmbariEntryPoint implements AuthenticationEntryPoint {
-
- /**
- * A Boolean value declaring whether Kerberos authentication has been enabled (<code>true</code>)
- * or not (<code>false</code>).
- * <p>
- * This value determines the behavior this entry point when authentication fails.
- */
- private final boolean kerberosAuthenticationEnabled;
-
- public AmbariEntryPoint(Configuration configuration) {
- AmbariKerberosAuthenticationProperties kerberosAuthenticationProperties = (configuration == null)
- ? null
- : configuration.getKerberosAuthenticationProperties();
-
- kerberosAuthenticationEnabled = (kerberosAuthenticationProperties != null) && kerberosAuthenticationProperties.isKerberosAuthenticationEnabled();
- }
-
 @Override
 public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
 /* *****************************************************************************************
- * If Kerberos authentication is enabled (authentication.kerberos.enabled = true), respond such
- * that the client is challenged to Negotiate and reissue the request with a Kerberos token.
- * This response is an HTTP 401 status with the "WWW-Authenticate: Negotiate" header.
+ * To maintain backward compatibility and respond with the appropriate response when
+ * authentication is needed, by default return an HTTP 403 status.
 *
- * If Kerberos authentication is not enabled, return an HTTP 403 status.
+ * However if requested by the user, respond such that the client is challenged to Negotiate
+ * and reissue the request with a Kerberos token. This response is an HTTP 401 status with the
+ * WWW-Authenticate: Negotiate" header.
 * ****************************************************************************************** */
- if (kerberosAuthenticationEnabled) {
+ if ("true".equalsIgnoreCase(request.getHeader("X-Negotiate-Authentication"))) {
 response.setHeader("WWW-Authenticate", "Negotiate");
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication requested");
 } else {
http://git-wip-us.apache.org/repos/asf/ambari/blob/00a9399d/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
index bdbf0de..9eca920 100644
--- a/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
+++ b/ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
@@ -39,7 +39,6 @@
 </authentication-manager>
 <beans:bean id="ambariEntryPoint" class="org.apache.ambari.server.security.AmbariEntryPoint">
- <beans:constructor-arg ref="ambariConfiguration"/>
 </beans:bean>
 <beans:bean id="ambariDelegatingAuthenticationFilter" class="org.apache.ambari.server.security.authentication.AmbariDelegatingAuthenticationFilter">
http://git-wip-us.apache.org/repos/asf/ambari/blob/00a9399d/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariEntryPointTest.java ----------------------------------------------------------------------
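Review bot: The 401 Negotiate challenge in `commence` is now selected by the client-supplied `X-Negotiate-Authentication` request header rather than by server configuration, so the response no longer reflects whether Kerberos authentication is actually enabled. A client that does not send the header always takes the `else` path (its body continues outside the hunk), so a client that relies on the usual 401 challenge to start SPNEGO never receives `WWW-Authenticate: Negotiate`, while any caller that sends the header is challenged even on a server where Kerberos is off. If that contract is intended, state it in a class-level Javadoc, e.g. `/** Sends 401 with "WWW-Authenticate: Negotiate" only when the request carries "X-Negotiate-Authentication: true"; otherwise falls through to the default response. */`, and fix the unbalanced quote in the restored comment line `* WWW-Authenticate: Negotiate" header.`. The same commit deletes AmbariEntryPointTest.java, so neither branch of this header check is covered by a test any more.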
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariEntryPointTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariEntryPointTest.java
deleted file mode 100644
index 6c383a7..0000000
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariEntryPointTest.java
+++ /dev/null
@@ -1,70 +0,0 @@
-package org.apache.ambari.server.security;
-
-import java.io.IOException;
-import java.util.Properties;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.ambari.server.configuration.Configuration;
-import org.easymock.EasyMockSupport;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-import org.springframework.security.core.AuthenticationException;
-
-import static org.easymock.EasyMock.expect;
-import static org.easymock.EasyMock.expectLastCall;
-
-public class AmbariEntryPointTest extends EasyMockSupport {
- @Rule
- public TemporaryFolder temporaryFolder = new TemporaryFolder();
-
- @Test
- public void testCommenceDefault() throws Exception {
- testCommence(null);
- }
-
- @Test
- public void testCommenceKerberosAuthenticationEnabled() throws Exception {
- testCommence(Boolean.TRUE);
- }
-
- @Test
- public void testCommenceKerberosAuthenticationNotEnabled() throws Exception {
- testCommence(Boolean.FALSE);
- }
-
- private void testCommence(Boolean kerberosAuthenticationEnabled) throws IOException, ServletException {
- HttpServletRequest request = createStrictMock(HttpServletRequest.class);
- HttpServletResponse response = createStrictMock(HttpServletResponse.class);
- AuthenticationException exception = createStrictMock(AuthenticationException.class);
-
- if (Boolean.TRUE == kerberosAuthenticationEnabled) {
- response.setHeader("WWW-Authenticate", "Negotiate");
- expectLastCall().once();
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication requested");
- expectLastCall().once();
- } else {
- expect(exception.getMessage()).andReturn("message").once();
- response.sendError(HttpServletResponse.SC_FORBIDDEN, "message");
- expectLastCall().once();
- }
-
- replayAll();
-
-
- Properties properties = new Properties();
- if (kerberosAuthenticationEnabled != null) {
- properties.setProperty(Configuration.KERBEROS_AUTH_ENABLED.getKey(), kerberosAuthenticationEnabled.toString());
- properties.setProperty(Configuration.KERBEROS_AUTH_SPNEGO_KEYTAB_FILE.getKey(), temporaryFolder.newFile().getAbsolutePath());
- }
- AmbariEntryPoint entryPoint = new AmbariEntryPoint(new Configuration(properties));
- entryPoint.commence(request, response, exception);
-
- verifyAll();
-
- }
-
-}
\ No newline at end of file
