apache · chaitalicod · Jun 1, 2026
diff --git a/authn/pom.xml b/authn/pom.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.atlas</groupId>
+        <artifactId>apache-atlas</artifactId>
+        <version>3.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>atlas-authn</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>9.37.3</version>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+            <version>${commons-conf2.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuth.java b/authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuth.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler;
+
+public class AtlasAuth {
+    public static enum AUTH_TYPE {
+        JWT_JWKS("JWT-JWKS");
+
+        private final String authType;
+
+        private AUTH_TYPE(String authType) {
+            this.authType = authType;
+        }
+    }
+
+    private String    userName;
+    private AUTH_TYPE type;
+    private boolean   isAuthenticated;
+
+    public AtlasAuth(final String username, AUTH_TYPE type) {
+        this.userName        = username;
+        this.isAuthenticated = true;
+        this.type            = type;
+    }
+
+    public String getUserName() {
+        return userName;
+    }
+
+    public void setUserName(String userName) {
+        this.userName = userName;
+    }
+
+    public AUTH_TYPE getType() {
+        return type;
+    }
+
+    public void setType(AUTH_TYPE type) {
+        this.type = type;
+    }
+
+    public boolean isAuthenticated() {
+        return isAuthenticated;
+    }
+
+    public void setAuthenticated(boolean authenticated) {
+        isAuthenticated = authenticated;
+    }
+}
diff --git a/authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuthHandler.java b/authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuthHandler.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler;
+
+import org.apache.commons.configuration2.Configuration;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface AtlasAuthHandler {
+    void initialize(Configuration config) throws Exception;
+
+    AtlasAuth authenticate(HttpServletRequest request);
+}
diff --git a/authn/src/main/java/org/apache/atlas/authn/handler/jwt/AtlasDefaultJwtAuthHandler.java b/authn/src/main/java/org/apache/atlas/authn/handler/jwt/AtlasDefaultJwtAuthHandler.java
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler.jwt;
+
+import com.nimbusds.jose.proc.JWSKeySelector;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
+import org.apache.atlas.authn.handler.AtlasAuth;
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+public class AtlasDefaultJwtAuthHandler extends AtlasJwtAuthHandler {
+    protected static final String AUTHORIZATION_HEADER = "Authorization";
+
+    @Override
+    public ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> keySelector) {
+        ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
+        JWTClaimsSetVerifier<SecurityContext> claimsVerifier   = new DefaultJWTClaimsVerifier<>();
+
+        jwtProcessor.setJWSKeySelector(keySelector);
+        jwtProcessor.setJWTClaimsSetVerifier(claimsVerifier);
+
+        return jwtProcessor;
+    }
+
+    @Override
+    public AtlasAuth authenticate(HttpServletRequest request) {
+        AtlasAuth atlasAuth = null;
+        String jwtAuthHeaderStr = getJwtAuthHeader(request);
+        String jwtCookieStr = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(request) : null;
+
+        String username = authenticate(jwtAuthHeaderStr, jwtCookieStr);
+        if (username != null) {
+            atlasAuth = new AtlasAuth(username, AtlasAuth.AUTH_TYPE.JWT_JWKS);
+        }
+        return atlasAuth;
+    }
+
+    public static boolean canAuthenticateRequest(final ServletRequest request) {
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        String jwtAuthHeaderStr               = getJwtAuthHeader(httpServletRequest);
+        String jwtCookieStr                   = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null;
+        boolean proceed                       = shouldProceedAuth(jwtAuthHeaderStr, jwtCookieStr);
+        return proceed;
+    }
+
+    public static String getJwtAuthHeader(final HttpServletRequest httpServletRequest) {
+        return httpServletRequest.getHeader(AUTHORIZATION_HEADER);
+    }
+
+    public static String getJwtCookie(final HttpServletRequest httpServletRequest) {
+        String jwtCookieStr = null;
+        Cookie[] cookies    = httpServletRequest.getCookies();
+
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                if (cookieName.equals(cookie.getName())) {
+                    jwtCookieStr = cookie.getName() + "=" + cookie.getValue();
+                    break;
+                }
+            }
+        }
+        return jwtCookieStr;
+    }
+}