
Adding getType() to AuthenticationHandler and verifying token type in…

… filter

The verification of token type in the filter is to avoid the situation where
tokens from another authenticator type are presented and interpreted as valid.
This could be the case when an HTTP service protected with Alfredo changes
its authentication handler and restarts using the same secret to sign
the tokens; in this case, tokens from the previous authentication type
are not rejected as invalid.
1 parent 6c1b282 commit d876fe1e7fba99b509349f38f461d15cbc988dd2 @tucu00 tucu00 committed Jan 31, 2011
1 CHANGES.txt
@@ -1,5 +1,6 @@
-- Alfredo 0.1.4 release
+- Adding getType() to AuthenticationHandler and verifying token type in filter
- Changing token attribute separator from ',' to '&'
- Changing not to set Cookie version
3 alfredo/src/main/java/com/cloudera/alfredo/server/AuthenticationFilter.java
@@ -307,6 +307,9 @@ protected AuthenticationToken getToken(HttpServletRequest request) throws IOExce
}
if (tokenStr != null) {
token = AuthenticationToken.parse(tokenStr);
+ if (!token.getType().equals(authHandler.getType())) {
+ throw new AuthenticationException("Invalid AuthenticationToken type");
+ }
if (token.isExpired()) {
throw new AuthenticationException("AuthenticationToken expired");
}
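Review bot: The new type check at the top of the hunk calls `token.getType().equals(...)` first, so a parsed token that carries no type attribute would surface as a NullPointerException instead of the AuthenticationException the filter uses for every other rejection; whether `AuthenticationToken.parse` guarantees a non-null type is not visible here. Comparing from the handler side makes the check null-safe for the untrusted value: `if (!authHandler.getType().equals(token.getType())) {`. A why-comment would also help the next reader, e.g. `// reject tokens issued under a different handler type, e.g. after the configured handler changed but the signing secret was kept`. Placing this ahead of the expiry check is the right order, since a token of the wrong type must be rejected regardless of its lifetime. getToken begins and ends outside the hunk.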
10 alfredo/src/main/java/com/cloudera/alfredo/server/AuthenticationHandler.java
@@ -35,6 +35,16 @@
public interface AuthenticationHandler {
/**
+ * Returns the authentication type of the authentication handler.
+ * <p/>
+ * This should be a name that uniquely identifies the authentication type.
+ * For example 'simple' or 'kerberos'.
+ *
+ * @return the authentication type of the authentication handler.
+ */
+ public String getType();
+
+ /**
* Initializes the authentication handler instance.
* <p/>
* This method is invoked by the {@link AuthenticationFilter#init} method.
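Review bot: The Javadoc added for `getType()` does not state the contract the filter now depends on: the value is compared against the type stored in every presented AuthenticationToken and a mismatch is rejected, so it has to be stable across restarts and releases. Suggest adding to the description: `The filter rejects any token whose type does not equal this value, so changing it invalidates all outstanding tokens.` The `public` modifier on `public String getType();` is implicit for interface members; drop it unless the other declarations in this interface (outside the hunk) use it too.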
11 alfredo/src/main/java/com/cloudera/alfredo/server/KerberosAuthenticationHandler.java
@@ -195,6 +195,17 @@ public void destroy() {
}
/**
+ * Returns the authentication type of the authentication handler, 'kerberos'.
+ * <p/>
+ *
+ * @return the authentication type of the authentication handler, 'kerberos'.
+ */
+ @Override
+ public String getType() {
+ return TYPE;
+ }
+
+ /**
* Returns the Kerberos principal used by the authentication handler.
*
* @return the Kerberos principal used by the authentication handler.
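Review bot: The new Javadoc on `getType()` has an empty `<p/>` followed by a bare ` *` line and no second paragraph; the same pattern appears in the `getType()` added to PseudoAuthenticationHandler.java. Drop the `<p/>` line so the summary sentence is followed directly by `@return`. The method returns `TYPE`, which is declared outside the hunk, while the comment repeats the literal 'kerberos'; referring to the constant with `{@link #TYPE}` keeps the documentation from drifting if the value is ever changed.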
11 alfredo/src/main/java/com/cloudera/alfredo/server/PseudoAuthenticationHandler.java
@@ -87,6 +87,17 @@ public void destroy() {
}
/**
+ * Returns the authentication type of the authentication handler, 'simple'.
+ * <p/>
+ *
+ * @return the authentication type of the authentication handler, 'simple'.
+ */
+ @Override
+ public String getType() {
+ return TYPE;
+ }
+
+ /**
* Authenticates an HTTP client request.
* <p/>
* It extract the {@link PseudoAuthenticator#USER_NAME} parameter from the query string and creates
144 alfredo/src/test/java/com/cloudera/alfredo/server/TestAuthenticationFilter.java
@@ -82,6 +82,8 @@ public void testInitEmpty() throws Exception {
public static boolean init;
public static boolean destroy;
+ public static final String TYPE = "dummy";
+
public static void reset() {
init = false;
destroy = false;
@@ -98,6 +100,11 @@ public void destroy() {
}
@Override
+ public String getType() {
+ return TYPE;
+ }
+
+ @Override
public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response)
throws IOException, AuthenticationException {
AuthenticationToken token = null;
@@ -238,7 +245,7 @@ public void testGetToken() throws Exception {
AuthenticationFilter.SIGNATURE_SECRET)).elements());
filter.init(config);
- AuthenticationToken token = new AuthenticationToken("u", "p", "t");
+ AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() + 1000);
Signer signer = new Signer("secret".getBytes());
String tokenSigned = signer.sign(token.toString());
@@ -256,6 +263,78 @@ public void testGetToken() throws Exception {
}
}
+ public void testGetTokenExpired() throws Exception {
+ AuthenticationFilter filter = new AuthenticationFilter();
+ try {
+ FilterConfig config = Mockito.mock(FilterConfig.class);
+ Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
+ DummyAuthenticationHandler.class.getName());
+ Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn("secret");
+ Mockito.when(config.getInitParameterNames()).thenReturn(
+ new Vector(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
+ AuthenticationFilter.SIGNATURE_SECRET)).elements());
+ filter.init(config);
+
+ AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
+ token.setExpires(System.currentTimeMillis() - 1000);
+ Signer signer = new Signer("secret".getBytes());
+ String tokenSigned = signer.sign(token.toString());
+
+ Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
+
+ try {
+ filter.getToken(request);
+ fail();
+ }
+ catch (AuthenticationException ex) {
+ }
+ catch (Exception ex) {
+ fail();
+ }
+ }
+ finally {
+ filter.destroy();
+ }
+ }
+
+ public void testGetTokenInvalidType() throws Exception {
+ AuthenticationFilter filter = new AuthenticationFilter();
+ try {
+ FilterConfig config = Mockito.mock(FilterConfig.class);
+ Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
+ DummyAuthenticationHandler.class.getName());
+ Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn("secret");
+ Mockito.when(config.getInitParameterNames()).thenReturn(
+ new Vector(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
+ AuthenticationFilter.SIGNATURE_SECRET)).elements());
+ filter.init(config);
+
+ AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
+ token.setExpires(System.currentTimeMillis() + 1000);
+ Signer signer = new Signer("secret".getBytes());
+ String tokenSigned = signer.sign(token.toString());
+
+ Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
+
+ try {
+ filter.getToken(request);
+ fail();
+ }
+ catch (AuthenticationException ex) {
+ }
+ catch (Exception ex) {
+ fail();
+ }
+ }
+ finally {
+ filter.destroy();
+ }
+ }
+
public void testDoFilterNotAuthenticated() throws Exception {
AuthenticationFilter filter = new AuthenticationFilter();
try {
@@ -448,7 +527,7 @@ public void testDoFilterAuthenticatedExpired() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar"));
- AuthenticationToken token = new AuthenticationToken("u", "p", "t");
+ AuthenticationToken token = new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
token.setExpires(System.currentTimeMillis() - 1000);
Signer signer = new Signer("alfredo".getBytes());
String tokenSigned = signer.sign(token.toString());
@@ -495,4 +574,65 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
}
}
+
+ public void testDoFilterAuthenticatedInvalidType() throws Exception {
+ AuthenticationFilter filter = new AuthenticationFilter();
+ try {
+ FilterConfig config = Mockito.mock(FilterConfig.class);
+ Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
+ DummyAuthenticationHandler.class.getName());
+ Mockito.when(config.getInitParameterNames()).thenReturn(
+ new Vector(Arrays.asList(AuthenticationFilter.AUTH_TYPE)).elements());
+ filter.init(config);
+
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar"));
+
+ AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
+ token.setExpires(System.currentTimeMillis() + 1000);
+ Signer signer = new Signer("alfredo".getBytes());
+ String tokenSigned = signer.sign(token.toString());
+
+ Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
+
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+ FilterChain chain = Mockito.mock(FilterChain.class);
+
+ Mockito.doAnswer(
+ new Answer() {
+ @Override
+ public Object answer(InvocationOnMock invocation) throws Throwable {
+ fail();
+ return null;
+ }
+ }
+ ).when(chain).doFilter(Mockito.<ServletRequest>anyObject(), Mockito.<ServletResponse>anyObject());
+
+ final Cookie[] setCookie = new Cookie[1];
+ Mockito.doAnswer(
+ new Answer() {
+ @Override
+ public Object answer(InvocationOnMock invocation) throws Throwable {
+ Object[] args = invocation.getArguments();
+ setCookie[0] = (Cookie) args[0];
+ return null;
+ }
+ }
+ ).when(response).addCookie(Mockito.<Cookie>anyObject());
+
+ filter.doFilter(request, response, chain);
+
+ Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());
+
+ assertNotNull(setCookie[0]);
+ assertEquals(AuthenticatedURL.AUTH_COOKIE, setCookie[0].getName());
+ assertEquals("", setCookie[0].getValue());
+ }
+ finally {
+ filter.destroy();
+ }
+ }
+
}
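Review bot: `testGetTokenExpired` builds its token with `new AuthenticationToken("u", "p", "invalidtype")`, and because the filter now checks the type before expiry, the test passes on the type mismatch and never reaches the expiry path; as written it duplicates `testGetTokenInvalidType` apart from the expiry timestamp. It should use `new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);`, as the updated `testGetToken` and `testDoFilterAuthenticatedExpired` in this file do. Both new getToken tests also swallow the caught `AuthenticationException` with an empty catch block; asserting on the message (`"AuthenticationToken expired"` versus `"Invalid AuthenticationToken type"`) would tell the two rejection reasons apart and would have caught this. The test class begins before the first hunk.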
5 alfredo/src/test/java/com/cloudera/alfredo/server/TestKerberosAuthenticationHandler.java
@@ -70,6 +70,11 @@ public void testInit() throws Exception {
assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
}
+ public void testType() throws Exception {
+ KerberosAuthenticationHandler handler = new KerberosAuthenticationHandler();
+ assertEquals(KerberosAuthenticationHandler.TYPE, handler.getType());
+ }
+
public void testRequestWithoutAuthorization() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
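Review bot: `testType` asserts `handler.getType()` against `KerberosAuthenticationHandler.TYPE`, which the implementation returns directly, so the test cannot fail if the constant's value changes; the same holds for `testType` in TestPseudoAuthenticationHandler.java. Since the type string is embedded in signed tokens and compared by the filter, changing it silently invalidates every outstanding token, so pinning the literal the Javadoc promises is the useful assertion: `assertEquals("kerberos", handler.getType());` here and `assertEquals("simple", handler.getType());` for the pseudo handler.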
5 alfredo/src/test/java/com/cloudera/alfredo/server/TestPseudoAuthenticationHandler.java
@@ -44,6 +44,11 @@ public void testInit() throws Exception {
}
}
+ public void testType() throws Exception {
+ PseudoAuthenticationHandler handler = new PseudoAuthenticationHandler();
+ assertEquals(PseudoAuthenticationHandler.TYPE, handler.getType());
+ }
+
public void testAnonymousOn() throws Exception {
PseudoAuthenticationHandler handler = new PseudoAuthenticationHandler();
try {
