Class SpnegoAuthModule

  • All Implemented Interfaces:
    io.netty.channel.ChannelHandler, io.netty.channel.ChannelInboundHandler, AuthModule

    public class SpnegoAuthModule
    extends Handler
    implements AuthModule
    Implements SPNEGO authentication against an external Kerberos host.

    Upon successful authentication, Kerberos issues a 'ticket' with a limited lifetime. SpnegoAuthModule maps this ticket to an internally generated authorization code which can be used for repeat identity checks against the SecurityStore.

    • Nested Class Summary

      • Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler

        io.netty.channel.ChannelHandler.Sharable
    • Constructor Detail

      • SpnegoAuthModule

        public SpnegoAuthModule()
    • Method Detail

      • getSpec

        public Spec getSpec()
        Description copied from interface: AuthModule
        Returns the valid configuration of the input args of this AuthModule.
        Specified by:
        getSpec in interface AuthModule
        Returns:
        the argument specification.
      • init

        public void init(YConfiguration args)
                  throws InitException
        Description copied from interface: AuthModule
        Initialize this AuthModule.
        Specified by:
        init in interface AuthModule
        Parameters:
        args - The configured arguments for this AuthModule. If AuthModule.getSpec() is implemented then this contains the arguments after being validated (including any defaults).
        Throws:
        InitException - When something goes wrong during the execution of this method.
      • verifyValidity

        public boolean verifyValidity(AuthenticationInfo authenticationInfo)
        Description copied from interface: AuthModule
        Verify if previously generated authentication info is (still) valid. For example, if the authentication info references an externally issued expiring ticket, this can be validated here.

        This method is called very frequently, so implementations must take care to limit external requests.

        Specified by:
        verifyValidity in interface AuthModule
        Parameters:
        authenticationInfo - information relevant to the authentication process
        Returns:
        true if the authentication info is valid, false otherwise
      • getAuthorizationInfo

        public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo)
        Description copied from interface: AuthModule
        Retrieve access control information based on the given AuthenticationInfo. This AuthenticationInfo may have been generated by a different AuthModule.
        Specified by:
        getAuthorizationInfo in interface AuthModule
        Returns:
        an info object containing role/privilege information of the subject
      • handle

        public void handle(io.netty.channel.ChannelHandlerContext ctx,
                           io.netty.handler.codec.http.FullHttpRequest req)
        Specified by:
        handle in class Handler
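
The ticket-to-code mapping from the class description and the "limit external requests" requirement on verifyValidity can be sketched as follows. This is an added example, not the project's own code: AuthCodeStore, issue, verify and the sample principal are hypothetical names, and the ticket lifetime is assumed to be known once the SPNEGO exchange has succeeded.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper (assumption): maps a Kerberos ticket to an opaque code. */
public class AuthCodeStore {
    private static final SecureRandom RNG = new SecureRandom();

    private record Entry(String principal, Instant expiresAt) {}

    private final Map<String, Entry> codes = new ConcurrentHashMap<>();
    private final Clock clock;

    public AuthCodeStore(Clock clock) { this.clock = clock; }

    /** Called once per login, after the ticket has been accepted. */
    public String issue(String principal, Duration ticketLifetime) {
        byte[] raw = new byte[32]; // 256 bits, so the code cannot be guessed
        RNG.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // The code never outlives the ticket it was derived from.
        codes.put(code, new Entry(principal, clock.instant().plus(ticketLifetime)));
        return code;
    }

    /** Frequent check: memory lookup only, no request to the Kerberos host. */
    public String verify(String code) {
        if (code == null) return null;
        Entry e = codes.get(code);
        if (e == null) return null;                    // unknown or forged code
        if (!clock.instant().isBefore(e.expiresAt())) {
            codes.remove(code, e);                     // expired: evict and reject
            return null;
        }
        return e.principal();
    }

    public static void main(String[] args) throws InterruptedException {
        AuthCodeStore store = new AuthCodeStore(Clock.systemUTC());
        // Constructed sample principal and a deliberately short lifetime.
        String code = store.issue("alice@EXAMPLE.ORG", Duration.ofMillis(200));
        System.out.println("fresh:   " + store.verify(code));
        Thread.sleep(300);
        System.out.println("expired: " + store.verify(code));
        System.out.println("forged:  " + store.verify("not-a-real-code"));
    }
}
```

Because expiry is decided from the stored timestamp, a revoked ticket stays usable until its code expires; a shorter code lifetime narrows that window at the cost of more re-authentication.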