Package org.yamcs.security
Class SpnegoAuthModule
- java.lang.Object
  - io.netty.channel.ChannelHandlerAdapter
    - io.netty.channel.ChannelInboundHandlerAdapter
      - io.netty.channel.SimpleChannelInboundHandler<io.netty.handler.codec.http.FullHttpRequest>
        - org.yamcs.http.Handler
          - org.yamcs.security.SpnegoAuthModule
All Implemented Interfaces: io.netty.channel.ChannelHandler, io.netty.channel.ChannelInboundHandler, AuthModule
public class SpnegoAuthModule extends Handler implements AuthModule
Implements SPNEGO authentication against an external Kerberos host. Upon successful authentication, Kerberos issues a 'ticket' with limited lifetime. SpnegoAuthModule maps this ticket to an internally generated authorization code which can be used for repeat identity checks against the SecurityStore.
Constructor Summary
- SpnegoAuthModule()
Method Summary
- AuthenticationInfo getAuthenticationInfo(AuthenticationToken token): Identify the subject based on the given information.
- AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo): Retrieve access control information based on the given AuthenticationInfo.
- Spec getSpec(): Returns the valid configuration of the input args of this AuthModule.
- void handle(io.netty.channel.ChannelHandlerContext ctx, io.netty.handler.codec.http.FullHttpRequest req)
- void init(YConfiguration args): Initialize this AuthModule.
- boolean verifyValidity(AuthenticationInfo authenticationInfo): Verify if previously generated authentication info is (still) valid.
Methods inherited from class org.yamcs.http.Handler
channelRead0
Methods inherited from class io.netty.channel.SimpleChannelInboundHandler
acceptInboundMessage, channelRead
Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter
channelActive, channelInactive, channelReadComplete, channelRegistered, channelUnregistered, channelWritabilityChanged, exceptionCaught, userEventTriggered
Methods inherited from class io.netty.channel.ChannelHandlerAdapter
ensureNotSharable, handlerAdded, handlerRemoved, isSharable
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.yamcs.security.AuthModule
authenticationSucceeded
Method Detail
getSpec
public Spec getSpec()
Description copied from interface: AuthModule
Returns the valid configuration of the input args of this AuthModule.
- Specified by: getSpec in interface AuthModule
- Returns: the argument specification.
init
public void init(YConfiguration args) throws InitException
Description copied from interface: AuthModule
Initialize this AuthModule.
- Specified by: init in interface AuthModule
- Parameters: args - The configured arguments for this AuthModule. If AuthModule.getSpec() is implemented then this contains the arguments after being validated (including any defaults).
- Throws: InitException - When something goes wrong during the execution of this method.
getAuthenticationInfo
public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException
Description copied from interface: AuthModule
Identify the subject based on the given information.
- Specified by: getAuthenticationInfo in interface AuthModule
- Returns: an info object containing the principal of the subject, or null if the login failed
- Throws: AuthenticationException
verifyValidity
public boolean verifyValidity(AuthenticationInfo authenticationInfo)
Description copied from interface: AuthModule
Verify if previously generated authentication info is (still) valid. For example, if the authentication info references an externally issued expiring ticket, this can be validated here. This method is called very frequently, so implementations must take care to limit external requests.
- Specified by: verifyValidity in interface AuthModule
- Parameters: authenticationInfo - information relevant to the authentication process
- Returns: true if the authentication info is valid, false otherwise
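
One way to keep a frequently called validity check free of external requests, shown as an added example that is not Yamcs code: the authorization code is bound to the principal and to the ticket's expiry at login, so later checks are a local lookup. AuthCodeStore, issue and isValid are hypothetical names, and the example assumes the ticket's expiry time is known when the code is issued.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not a Yamcs class: binds a random authorization code
// to a principal and to the expiry of the externally issued ticket.
public class AuthCodeStore {
    private record Entry(String principal, Instant expiry) {}
    private final ConcurrentHashMap<String, Entry> codes = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Clock clock;

    public AuthCodeStore(Clock clock) { this.clock = clock; }

    // Called once per login, after the external host has accepted the ticket.
    public String issue(String principal, Instant ticketExpiry) {
        byte[] raw = new byte[32]; // 256 random bits, so the code is unguessable
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(code, new Entry(principal, ticketExpiry));
        return code;
    }

    // Cheap enough for a frequently called check: one map lookup and one
    // clock comparison, with no request to the external host.
    public boolean isValid(String code, String principal) {
        Entry e = codes.get(code);
        if (e == null || !e.principal().equals(principal)) return false;
        if (!clock.instant().isBefore(e.expiry())) {
            codes.remove(code); // expired: drop it so it cannot be presented again
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        AuthCodeStore store = new AuthCodeStore(Clock.systemUTC());
        // Constructed sample principals and lifetimes.
        Instant now = Instant.now();
        String live = store.issue("alice@EXAMPLE.ORG", now.plusSeconds(8 * 3600));
        String stale = store.issue("alice@EXAMPLE.ORG", now.minusSeconds(1));
        System.out.println("live code, right principal: " + store.isValid(live, "alice@EXAMPLE.ORG"));
        System.out.println("expired code: " + store.isValid(stale, "alice@EXAMPLE.ORG"));
        System.out.println("live code, wrong principal: " + store.isValid(live, "bob@EXAMPLE.ORG"));
    }
}
```
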
getAuthorizationInfo
public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo)
Description copied from interface: AuthModule
Retrieve access control information based on the given AuthenticationInfo. This AuthenticationInfo may have been generated by a different AuthModule.
- Specified by: getAuthorizationInfo in interface AuthModule
- Returns: an info object containing role/privilege information of the subject