Package org.apache.zookeeper.server.auth
Class X509AuthenticationProvider
java.lang.Object
org.apache.zookeeper.server.auth.X509AuthenticationProvider
- All Implemented Interfaces:
AuthenticationProvider
An AuthenticationProvider backed by an X509TrustManager and an X509KeyManager to perform remote host certificate authentication. The default algorithm is SunX509 and a JKS KeyStore. To specify the locations of the key store and trust store, set the following system properties:

zookeeper.ssl.keyStore.location
zookeeper.ssl.trustStore.location

To specify store passwords, set the following system properties:

zookeeper.ssl.keyStore.password
zookeeper.ssl.trustStore.password

Alternatively, the passwords can be specified by the following password file path properties:

zookeeper.ssl.keyStore.passwordPath
zookeeper.ssl.trustStore.passwordPath

Alternatively, this can be plugged with any X509TrustManager and X509KeyManager implementation.
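The trust manager is the whole authentication decision: whatever chain it accepts becomes an authenticated identity, so a trust store that contains more than the CA issuing client certificates accepts more clients than intended. The following is an added example, not code from ZooKeeper, showing the pluggable path: it builds an X509KeyManager and X509TrustManager from the stores named by the zookeeper.ssl.* properties above (honouring the passwordPath variants), wraps the trust manager with an extra policy check, and passes both to the two-argument constructor. The class name PinnedX509ProviderExample and the helpers resolvePassword, loadJks, keyManagerFor, trustManagerFor and requireClientAuthEku are assumptions of this example; the requirement that the leaf certificate carry the clientAuth extended key usage is an illustrative policy, not something the provider enforces by itself.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;

// Example only (not ZooKeeper's own code): build the trust and key managers from the
// zookeeper.ssl.* stores, add a policy check on top, and plug both into the provider.
public final class PinnedX509ProviderExample {

    private static final String CLIENT_AUTH_EKU_OID = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Prefer the *.passwordPath file (contents trimmed) over the inline *.password property.
    static char[] resolvePassword(String passwordProperty, String pathProperty) throws IOException {
        String path = System.getProperty(pathProperty);
        if (path != null) {
            return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8).trim().toCharArray();
        }
        return System.getProperty(passwordProperty, "").toCharArray();
    }

    // Load a JKS store from disk, matching the class's default store type.
    static KeyStore loadJks(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SunX509 is the algorithm the class description names as the default.
    static X509KeyManager keyManagerFor(KeyStore keyStore, char[] keyPassword) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new GeneralSecurityException("SunX509 produced no X509KeyManager");
    }

    static X509TrustManager trustManagerFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("SunX509 produced no X509TrustManager");
    }

    // Hypothetical policy layer: the delegate must trust the chain AND the leaf must
    // assert the clientAuth extended key usage. Server-side checks pass through unchanged.
    static X509TrustManager requireClientAuthEku(X509TrustManager delegate) {
        return new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
                if (chain == null || chain.length == 0) throw new CertificateException("empty client chain");
                List<String> eku = chain[0].getExtendedKeyUsage();
                if (eku == null || !eku.contains(CLIENT_AUTH_EKU_OID)) {
                    throw new CertificateException("leaf certificate lacks id-kp-clientAuth");
                }
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkServerTrusted(chain, authType);
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        char[] ksPass = resolvePassword("zookeeper.ssl.keyStore.password", "zookeeper.ssl.keyStore.passwordPath");
        char[] tsPass = resolvePassword("zookeeper.ssl.trustStore.password", "zookeeper.ssl.trustStore.passwordPath");
        KeyStore keyStore = loadJks(System.getProperty("zookeeper.ssl.keyStore.location"), ksPass);
        KeyStore trustStore = loadJks(System.getProperty("zookeeper.ssl.trustStore.location"), tsPass);

        X509TrustManager trustManager = requireClientAuthEku(trustManagerFor(trustStore));
        X509KeyManager keyManager = keyManagerFor(keyStore, ksPass);

        // The two-argument constructor bypasses the provider's own system-property lookup.
        X509AuthenticationProvider provider = new X509AuthenticationProvider(trustManager, keyManager);
        System.out.println("scheme=" + provider.getScheme() + " acceptedIssuers=" + provider.getTrustManager().getAcceptedIssuers().length);
    }
}
```

Run it with the same -Dzookeeper.ssl.keyStore.location, -Dzookeeper.ssl.trustStore.location and password (or passwordPath) flags the no-argument constructor reads. Reading the password from a file rather than the property list keeps it out of ps output and JVM argument logs; the wrapper pattern is the hook for any further policy (issuer pinning, revocation, subject allow-lists) that the default SunX509 trust manager does not apply.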
Field Summary
X509_CERTIFICATE_ATTRIBUTE_NAME
Constructor Summary
X509AuthenticationProvider()
    Initialize the X509AuthenticationProvider with a JKS KeyStore and JKS TrustStore according to the following system properties: zookeeper.ssl.keyStore.location, zookeeper.ssl.trustStore.location, zookeeper.ssl.keyStore.password, zookeeper.ssl.keyStore.passwordPath, zookeeper.ssl.trustStore.password, zookeeper.ssl.trustStore.passwordPath
X509AuthenticationProvider(X509TrustManager trustManager, X509KeyManager keyManager)
    Initialize the X509AuthenticationProvider with the provided X509TrustManager and X509KeyManager.
Method Summary
protected String getClientId(X509Certificate clientCert)
    Determine the string to be used as the remote host session Id for authorization purposes.
X509KeyManager getKeyManager()
    Get the X509KeyManager implementation used for certificate management.
String getScheme()
    The String used to represent this provider.
X509TrustManager getTrustManager()
    Get the X509TrustManager implementation used for remote host authentication.
List<Id> handleAuthentication(javax.servlet.http.HttpServletRequest request, byte[] authData)
    This method is called when an admin server command passes authentication data for this scheme.
KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData)
    This method is called when a client passes authentication data for this scheme.
boolean isAuthenticated()
    This method is used to check if the authentication done by this provider should be used to identify the creator of a node.
boolean isValid(String id)
    Validates the syntax of an id.
boolean matches(String id, String aclExpr)
    This method is called to see if the given id matches the given id expression in the ACL.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.zookeeper.server.auth.AuthenticationProvider
getUserName
Field Details
X509_CERTIFICATE_ATTRIBUTE_NAME
Constructor Details
X509AuthenticationProvider
public X509AuthenticationProvider() throws X509Exception
Initialize the X509AuthenticationProvider with a JKS KeyStore and JKS TrustStore according to the following system properties:
zookeeper.ssl.keyStore.location
zookeeper.ssl.trustStore.location
zookeeper.ssl.keyStore.password
zookeeper.ssl.keyStore.passwordPath
zookeeper.ssl.trustStore.password
zookeeper.ssl.trustStore.passwordPath
Throws:
X509Exception

X509AuthenticationProvider
public X509AuthenticationProvider(X509TrustManager trustManager, X509KeyManager keyManager)
Initialize the X509AuthenticationProvider with the provided X509TrustManager and X509KeyManager.
Parameters:
trustManager - X509TrustManager implementation to use for remote host authentication.
keyManager - X509KeyManager implementation to use for certificate management.
Method Details
getScheme
public String getScheme()
Description copied from interface: AuthenticationProvider
The String used to represent this provider. This will correspond to the scheme field of an Id.
Specified by:
getScheme in interface AuthenticationProvider
Returns:
the scheme of this provider.
handleAuthentication
public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData)
Description copied from interface: AuthenticationProvider
This method is called when a client passes authentication data for this scheme. The authData is directly from the authentication packet. The implementor may attach new ids to the authInfo field of cnxn or may use cnxn to send packets back to the client.
Specified by:
handleAuthentication in interface AuthenticationProvider
Parameters:
cnxn - the cnxn that received the authentication information.
authData - the authentication data received.
Returns:
TODO
handleAuthentication
public List<Id> handleAuthentication(javax.servlet.http.HttpServletRequest request, byte[] authData)
Description copied from interface: AuthenticationProvider
This method is called when an admin server command passes authentication data for this scheme.
Specified by:
handleAuthentication in interface AuthenticationProvider
Parameters:
request - the request that contains the authentication information.
authData - the authentication data received.
Returns:
the list of Id. An empty list means not authenticated.
getClientId
protected String getClientId(X509Certificate clientCert)
Determine the string to be used as the remote host session Id for authorization purposes. Associate this client identifier with a ServerCnxn that has been authenticated over SSL, and any ACLs that refer to the authenticated client.
Parameters:
clientCert - Authenticated X509Certificate associated with the remote host.
Returns:
Identifier string to be associated with the client.
matches
public boolean matches(String id, String aclExpr)
Description copied from interface: AuthenticationProvider
This method is called to see if the given id matches the given id expression in the ACL. This allows schemes to use application-specific wild cards.
Specified by:
matches in interface AuthenticationProvider
Parameters:
id - the id to check.
aclExpr - the expression to match ids against.
Returns:
true if the id can be matched by the expression.
isAuthenticated
public boolean isAuthenticated()
Description copied from interface: AuthenticationProvider
This method is used to check if the authentication done by this provider should be used to identify the creator of a node. Some ids such as hosts and ip addresses are rather transient and in general don't really identify a client even though sometimes they do.
Specified by:
isAuthenticated in interface AuthenticationProvider
Returns:
true if this provider identifies creators.
isValid
public boolean isValid(String id)
Description copied from interface: AuthenticationProvider
Validates the syntax of an id.
Specified by:
isValid in interface AuthenticationProvider
Parameters:
id - the id to validate.
Returns:
true if id is well formed.
getTrustManager
public X509TrustManager getTrustManager() throws X509Exception.TrustManagerException
Get the X509TrustManager implementation used for remote host authentication.
Returns:
The X509TrustManager.
Throws:
X509Exception.TrustManagerException - When there is no trust manager available.

getKeyManager
public X509KeyManager getKeyManager() throws X509Exception.KeyManagerException
Get the X509KeyManager implementation used for certificate management.
Returns:
The X509KeyManager.
Throws:
X509Exception.KeyManagerException - When there is no key manager available.