Class SpnegoAuthModule

java.lang.Object
org.yamcs.http.HttpHandler
org.yamcs.security.SpnegoAuthModule
All Implemented Interfaces:
AuthModule

public class SpnegoAuthModule extends HttpHandler implements AuthModule
Implements SPNEGO authentication against an external Kerberos host.

Upon successful authentication, Kerberos issues a 'ticket' with limited lifetime. SpnegoAuthModule maps this ticket to an internally generated authorization code which can be used for repeat identity checks against the SecurityStore.

  • Constructor Details

    • SpnegoAuthModule

      public SpnegoAuthModule()
  • Method Details

    • getSpec

      public Spec getSpec()
      Description copied from interface: AuthModule
      Returns the valid configuration of the input args of this AuthModule.
      Specified by:
      getSpec in interface AuthModule
      Returns:
      the argument specification.
    • init

      public void init(YConfiguration args) throws InitException
      Description copied from interface: AuthModule
      Initialize this AuthModule.
      Specified by:
      init in interface AuthModule
      Parameters:
      args - The configured arguments for this AuthModule. If AuthModule.getSpec() is implemented then this contains the arguments after being validated (including any defaults).
      Throws:
      InitException - When something goes wrong during the execution of this method.
    • getAuthenticationInfo

      public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException
      Description copied from interface: AuthModule
      Identify the subject based on the given information.
      Specified by:
      getAuthenticationInfo in interface AuthModule
      Returns:
      an info object containing the principal of the subject, or null if the login failed
      Throws:
      AuthenticationException
    • verifyValidity

      public boolean verifyValidity(AuthenticationInfo authenticationInfo)
      Description copied from interface: AuthModule
      Verify if previously generated authentication info is (still) valid. For example, if the authentication info references an externally issued expiring ticket, this can be validated here.

      This method is called very frequently, so implementations must take care to limit external requests.

      Specified by:
      verifyValidity in interface AuthModule
      Parameters:
      authenticationInfo - information relevant to the authentication process
      Returns:
      true if the authentication info is valid, false otherwise
    • getAuthorizationInfo

      public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo)
      Description copied from interface: AuthModule
      Retrieve access control information based on the given AuthenticationInfo. This AuthenticationInfo may have been generated by a different AuthModule.
      Specified by:
      getAuthorizationInfo in interface AuthModule
      Returns:
      an info object containing role/privilege information of the subject
    • requireAuth

      public boolean requireAuth()
      Specified by:
      requireAuth in class HttpHandler
    • handle

      public void handle(HandlerContext ctx)
      Specified by:
      handle in class HttpHandler
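
The ticket-to-code mapping from the class description, combined with the verifyValidity requirement to limit external requests, sketched as an added example that is not Yamcs code. TicketCodeStore and its methods are hypothetical names, and the sketch assumes the SPNEGO token has already been accepted and the ticket's end time is known.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store, not a Yamcs class: maps a verified Kerberos principal to a local code. */
public class TicketCodeStore {
    private record Entry(String principal, Instant expiresAt) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> codes = new ConcurrentHashMap<>();

    /** Call only after the SPNEGO token was accepted; ticketEnd is the ticket's end time. */
    public String issue(String principal, Instant ticketEnd) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, so the code cannot be guessed
        RNG.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(code, new Entry(principal, ticketEnd));
        return code;
    }

    /** Local check with no KDC round trip, so it is cheap enough to call very frequently. */
    public boolean isValid(String code, Instant now) {
        Entry e = codes.get(code);
        if (e == null) return false;        // unknown or already evicted code
        if (!now.isBefore(e.expiresAt())) { // the code never outlives the ticket
            codes.remove(code);
            return false;
        }
        return true;
    }

    /** Returns the principal for a still-valid code, or null when the check fails. */
    public String principalFor(String code, Instant now) {
        Entry e = codes.get(code);
        return (e != null && isValid(code, now)) ? e.principal() : null;
    }

    public static void main(String[] args) {
        TicketCodeStore store = new TicketCodeStore();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample time
        String code = store.issue("alice@EXAMPLE.ORG", t0.plus(Duration.ofHours(10)));
        System.out.println(store.isValid(code, t0.plus(Duration.ofHours(1))));  // inside ticket lifetime
        System.out.println(store.isValid(code, t0.plus(Duration.ofHours(11)))); // after ticket expiry
        System.out.println(store.isValid("guessed-code", t0));                  // never issued
    }
}
```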