[ Go Back ]
The AuthenticationFilter filter is Hadoop Auth's server side component.
This filter must be configured in front of all the web application resources that required authenticated requests. For example:
The Hadoop Auth and dependent JAR files must be in the web application classpath (commonly the WEB-INF/lib directory).
Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define the SLF4J API dependency but it does not define the dependency on a concrete logging implementation, this must be addded explicitly to the web application. For example, if the web applicationan uses Log4j, the SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application classpath as well as the Log4j configuration file.
IMPORTANT: A KDC must be configured and running.
To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:
Example:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"> ... <filter> <filter-name>kerberosFilter</filter-name> <filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class> <init-param> <param-name>type</param-name> <param-value>kerberos</param-value> </init-param> <init-param> <param-name>token.validity</param-name> <param-value>30</param-value> </init-param> <init-param> <param-name>cookie.domain</param-name> <param-value>.foo.com</param-value> </init-param> <init-param> <param-name>cookie.path</param-name> <param-value>/</param-value> </init-param> <init-param> <param-name>kerberos.principal</param-name> <param-value>HTTP/localhost@LOCALHOST</param-value> </init-param> <init-param> <param-name>kerberos.keytab</param-name> <param-value>/tmp/auth.keytab</param-value> </init-param> </filter> <filter-mapping> <filter-name>kerberosFilter</filter-name> <url-pattern>/kerberos/*</url-pattern> </filter-mapping> ... </web-app>
To use Pseudo/Simple as the authentication mechanism (trusting the value of the query string parameter 'user.name'), the authentication filter must be configured with the following init parameters:
Example:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"> ... <filter> <filter-name>simpleFilter</filter-name> <filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class> <init-param> <param-name>type</param-name> <param-value>simple</param-value> </init-param> <init-param> <param-name>token.validity</param-name> <param-value>30</param-value> </init-param> <init-param> <param-name>cookie.domain</param-name> <param-value>.foo.com</param-value> </init-param> <init-param> <param-name>cookie.path</param-name> <param-value>/</param-value> </init-param> <init-param> <param-name>simple.anonymous.allowed</param-name> <param-value>false</param-value> </init-param> </filter> <filter-mapping> <filter-name>simpleFilter</filter-name> <url-pattern>/simple/*</url-pattern> </filter-mapping> ... </web-app>
[ Go Back ]