public void doKerberosAuth()

in zeppelin-server/src/main/java/org/apache/zeppelin/realm/kerberos/KerberosRealm.java [417:549]

• 114 lines of code
• 29 McCabe index (conditional complexity)

  public void doKerberosAuth(ServletRequest request,
                             ServletResponse response,
                             FilterChain filterChain)
      throws IOException, ServletException {
    boolean unauthorizedResponse = true;
    int errCode = HttpServletResponse.SC_UNAUTHORIZED;
    AuthenticationException authenticationEx = null;
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    boolean isHttps = "https".equals(httpRequest.getScheme());
    try {
      boolean newToken = false;
      AuthenticationToken token;
      try {
        token = getToken(httpRequest);
        if (LOGGER.isDebugEnabled()) {
          LOGGER.debug("Got token {} from httpRequest {}", token,
              getRequestURL(httpRequest));
          if (null != token) {
            LOGGER.debug("token.isExpired() = " + token.isExpired());
          }
        }
      } catch (AuthenticationException ex) {
        LOGGER.warn("AuthenticationToken ignored: " + ex.getMessage());
        if (!ex.getMessage().equals("Empty token")) {
          // will be sent back in a 401 unless filter authenticates
          authenticationEx = ex;
        }
        token = null;
      }
      if (managementOperation(token, httpRequest, httpResponse)) {
        if (token == null || token.isExpired()) {
          if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Request [{}] triggering authentication. handler: {}",
                getRequestURL(httpRequest), this.getClass());
          }
          token = authenticate(httpRequest, httpResponse);
          if (token != null && token != AuthenticationToken.ANONYMOUS) {
//            TODO(vr): uncomment when we move to Hadoop 2.8+
//            if (token.getMaxInactives() > 0) {
//              token.setMaxInactives(System.currentTimeMillis()
//                  + getTokenMaxInactiveInterval() * 1000);
//            }
            if (token.getExpires() != 0) {
              token.setExpires(System.currentTimeMillis()
                  + getTokenValidity() * 1000);
            }
          }
          newToken = true;
        }
        if (token != null) {
          unauthorizedResponse = false;
          if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Request [{}] user [{}] authenticated",
                getRequestURL(httpRequest), token.getUserName());
          }
          final AuthenticationToken authToken = token;
          httpRequest = new HttpServletRequestWrapper(httpRequest) {

            @Override
            public String getAuthType() {
              return authToken.getType();
            }

            @Override
            public String getRemoteUser() {
              return authToken.getUserName();
            }

            @Override
            public Principal getUserPrincipal() {
              return (authToken != AuthenticationToken.ANONYMOUS) ?
                  authToken : null;
            }
          };

          // If cookie persistence is configured to false,
          // it means the cookie will be a session cookie.
          // If the token is an old one, renew the its tokenMaxInactiveInterval.
          if (!newToken && !isCookiePersistent()
              && getTokenMaxInactiveInterval() > 0) {
//            TODO(vr): uncomment when we move to Hadoop 2.8+
//            token.setMaxInactives(System.currentTimeMillis()
//                + getTokenMaxInactiveInterval() * 1000);
            token.setExpires(token.getExpires());
            newToken = true;
          }
          if (newToken && !token.isExpired()
              && token != AuthenticationToken.ANONYMOUS) {
            String signedToken = signer.sign(token.toString());
            createAuthCookie(httpResponse, signedToken, getCookieDomain(),
                getCookiePath(), token.getExpires(),
                isCookiePersistent(), isHttps);
          }
          KerberosToken kerberosToken = new KerberosToken(token.getUserName(), token.toString());
          SecurityUtils.getSubject().login(kerberosToken);
          doFilter(filterChain, httpRequest, httpResponse);
        }
      } else {
        if (LOGGER.isDebugEnabled()) {
          LOGGER.debug("managementOperation returned false for request {}."
              + " token: {}", getRequestURL(httpRequest), token);
        }
        unauthorizedResponse = false;
      }
    } catch (AuthenticationException ex) {
      // exception from the filter itself is fatal
      errCode = HttpServletResponse.SC_FORBIDDEN;
      authenticationEx = ex;
      if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("Authentication exception: " + ex.getMessage(), ex);
      } else {
        LOGGER.warn("Authentication exception: " + ex.getMessage());
      }
    }
    if (unauthorizedResponse) {
      if (!httpResponse.isCommitted()) {
        createAuthCookie(httpResponse, "", getCookieDomain(),
            getCookiePath(), 0, isCookiePersistent(), isHttps);
        // If response code is 401. Then WWW-Authenticate Header should be
        // present.. reset to 403 if not found..
        if ((errCode == HttpServletResponse.SC_UNAUTHORIZED)
            && (!httpResponse.containsHeader(KerberosAuthenticator.WWW_AUTHENTICATE))) {
          errCode = HttpServletResponse.SC_FORBIDDEN;
        }
        if (authenticationEx == null) {
          httpResponse.sendError(errCode, "Authentication required");
        } else {
          httpResponse.sendError(errCode, authenticationEx.getMessage());
        }
      }
    }
  }