Class X509AuthenticationProvider

  • All Implemented Interfaces:
    AuthenticationProvider

    public class X509AuthenticationProvider
    extends java.lang.Object
    implements AuthenticationProvider
    An AuthenticationProvider backed by an X509TrustManager and an X509KeyManager to perform remote host certificate authentication. The default algorithm is SunX509 and the default store type is a JKS KeyStore. To specify the locations of the key store and trust store, set the following system properties:
    zookeeper.ssl.keyStore.location
    zookeeper.ssl.trustStore.location
    To specify store passwords, set the following system properties:
    zookeeper.ssl.keyStore.password
    zookeeper.ssl.trustStore.password
    Alternatively, the passwords can be specified by the following password file path properties:
    zookeeper.ssl.keyStore.passwordPath
    zookeeper.ssl.trustStore.passwordPath
    Alternatively, the provider can be constructed with any X509TrustManager and X509KeyManager implementation.
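    As an added example (not part of the ZooKeeper Javadoc or source), the two ways of constructing the provider described above: through the documented system properties, and by plugging in explicit managers built from a JKS key store and trust store. The store and password-file paths are placeholders; the package names assume Apache ZooKeeper's server module.

```java
// Added example, not ZooKeeper's own code. Paths and the store type/algorithm are
// assumptions; the property names are the ones documented for the provider.
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;

public class X509ProviderSetup {

    /** Variant 1: default constructor, configured through the documented system properties. */
    static X509AuthenticationProvider fromSystemProperties() throws X509Exception {
        System.setProperty("zookeeper.ssl.keyStore.location", "/etc/zookeeper/server.jks");     // placeholder
        System.setProperty("zookeeper.ssl.trustStore.location", "/etc/zookeeper/truststore.jks"); // placeholder
        // Prefer the *.passwordPath properties over *.password: a password passed as a
        // -D flag or setProperty value is readable by anyone who can list the process,
        // while a password file can be restricted with file permissions.
        System.setProperty("zookeeper.ssl.keyStore.passwordPath", "/etc/zookeeper/keystore.pwd");     // placeholder
        System.setProperty("zookeeper.ssl.trustStore.passwordPath", "/etc/zookeeper/truststore.pwd"); // placeholder
        return new X509AuthenticationProvider();
    }

    /** Variant 2: supply the X509TrustManager and X509KeyManager explicitly. */
    static X509AuthenticationProvider fromManagers(String ksPath, char[] ksPass,
                                                   String tsPath, char[] tsPass) throws Exception {
        // Key store: the certificate and private key this host presents.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, ksPass);

        // Trust store: only the CA certificates that may sign client certificates.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);

        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509AuthenticationProvider(tm, km);
    }
}
```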
    • Constructor Summary

      Constructors
      Constructor Description
      X509AuthenticationProvider()
      Initialize the X509AuthenticationProvider with a JKS KeyStore and JKS TrustStore according to the following system properties:
      zookeeper.ssl.keyStore.location
      zookeeper.ssl.trustStore.location
      zookeeper.ssl.keyStore.password
      zookeeper.ssl.keyStore.passwordPath
      zookeeper.ssl.trustStore.password
      zookeeper.ssl.trustStore.passwordPath
      X509AuthenticationProvider(javax.net.ssl.X509TrustManager trustManager, javax.net.ssl.X509KeyManager keyManager)
      Initialize the X509AuthenticationProvider with the provided X509TrustManager and X509KeyManager.
    • Method Summary

      Modifier and Type Method Description
      protected java.lang.String getClientId(java.security.cert.X509Certificate clientCert)
      Determine the string to be used as the remote host session Id for authorization purposes.
      javax.net.ssl.X509KeyManager getKeyManager()
      Get the X509KeyManager implementation used for certificate management.
      java.lang.String getScheme()
      The String used to represent this provider.
      javax.net.ssl.X509TrustManager getTrustManager()
      Get the X509TrustManager implementation used for remote host authentication.
      KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData)
      This method is called when a client passes authentication data for this scheme.
      boolean isAuthenticated()
      This method is used to check if the authentication done by this provider should be used to identify the creator of a node.
      boolean isValid(java.lang.String id)
      Validates the syntax of an id.
      boolean matches(java.lang.String id, java.lang.String aclExpr)
      This method is called to see if the given id matches the given id expression in the ACL.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • X509AuthenticationProvider

        public X509AuthenticationProvider()
                                   throws X509Exception
        Initialize the X509AuthenticationProvider with a JKS KeyStore and JKS TrustStore according to the following system properties:
        zookeeper.ssl.keyStore.location
        zookeeper.ssl.trustStore.location
        zookeeper.ssl.keyStore.password
        zookeeper.ssl.keyStore.passwordPath
        zookeeper.ssl.trustStore.password
        zookeeper.ssl.trustStore.passwordPath
        Throws:
        X509Exception
      • X509AuthenticationProvider

        public X509AuthenticationProvider(javax.net.ssl.X509TrustManager trustManager,
                                          javax.net.ssl.X509KeyManager keyManager)
        Initialize the X509AuthenticationProvider with the provided X509TrustManager and X509KeyManager.
        Parameters:
        trustManager - X509TrustManager implementation to use for remote host authentication.
        keyManager - X509KeyManager implementation to use for certificate management.
    • Method Detail

      • getScheme

        public java.lang.String getScheme()
        Description copied from interface: AuthenticationProvider
        The String used to represent this provider. This will correspond to the scheme field of an Id.
        Specified by:
        getScheme in interface AuthenticationProvider
        Returns:
        the scheme of this provider.
      • handleAuthentication

        public KeeperException.Code handleAuthentication(ServerCnxn cnxn,
                                                         byte[] authData)
        Description copied from interface: AuthenticationProvider
        This method is called when a client passes authentication data for this scheme. The authData is directly from the authentication packet. The implementor may attach new ids to the authInfo field of cnxn or may use cnxn to send packets back to the client.
        Specified by:
        handleAuthentication in interface AuthenticationProvider
        Parameters:
        cnxn - the cnxn that received the authentication information.
        authData - the authentication data received.
        Returns:
        TODO
      • getClientId

        protected java.lang.String getClientId(java.security.cert.X509Certificate clientCert)
        Determine the string to be used as the remote host session Id for authorization purposes. Associate this client identifier with a ServerCnxn that has been authenticated over SSL, and any ACLs that refer to the authenticated client.
        Parameters:
        clientCert - Authenticated X509Certificate associated with the remote host.
        Returns:
        Identifier string to be associated with the client.
      • matches

        public boolean matches(java.lang.String id,
                               java.lang.String aclExpr)
        Description copied from interface: AuthenticationProvider
        This method is called to see if the given id matches the given id expression in the ACL. This allows schemes to use application-specific wildcards.
        Specified by:
        matches in interface AuthenticationProvider
        Parameters:
        id - the id to check.
        aclExpr - the expression to match ids against.
        Returns:
        true if the id can be matched by the expression.
      • isAuthenticated

        public boolean isAuthenticated()
        Description copied from interface: AuthenticationProvider
        This method is used to check if the authentication done by this provider should be used to identify the creator of a node. Some ids, such as hosts and IP addresses, are rather transient and in general do not really identify a client, even though sometimes they do.
        Specified by:
        isAuthenticated in interface AuthenticationProvider
        Returns:
        true if this provider identifies creators.
      • isValid

        public boolean isValid(java.lang.String id)
        Description copied from interface: AuthenticationProvider
        Validates the syntax of an id.
        Specified by:
        isValid in interface AuthenticationProvider
        Parameters:
        id - the id to validate.
        Returns:
        true if id is well formed.