knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject [2/2] git commit: Another iteration of work toward KNOX-37 in the investigation of OAuth/OpenID for identity federation. Also fixed issues with provider resolution by name and various refactorings.
Date Wed, 10 Apr 2013 15:18:02 GMT
Another iteration of work toward KNOX-37 in the investigation of OAuth/OpenID for identity federation. Also fixed issues with provider resolution by name and various refactorings.

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/61ca72e1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/61ca72e1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/61ca72e1

Branch: refs/heads/master
Commit: 61ca72e10893fac097643aab490147408a306046
Parents: eddbe54
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Wed Apr 10 11:16:57 2013 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Wed Apr 10 11:16:57 2013 -0400

----------------------------------------------------------------------
 .../gateway/deploy/impl/DeploymentContributor.java |    2 +-
 .../gateway/filter/IdentityAssertionFilter.java    |   99 -----------
 .../filter/PseudoIdentityAssertionFilter.java      |   56 ++++++
 gateway-provider-security-jwt/pom.xml              |    5 +
 .../provider/federation/jwt/AccessToken.java       |   87 +++++++++
 .../provider/federation/jwt/JWTAuthority.java      |   67 +++++++
 .../federation/jwt/JWTProviderMessages.java        |   36 ++++
 .../gateway/provider/federation/jwt/JWTToken.java  |  138 +++++++++++++++
 .../deploy/JWTAccessTokenAssertionContributor.java |   63 +++++++
 .../deploy/JWTAuthCodeAssertionContributor.java    |   51 ++++++
 .../jwt/deploy/JWTDeploymentContributor.java       |   52 ------
 .../jwt/deploy/JWTFederationContributor.java       |   51 ++++++
 .../jwt/filter/JWTAccessTokenAssertionFilter.java  |  116 ++++++++++++
 .../jwt/filter/JWTAuthCodeAssertionFilter.java     |   35 ++++
 .../federation/jwt/filter/JWTAuthority.java        |   60 -------
 .../federation/jwt/filter/JWTFederationFilter.java |   10 +-
 .../federation/jwt/filter/JWTProviderMessages.java |   36 ----
 .../provider/federation/jwt/filter/JWTToken.java   |  138 ---------------
 ...op.gateway.deploy.ProviderDeploymentContributor |    3 +-
 .../gateway/provider/federation/JWTTokenTest.java  |    2 +-
 .../gateway/filter/PostAuthenticationFilter.java   |   74 ++++----
 .../org/apache/hadoop/gateway/GatewayServer.java   |    3 -
 .../gateway/deploy/DeploymentContextImpl.java      |    6 +-
 .../gateway/services/DefaultGatewayServices.java   |    4 -
 .../services/GatewayServicesContextListener.java   |    2 +-
 .../gateway/topology/xml/XmlTopologyRules.java     |    1 +
 .../gateway/deploy/DeploymentFactoryTest.java      |    9 +-
 .../gateway/hdfs/HdfsDeploymentContributor.java    |    3 +-
 .../deploy/ServiceDeploymentContributorBase.java   |   11 +-
 .../security/AbstractIdentityAssertionFilter.java  |   90 ++++++++++
 .../hadoop/gateway/security/GroupPrincipal.java    |   32 ++++
 .../hadoop/gateway/security/PrimaryPrincipal.java  |   33 ++++
 .../security/principal/SimplePrincipalMapper.java  |    2 +-
 .../hadoop/gateway/services/GatewayServices.java   |    4 +
 .../apache/hadoop/gateway/topology/Topology.java   |    9 +-
 .../hadoop/gateway/GatewayBasicFuncTest.java       |   10 +-
 gateway-util-common/pom.xml                        |    4 +
 .../org/apache/hadoop/gateway/util/JsonUtils.java  |   72 ++++++++
 .../apache/hadoop/gateway/util/JsonUtilsTest.java  |   49 +++++
 pom.xml                                            |   13 ++-
 40 files changed, 1086 insertions(+), 452 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
index 9140fcb..da47313 100644
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
@@ -31,7 +31,7 @@ import java.util.List;
 
 public class DeploymentContributor extends ProviderDeploymentContributorBase {
 
-  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.IdentityAssertionFilter";
+  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter";
   private static final String PRINCIPAL_MAPPING_PARAM_NAME = "principal.mapping";
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
deleted file mode 100644
index 7f6b474..0000000
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.security.principal.PrincipalMapper;
-import org.apache.hadoop.gateway.security.principal.PrincipalMappingException;
-import org.apache.hadoop.gateway.security.principal.SimplePrincipalMapper;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Set;
-
-public class IdentityAssertionFilter implements Filter {
-
-  private PrincipalMapper mapper = new SimplePrincipalMapper();
-
-  @Override
-  public void init( FilterConfig filterConfig ) throws ServletException {
-    // load principal mappings
-    String principalMapping = filterConfig.getServletContext().getInitParameter("principal.mapping");
-    try {
-      mapper.loadMappingTable(principalMapping);
-    }
-    catch (PrincipalMappingException pme) {
-      // TODO: log this appropriately
-      pme.printStackTrace();
-    }
-  }
-
-  public void destroy() {
-    
-  }
-
-  /**
-   * Obtain the standard javax.security.auth.Subject, retrieve the caller principal, map
-   * to the identity to be asserted as appropriate and create the provider specific
-   * assertion token. Add the assertion token to the request.
-   */
-  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
-      throws IOException, ServletException {
-//    System.out.println("+++++++++++++ Identity Assertion Filtering");
-    Subject subject = Subject.getSubject(AccessController.getContext());
-
-    String principalName = getPrincipalName(subject);
-    principalName = mapper.mapPrincipal(principalName);
-//    System.out.println("+++++++++++++ Identity Assertion Filtering with Principal: " + principalName);
-
-    IdentityAssertionHttpServletRequestWrapper wrapper = 
-        new IdentityAssertionHttpServletRequestWrapper(
-        (HttpServletRequest)request, 
-        principalName);
-    chain.doFilter( wrapper, response );
-  }
-
-
-  /**
-   * Retrieve the principal to represent the asserted identity from
-   * the provided Subject.
-   * @param subject
-   * @return principalName
-   */
-  private String getPrincipalName(Subject subject) {
-    // LJM TODO: this implementation assumes the first one found 
-    // should configure through context param based on knowledge
-    // of the authentication provider in use
-    String name = null;
-    Set<Principal> principals = subject.getPrincipals();
-    for (Principal p : principals) {
-      name = p.getName();
-      break;
-    }
-    return name;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
new file mode 100644
index 0000000..dd08a01
--- /dev/null
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.filter;
+
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+
+import java.io.IOException;
+import java.security.AccessController;
+
+public class PseudoIdentityAssertionFilter extends AbstractIdentityAssertionFilter {
+
+  /**
+   * Obtain the standard javax.security.auth.Subject, retrieve the caller principal, map
+   * to the identity to be asserted as appropriate and create the provider specific
+   * assertion token. Add the assertion token to the request.
+   */
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
+      throws IOException, ServletException {
+//    System.out.println("+++++++++++++ Identity Assertion Filtering");
+    Subject subject = Subject.getSubject(AccessController.getContext());
+
+    String principalName = getPrincipalName(subject);
+    principalName = mapper.mapPrincipal(principalName);
+//    System.out.println("+++++++++++++ Identity Assertion Filtering with Principal: " + principalName);
+
+    IdentityAssertionHttpServletRequestWrapper wrapper = 
+        new IdentityAssertionHttpServletRequestWrapper(
+        (HttpServletRequest)request, 
+        principalName);
+    chain.doFilter( wrapper, response );
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/pom.xml b/gateway-provider-security-jwt/pom.xml
index e1d2d31..7364096 100644
--- a/gateway-provider-security-jwt/pom.xml
+++ b/gateway-provider-security-jwt/pom.xml
@@ -42,6 +42,11 @@
         </dependency>
 
         <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-util-common</artifactId>
+        </dependency>
+
+        <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
         </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
new file mode 100644
index 0000000..219abbd
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
@@ -0,0 +1,87 @@
+  /**
+   * Licensed to the Apache Software Foundation (ASF) under one
+   * or more contributor license agreements.  See the NOTICE file
+   * distributed with this work for additional information
+   * regarding copyright ownership.  The ASF licenses this file
+   * to you under the Apache License, Version 2.0 (the
+   * "License"); you may not use this file except in compliance
+   * with the License.  You may obtain a copy of the License at
+   *
+   *     http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.security.EncryptionResult;
+
+public class AccessToken {
+  private static final String ENCRYPT_ACCESS_TOKENS = "encrypt_access_tokens";
+  private static final String GATEWAY = "__gateway";
+  
+  private CryptoService crypto = null;
+  private String tokenStr = null;
+  private String principalName;
+  private long expires;
+  
+  public AccessToken(CryptoService crypto, String principalName, long expires) {
+    this.crypto = crypto;
+    this.principalName = principalName;
+    this.expires = expires;
+  }
+  
+  public String toString() {
+    if (tokenStr != null) {
+      return tokenStr;
+    }
+    String claims = principalName + "::" + expires;
+    EncryptionResult result;
+    try {
+      result = crypto.encryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, claims.getBytes("UTF-8"));
+      tokenStr = Base64.encodeBase64URLSafeString(result.iv) + "+" + 
+          Base64.encodeBase64URLSafeString(result.salt) + "+" + 
+          Base64.encodeBase64URLSafeString(result.cipher);
+    } catch (UnsupportedEncodingException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+    return tokenStr;
+  }
+  
+  public static AccessToken parseToken(CryptoService crypto, String wireToken) {
+    AccessToken token = null;
+    String[] parts = wireToken.split("\\+");
+    byte[] bytes = crypto.decryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, Base64.decodeBase64(parts[2]), Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]));
+    
+    try {
+      String claims = new String(bytes, "UTF-8");
+      String[] claimz = claims.split("\\::");
+      token = new AccessToken(crypto, claimz[0], Long.parseLong(claimz[1]));
+      token.setTokenStr(wireToken);
+    } catch (UnsupportedEncodingException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+    return token;
+  }
+  
+  private void setTokenStr(String wireToken) {
+    this.tokenStr = wireToken;
+  }
+
+  public String getPrincipalName() {
+    return principalName;
+  }
+  
+  public long getExpires() {
+    return expires;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
new file mode 100644
index 0000000..9c34773
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
@@ -0,0 +1,67 @@
+  /**
+   * Licensed to the Apache Software Foundation (ASF) under one
+   * or more contributor license agreements.  See the NOTICE file
+   * distributed with this work for additional information
+   * regarding copyright ownership.  The ASF licenses this file
+   * to you under the Apache License, Version 2.0 (the
+   * "License"); you may not use this file except in compliance
+   * with the License.  You may obtain a copy of the License at
+   *
+   *     http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.gateway.services.security.CryptoService;
+
+public class JWTAuthority {
+  private CryptoService crypto = null;
+  
+  public JWTAuthority(CryptoService crypto) {
+    this.crypto = crypto;
+  }
+  
+  public JWTToken issueToken(Subject subject, String algorithm, byte[] secret) {
+    Principal p = (Principal) subject.getPrincipals().toArray()[0];
+    String[] claimArray = new String[4];
+    claimArray[0] = "gateway";
+    claimArray[1] = p.getName();
+    // TODO: what do we need here and how do we determine what it should be?
+    claimArray[2] = "https://login.hadoop.example.org";
+    // TODO: make the validity period configurable
+    claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+
+    JWTToken token = null;
+    if ("RS256".equals(algorithm)) {
+      new JWTToken("RS256", claimArray);
+      signToken(token);
+    }
+    else {
+      // log inappropriate alg
+    }
+    
+    return token;
+  }
+
+  private void signToken(JWTToken token) {
+    byte[] signature = null;
+    signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
+    token.setSignaturePayload(signature);
+  }
+  
+  public boolean verifyToken(JWTToken token) {
+    boolean rc = false;
+    rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
+    return rc;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
new file mode 100644
index 0000000..f2234bc
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+
+/**
+ *
+ */
+@Messages(logger="org.apache.hadoop.gateway")
+public interface JWTProviderMessages {
+
+  @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
+  void renderingJWTTokenForTheWire(String string);
+
+  @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
+  void parsingToken(String wireToken);
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
new file mode 100644
index 0000000..edc46fe
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
@@ -0,0 +1,138 @@
+  /**
+   * Licensed to the Apache Software Foundation (ASF) under one
+   * or more contributor license agreements.  See the NOTICE file
+   * distributed with this work for additional information
+   * regarding copyright ownership.  The ASF licenses this file
+   * to you under the Apache License, Version 2.0 (the
+   * "License"); you may not use this file except in compliance
+   * with the License.  You may obtain a copy of the License at
+   *
+   *     http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.io.UnsupportedEncodingException;
+import java.text.MessageFormat;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+
+import com.jayway.jsonpath.JsonPath;
+
+public class JWTToken {
+  private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
+  private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
+  public static final String PRINCIPAL = "prn";
+  public static final String ISSUER = "iss";
+  public static final String AUDIENCE = "aud";
+  public static final String EXPIRES = "exp";
+  private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
+
+  public String header = null;
+  public String claims = null;
+  
+  byte[] payload = null;
+  
+  public JWTToken(byte[] header, byte[] claims, byte[] signature) {
+    try {
+      this.header = new String(header, "UTF-8");
+      this.claims = new String(claims, "UTF-8");
+      this.payload = signature;
+    } catch (UnsupportedEncodingException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+  }
+
+  public JWTToken(String alg, String[] claimsArray) {
+    MessageFormat headerFormatter = new MessageFormat(headerTemplate);
+    String[] algArray = new String[1];
+    algArray[0] = alg;
+    header = headerFormatter.format(algArray);
+
+    MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
+    claims = claimsFormatter.format(claimsArray);
+  }
+  
+  public String getPayloadToSign() {
+    StringBuffer sb = new StringBuffer();
+    try {
+      sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+      sb.append(".");
+      sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+    } catch (UnsupportedEncodingException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+    
+    return sb.toString();
+  }
+
+  public String toString() {
+    StringBuffer sb = new StringBuffer();
+    try {
+      sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+      sb.append(".");
+      sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+      sb.append(".");
+      sb.append(Base64.encodeBase64URLSafeString(payload));
+    } catch (UnsupportedEncodingException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+    
+    log.renderingJWTTokenForTheWire(sb.toString());
+
+    return sb.toString();
+  }
+  
+  public void setSignaturePayload(byte[] payload) {
+    this.payload = payload;
+  }
+  
+  public byte[] getSignaturePayload() {
+    return this.payload;
+  }
+
+  public static JWTToken parseToken(String wireToken) {
+    JWTToken token = null;
+    log.parsingToken(wireToken);
+    String[] parts = wireToken.split("\\.");
+    token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
+//    System.out.println("header: " + token.header);
+//    System.out.println("claims: " + token.claims);
+//    System.out.println("payload: " + new String(token.payload));
+    
+    return token;
+  }
+  
+  public String getClaim(String claimName) {
+    String claim = null;
+    
+    claim = JsonPath.read(claims, "$." + claimName);
+    
+    return claim;
+  }
+
+  public String getPrincipal() {
+    return getClaim(JWTToken.PRINCIPAL);
+  }
+
+  public String getIssuer() {
+    return getClaim(JWTToken.ISSUER);
+  }
+
+  public String getAudience() {
+    return getClaim(JWTToken.AUDIENCE);
+  }
+
+  public String getExpires() {
+    return getClaim(JWTToken.EXPIRES);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
new file mode 100644
index 0000000..3920225
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import java.util.List;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class JWTAccessTokenAssertionContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ENCRYPT_ACCESS_TOKENS = "encrypt_access_tokens";
+  private static final String GATEWAY = "__gateway";
+  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTAccessTokenAssertionFilter";
+  private CryptoService crypto;
+
+  @Override
+  public String getRole() {
+    return "identity-assertion";
+  }
+
+  @Override
+  public String getName() {
+    return "JWTAccessTokenAsserter";
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    // TODO Auto-generated method stub
+    super.initializeContribution(context);
+    crypto.createAndStoreEncryptionKeyForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service, 
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+  }
+  
+  public void setCryptoService(CryptoService crypto) {
+    this.crypto = crypto;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
new file mode 100644
index 0000000..72e8f1c
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.util.List;
+
+public class JWTAuthCodeAssertionContributor extends ProviderDeploymentContributorBase {
+
+  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTAuthCodeAssertionFilter";
+
+  @Override
+  public String getRole() {
+    return "identity-assertion";
+  }
+
+  @Override
+  public String getName() {
+    return "JWTAuthCodeAsserter";
+  }
+
+  @Override
+  public void contributeProvider( DeploymentContext context, Provider provider ) {
+  }
+
+  @Override
+  public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
deleted file mode 100644
index 32ac572..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-import org.jboss.shrinkwrap.api.asset.StringAsset;
-
-import java.util.List;
-
-public class JWTDeploymentContributor extends ProviderDeploymentContributorBase {
-
-  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.authn.jwt.filter.JWTFederationFilter";
-
-  @Override
-  public String getRole() {
-    return "federation";
-  }
-
-  @Override
-  public String getName() {
-    return "JWTProvider";
-  }
-
-  @Override
-  public void contributeProvider( DeploymentContext context, Provider provider ) {
-  }
-
-  @Override
-  public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
-    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
new file mode 100644
index 0000000..466ae6b
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.util.List;
+
+public class JWTFederationContributor extends ProviderDeploymentContributorBase {
+
+  private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTFederationFilter";
+
+  @Override
+  public String getRole() {
+    return "federation";
+  }
+
+  @Override
+  public String getName() {
+    return "JWTProvider";
+  }
+
+  @Override
+  public void contributeProvider( DeploymentContext context, Provider provider ) {
+  }
+
+  @Override
+  public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+    resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
new file mode 100644
index 0000000..f179932
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.filter;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.AccessController;
+import java.util.HashMap;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.util.JsonUtils;
+
+public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilter {
+  private static final String EXPIRES_IN = "expires_in";
+  private static final String TOKEN_TYPE = "token_type";
+  private static final String ACCESS_TOKEN = "access_token";
+  private static final String BEARER = "Bearer ";
+  private long validity;
+  private CryptoService crypto = null;
+
+  @Override
+  public void init( FilterConfig filterConfig ) throws ServletException {
+    super.init(filterConfig);
+    String validityStr = filterConfig.getInitParameter("validity");
+    if (validityStr == null) {
+      validityStr = "3600"; // 1 hr. in secs
+    }
+    validity = Long.parseLong(validityStr);
+
+    GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+    crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+  }
+  
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+    String jsonResponse = null;
+    
+    String header = ((HttpServletRequest) request).getHeader("Authorization");
+    if (header != null && header.startsWith(BEARER)) {
+      // what follows the bearer designator should be the JWT token being used to request or as an access token
+      String wireToken = header.substring(BEARER.length());
+      JWTToken token = JWTToken.parseToken(wireToken);
+      
+      // authorization of the user for the requested service (and resource?) should have been done by
+      // the JWTFederationFilter - once we get here we can assume that it is authorized and we just need
+      // to assert the identity via an access token
+
+      Subject subject = Subject.getSubject(AccessController.getContext());
+      String principalName = getPrincipalName(subject);
+      principalName = mapper.mapPrincipal(principalName);
+      
+      // calculate expiration timestamp: validity * 1000 + currentTimeInMillis
+      long expires = System.currentTimeMillis() + validity * 1000;
+      
+      String accessToken = getAccessToken(principalName, expires);
+      
+      HashMap<String, Object> map = new HashMap<String, Object>();
+      // TODO: populate map from JWT authorization code
+      map.put(ACCESS_TOKEN, accessToken);
+      map.put(TOKEN_TYPE, BEARER);
+      map.put(EXPIRES_IN, expires);
+      
+      jsonResponse = JsonUtils.renderAsJsonString(map);
+      
+      response.getWriter().write(jsonResponse);
+      response.getWriter().flush();
+      return; // break filter chain
+    }
+    else {
+      // no token provided in header
+      // something is really wrong since the JWTFederationFilter should have verified its existence already
+      // TODO: may have to check cookie and url as well before sending error
+      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+      return; //break filter chain
+    }
+  }
+
+  private String getAccessToken(String principalName, long expires) {
+    String accessToken = null;
+
+    AccessToken token = new AccessToken(crypto, principalName, expires);
+    accessToken = token.toString();
+    
+    return accessToken;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
new file mode 100644
index 0000000..7dfacb5
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.filter;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+
+public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter {
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
deleted file mode 100644
index 8471ee0..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
+++ /dev/null
@@ -1,60 +0,0 @@
-  /**
-   * Licensed to the Apache Software Foundation (ASF) under one
-   * or more contributor license agreements.  See the NOTICE file
-   * distributed with this work for additional information
-   * regarding copyright ownership.  The ASF licenses this file
-   * to you under the Apache License, Version 2.0 (the
-   * "License"); you may not use this file except in compliance
-   * with the License.  You may obtain a copy of the License at
-   *
-   *     http://www.apache.org/licenses/LICENSE-2.0
-   *
-   * Unless required by applicable law or agreed to in writing, software
-   * distributed under the License is distributed on an "AS IS" BASIS,
-   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   * See the License for the specific language governing permissions and
-   * limitations under the License.
-   */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import java.security.Principal;
-
-import javax.security.auth.Subject;
-
-import org.apache.hadoop.gateway.services.security.CryptoService;
-
-public class JWTAuthority {
-  private CryptoService crypto = null;
-  
-  public JWTAuthority(CryptoService crypto) {
-    this.crypto = crypto;
-  }
-  
-  public JWTToken issueToken(Subject subject) {
-    Principal p = (Principal) subject.getPrincipals().toArray()[0];
-    String[] claimArray = new String[4];
-    claimArray[0] = "gateway";
-    claimArray[1] = p.getName();
-    // TODO: what do we need here and how do we determine what it should be?
-    claimArray[2] = "https://login.hadoop.example.org";
-    // TODO: make the validity period configurable
-    claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
-
-    JWTToken token = new JWTToken("RS256", claimArray);
-    signToken(token);
-    
-    return token;
-  }
-  
-  private void signToken(JWTToken token) {
-    byte[] signature = null;
-    signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
-    token.setSignaturePayload(signature);
-  }
-  
-  public boolean verifyToken(JWTToken token) {
-    boolean rc = false;
-    rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
-    return rc;
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 64d6a01..26f1d7b 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -29,6 +29,10 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+
 import java.io.IOException;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
@@ -40,14 +44,13 @@ import java.util.Set;
 public class JWTFederationFilter implements Filter {
 
   private static final String BEARER = "Bearer ";
-  private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
   
   private JWTAuthority authority = null;
 
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
-    GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
-    CryptoService crypto = (CryptoService) services.getService("CryptoService");
+    GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+    CryptoService crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
     authority = new JWTAuthority(crypto);
   }
 
@@ -65,6 +68,7 @@ public class JWTFederationFilter implements Filter {
       if (verified) {
         // TODO: validate expiration
         // TODO: confirm that audience matches intended target
+        // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
         Subject subject = createSubjectFromToken(token);
         continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
       }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
deleted file mode 100644
index 8e58c42..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-/**
- *
- */
-@Messages(logger="org.apache.hadoop.gateway")
-public interface JWTProviderMessages {
-
-  @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
-  void renderingJWTTokenForTheWire(String string);
-
-  @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
-  void parsingToken(String wireToken);
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
deleted file mode 100644
index 4da185d..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
+++ /dev/null
@@ -1,138 +0,0 @@
-  /**
-   * Licensed to the Apache Software Foundation (ASF) under one
-   * or more contributor license agreements.  See the NOTICE file
-   * distributed with this work for additional information
-   * regarding copyright ownership.  The ASF licenses this file
-   * to you under the Apache License, Version 2.0 (the
-   * "License"); you may not use this file except in compliance
-   * with the License.  You may obtain a copy of the License at
-   *
-   *     http://www.apache.org/licenses/LICENSE-2.0
-   *
-   * Unless required by applicable law or agreed to in writing, software
-   * distributed under the License is distributed on an "AS IS" BASIS,
-   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   * See the License for the specific language governing permissions and
-   * limitations under the License.
-   */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import java.io.UnsupportedEncodingException;
-import java.text.MessageFormat;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-
-import com.jayway.jsonpath.JsonPath;
-
-public class JWTToken {
-  private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
-  private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
-  public static final String PRINCIPAL = "prn";
-  public static final String ISSUER = "iss";
-  public static final String AUDIENCE = "aud";
-  public static final String EXPIRES = "exp";
-  private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
-
-  public String header = null;
-  public String claims = null;
-  
-  byte[] payload = null;
-  
-  public JWTToken(byte[] header, byte[] claims, byte[] signature) {
-    try {
-      this.header = new String(header, "UTF-8");
-      this.claims = new String(claims, "UTF-8");
-      this.payload = signature;
-    } catch (UnsupportedEncodingException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
-    }
-  }
-
-  public JWTToken(String alg, String[] claimsArray) {
-    MessageFormat headerFormatter = new MessageFormat(headerTemplate);
-    String[] algArray = new String[1];
-    algArray[0] = alg;
-    header = headerFormatter.format(algArray);
-
-    MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
-    claims = claimsFormatter.format(claimsArray);
-  }
-  
-  public String getPayloadToSign() {
-    StringBuffer sb = new StringBuffer();
-    try {
-      sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
-      sb.append(".");
-      sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
-    } catch (UnsupportedEncodingException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
-    }
-    
-    return sb.toString();
-  }
-
-  public String toString() {
-    StringBuffer sb = new StringBuffer();
-    try {
-      sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
-      sb.append(".");
-      sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
-      sb.append(".");
-      sb.append(Base64.encodeBase64URLSafeString(payload));
-    } catch (UnsupportedEncodingException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
-    }
-    
-    log.renderingJWTTokenForTheWire(sb.toString());
-
-    return sb.toString();
-  }
-  
-  public void setSignaturePayload(byte[] payload) {
-    this.payload = payload;
-  }
-  
-  public byte[] getSignaturePayload() {
-    return this.payload;
-  }
-
-  public static JWTToken parseToken(String wireToken) {
-    JWTToken token = null;
-    log.parsingToken(wireToken);
-    String[] parts = wireToken.split("\\.");
-    token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
-    System.out.println("header: " + token.header);
-    System.out.println("claims: " + token.claims);
-    System.out.println("payload: " + new String(token.payload));
-    
-    return token;
-  }
-  
-  public String getClaim(String claimName) {
-    String claim = null;
-    
-    claim = JsonPath.read(claims, "$." + claimName);
-    
-    return claim;
-  }
-
-  public String getPrincipal() {
-    return getClaim(JWTToken.PRINCIPAL);
-  }
-
-  public String getIssuer() {
-    return getClaim(JWTToken.ISSUER);
-  }
-
-  public String getAudience() {
-    return getClaim(JWTToken.AUDIENCE);
-  }
-
-  public String getExpires() {
-    return getClaim(JWTToken.EXPIRES);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
index 58c6bf7..5915713 100644
--- a/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ b/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -16,4 +16,5 @@
 # limitations under the License.
 ##########################################################################
 
-org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTDeploymentContributor
\ No newline at end of file
+org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTFederationContributor
+org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTAccessTokenAssertionContributor
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
index c651bd2..41214e2 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
@@ -18,7 +18,7 @@
 package org.apache.hadoop.gateway.provider.federation;
 
 import junit.framework.TestCase;
-import org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
 import org.junit.Test;
 
 public class JWTTokenTest extends TestCase {

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
index bdd7154..8b10c15 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
@@ -1,37 +1,39 @@
-  /**
-   * Licensed to the Apache Software Foundation (ASF) under one
-   * or more contributor license agreements.  See the NOTICE file
-   * distributed with this work for additional information
-   * regarding copyright ownership.  The ASF licenses this file
-   * to you under the Apache License, Version 2.0 (the
-   * "License"); you may not use this file except in compliance
-   * with the License.  You may obtain a copy of the License at
-   *
-   *     http://www.apache.org/licenses/LICENSE-2.0
-   *
-   * Unless required by applicable law or agreed to in writing, software
-   * distributed under the License is distributed on an "AS IS" BASIS,
-   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   * See the License for the specific language governing permissions and
-   * limitations under the License.
-   */
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.gateway.filter;
 
-  import org.apache.shiro.SecurityUtils;
-  import org.apache.shiro.subject.Subject;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
-  import javax.servlet.Filter;
-  import javax.servlet.FilterChain;
-  import javax.servlet.FilterConfig;
-  import javax.servlet.ServletException;
-  import javax.servlet.ServletRequest;
-  import javax.servlet.ServletResponse;
-  import java.io.IOException;
-  import java.security.Principal;
-  import java.security.PrivilegedExceptionAction;
-  import java.util.HashSet;
-  import java.util.Set;
-  import java.util.concurrent.Callable;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.Callable;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 public class PostAuthenticationFilter implements Filter {
 
@@ -74,15 +76,11 @@ public class PostAuthenticationFilter implements Filter {
       final String principal = (String) shiroSubject.getPrincipal();
       HashSet emptySet = new HashSet();
       Set<Principal> principals = new HashSet<Principal>();
-      Principal p = new Principal() {
-        @Override
-        public String getName() {
-          // TODO Auto-generated method stub
-          return principal;
-        }
-      };
+      Principal p = new PrimaryPrincipal(principal);
       principals.add(p);
       
+      // TODO: add groups through extended JndiLdapRealm implementation once Jira KNOX-4 is resolved
+      
 //      The newly constructed Sets check whether this Subject has been set read-only 
 //      before permitting subsequent modifications. The newly created Sets also prevent 
 //      illegal modifications by ensuring that callers have sufficient permissions.

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
index ef923da..b443040 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
@@ -59,9 +59,6 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Pattern;
 
 public class GatewayServer {
-
-  public static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
-  
   private static GatewayResources res = ResourcesFactory.get( GatewayResources.class );
   private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
   private static GatewayServer server;

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
index 7e599fd..59480ce 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
@@ -118,9 +118,9 @@ public class DeploymentContextImpl implements DeploymentContext {
       List<FilterParamDescriptor> params ) {
     ProviderDeploymentContributor contributor = DeploymentFactory.getProviderContributor( providers, role, name );
     Provider provider = getTopology().getProvider( role, name );
-    if( provider == null ) {
-      provider = getTopology().getProvider( role, null );
-    }
+//    if( provider != null ) {
+//      System.out.println("=================== provider found by name: " + name + " with actual name of: " + provider.getName());
+//    }
     if( provider == null ) {
       provider = new Provider();
       provider.setRole( role );

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
index fcd3f66..fddf865 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
@@ -42,10 +42,6 @@ import org.apache.hadoop.gateway.services.security.impl.JettySSLService;
 import org.apache.hadoop.gateway.topology.Provider;
 
 public class DefaultGatewayServices implements Service, ProviderDeploymentContributor, GatewayServices {
-  private static final String SSL_SERVICE = "SSLService";
-  public static final String CRYPTO_SERVICE = "CryptoService";
-  public static final String ALIAS_SERVICE = "AliasService";
-
   private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
 
   private Map<String,Service> services = new HashMap<String, Service>();

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
index fa08377..b313c3b 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
@@ -27,7 +27,7 @@ public class GatewayServicesContextListener implements ServletContextListener {
   @Override
   public void contextInitialized(ServletContextEvent sce) {
     GatewayServices gs = GatewayServer.getGatewayServices();
-    sce.getServletContext().setAttribute(GatewayServer.GATEWAY_SERVICES_ATTRIBUTE, gs);
+    sce.getServletContext().setAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE, gs);
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
index 9f46441..c6913d3 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
@@ -47,6 +47,7 @@ public class XmlTopologyRules extends AbstractRulesModule {
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG ).createObject().ofType( Provider.class ).then().setNext( "addProvider" );
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + ROLE_TAG ).setBeanProperty();
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + ENABLED_TAG ).setBeanProperty();
+    forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + NAME_TAG ).setBeanProperty();
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG ).createObject().ofType( ProviderParam.class ).then().setNext( "addParam" );
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG + "/" + NAME_TAG ).setBeanProperty();
     forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG + "/" + VALUE_TAG ).setBeanProperty();

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
index ad0821a..e1643a6 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
@@ -82,6 +82,11 @@ public class DeploymentFactoryTest {
     param.setValue( "classpath:app-context-security.xml" );
     provider.addParam( param );
     topology.addProvider( provider );
+    Provider asserter = new Provider();
+    asserter.setRole( "identity-assertion" );
+    asserter.setName("Pseudo");
+    asserter.setEnabled( true );
+    topology.addProvider( asserter );
 
     WebArchive war = DeploymentFactory.createDeployment( config, topology );
     //File dir = new File( System.getProperty( "user.dir" ) );
@@ -113,7 +118,7 @@ public class DeploymentFactoryTest {
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter" ) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/role", equalTo( "identity-assertion" ) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter" ) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter" ) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/role", equalTo( "dispatch" ) ) );
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/name", equalTo( "http-client" ) ) );
@@ -135,7 +140,7 @@ public class DeploymentFactoryTest {
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter" ) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/role", equalTo( "identity-assertion" ) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter" ) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter" ) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/role", equalTo( "dispatch" ) ) );
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/name", equalTo( "http-client" ) ) );

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java b/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
index 721d8f0..49a26b2 100644
--- a/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
+++ b/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
@@ -24,6 +24,7 @@ import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
 import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
 import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
 import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteMatchDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
 
 import java.net.URISyntaxException;
@@ -132,7 +133,7 @@ public class HdfsDeploymentContributor extends ServiceDeploymentContributorBase
   }
 
   private void addDispatchFilter(
-      DeploymentContext context, Service service, ResourceDescriptor resource, String role, String name ) {
+    DeploymentContext context, Service service, ResourceDescriptor resource, String role, String name ) {
     context.contributeFilter( service, resource, role, name, null );
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
index 28d6db7..fbd9865 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
@@ -32,13 +32,20 @@ public abstract class ServiceDeploymentContributorBase extends DeploymentContrib
   }
 
   protected boolean topologyContainsProviderType(DeploymentContext context, String role) {
+    Provider provider = getProviderByRole(context, role);
+    return (provider != null);
+  }
+  
+  protected Provider getProviderByRole(DeploymentContext context, String role) {
+    Provider p = null;
     Collection<Provider> providers = context.getTopology().getProviders();
     for (Provider provider : providers) {
       if (role.equals(provider.getRole())) {
-        return true;
+        p = provider;
+        break;
       }
     }
-    return false;
+    return p;
   }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
new file mode 100644
index 0000000..4e4a5ed
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.filter.security;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.gateway.security.principal.PrincipalMapper;
+import org.apache.hadoop.gateway.security.principal.PrincipalMappingException;
+import org.apache.hadoop.gateway.security.principal.SimplePrincipalMapper;
+
+public abstract class AbstractIdentityAssertionFilter implements Filter {
+
+  protected PrincipalMapper mapper = new SimplePrincipalMapper();
+
+  public AbstractIdentityAssertionFilter() {
+    super();
+  }
+
+  protected void loadPrincipalMappings(FilterConfig filterConfig) {
+    String principalMapping = filterConfig.getServletContext().getInitParameter("principal.mapping");
+    if (principalMapping != null && !principalMapping.isEmpty()) {
+      try {
+        mapper.loadMappingTable(principalMapping);
+      }
+      catch (PrincipalMappingException pme) {
+        // TODO: log this appropriately
+        pme.printStackTrace();
+      }
+    }
+  }
+
+  /**
+   * Retrieve the principal to represent the asserted identity from
+   * the provided Subject.
+   * @param subject
+   * @return principalName
+   */
+  protected String getPrincipalName(Subject subject) {
+    // look first for the knox specific PrimaryPrincipal to use as the asserted identity
+    // if not found fallback to the first principal found
+    String name = null;
+    Set<PrimaryPrincipal> primaryPrincipals = subject.getPrincipals(PrimaryPrincipal.class);
+    if (primaryPrincipals.size() > 0) {
+      return ((PrimaryPrincipal)primaryPrincipals.toArray()[0]).getName();
+    }
+    
+    // LJM TODO: this implementation assumes the first one found 
+    // should configure through context param based on knowledge
+    // of the authentication provider in use
+    Set<Principal> principals = subject.getPrincipals();
+    for (Principal p : principals) {
+      name = p.getName();
+      break;
+    }
+    return name;
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    // load principal mappings
+    loadPrincipalMappings(filterConfig);
+  }
+
+  public void destroy() {
+    
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
new file mode 100644
index 0000000..e822269
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security;
+
+import java.security.Principal;
+
+public class GroupPrincipal implements Principal {
+  private String name = null;
+
+  public GroupPrincipal(String name) {
+    
+  }
+  
+  public String getName() {
+    return name;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
new file mode 100644
index 0000000..b6affad
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security;
+
+import java.security.Principal;
+
+public class PrimaryPrincipal implements Principal {
+  private String name = null;
+
+  public PrimaryPrincipal(String name) {
+    this.name = name;
+  }
+  
+  public String getName() {
+    return name;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
index 08a1d12..b3770e6 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
@@ -52,7 +52,7 @@ public class SimplePrincipalMapper implements PrincipalMapper {
         // do not leave table in an unknown state - clear it instead
         // no principal mapping will occur
         table.clear();
-        throw new PrincipalMappingException("Unable to load mappings from provided string - no principal mapping will be provided.");
+        throw new PrincipalMappingException("Unable to load mappings from provided string: " + principalMapping + " - no principal mapping will be provided.");
       }
     }
   }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
index c7b8640..f13fe33 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
@@ -21,6 +21,10 @@ import java.util.Collection;
 
 
 public interface GatewayServices {
+  public static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
+  public static final String SSL_SERVICE = "SSLService";
+  public static final String CRYPTO_SERVICE = "CryptoService";
+  public static final String ALIAS_SERVICE = "AliasService";
 
   public abstract Collection<String> getServiceNames();
 


Mime
View raw message