From lmc...@apache.org
Subject git commit: KNOX-235 - introduction of preauthenticated identity federation
Date Thu, 26 Dec 2013 20:02:10 GMT
Updated Branches:
  refs/heads/master 08625fca6 -> 79feb9364


KNOX-235 - introduction of preauthenticated identity federation

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/79feb936
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/79feb936
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/79feb936

Branch: refs/heads/master
Commit: 79feb9364755ebd4a67018fb48a100ca3333e54d
Parents: 08625fc
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Thu Dec 26 15:01:51 2013 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Thu Dec 26 15:01:51 2013 -0500

----------------------------------------------------------------------
 .../gateway/filter/AclsAuthorizationFilter.java |  79 ++++----
 gateway-provider-security-preauth/pom.xml       |  64 +++++++
 .../hadoop/gateway/preauth/PreAuthMessages.java |  26 +++
 .../deploy/HeaderPreAuthContributor.java        |  66 +++++++
 .../preauth/deploy/PreAuthContributor.java      |  66 +++++++
 .../filter/AbstractPreAuthFederationFilter.java | 156 ++++++++++++++++
 .../filter/HeaderPreAuthFederationFilter.java   |  72 ++++++++
 .../gateway/preauth/filter/IPValidator.java     |  46 +++++
 .../preauth/filter/PreAuthFederationFilter.java | 182 +++++++++++++++++++
 .../filter/PreAuthValidationException.java      |  32 ++++
 .../preauth/filter/PreAuthValidator.java        |  33 ++++
 ...gateway.deploy.ProviderDeploymentContributor |  19 ++
 .../provider/federation/PreAuthSSOTest.java     |  31 ++++
 gateway-release/pom.xml                         |   4 +-
 .../hadoop/gateway/util/IpAddressValidator.java | 116 ++++++++++++
 .../gateway/util/IpAddressValidatorTest.java    |  72 ++++++++
 pom.xml                                         |   6 +
 17 files changed, 1020 insertions(+), 50 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
index 57738fc..78ee5fa 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
@@ -31,6 +31,7 @@ import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.security.GroupPrincipal;
 import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.gateway.util.IpAddressValidator;
 
 import java.io.IOException;
 import java.security.AccessController;
@@ -44,11 +45,10 @@ public class AclsAuthorizationFilter implements Filter {
   private String resourceRole = null;
   private ArrayList<String> users;
   private ArrayList<String> groups;
-  private ArrayList<String> ipaddr;
-  private ArrayList<String> wildCardIPs;
   private boolean anyUser = true;
   private boolean anyGroup = true;
-  private boolean anyIP = true;
+  private IpAddressValidator ipv = null;
+
   private String aclProcessingMode = null;
 
   
@@ -84,39 +84,40 @@ public class AclsAuthorizationFilter implements Filter {
       else {
         log.aclsFoundForResource(resourceRole);
       }
-      users = new ArrayList<String>();
-      Collections.addAll(users, parts[0].split(","));
-      if (!users.contains("*")) {
-        anyUser = false;
-      }
-      groups = new ArrayList<String>();
-      Collections.addAll(groups, parts[1].split(","));
-      if (!groups.contains("*")) {
-        anyGroup = false;
-      }
+      parseUserAcls(parts);
+      
+      parseGroupAcls(parts);
 
-      ipaddr = new ArrayList<String>();
-      wildCardIPs = new ArrayList<String>();
-      Collections.addAll(ipaddr, parts[2].split(","));
-      if (!ipaddr.contains("*")) {
-        anyIP = false;
-        // check whether there are any wildcarded ip's - example: 192.* or 192.168.* or 192.168.1.*
-        for (String addr : ipaddr) {
-          if (addr.contains("*")) {
-            wildCardIPs.add(addr);
-            break;
-          }
-        }
-      }
+      parseIpAddressAcls(parts);
     }
     else {
       log.noAclsFoundForResource(resourceRole);
       users = new ArrayList<String>();
       groups = new ArrayList<String>();
-      ipaddr = new ArrayList<String>();
+      ipv = new IpAddressValidator(null);
+    }
+  }
+
+  private void parseUserAcls(String[] parts) {
+    users = new ArrayList<String>();
+    Collections.addAll(users, parts[0].split(","));
+    if (!users.contains("*")) {
+      anyUser = false;
     }
   }
 
+  private void parseGroupAcls(String[] parts) {
+    groups = new ArrayList<String>();
+    Collections.addAll(groups, parts[1].split(","));
+    if (!groups.contains("*")) {
+      anyGroup = false;
+    }
+  }
+
+  private void parseIpAddressAcls(String[] parts) {
+    ipv = new IpAddressValidator(parts[2]);
+  }
+
   public void destroy() {
 
   }
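Review bot: The new helpers `parseUserAcls`, `parseGroupAcls` and `parseIpAddressAcls` share an undocumented precondition — `parts` must hold the users, groups and IP sections at indexes 0, 1 and 2 — and `parseIpAddressAcls` now hides the `parts[2]` access behind a call, so a two-section ACL string fails with an index error one frame deeper than before. A one-line Javadoc on each, e.g. `/** Builds the IP validator from the third ACL section ({@code parts[2]}); requires {@code parts.length >= 3}. */`, would keep the layout visible, since `parts` is split outside this hunk. In the no-ACL branch `ipv` is built with `new IpAddressValidator(null)`, and the later check `ipv.getIPAddresses().size() == 0` in the hunk at line 141 assumes that constructor yields an empty, non-null list; `IpAddressValidator` is added by this commit but not shown here, so that is worth confirming. The `init` method these helpers are called from begins before this hunk.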
@@ -140,7 +141,7 @@ public class AclsAuthorizationFilter implements Filter {
     
     // before enforcing acls check whether there are no acls defined 
     // which would mean that there are no restrictions
-    if (users.size() == 0 && groups.size() == 0 && ipaddr.size() == 0) {
+    if (users.size() == 0 && groups.size() == 0 && ipv.getIPAddresses().size() == 0) {
       return true;
     }
 
@@ -187,7 +188,7 @@ public class AclsAuthorizationFilter implements Filter {
       // so, let's set each one that contains '*' to false.
       if (anyUser) userAccess = false;
       if (anyGroup) groupAccess = false;
-      if (anyIP) ipAddrAccess = false;
+      if (ipv.allowsAnyIP()) ipAddrAccess = false;
       
       return (userAccess || groupAccess || ipAddrAccess);
     }
@@ -202,25 +203,7 @@ public class AclsAuthorizationFilter implements Filter {
     if (remoteAddr == null) {
       return false;
     }
-    if (anyIP) {
-      allowed = true;
-    }
-    else {
-      if (ipaddr.contains(remoteAddr)) {
-        allowed = true;
-      }
-      else {
-        // check for wildcards if there are wildcardIP acls configured
-        if (wildCardIPs.size() > 0) {
-          for (String ipacl : wildCardIPs) {
-            if (remoteAddr.startsWith(ipacl.substring(0, ipacl.lastIndexOf('*')))) {
-              allowed = true;
-              break;
-            }
-          }
-        }
-      }
-    }
+    allowed = ipv.validateIpAddress(remoteAddr);
     return allowed;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/pom.xml b/gateway-provider-security-preauth/pom.xml
new file mode 100644
index 0000000..9a6bdb3
--- /dev/null
+++ b/gateway-provider-security-preauth/pom.xml
@@ -0,0 +1,64 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.4.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-provider-security-preauth</artifactId>
+
+    <name>gateway-provider-security-preauth</name>
+    <description>An extension of the gateway introducing SSO of preauthenticated identities.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.hadoop</groupId>
+            <artifactId>gateway-test-utils</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>
\ No newline at end of file
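Review bot: The `gateway-test-utils` dependency uses the literal groupId `org.apache.hadoop` while `gateway-spi` two entries above uses `${gateway-group}`; pick one form so a future group change does not leave one of them behind. `<groupId>${gateway-group}</groupId>` on `gateway-test-utils` would match its sibling. The file also lacks a trailing newline.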

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
new file mode 100644
index 0000000..5b2e991
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
+public interface PreAuthMessages {
+}
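Review bot: The `@Messages` logger is `org.apache.hadoop.gateway.provider.global.csrf`, which is the CSRF provider's logger name, so any message later added to this interface would be emitted under the wrong component; use a name for this provider (the package `org.apache.hadoop.gateway.preauth` would do). The `Message` and `MessageLevel` imports are unused because the interface is empty, yet `AbstractPreAuthFederationFilter` in the same commit carries `TODO: log` markers for the no-validation default and for SSO validation failure — those are the messages that belong here, and the validation-failure one is the event an operator would want to alert on.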

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
new file mode 100644
index 0000000..52d2131
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class HeaderPreAuthContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "federation";
+  private static final String NAME = "HeaderPreAuth";
+  private static final String PREAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.preauth.filter.HeaderPreAuthFederationFilter";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service, 
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    // blindly add all the provider params as filter init params
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+    resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME ).params( params );
+  }
+}
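Review bot: `entry.getKey().toLowerCase()` in the params loop uses the JVM default locale, so under a Turkish locale a key containing `I` lowercases to a dotless ı and the filter's lookup of the corresponding `preauth.*` init-param silently misses; use `toLowerCase(Locale.ENGLISH)` and import `java.util.Locale`. Because the lowercased names are what the filter matches against, a one-line comment such as `// init-param names are normalized to lowercase; filters must look them up in lowercase` would help anyone adding a new param. The `initializeContribution` override only delegates to super and can be dropped.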

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
new file mode 100644
index 0000000..184482c
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.deploy;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class PreAuthContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "webappsec";
+  private static final String NAME = "WebAppSec";
+  private static final String CSRF_SUFFIX = "_CSRF";
+  private static final String CSRF_FILTER_CLASSNAME = "org.apache.hadoop.gateway.webappsec.filter.CSRFPreventionFilter";
+  private static final String CSRF_ENABLED = "csrf.enabled";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service, 
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    
+    Provider webappsec = context.getTopology().getProvider(ROLE, NAME);
+    if (webappsec != null && webappsec.isEnabled()) {
+      Map<String,String> map = provider.getParams();
+      String csrfEnabled = map.get(CSRF_ENABLED);
+      if ( csrfEnabled != null && csrfEnabled.equals("true")) {
+        resource.addFilter().name( getName() + CSRF_SUFFIX ).role( getRole() ).impl( CSRF_FILTER_CLASSNAME ).params( params );
+      }
+    }
+  }
+}
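Review bot: This class appears to be an unedited copy of the WebAppSec provider contributor rather than a preauth contributor: it answers role `webappsec` and name `WebAppSec` and contributes `org.apache.hadoop.gateway.webappsec.filter.CSRFPreventionFilter`, with nothing referring to preauth. If the new `ProviderDeploymentContributor` service file (listed in the diffstat but not shown here) registers it, the gateway would have two contributors with the same role and name, and which one wins is unclear. Either delete it or turn it into the generic preauth contributor its name suggests; `HeaderPreAuthContributor` in the same commit shows the intended shape. The `initializeContribution` override only calls super and can be dropped.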

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
new file mode 100644
index 0000000..63855d9
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+
+/**
+ *
+ */
+public abstract class AbstractPreAuthFederationFilter implements Filter {
+
+  private static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
+  private static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
+  private static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
+  private PreAuthValidator validator = null;
+
+  /**
+   * 
+   */
+  public AbstractPreAuthFederationFilter() {
+    super();
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    String validationMethod = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
+    if (validationMethod != null) {
+      if (IP_VALIDATION_METHOD_VALUE.equals(validationMethod)) {
+        validator = new IPValidator(filterConfig.getInitParameter(IP_ADDRESSES_PARAM));
+      }
+    }
+    else {
+      validator = new DefaultValidator();
+      // TODO: log the fact that there is no verification going on to validate
+      // who is asserting the identity with the a header. Without some validation
+      // we are assuming the network security is the primary protection method.
+    }
+  }
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+      throws IOException, ServletException {
+    HttpServletRequest httpRequest = (HttpServletRequest)request;
+    String principal = getPrimaryPrincipal(httpRequest);
+    if (principal != null) {
+      if (isValid(httpRequest)) { 
+        Subject subject = new Subject();
+        subject.getPrincipals().add(new PrimaryPrincipal(principal));
+        addGroupPrincipals(httpRequest, subject.getPrincipals());
+        doAs(httpRequest, response, chain, subject);
+      }
+      else {
+        // TODO: log preauthenticated SSO validation failure
+        ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "SSO Validation Failure.");
+      }
+    } 
+    else {
+      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Missing Required Header for PreAuth SSO Federation");
+    }
+  }
+
+  /**
+   * @return
+   */
+  private boolean isValid(HttpServletRequest httpRequest) {
+    try {
+      return validator.validate(httpRequest);
+    } catch (PreAuthValidationException e) {
+      // TODO log exception
+      return false;
+    }
+  }
+
+  @Override
+  public void destroy() {
+  }
+
+  private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
+    throws IOException, ServletException {
+    try {
+      Subject.doAs(
+          subject,
+          new PrivilegedExceptionAction<Object>() {
+            public Object run() throws Exception {
+              chain.doFilter(request, response);
+              return null;
+            }
+          }
+          );
+    }
+    catch (PrivilegedActionException e) {
+      Throwable t = e.getCause();
+      if (t instanceof IOException) {
+        throw (IOException) t;
+      }
+      else if (t instanceof ServletException) {
+        throw (ServletException) t;
+      }
+      else {
+        throw new ServletException(t);
+      }
+    }
+  }
+  
+  /**
+   * @param httpRequest
+   */
+  abstract protected String getPrimaryPrincipal(HttpServletRequest httpRequest);
+
+  /**
+   * @param principals
+   */
+  abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals);
+  
+  class DefaultValidator implements PreAuthValidator {
+    /* (non-Javadoc)
+     * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String, java.lang.String)
+     */
+    @Override
+    public boolean validate(HttpServletRequest request)
+        throws PreAuthValidationException {
+      return true;
+    }
+  }
+}
\ No newline at end of file
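Review bot: When `preauth.validation.method` is set to anything other than `preauth.ip.validation`, `init` leaves `validator` null, so `isValid` throws a NullPointerException on every request instead of reporting the misconfiguration; a config typo then surfaces as a 500 per request rather than at deployment. Add an inner else at the `IP_VALIDATION_METHOD_VALUE` check: `else { throw new ServletException("Unsupported " + VALIDATION_METHOD_PARAM + ": " + validationMethod); }`. `DefaultValidator` uses no enclosing-instance state and should be declared `static`. The empty class Javadoc is the place to state what the TODO in `init` already admits: without a configured validator the asserted header is trusted outright, so network controls must guarantee that only the SSO proxy can reach the gateway.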

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
new file mode 100644
index 0000000..df88849
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.hadoop.gateway.security.GroupPrincipal;
+
+
+public class HeaderPreAuthFederationFilter extends AbstractPreAuthFederationFilter {
+  static final String CUSTOM_HEADER_PARAM = "preauth.custom.header";
+  static final String CUSTOM_GROUP_HEADER_PARAM = "preauth.custom.group.header";
+  String headerName = "SM_USER";
+  String groupHeaderName = null;
+  
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customHeader != null) {
+      headerName = customHeader;
+    }
+    String customGroupHeader = filterConfig.getInitParameter(CUSTOM_GROUP_HEADER_PARAM);
+    if (customGroupHeader != null) {
+      groupHeaderName = customGroupHeader;
+    }
+  }
+
+  /**
+   * @param httpRequest
+   */
+  @Override
+  protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
+    return httpRequest.getHeader(headerName);
+  }
+
+  /**
+   * @param principals
+   */
+  @Override
+  protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals) {
+    if (groupHeaderName != null) {
+      String headers = request.getHeader(groupHeaderName);
+      if (headers != null) {
+        String[] groups = headers.split(",");
+        for (int i = 0; i < groups.length; i++) {
+          principals.add(new GroupPrincipal(groups[i]));
+        }
+      }
+    }
+  }
+}
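Review bot: `addGroupPrincipals` splits the group header on `,` without trimming, so a header value like `admins, users` (constructed example) yields a `GroupPrincipal` named ` users`, and an empty header yields one empty-named group. Replace the index loop with `for (String group : headers.split(",")) { String name = group.trim();` / `if (!name.isEmpty()) { principals.add(new GroupPrincipal(name)); } }`. The `headerName` and `groupHeaderName` fields are package-private and mutable; `private` would match the base class. A class Javadoc should record the trust boundary the code implies: the principal is taken verbatim from the `SM_USER` (or configured) header, so that header must be validated via `preauth.validation.method` or be settable only by the upstream SSO proxy.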

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
new file mode 100644
index 0000000..d19ee58
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.hadoop.gateway.util.IpAddressValidator;
+
+/**
+ *
+ */
+class IPValidator implements PreAuthValidator {
+  private IpAddressValidator ipv = null;
+  
+  /**
+   * @param initParameter
+   */
+  public IPValidator(String ipParam) {
+    ipv = new IpAddressValidator(ipParam);
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String, java.lang.String)
+   */
+  @Override
+  public boolean validate(HttpServletRequest request)
+      throws PreAuthValidationException {
+    
+    return ipv.validateIpAddress(request.getRemoteAddr());
+  }
+}
\ No newline at end of file
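Review bot: The constructor Javadoc documents `@param initParameter` but the parameter is named `ipParam`, and the `@see` tag on `validate` refers to a two-String signature that `PreAuthValidator` does not have (its method takes an `HttpServletRequest`, as the override here shows). Both should be corrected, and the class comment should say what is actually checked: `request.getRemoteAddr()`, i.e. the immediate TCP peer — which is what makes this useful for confirming that the header-asserting proxy is the caller, but if a load balancer sits in front of the gateway it is the balancer's address that is compared, so the allowlist must be written accordingly. The file also lacks a trailing newline.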

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
new file mode 100644
index 0000000..4c0bb10
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
@@ -0,0 +1,182 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+
+public class PreAuthFederationFilter implements Filter {
+  private static final String CUSTOM_HEADER_PARAM = "preauth.customHeader";
+  private static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
+  private static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
+  private static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
+  private PreAuthValidator validator = null;
+  private String  headerName = "SM_USER";
+  
+  @Override
+  public void init( FilterConfig filterConfig ) throws ServletException {
+    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customHeader != null) {
+      headerName = customHeader;
+    }
+    String validationMethod = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
+    if (validationMethod != null) {
+      if (IP_VALIDATION_METHOD_VALUE.equals(validationMethod)) {
+        validator = new IPValidator(filterConfig.getInitParameter(IP_ADDRESSES_PARAM));
+      }
+    }
+    else {
+      validator = new DefaultValidator();
+      // TODO: log the fact that there is no verification going on to validate
+      // who is asserting the identity with the a header. Without some validation
+      // we are assuming the network security is the primary protection method.
+    }
+  }
+  
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+    HttpServletRequest httpRequest = (HttpServletRequest)request;
+    if (httpRequest.getHeader(headerName) != null) {
+      if (isValid(httpRequest)) { 
+        // TODO: continue as subject
+        chain.doFilter(request, response);
+      }
+      else {
+        // TODO: log preauthenticated SSO validation failure
+        ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for SSO Validation");
+      }
+    } 
+    else {
+      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for PreAuth SSO Federation");
+    }
+  }
+
+  /**
+   * @return
+   */
+  private boolean isValid(HttpServletRequest httpRequest) {
+    try {
+      return validator.validate(httpRequest);
+    } catch (PreAuthValidationException e) {
+      // TODO log exception
+      return false;
+    }
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#destroy()
+   */
+  @Override
+  public void destroy() {
+    // TODO Auto-generated method stub
+    
+  }
+  
+  /**
+   * Recreate the current Subject based upon the provided mappedPrincipal
+   * and look for the groups that should be associated with the new Subject.
+   * Upon finding groups mapped to the principal - add them to the new Subject.
+   * @param mappedPrincipalName
+   * @throws ServletException 
+   * @throws IOException 
+   */
+  protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response, 
+      final FilterChain chain, String principal) throws IOException, ServletException {
+    Subject subject = null;
+    Principal primaryPrincipal = null;
+    
+    // do some check to ensure that the extracted identity matches any existing security context
+    // if not, there is may be someone tampering with the request - consult config to determine
+    // how we are to handle it
+    
+    // TODO: make sure that this makes sense with existing sessions or lack thereof
+    Subject currentSubject = Subject.getSubject(AccessController.getContext());
+    if (currentSubject != null) {
+      primaryPrincipal = (PrimaryPrincipal) currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
+      if (primaryPrincipal != null) {
+        if (!primaryPrincipal.getName().equals(principal)) {
+        }
+      }
+    }
+    
+    subject = new Subject();
+    subject.getPrincipals().add(primaryPrincipal);
+    doAs(request, response, chain, subject);
+  }
+
+  private void doAs(final ServletRequest request,
+      final ServletResponse response, final FilterChain chain, Subject subject)
+      throws IOException, ServletException {
+    try {
+      Subject.doAs(
+          subject,
+          new PrivilegedExceptionAction<Object>() {
+            public Object run() throws Exception {
+              doFilterInternal(request, response, chain);
+              return null;
+            }
+          }
+          );
+    }
+    catch (PrivilegedActionException e) {
+      Throwable t = e.getCause();
+      if (t instanceof IOException) {
+        throw (IOException) t;
+      }
+      else if (t instanceof ServletException) {
+        throw (ServletException) t;
+      }
+      else {
+        throw new ServletException(t);
+      }
+    }
+  }
+
+  private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    chain.doFilter(request, response);
+  }
+  
+  class DefaultValidator implements PreAuthValidator {
+    /* (non-Javadoc)
+     * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String, java.lang.String)
+     */
+    @Override
+    public boolean validate(HttpServletRequest request)
+        throws PreAuthValidationException {
+      return true;
+    }
+    
+  }
+
+}
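Review bot: `init` leaves `validator` null when `preauth.validation.method` is set to anything other than `preauth.ip.validation`, so `isValid` throws a NullPointerException on every request instead of failing at startup; add `else { throw new ServletException("Unsupported " + VALIDATION_METHOD_PARAM + ": " + validationMethod); }` inside the non-null branch. `continueChainAsPrincipal` is never reached from `doFilter` (the `// TODO: continue as subject` path calls `chain.doFilter` directly), and as written it would index `toArray()[0]` on a possibly empty principal set, leaves the name-mismatch branch empty, never turns the `principal` argument into a principal, and adds a possibly null principal to the new Subject — so the identity asserted in the header never reaches the Subject. The validation-failure `sendError` in `doFilter` reuses the "Missing Required Header" text although the header was present; a distinct message (and arguably 403 rather than 400) would keep logs and clients from conflating the two cases.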

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
new file mode 100644
index 0000000..e643033
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+/**
+ * @author larry
+ *
+ */
+public class PreAuthValidationException extends Exception {
+  PreAuthValidationException(String message) {
+    super(message);
+  }
+
+  PreAuthValidationException(String message, Exception e) {
+    super(message, e);
+  }
+}
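Review bot: The constructors are package-private while `PreAuthValidator` is a public interface that declares `throws PreAuthValidationException`, so no validator implemented outside `org.apache.hadoop.gateway.preauth.filter` can construct the exception it is expected to throw; make both constructors `public`. A `private static final long serialVersionUID = 1L;` would also silence the usual Serializable warning on an `Exception` subclass.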

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
new file mode 100644
index 0000000..7013259
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ *
+ */
+public interface PreAuthValidator {
+
+  /**
+   * @param httpRequest
+   * @return
+   * @throws PreAuthValidationException 
+   */
+  boolean validate(HttpServletRequest httpRequest) throws PreAuthValidationException;
+}
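Review bot: The interface carries an empty class Javadoc and empty `@param`/`@return` tags, so the contract — what `true` means and when an implementation should throw rather than return `false` — is undocumented for the two implementations added in this commit. A class comment such as `Checks that a request carrying a preauthenticated identity header comes from a source the gateway is configured to trust.`, with `@return true if the request may be accepted as preauthenticated, false if the assertion must be rejected` and `@throws PreAuthValidationException if the check itself could not be carried out`, would state it and match how `PreAuthFederationFilter.isValid` treats the exception.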

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..1e89ee8
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.preauth.deploy.HeaderPreAuthContributor

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthSSOTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthSSOTest.java b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthSSOTest.java
new file mode 100644
index 0000000..ec57043
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthSSOTest.java
@@ -0,0 +1,31 @@
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
+import org.junit.Test;
+
+public class PreAuthSSOTest extends TestCase {
+  @Test
+  public void testPreAuth() throws Exception {
+    assertTrue(true);
+  }
+}
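Review bot: The only test is `assertTrue(true)`, and the unused import of `org.apache.hadoop.gateway.services.security.token.impl.JWTToken` pulls an unrelated module onto the test classpath for nothing; drop the import and either remove the placeholder or replace it with a check that `PreAuthFederationFilter` rejects a request lacking the configured header. The class also mixes JUnit 3 (`extends TestCase`) with the JUnit 4 `@Test` annotation, as does `IpAddressValidatorTest`; one style is enough.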

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index 61ad1f4..3465533 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -167,11 +167,11 @@
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
-            <artifactId>gateway-provider-security-authz-acls</artifactId>
+            <artifactId>gateway-provider-security-preauth</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
-            <artifactId>gateway-provider-security-webappsec</artifactId>
+            <artifactId>gateway-provider-security-authz-acls</artifactId>
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
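Review bot: The hunk swaps `gateway-provider-security-authz-acls` for `-preauth` and `gateway-provider-security-webappsec` for `-authz-acls` at equal line count, so unless webappsec reappears in the dependency that continues past the hunk, the release assembly silently loses the webappsec provider; the diffstat (two lines added, two removed) suggests it does. Adding a separate `<dependency>` element for preauth rather than shifting artifact ids would make the intent visible.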

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/IpAddressValidator.java
----------------------------------------------------------------------
diff --git a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/IpAddressValidator.java b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/IpAddressValidator.java
new file mode 100644
index 0000000..fd6f9ef
--- /dev/null
+++ b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/IpAddressValidator.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.util;
+
+import java.util.ArrayList;
+import java.util.Collections;
+
+/**
+ * Validate a given IP Address against a list of comma separated list of addresses.
+ */
+public class IpAddressValidator {
+  
+  /**
+   * The parsed list of ip addresses 
+   */
+  private ArrayList<String> ipaddr = new ArrayList<String>();
+  
+  /**
+   * IP addresses from the ipaddr list that contain a wildcard character '*'
+   */
+  private ArrayList<String> wildCardIPs = new ArrayList<String>();
+  
+  /**
+   * Optimization based on empty IP address list or an explicit '*' wildcard
+   */
+  private boolean anyIP = true;
+
+  /**
+   * ctor - initialize an instance with the given ip address list
+   */
+  public IpAddressValidator(String commaSeparatedIpAddresses) {
+    if (commaSeparatedIpAddresses == null) {
+      anyIP = true;
+      return;
+    }
+    
+    parseIpAddesses(commaSeparatedIpAddresses);
+  }
+
+  /**
+   * @param commaSeparatedIpAddresses
+   */
+  private void parseIpAddesses(String commaSeparatedIpAddresses) {
+    String[] ips = commaSeparatedIpAddresses.split(",");
+    ipaddr = new ArrayList<String>();
+    wildCardIPs = new ArrayList<String>();
+    Collections.addAll(ipaddr, ips);
+    if (!ipaddr.contains("*")) {
+      anyIP = false;
+      // check whether there are any wildcarded ip's - example: 192.* or 192.168.* or 192.168.1.*
+      for (String addr : ipaddr) {
+        if (addr.contains("*")) {
+          wildCardIPs.add(addr);
+        }
+      }
+    }
+  }
+  
+  public boolean validateIpAddress(String addr) {
+    boolean valid = false;
+    if (addr == null) {
+      // LJM TODO: log as possible programming error
+      return false;
+    }
+    
+    if (anyIP) {
+      valid = true;
+    }
+    else {
+      if (ipaddr.contains(addr)) {
+        valid = true;
+      }
+      else {
+        // check for wildcards if there are wildcardIP acls configured
+        if (wildCardIPs.size() > 0) {
+          for (String ip : wildCardIPs) {
+            if (addr.startsWith(ip.substring(0, ip.lastIndexOf('*')))) {
+              valid = true;
+              break;
+            }
+          }
+        }
+      }
+    }
+    return valid;
+  }
+
+  /**
+   * @return
+   */
+  public boolean allowsAnyIP() {
+    return anyIP;
+  }
+
+  /**
+   * @return
+   */
+  public ArrayList<String> getIPAddresses() {
+    return ipaddr;
+  }
+}
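Review bot: In `parseIpAddesses` a `*` that is not the last character is still accepted, and `validateIpAddress` then matches on the prefix before the last `*`, so a configured `10.*.5.1` silently allows every address starting with `10.`; entries are also never trimmed, so `127.0.0.1, 10.0.0.1` only ever matches the first. Rejecting non-trailing wildcards at construction (which fails the filter's `init`, i.e. closed) and trimming/skipping empty entries is a small change to the parse method, shown below; the method name also has a typo (`Addesses`). `getIPAddresses` hands out the internal `ArrayList`, so a caller can mutate the allow list after construction; since the class is new in this commit, changing the return type to `List<String>` and returning `Collections.unmodifiableList(ipaddr)` is still cheap.
```java
private void parseIpAddesses(String commaSeparatedIpAddresses) {
  ipaddr = new ArrayList<String>();
  wildCardIPs = new ArrayList<String>();
  for (String raw : commaSeparatedIpAddresses.split(",")) {
    String addr = raw.trim();
    if (addr.isEmpty()) {
      continue;
    }
    int star = addr.indexOf('*');
    if (star >= 0 && star != addr.length() - 1) {
      // a '*' anywhere but the end would otherwise become a bare prefix match
      throw new IllegalArgumentException("wildcard must be the last character: " + addr);
    }
    ipaddr.add(addr);
  }
  anyIP = ipaddr.contains("*");
  if (!anyIP) {
    // wildcarded ip's - example: 192.* or 192.168.* or 192.168.1.*
    for (String addr : ipaddr) {
      if (addr.endsWith("*")) {
        wildCardIPs.add(addr);
      }
    }
  }
}
```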
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/gateway-util-common/src/test/java/org/apache/hadoop/gateway/util/IpAddressValidatorTest.java
----------------------------------------------------------------------
diff --git a/gateway-util-common/src/test/java/org/apache/hadoop/gateway/util/IpAddressValidatorTest.java b/gateway-util-common/src/test/java/org/apache/hadoop/gateway/util/IpAddressValidatorTest.java
new file mode 100644
index 0000000..5db9651
--- /dev/null
+++ b/gateway-util-common/src/test/java/org/apache/hadoop/gateway/util/IpAddressValidatorTest.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.util;
+
+import org.junit.Test;
+
+import junit.framework.TestCase;
+
+public class IpAddressValidatorTest extends TestCase {
+  String test = "127.0.0.1,193.*,192.168.1.*";
+  String testWeirdConfig = ",127.0.0.1,,193.*,192.168.1.*,29*";
+  String testNullConfig = null;
+  
+  @Test
+  public void testExplicitIpAddress() throws Exception {
+    IpAddressValidator ipv = new IpAddressValidator(test);
+    
+    assertTrue("Should have validated 127.0.0.1", ipv.validateIpAddress("127.0.0.1"));
+    assertFalse("Should not have validated 127.0.0.2", ipv.validateIpAddress("127.0.0.2"));
+
+    ipv = new IpAddressValidator(testWeirdConfig);
+    
+    assertTrue("Should have validated 127.0.0.1", ipv.validateIpAddress("127.0.0.1"));
+    assertFalse("Should not have validated 127.0.0.2", ipv.validateIpAddress("127.0.0.2"));
+  }
+  
+  @Test
+  public void testNullConfig() throws Exception {
+    IpAddressValidator ipv = new IpAddressValidator(testNullConfig);
+
+    // null config indicatest that all IPs are accepted
+    assertTrue("Should have validated 127.0.0.1", ipv.validateIpAddress("127.0.0.1"));
+  }
+  
+  @Test
+  public void testNullRemoteIP() throws Exception {
+    IpAddressValidator ipv = new IpAddressValidator(testNullConfig);
+
+    assertFalse("Should not have validated null", ipv.validateIpAddress(null));
+  }
+
+  @Test
+  public void testWildcardIpAddress() throws Exception {
+    IpAddressValidator ipv = new IpAddressValidator(test);
+    
+    assertTrue("Should have validated 192.168.1.1", ipv.validateIpAddress("192.168.1.1"));
+    assertFalse("Should not have validated 192.168.2.1", ipv.validateIpAddress("192.168.2.1"));
+
+    assertTrue("Should have validated 193.168.1.1", ipv.validateIpAddress("193.168.1.1"));
+    assertFalse("Should not have validated 194.168.2.1", ipv.validateIpAddress("194.168.2.1"));
+
+    ipv = new IpAddressValidator(testWeirdConfig);
+    
+    assertTrue("Should have validated 293.168.1.1", ipv.validateIpAddress("293.168.1.1"));
+  }
+
+}
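Review bot: No case exercises an explicit `*` entry (the `anyIP` path reached through configuration rather than a null config) or an entry with surrounding whitespace, which is the most likely hand-edited form of `preauth.ip.addresses`; `assertTrue(new IpAddressValidator("*").validateIpAddress("10.1.1.1"))` and a `" 127.0.0.1"` case would pin both. The comment `null config indicatest` has a typo.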

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/79feb936/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d233d2b..6012ac6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,6 +47,7 @@
         <module>gateway-provider-rewrite-step-secure-query</module>
         <module>gateway-provider-security-jwt</module>
         <module>gateway-provider-security-webappsec</module>
+        <module>gateway-provider-security-preauth</module>
         <module>gateway-provider-security-shiro</module>
         <module>gateway-provider-security-authz-acls</module>
         <module>gateway-provider-identity-assertion-pseudo</module>
@@ -360,6 +361,11 @@
             </dependency>
             <dependency>
                 <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-provider-security-preauth</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
                 <artifactId>gateway-provider-security-shiro</artifactId>
                 <version>${gateway-version}</version>
             </dependency>

