Examples of co.cask.cdap.security.auth.AccessToken$Schemas

• co.cask.cdap.security.auth.AccessToken
  Represents a verified identity used for client authentication. The token consists of two parts:

  • the token identity - represented by the {@link AccessTokenIdentifier}, this contains the authenticated username, group memberships, and valid token lifetime,
  • the token digest - a signature computed on the token identity components plus a server-side secret key, this ensures that the token is authentic (was issued by a trusted server) and has not been modified.

  An access token is issued following successful authentication of a client by an external mechanism (such as LDAP, Kerberos, etc). The token is then provided by the client on subsequent requests to CDAP. In order to validate the token, CDAP components recompute the digest for the token identifier, based on their own knowledge of the secret key. If the recomputed digest matches that provided by the client, we know that, barring compromise of the secret keys or exposure of the token itself, the token was issued by CDAP for this client.

    long issueTime = System.currentTimeMillis();
    long expireTime = issueTime + tokenValidity;
    // Create and sign a new AccessTokenIdentifier to generate the AccessToken.
    AccessTokenIdentifier tokenIdentifier = new AccessTokenIdentifier(username, userGroups, issueTime, expireTime);
    AccessToken token = tokenManager.signIdentifier(tokenIdentifier);
    LOG.debug("Issued token for user {}", username);

    // Set response headers
    response.setContentType("application/json;charset=UTF-8");
    response.addHeader("Cache-Control", "no-store");