Class DataPlaneAuthenticator

java.lang.Object
org.mockserver.authentication.dataplane.DataPlaneAuthenticator

public class DataPlaneAuthenticator extends Object
Opt-in, fail-closed authentication gate for the data plane (the mocked endpoints), as opposed to the control plane (/mockserver/*) which is gated separately by HttpState.controlPlaneRequestAuthenticated.

This helper holds the policy/decision so it can be unit tested in core; the Netty handler merely invokes authenticate(HttpRequest) and writes the 401/403 the result describes.

Behaviour

  • Default OFF. When dataPlaneAuthenticationRequired is false (the default) isEnabled() is false and authenticate(HttpRequest) always returns DataPlaneAuthenticator.Outcome.authenticated() — behaviour is byte-identical to a server with no data-plane auth.
  • Multi-scheme = accept-any. When more than one scheme (Basic / Bearer / API-key) is configured a request is accepted if it satisfies any one of them (logical OR). This keeps configuration predictable: adding a scheme can only ever widen the set of accepted credentials, never narrow it. The WWW-Authenticate challenge on a 401 advertises the configured Basic/Bearer schemes.
  • Fail-closed when required-but-unconfigured. If dataPlaneAuthenticationRequired is true but no scheme is configured (no Basic username/password, no Bearer token, no API-key value) then isEnabled() is still true and every request is rejected (401, generic challenge). A misconfiguration can therefore never silently allow all traffic.
  • Constant-time secret comparison. Password, Bearer token and API-key value comparisons use MessageDigest.isEqual(byte[], byte[]) on UTF-8 bytes, which is documented to run in constant time, to avoid a timing side-channel. Credential values are never logged or echoed in a response body.
Constructor Details

  • DataPlaneAuthenticator

    public DataPlaneAuthenticator(Configuration configuration)

Method Details

  • isEnabled

    public boolean isEnabled()
    Returns:
    true when the gate is active (i.e. dataPlaneAuthenticationRequired is true). When false the Netty handler can skip the gate entirely and there is no change to request handling.

  • authenticate

    public DataPlaneAuthenticator.Outcome authenticate(HttpRequest request)
    Decide whether the given data-plane request is authenticated.

    When the gate is disabled this is always DataPlaneAuthenticator.Outcome.authenticated(). When enabled but no scheme is configured the request is always rejected (fail-closed). Otherwise the request is accepted if it satisfies any one configured scheme.
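A stand-alone model of the decision policy described under Behaviour and in authenticate(HttpRequest), added here as an example; it is not MockServer's DataPlaneAuthenticator, and the configuration fields, the Map-of-headers input, the API-key header name and the shape of Outcome are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical model of the gate's decision policy; not MockServer's own class.
public class DataPlaneGateExample {
    // Constructed configuration: a null field means "this scheme is not configured".
    boolean required;
    String basicUser, basicPass, bearerToken, apiKeyHeader, apiKeyValue;

    record Outcome(int status, String challenge) {
        static Outcome authenticated() { return new Outcome(200, null); }
        boolean isAuthenticated() { return status == 200; }
    }
    // Constant-time comparison of UTF-8 bytes; neither value is logged or echoed.
    static boolean secretEquals(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    // Header names are assumed to be already canonicalised (e.g. "Authorization").
    Outcome authenticate(Map<String, String> headers) {
        if (!required) return Outcome.authenticated();          // default OFF: gate is a no-op
        boolean basic = basicUser != null && basicPass != null;
        List<String> advertised = new ArrayList<>();
        if (basic) advertised.add("Basic");
        if (bearerToken != null) advertised.add("Bearer");
        if (advertised.isEmpty() && apiKeyValue == null)         // required but unconfigured:
            return new Outcome(401, "Basic");                    // fail closed, generic challenge
        String auth = headers.getOrDefault("Authorization", "");
        if (basic && auth.startsWith("Basic ")) {
            try {
                String userPass = new String(Base64.getDecoder().decode(auth.substring(6)),
                                             StandardCharsets.UTF_8);
                int colon = userPass.indexOf(':');
                if (colon > 0 && secretEquals(basicUser, userPass.substring(0, colon))
                        && secretEquals(basicPass, userPass.substring(colon + 1)))
                    return Outcome.authenticated();
            } catch (IllegalArgumentException malformedBase64) { /* treat as a failed attempt */ }
        }
        if (bearerToken != null && auth.startsWith("Bearer ") && secretEquals(bearerToken, auth.substring(7)))
            return Outcome.authenticated();
        if (apiKeyValue != null && apiKeyHeader != null && secretEquals(apiKeyValue, headers.get(apiKeyHeader)))
            return Outcome.authenticated();
        // No configured scheme matched (the logical OR failed): 401 advertising Basic/Bearer only.
        return new Outcome(401, String.join(", ", advertised));
    }
}
```

With required=true and no fields set, every call returns a 401 regardless of headers; with both a Bearer token and an API key set, a request carrying either valid credential is accepted.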