Class DataPlaneAuthenticator
java.lang.Object
org.mockserver.authentication.dataplane.DataPlaneAuthenticator
Opt-in, fail-closed authentication gate for the data plane (the mocked
endpoints), as opposed to the control plane (
/mockserver/*) which is gated separately
by HttpState.controlPlaneRequestAuthenticated.
This helper holds the policy/decision so it can be unit tested in core; the Netty handler
merely invokes authenticate(HttpRequest) and writes the 401/403 the result describes.
Behaviour
- Default OFF. When
dataPlaneAuthenticationRequiredisfalse(the default)isEnabled()isfalseandauthenticate(HttpRequest)always returnsDataPlaneAuthenticator.Outcome.authenticated()— behaviour is byte-identical to a server with no data-plane auth. - Multi-scheme = accept-any. When more than one scheme (Basic / Bearer /
API-key) is configured a request is accepted if it satisfies any one of them
(logical OR). This keeps configuration predictable: adding a scheme can only ever widen
the set of accepted credentials, never narrow it. The
WWW-Authenticatechallenge on a 401 advertises the configured Basic/Bearer schemes. - Fail-closed when required-but-unconfigured. If
dataPlaneAuthenticationRequiredistruebut no scheme is configured (no Basic username/password, no Bearer token, no API-key value) thenisEnabled()is stilltrueand every request is rejected (401, generic challenge). A misconfiguration can therefore never silently allow all traffic. - Constant-time secret comparison. Password, Bearer token and API-key value
comparisons use
MessageDigest.isEqual(byte[], byte[])on UTF-8 bytes, which is documented to run in constant time, to avoid a timing side-channel. Credential values are never logged or echoed in a response body.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic final classResult of an authentication attempt. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionauthenticate(HttpRequest request) Decide whether the given data-plane request is authenticated.boolean
-
Constructor Details
-
DataPlaneAuthenticator
-
-
Method Details
-
isEnabled
public boolean isEnabled()- Returns:
truewhen the gate is active (i.e.dataPlaneAuthenticationRequiredistrue). Whenfalsethe Netty handler can skip the gate entirely and there is no change to request handling.
-
authenticate
Decide whether the given data-plane request is authenticated.When the gate is disabled this is always
DataPlaneAuthenticator.Outcome.authenticated(). When enabled but no scheme is configured the request is always rejected (fail-closed). Otherwise the request is accepted if it satisfies any one configured scheme.
-