From bca7671f852192275b412d9f62ff90f4d1e943f5 Mon Sep 17 00:00:00 2001 From: Abraham Elmahrek Date: Mon, 12 Jan 2015 10:11:34 -0800 Subject: [PATCH] SQOOP-2002: Sqoop2: Refactor existing security component (Richard Zhou via Abraham Elmahrek) --- .../sqoop/security/AuthenticationManager.java | 6 ++-- ...nConstants.java => SecurityConstants.java} | 33 +++++++++-------- ...nticationError.java => SecurityError.java} | 4 +-- ...ndlerFactory.java => SecurityFactory.java} | 6 ++-- dist/src/main/server/conf/sqoop.properties | 26 +++++++------- .../src/site/sphinx/SecurityGuideOnSqoop2.rst | 6 ++-- .../KerberosAuthenticationHandler.java | 21 ++++++----- .../SimpleAuthenticationHandler.java | 6 ++-- .../filter/SqoopAuthenticationFilter.java | 35 +++++++++---------- 9 files changed, 76 insertions(+), 67 deletions(-) rename core/src/main/java/org/apache/sqoop/security/{AuthenticationConstants.java => SecurityConstants.java} (75%) rename core/src/main/java/org/apache/sqoop/security/{AuthenticationError.java => SecurityError.java} (95%) rename core/src/main/java/org/apache/sqoop/security/{AuthenticationHandlerFactory.java => SecurityFactory.java} (90%) rename security/src/main/java/org/apache/sqoop/security/{ => Authentication}/KerberosAuthenticationHandler.java (77%) rename security/src/main/java/org/apache/sqoop/security/{ => Authentication}/SimpleAuthenticationHandler.java (87%) diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java b/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java index a014ab30..228b9e73 100644 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java +++ b/core/src/main/java/org/apache/sqoop/security/AuthenticationManager.java @@ -31,7 +31,7 @@ public class AuthenticationManager implements Reconfigurable { /** * Default authentication handler */ - public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.SimpleAuthenticationHandler"; + public static final String DEFAULT_AUTHENTICATION_HANDLER = "org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler"; /** @@ -92,9 +92,9 @@ public synchronized void initialize() throws ClassNotFoundException, IllegalAcce } String handler = SqoopConfiguration.getInstance().getContext().getString( - AuthenticationConstants.AUTHENTICATION_HANDLER, + SecurityConstants.AUTHENTICATION_HANDLER, DEFAULT_AUTHENTICATION_HANDLER).trim(); - authenticationHandler = AuthenticationHandlerFactory.getAuthenticationHandler(handler); + authenticationHandler = SecurityFactory.getAuthenticationHandler(handler); authenticationHandler.doInitialize(); authenticationHandler.secureLogin(); diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java b/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java similarity index 75% rename from core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java rename to core/src/main/java/org/apache/sqoop/security/SecurityConstants.java index ec2f32d5..a00573ae 100644 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationConstants.java +++ b/core/src/main/java/org/apache/sqoop/security/SecurityConstants.java @@ -22,19 +22,24 @@ /** * Constants that are used in authentication module. */ -public final class AuthenticationConstants { - +public final class SecurityConstants { + /** + * All security related configuration is prefixed with this: + * org.apache.sqoop.security. + */ + public static final String PREFIX_SECURITY_CONFIG = + ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "security."; /** * All authentication related configuration is prefixed with this: - * org.apache.sqoop.authentication. + * org.apache.sqoop.security.authentication. */ public static final String PREFIX_AUTHENTICATION_CONFIG = - ConfigurationConstants.PREFIX_GLOBAL_CONFIG + "authentication."; + PREFIX_SECURITY_CONFIG + "authentication."; /** * The config specifies the sqoop authentication type (SIMPLE, KERBEROS). * The default type is SIMPLE - * org.apache.sqoop.authentication.type. + * org.apache.sqoop.security.authentication.type. */ public static final String AUTHENTICATION_TYPE = PREFIX_AUTHENTICATION_CONFIG + "type"; @@ -42,56 +47,56 @@ public final class AuthenticationConstants { /** * The config specifies the sqoop authentication handler class. * The default type is org.apache.sqoop.security.SimpleAuthenticationHandler - * org.apache.sqoop.authentication.handler. + * org.apache.sqoop.security.authentication.handler. */ public static final String AUTHENTICATION_HANDLER = PREFIX_AUTHENTICATION_CONFIG + "handler"; /** * The config enables or disables anonymous authentication. - * org.apache.sqoop.authentication.anonymous. + * org.apache.sqoop.security.authentication.anonymous. */ public static final String AUTHENTICATION_ANONYMOUS = PREFIX_AUTHENTICATION_CONFIG + "anonymous"; /** * All kerberos authentication related configuration is prefixed with this: - * org.apache.sqoop.authentication.kerberos. + * org.apache.security.sqoop.authentication.kerberos. */ public static final String PREFIX_AUTHENTICATION_KERBEROS_CONFIG = PREFIX_AUTHENTICATION_CONFIG + "kerberos."; /** * The config specifies the kerberos principal. - * org.apache.sqoop.authentication.kerberos.principal. + * org.apache.sqoop.security.authentication.kerberos.principal. */ public static final String AUTHENTICATION_KERBEROS_PRINCIPAL = PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "principal"; /** * The config specifies the kerberos keytab. - * org.apache.sqoop.authentication.kerberos.principal. + * org.apache.sqoop.security.authentication.kerberos.principal. */ public static final String AUTHENTICATION_KERBEROS_KEYTAB = PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "keytab"; /** * All kerberos authentication for http related configuration is prefixed with this: - * org.apache.sqoop.authentication.kerberos.http. + * org.apache.sqoop.security.authentication.kerberos.http. */ public static final String PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG = PREFIX_AUTHENTICATION_KERBEROS_CONFIG + "http."; /** * The config specifies the kerberos principal for http. - * org.apache.sqoop.authentication.kerberos.http.principal. + * org.apache.sqoop.security.authentication.kerberos.http.principal. */ public static final String AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL = PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "principal"; /** * The config specifies the kerberos keytab for http. - * org.apache.sqoop.authentication.kerberos.http.principal. + * org.apache.sqoop.security.authentication.kerberos.http.principal. */ public static final String AUTHENTICATION_KERBEROS_HTTP_KEYTAB = PREFIX_AUTHENTICATION_KERBEROS_HTTP_CONFIG + "keytab"; @@ -103,7 +108,7 @@ public final class AuthenticationConstants { public static enum TYPE {SIMPLE, KERBEROS} - private AuthenticationConstants() { + private SecurityConstants() { // Instantiation of this class is prohibited } } diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java b/core/src/main/java/org/apache/sqoop/security/SecurityError.java similarity index 95% rename from core/src/main/java/org/apache/sqoop/security/AuthenticationError.java rename to core/src/main/java/org/apache/sqoop/security/SecurityError.java index abb5c90d..e4ba2212 100644 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationError.java +++ b/core/src/main/java/org/apache/sqoop/security/SecurityError.java @@ -19,7 +19,7 @@ import org.apache.sqoop.common.ErrorCode; -public enum AuthenticationError implements ErrorCode { +public enum SecurityError implements ErrorCode { /** An unknown error has occurred. */ AUTH_0000("An unknown error has occurred"), @@ -44,7 +44,7 @@ public enum AuthenticationError implements ErrorCode { private final String message; - private AuthenticationError(String message) { + private SecurityError(String message) { this.message = message; } diff --git a/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java b/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java similarity index 90% rename from core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java rename to core/src/main/java/org/apache/sqoop/security/SecurityFactory.java index b62fe184..3e6df672 100644 --- a/core/src/main/java/org/apache/sqoop/security/AuthenticationHandlerFactory.java +++ b/core/src/main/java/org/apache/sqoop/security/SecurityFactory.java @@ -23,14 +23,14 @@ /** * Create authentication manager. */ -public class AuthenticationHandlerFactory { +public class SecurityFactory { public static AuthenticationHandler getAuthenticationHandler(String handler) throws ClassNotFoundException, IllegalAccessException, InstantiationException { Class handlerClass = ClassUtils.loadClass(handler); if (handlerClass == null) { - throw new SqoopException(AuthenticationError.AUTH_0004, + throw new SqoopException(SecurityError.AUTH_0004, "Authentication Handler Class: " + handler); } @@ -38,7 +38,7 @@ public static AuthenticationHandler getAuthenticationHandler(String handler) thr try { newHandler = (AuthenticationHandler) handlerClass.newInstance(); } catch (Exception ex) { - throw new SqoopException(AuthenticationError.AUTH_0004, + throw new SqoopException(SecurityError.AUTH_0004, "Authentication Handler Class: " + handler, ex); } return newHandler; diff --git a/dist/src/main/server/conf/sqoop.properties b/dist/src/main/server/conf/sqoop.properties index 2ae1aba6..e22e8b06 100755 --- a/dist/src/main/server/conf/sqoop.properties +++ b/dist/src/main/server/conf/sqoop.properties @@ -144,16 +144,16 @@ org.apache.sqoop.execution.engine=org.apache.sqoop.execution.mapreduce.Mapreduce # # Authentication configuration # -#org.apache.sqoop.authentication.type=SIMPLE -#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler -#org.apache.sqoop.authentication.anonymous=true -#org.apache.sqoop.authentication.type=KERBEROS -#org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler -#org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL -#org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab -#org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL -#org.apache.sqoop.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab -#org.apache.sqoop.authentication.enable.doAs=true -#org.apache.sqoop.authentication.proxyuser.#USER#.users=* -#org.apache.sqoop.authentication.proxyuser.#USER#.groups=* -#org.apache.sqoop.authentication.proxyuser.#USER#.hosts=* \ No newline at end of file +#org.apache.sqoop.security.authentication.type=SIMPLE +#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler +#org.apache.sqoop.security.authentication.anonymous=true +#org.apache.sqoop.security.authentication.type=KERBEROS +#org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler +#org.apache.sqoop.security.authentication.kerberos.principal=sqoop/_HOST@NOVALOCAL +#org.apache.sqoop.security.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab +#org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/_HOST@NOVALOCAL +#org.apache.sqoop.security.authentication.kerberos.http.keytab=/home/kerberos/sqoop.keytab +#org.apache.sqoop.security.authentication.enable.doAs=true +#org.apache.sqoop.security.authentication.proxyuser.#USER#.users=* +#org.apache.sqoop.security.authentication.proxyuser.#USER#.groups=* +#org.apache.sqoop.security.authentication.proxyuser.#USER#.hosts=* \ No newline at end of file diff --git a/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst b/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst index 8f9520e1..c38e276e 100644 --- a/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst +++ b/docs/src/site/sphinx/SecurityGuideOnSqoop2.rst @@ -30,7 +30,7 @@ Modify Sqoop configuration file, normally in /server/config/sqoop. :: org.apache.sqoop.authentication.type=SIMPLE - org.apache.sqoop.authentication.handler=org.apache.sqoop.security.SimpleAuthenticationHandler + org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.SimpleAuthenticationHandler org.apache.sqoop.anonymous=true - Simple authentication is used by default. Commenting out authentication configuration will yield the use of simple authentication. @@ -88,7 +88,7 @@ Modify Sqoop configuration file, normally in /server/config/sqoop. :: org.apache.sqoop.authentication.type=KERBEROS - org.apache.sqoop.authentication.handler=org.apache.sqoop.security.KerberosAuthenticationHandler + org.apache.sqoop.authentication.handler=org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler org.apache.sqoop.authentication.kerberos.principal=sqoop/_HOST@ org.apache.sqoop.authentication.kerberos.keytab=/home/kerberos/sqoop.keytab org.apache.sqoop.authentication.kerberos.http.principal=HTTP/_HOST@ @@ -132,7 +132,7 @@ If the Sqoop server has started successfully with Kerberos authentication, the f :: - 2014-12-04 15:02:58,038 INFO security.KerberosAuthenticationHandler [org.apache.sqoop.security.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/_HOST@HADOOP.COM] keytab [/home/kerberos/sqoop.keytab] + 2014-12-04 15:02:58,038 INFO security.KerberosAuthenticationHandler [org.apache.sqoop.security.Authentication.KerberosAuthenticationHandler.secureLogin(KerberosAuthenticationHandler.java:84)] Using Kerberos authentication, principal [sqoop/_HOST@HADOOP.COM] keytab [/home/kerberos/sqoop.keytab] If the Sqoop client was able to communicate with the Sqoop server, the following will be in /server/log/catalina.out: diff --git a/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java similarity index 77% rename from security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java rename to security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java index 57531b8a..db89a2d5 100644 --- a/security/src/main/java/org/apache/sqoop/security/KerberosAuthenticationHandler.java +++ b/security/src/main/java/org/apache/sqoop/security/Authentication/KerberosAuthenticationHandler.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.sqoop.security; +package org.apache.sqoop.security.Authentication; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.SecurityUtil; @@ -24,6 +24,9 @@ import org.apache.sqoop.common.MapContext; import org.apache.sqoop.common.SqoopException; import org.apache.sqoop.core.SqoopConfiguration; +import org.apache.sqoop.security.AuthenticationHandler; +import org.apache.sqoop.security.SecurityConstants; +import org.apache.sqoop.security.SecurityError; import java.io.IOException; @@ -56,30 +59,30 @@ public void doInitialize() { public void secureLogin() { MapContext mapContext = SqoopConfiguration.getInstance().getContext(); String keytab = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim(); if (keytab.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0001, - AuthenticationConstants.AUTHENTICATION_KERBEROS_KEYTAB); + throw new SqoopException(SecurityError.AUTH_0001, + SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB); } keytabFile = keytab; String principal = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim(); if (principal.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0002, - AuthenticationConstants.AUTHENTICATION_KERBEROS_PRINCIPAL); + throw new SqoopException(SecurityError.AUTH_0002, + SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL); } keytabPrincipal = principal; Configuration conf = new Configuration(); conf.set(get_hadoop_security_authentication(), - AuthenticationConstants.TYPE.KERBEROS.name()); + SecurityConstants.TYPE.KERBEROS.name()); UserGroupInformation.setConfiguration(conf); try { String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0"); UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab); } catch (IOException ex) { - throw new SqoopException(AuthenticationError.AUTH_0003, ex); + throw new SqoopException(SecurityError.AUTH_0003, ex); } LOG.info("Using Kerberos authentication, principal [" + principal + "] keytab [" + keytab + "]"); diff --git a/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java b/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java similarity index 87% rename from security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java rename to security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java index c93ff89e..94f0feb9 100644 --- a/security/src/main/java/org/apache/sqoop/security/SimpleAuthenticationHandler.java +++ b/security/src/main/java/org/apache/sqoop/security/Authentication/SimpleAuthenticationHandler.java @@ -15,11 +15,13 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.sqoop.security; +package org.apache.sqoop.security.Authentication; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.log4j.Logger; +import org.apache.sqoop.security.AuthenticationHandler; +import org.apache.sqoop.security.SecurityConstants; public class SimpleAuthenticationHandler extends AuthenticationHandler { @@ -33,7 +35,7 @@ public void secureLogin() { //no secureLogin, just set configurations Configuration conf = new Configuration(); conf.set(get_hadoop_security_authentication(), - AuthenticationConstants.TYPE.SIMPLE.name()); + SecurityConstants.TYPE.SIMPLE.name()); UserGroupInformation.setConfiguration(conf); LOG.info("Using simple/pseudo authentication, principal [" + System.getProperty("user.name") + "]"); diff --git a/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java b/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java index 2b6ef348..ddca9d4e 100644 --- a/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java +++ b/server/src/main/java/org/apache/sqoop/filter/SqoopAuthenticationFilter.java @@ -19,7 +19,6 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.SecurityUtil; -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter; @@ -29,8 +28,8 @@ import org.apache.sqoop.common.MapContext; import org.apache.sqoop.common.SqoopException; import org.apache.sqoop.core.SqoopConfiguration; -import org.apache.sqoop.security.AuthenticationConstants; -import org.apache.sqoop.security.AuthenticationError; +import org.apache.sqoop.security.SecurityConstants; +import org.apache.sqoop.security.SecurityError; import javax.servlet.FilterConfig; import javax.servlet.ServletException; @@ -46,46 +45,46 @@ protected Properties getConfiguration(String configPrefix, Properties properties = new Properties(); MapContext mapContext = SqoopConfiguration.getInstance().getContext(); String type = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_TYPE, - AuthenticationConstants.TYPE.SIMPLE.name()).trim(); + SecurityConstants.AUTHENTICATION_TYPE, + SecurityConstants.TYPE.SIMPLE.name()).trim(); - if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.KERBEROS.name())) { + if (type.equalsIgnoreCase(SecurityConstants.TYPE.KERBEROS.name())) { properties.setProperty(AUTH_TYPE, KerberosDelegationTokenAuthenticationHandler.class.getName()); String keytab = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB).trim(); if (keytab.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0005, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB); + throw new SqoopException(SecurityError.AUTH_0005, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_KEYTAB); } String principal = mapContext.getString( - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim(); + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL).trim(); if (principal.length() == 0) { - throw new SqoopException(AuthenticationError.AUTH_0006, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); + throw new SqoopException(SecurityError.AUTH_0006, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); } String hostPrincipal = ""; try { hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0"); } catch (IOException e) { - throw new SqoopException(AuthenticationError.AUTH_0006, - AuthenticationConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); + throw new SqoopException(SecurityError.AUTH_0006, + SecurityConstants.AUTHENTICATION_KERBEROS_HTTP_PRINCIPAL); } properties.setProperty(KerberosAuthenticationHandler.PRINCIPAL, hostPrincipal); properties.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab); - } else if (type.equalsIgnoreCase(AuthenticationConstants.TYPE.SIMPLE.name())) { + } else if (type.equalsIgnoreCase(SecurityConstants.TYPE.SIMPLE.name())) { properties.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); properties.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, - mapContext.getString(AuthenticationConstants.AUTHENTICATION_ANONYMOUS, "true").trim()); + mapContext.getString(SecurityConstants.AUTHENTICATION_ANONYMOUS, "true").trim()); } else { - throw new SqoopException(AuthenticationError.AUTH_0004, type); + throw new SqoopException(SecurityError.AUTH_0004, type); } properties.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, - AuthenticationConstants.TOKEN_KIND); + SecurityConstants.TOKEN_KIND); return properties; }