Class ForceProduceAuthenticationFeature

java.lang.Object
io.confluent.kafkarest.extensions.ForceProduceAuthenticationFeature
All Implemented Interfaces:
jakarta.ws.rs.container.DynamicFeature
public final class ForceProduceAuthenticationFeature extends Object implements jakarta.ws.rs.container.DynamicFeature
A feature that prevents unauthenticated users from starving Kafka REST of request handling threads via produce calls.

If user opens a stream but never writes to it, they could force us to hold the request handling thread indefinitely, since we do not authenticate until the first message is produced. In such cases, we want to at least make sure the user is who they say they are, to avoid bad actors from exploiting this failure mode.

To achieve that, this feature forces Producer to authenticate with Kafka before we start reading from the stream. If authentication fails, we can close the request immediately and release the request handling thread.

In addition, this feature currently acts as a guardrail for OAuth token validity in case OAuth authentication is being used for produce calls in Confluent Cloud. This is so because on the Kafka REST side we can easily validate only API keys. Even though OAuth authentication is not documented as supported for Kafka REST in Confluent Cloud, in practice it can be used for produce calls, and for these cases the authentication here ensures that the provided token is indeed allowed to access the specified cluster. If we remove this feature, we should make sure to provide an equivalent guardrail - e.g. in the form of in-process authentication (as opposed to the Admin API call used here).

  • Method Details

    • configure

      public void configure(jakarta.ws.rs.container.ResourceInfo resourceInfo, jakarta.ws.rs.core.FeatureContext featureContext)
      Specified by:
      configure in interface jakarta.ws.rs.container.DynamicFeature