[fix][broker] Continue using the next provider for http authentication if one fails

[nodece]

Motivation

When using Pulsar admin version 2.10.x with JWT authentication and a broker running 3.0.x (forked from Apache Pulsar) configured with both Kerberos and JWT authentication providers, we encounter the following issue:

ERROR org.apache.pulsar.broker.web.AuthenticationFilter - [172.19.0.17] Error performing authentication for HTTP
2024-12-30 09:52:32 java.lang.IllegalStateException: Header token should exist if no role token.
2024-12-30 09:52:32     at com.google.common.base.Preconditions.checkState(Preconditions.java:512) ~[com.google.guava-guava-32.1.1-jre.jar:?]
2024-12-30 09:52:32     at org.apache.pulsar.broker.authentication.AuthenticationProviderSasl.authenticateHttpRequest(AuthenticationProviderSasl.java:275) ~[com.ascentstream.pulsar-pulsar-broker-auth-sasl-3.0.8.1.jar:3.0.8.1]
2024-12-30 09:52:32     at org.apache.pulsar.broker.authentication.AuthenticationService.authenticateHttpRequest(AuthenticationService.java:133) ~[com.ascentstream.pulsar-pulsar-broker-common-3.0.8.1.jar:3.0.8.1]
2024-12-30 09:52:32     at org.apache.pulsar.broker.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:59) ~[com.ascentstream.pulsar-pulsar-broker-common-3.0.8.1.jar:3.0.8.1]
2024-12-30 09:52:32     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]
2024-12-30 09:52:32     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]
2024-12-30 09:52:32     at org.apache.pulsar.broker.intercept.BrokerInterceptor.onFilter(BrokerInterceptor.java:224) ~[com.ascentstream.pulsar-pulsar-broker-3.0.8.1.jar:3.0.8.1]
2024-12-30 09:52:32     at org.apache.pulsar.broker.web.ProcessHandlerFilter.doFilter(ProcessHandlerFilter.java:46) ~[com.ascentstream.pulsar-pulsar-broker-3.0.8.1.jar:3.0.8.1]
2024-12-30 09:52:32     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]

When a request is without the authentication method name in the HTTP header(#14044 improves that), the broker iterates through each authentication provider to authenticate the request, if authentication data is valid, the broker acts on the request. In this scenario, I ensured that the JWT provider was configured correctly and the token was valid. However, I still encountered an authentication error.

The root cause is that the org.apache.pulsar.broker.authentication.AuthenticationService#authenticateHttpRequest(javax.servlet.http.HttpServletRequest, org.apache.pulsar.broker.authentication.AuthenticationDataSource) and org.apache.pulsar.broker.authentication.AuthenticationService#authenticateHttpRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) only catches the AuthenticationExecption, if one provider throws an exception of a different type, the authentication process will be terminated.

Related to #23797, which fixes the pulsar chain authentication, not HTTP authentication.

Modifications

• Use LinkedHashMap instead of HasMap for provider ordering.
• Catch type Exception, which can catch any exceptions.

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[dao-jun]

lgtm