Search in sources :

Example 1 with Type3NTLMMessage

use of org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage in project alfresco-remote-api by Alfresco.

the class BaseNTLMAuthenticationFilter method authenticateRequest.

public boolean authenticateRequest(ServletContext context, HttpServletRequest sreq, HttpServletResponse sresp) throws IOException, ServletException {
    // Check if there is an authorization header with an NTLM security blob
    String authHdr = sreq.getHeader(AUTHORIZATION);
    boolean reqAuth = false;
    if (authHdr != null) {
        if (authHdr.startsWith(AUTH_NTLM))
            reqAuth = true;
        else if (authHdr.startsWith("Negotiate")) {
            if (getLogger().isDebugEnabled())
                getLogger().debug("Received 'Negotiate' from client, may be SPNEGO/Kerberos logon");
            // Restart the authentication
            restartLoginChallenge(context, sreq, sresp);
            return false;
        } else if (isFallbackEnabled()) {
            return performFallbackAuthentication(context, sreq, sresp);
        }
    }
    // Check if the user is already authenticated
    SessionUser user = getSessionUser(context, sreq, sresp, true);
    // the next filter
    if (user != null && reqAuth == false) {
        // Filter validate hook
        onValidate(context, sreq, sresp, new TicketCredentials(user.getTicket()));
        if (getLogger().isDebugEnabled())
            getLogger().debug("Authentication not required (user), chaining ...");
        // Chain to the next filter
        return true;
    }
    // Check if the login page is being accessed, do not intercept the login page
    if (hasLoginPage() && sreq.getRequestURI().endsWith(getLoginPage()) == true) {
        if (getLogger().isDebugEnabled())
            getLogger().debug("Login page requested, chaining ...");
        // Chain to the next filter
        return true;
    }
    // Check if the browser is Opera, if so then display the login page as Opera does not
    // support NTLM and displays an error page if a request to use NTLM is sent to it
    String userAgent = sreq.getHeader("user-agent");
    if (userAgent != null && userAgent.indexOf("Opera ") != -1) {
        if (getLogger().isDebugEnabled())
            getLogger().debug("Opera detected, redirecting to login page");
        if (hasLoginPage())
            redirectToLoginPage(sreq, sresp);
        else
            restartLoginChallenge(context, sreq, sresp);
        return false;
    }
    // Check the authorization header
    if (authHdr == null) {
        if (allowsTicketLogons()) {
            if (checkForTicketParameter(context, sreq, sresp)) {
                // Authentication was bypassed using a ticket parameter
                return true;
            }
        }
        if (getLogger().isDebugEnabled())
            getLogger().debug("New NTLM auth request from " + sreq.getRemoteHost() + " (" + sreq.getRemoteAddr() + ":" + sreq.getRemotePort() + ") SID:" + sreq.getSession().getId());
        // Send back a request for NTLM authentication
        restartLoginChallenge(context, sreq, sresp);
        return false;
    } else {
        HttpSession session = sreq.getSession();
        Object sessionMutex = WebUtils.getSessionMutex(session);
        // Decode the received NTLM blob and validate
        final byte[] ntlmByts = Base64.decodeBase64(authHdr.substring(5).getBytes());
        int ntlmTyp = NTLMMessage.isNTLMType(ntlmByts);
        if (ntlmTyp == NTLM.Type1) {
            // Process the type 1 NTLM message
            Type1NTLMMessage type1Msg = new Type1NTLMMessage(ntlmByts);
            synchronized (sessionMutex) {
                processType1(type1Msg, sreq, sresp);
            }
            return false;
        } else if (ntlmTyp == NTLM.Type3) {
            // Process the type 3 NTLM message
            Type3NTLMMessage type3Msg = new Type3NTLMMessage(ntlmByts);
            synchronized (sessionMutex) {
                return processType3(type3Msg, context, sreq, sresp);
            }
        } else {
            if (getLogger().isDebugEnabled())
                getLogger().debug("NTLM blob not handled, redirecting to login page.");
            if (hasLoginPage())
                redirectToLoginPage(sreq, sresp);
            else
                restartLoginChallenge(context, sreq, sresp);
            return false;
        }
    }
}
Also used : TicketCredentials(org.alfresco.repo.web.auth.TicketCredentials) Type3NTLMMessage(org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage) SessionUser(org.alfresco.repo.SessionUser) HttpSession(javax.servlet.http.HttpSession) Type1NTLMMessage(org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage)

Aggregations

HttpSession (javax.servlet.http.HttpSession)1 Type1NTLMMessage (org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage)1 Type3NTLMMessage (org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage)1 SessionUser (org.alfresco.repo.SessionUser)1 TicketCredentials (org.alfresco.repo.web.auth.TicketCredentials)1