Example 1 with NegTokenInit
use of org.alfresco.jlan.server.auth.spnego.NegTokenInit in project alfresco-remote-api by Alfresco.
the class BaseKerberosAuthenticationFilter method init.
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#init()
*/
@Override
protected void init() throws ServletException {
super.init();
if (m_krbRealm == null) {
throw new ServletException("Kerberos realm not specified");
}
if (m_password == null) {
throw new ServletException("HTTP service account password not specified");
}
if (m_loginEntryName == null) {
throw new ServletException("Invalid login entry specified");
}
// Get the local host name
String localName = null;
try {
localName = InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException ex) {
throw new ServletException("Failed to get local host name");
}
try {
// Login the HTTP server service
m_loginContext = new LoginContext(m_loginEntryName, this);
m_loginContext.login();
if (getLogger().isDebugEnabled())
getLogger().debug("HTTP Kerberos login successful");
} catch (LoginException ex) {
if (getLogger().isErrorEnabled())
getLogger().error("HTTP Kerberos web filter error", ex);
throw new ServletException("Failed to login HTTP server service");
}
// Get the HTTP service account name from the subject
Subject subj = m_loginContext.getSubject();
Principal princ = subj.getPrincipals().iterator().next();
m_accountName = princ.getName();
if (getLogger().isDebugEnabled())
getLogger().debug("Logged on using principal " + m_accountName);
// Create the Oid list for the SPNEGO NegTokenInit, include NTLMSSP for fallback
Vector<Oid> mechTypes = new Vector<Oid>();
mechTypes.add(OID.KERBEROS5);
mechTypes.add(OID.MSKERBEROS5);
try {
// Build the mechListMIC principle
//
// Note: This field is not as specified
String mecListMIC = null;
StringBuilder mic = new StringBuilder();
mic.append(localName);
mic.append("$@");
mic.append(m_krbRealm);
mecListMIC = mic.toString();
// Build the SPNEGO NegTokenInit that contains the authentication types that the HTTP server accepts
NegTokenInit negTokenInit = new NegTokenInit(mechTypes, mecListMIC);
// Encode the NegTokenInit blob
negTokenInit.encode();
} catch (IOException ex) {
if (getLogger().isErrorEnabled())
getLogger().error("Error creating SPNEGO NegTokenInit blob", ex);
throw new ServletException("Failed to create SPNEGO NegTokenInit blob");
}
}
Also used :
UnknownHostException(java.net.UnknownHostException)
Oid(org.ietf.jgss.Oid)
IOException(java.io.IOException)
Subject(javax.security.auth.Subject)
ServletException(javax.servlet.ServletException)
LoginContext(javax.security.auth.login.LoginContext)
LoginException(javax.security.auth.login.LoginException)
NegTokenInit(org.alfresco.jlan.server.auth.spnego.NegTokenInit)
Vector(java.util.Vector)
Principal(java.security.Principal)
Example 2 with NegTokenInit
use of org.alfresco.jlan.server.auth.spnego.NegTokenInit in project alfresco-remote-api by Alfresco.
the class BaseKerberosAuthenticationFilter method authenticateRequest.
public boolean authenticateRequest(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
// Check if there is an authorization header with an SPNEGO security blob
String authHdr = req.getHeader("Authorization");
boolean reqAuth = false;
if (authHdr != null) {
if (authHdr.startsWith("Negotiate"))
reqAuth = true;
else if (authHdr.startsWith("NTLM")) {
if (getLogger().isDebugEnabled())
getLogger().debug("Received NTLM logon from client");
// Restart the authentication
restartLoginChallenge(context, req, resp);
return false;
} else if (isFallbackEnabled()) {
return performFallbackAuthentication(context, req, resp);
}
}
// Check if the user is already authenticated
SessionUser user = getSessionUser(context, req, resp, true);
HttpSession httpSess = req.getSession(true);
if (user == null) {
user = (SessionUser) httpSess.getAttribute("_alfAuthTicket");
// MNT-13191 Opening /alfresco/webdav from a Kerberos-authenticated IE11 browser causes HTTP error 500
if (user != null) {
String userName = user.getUserName();
AuthenticationUtil.setFullyAuthenticatedUser(userName);
}
}
// the next filter
if (user != null && reqAuth == false) {
// Filter validate hook
onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
if (getLogger().isDebugEnabled())
getLogger().debug("Authentication not required (user), chaining ...");
return true;
}
// Check if the login page is being accessed, do not intercept the login page
if (checkLoginPage(req, resp)) {
if (getLogger().isDebugEnabled())
getLogger().debug("Login page requested, chaining ...");
return true;
}
if (authHdr == null) {
if (allowsTicketLogons()) {
if (checkForTicketParameter(context, req, resp)) {
// Filter validate hook
if (getLogger().isDebugEnabled())
getLogger().debug("Authenticated with a ticket parameter.");
if (user == null) {
user = (SessionUser) httpSess.getAttribute(getUserAttributeName());
}
onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
return true;
}
}
if (getLogger().isDebugEnabled())
getLogger().debug("New Kerberos auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":" + req.getRemotePort() + ")");
// Send back a request for SPNEGO authentication
logonStartAgain(context, req, resp, true);
return false;
} else {
// Decode the received SPNEGO blob and validate
final byte[] spnegoByts = Base64.decodeBase64(authHdr.substring(10).getBytes());
if (isNTLMSSPBlob(spnegoByts, 0)) {
if (getLogger().isDebugEnabled())
getLogger().debug("Client sent an NTLMSSP security blob");
// Restart the authentication
restartLoginChallenge(context, req, resp);
return false;
}
// Check the received SPNEGO token type
int tokType = -1;
try {
tokType = SPNEGO.checkTokenType(spnegoByts, 0, spnegoByts.length);
} catch (IOException ex) {
}
if (tokType == SPNEGO.NegTokenInit) {
// Parse the SPNEGO security blob to get the Kerberos ticket
NegTokenInit negToken = new NegTokenInit();
try {
// Decode the security blob
negToken.decode(spnegoByts, 0, spnegoByts.length);
// Determine the authentication mechanism the client is using and logon
String oidStr = null;
if (negToken.numberOfOids() > 0)
oidStr = negToken.getOidAt(0).toString();
if (oidStr != null && (oidStr.equals(OID.ID_MSKERBEROS5) || oidStr.equals(OID.ID_KERBEROS5))) {
try {
NegTokenTarg negTokenTarg = doKerberosLogon(negToken, req, resp, httpSess);
if (negTokenTarg != null) {
// Allow the user to access the requested page
onValidate(context, req, resp, new KerberosCredentials(negToken, negTokenTarg));
if (getLogger().isDebugEnabled())
getLogger().debug("Authenticated through Kerberos.");
return true;
} else {
// Send back a request for SPNEGO authentication
if (getLogger().isDebugEnabled())
getLogger().debug("Failed SPNEGO authentication.");
restartLoginChallenge(context, req, resp);
return false;
}
} catch (AuthenticationException ex) {
// max user limit
if (getLogger().isDebugEnabled())
getLogger().debug("Validate failed.", ex);
onValidateFailed(context, req, resp, httpSess, new TicketCredentials(user.getTicket()));
return false;
}
} else {
if (getLogger().isDebugEnabled())
getLogger().debug("Unsupported SPNEGO mechanism " + oidStr);
// Try again!
restartLoginChallenge(context, req, resp);
}
} catch (IOException ex) {
if (getLogger().isDebugEnabled())
getLogger().debug(ex);
}
} else {
if (getLogger().isDebugEnabled())
getLogger().debug("Unknown SPNEGO token type");
// Send back a request for SPNEGO authentication
restartLoginChallenge(context, req, resp);
}
}
return false;
}
Also used :
TicketCredentials(org.alfresco.repo.web.auth.TicketCredentials)
SessionUser(org.alfresco.repo.SessionUser)
NegTokenTarg(org.alfresco.jlan.server.auth.spnego.NegTokenTarg)
AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException)
HttpSession(javax.servlet.http.HttpSession)
KerberosCredentials(org.alfresco.repo.web.auth.KerberosCredentials)
NegTokenInit(org.alfresco.jlan.server.auth.spnego.NegTokenInit)
IOException(java.io.IOException)
Aggregations
IOException (java.io.IOException)2
NegTokenInit (org.alfresco.jlan.server.auth.spnego.NegTokenInit)2
UnknownHostException (java.net.UnknownHostException)1
Principal (java.security.Principal)1
Vector (java.util.Vector)1
Subject (javax.security.auth.Subject)1
LoginContext (javax.security.auth.login.LoginContext)1
LoginException (javax.security.auth.login.LoginException)1
ServletException (javax.servlet.ServletException)1
HttpSession (javax.servlet.http.HttpSession)1
NegTokenTarg (org.alfresco.jlan.server.auth.spnego.NegTokenTarg)1
SessionUser (org.alfresco.repo.SessionUser)1
AuthenticationException (org.alfresco.repo.security.authentication.AuthenticationException)1
KerberosCredentials (org.alfresco.repo.web.auth.KerberosCredentials)1
TicketCredentials (org.alfresco.repo.web.auth.TicketCredentials)1
Oid (org.ietf.jgss.Oid)1
