use of org.alfresco.jlan.server.auth.spnego.NegTokenTarg in project alfresco-remote-api by Alfresco.
The class BaseKerberosAuthenticationFilter, method authenticateRequest.
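/**
 * Authenticates the current request via SPNEGO/Kerberos, or lets it through when a
 * session user or ticket parameter already authenticates it.
 *
 * The {@code Authorization} header decides the path: {@code NTLM} restarts the login
 * challenge, other schemes go to fallback authentication when enabled, and
 * {@code Negotiate} carries the SPNEGO blob that is decoded and handed to the
 * Kerberos logon. Without a header, an existing session user, the login page, a
 * ticket parameter and finally a fresh challenge are tried in that order.
 *
 * @param context servlet context passed through to the hooks and challenge helpers
 * @param req current request; its {@code Authorization} header, session and URL are read
 * @param resp current response, used to write challenges and fallback responses
 * @return {@code true} when the request is authenticated and the filter chain should
 *         continue; {@code false} when a challenge/fallback response has been written
 *         and processing must stop
 * @throws IOException if writing a challenge or fallback response fails
 * @throws ServletException on servlet-level failures in the delegated helpers
 */
public boolean authenticateRequest(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
    // Check if there is an authorization header with an SPNEGO security blob
    String authHdr = req.getHeader("Authorization");
    boolean reqAuth = false;
    if (authHdr != null) {
        if (authHdr.startsWith("Negotiate")) {
            reqAuth = true;
        } else if (authHdr.startsWith("NTLM")) {
            if (getLogger().isTraceEnabled()) {
                getLogger().trace("Received NTLM logon from client");
            }
            // Restart the authentication
            restartLoginChallenge(context, req, resp);
            return false;
        } else if (isFallbackEnabled()) {
            return performFallbackAuthentication(context, req, resp);
        }
    }

    // Check if the user is already authenticated
    SessionUser user = getSessionUser(context, req, resp, true);
    HttpSession httpSess = req.getSession(true);
    if (user == null) {
        user = (SessionUser) httpSess.getAttribute("_alfAuthTicket");
        // MNT-13191 Opening /alfresco/webdav from a Kerberos-authenticated IE11 browser causes HTTP error 500
        if (user != null) {
            AuthenticationUtil.setFullyAuthenticatedUser(user.getUserName());
        }
    }

    // An existing user only short-circuits when the client did not send a Negotiate blob
    if (user != null && !reqAuth) {
        // Filter validate hook
        onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
        if (getLogger().isTraceEnabled()) {
            getLogger().trace("Authentication not required (user), chaining ...");
        }
        // Chain to the next filter
        return true;
    }

    // Check if the login page is being accessed, do not intercept the login page
    if (checkLoginPage(req, resp)) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Login page requested, chaining ...");
        }
        return true;
    }

    if (authHdr == null) {
        if (allowsTicketLogons()) {
            if (checkForTicketParameter(context, req, resp)) {
                // Filter validate hook
                if (getLogger().isTraceEnabled()) {
                    getLogger().trace("Authenticated with a ticket parameter.");
                }
                if (user == null) {
                    // NOTE(review): assumes checkForTicketParameter() stored the user under
                    // getUserAttributeName(); if it did not, the next line throws NPE -- confirm
                    user = (SessionUser) httpSess.getAttribute(getUserAttributeName());
                }
                onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
                return true;
            }
        }
        if (getLogger().isTraceEnabled()) {
            getLogger().trace("New Kerberos auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":" + req.getRemotePort() + ")");
        }
        // MNT-21702 fixing Kerberos SSO fallback machanism for WebDAV
        if (req.getRequestURL().toString().contains("webdav")) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("WebDAV request, fallback");
            }
            logonStartAgain(context, req, resp, false);
        } else {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Non-WebDAV request, don't fallback");
            }
            logonStartAgain(context, req, resp, true);
        }
        return false;
    }

    // Decode the received SPNEGO blob and validate. The header is expected as
    // "Negotiate <base64>"; a bare "Negotiate" (or one without a token) used to make
    // substring(10) throw, turning a malformed client header into a server error,
    // so it is treated like any other unusable blob: restart the challenge.
    String encodedBlob = authHdr.length() > 10 ? authHdr.substring(10) : "";
    if (encodedBlob.trim().isEmpty()) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Negotiate header without a security blob, restarting challenge");
        }
        restartLoginChallenge(context, req, resp);
        return false;
    }
    final byte[] spnegoByts = Base64.decodeBase64(encodedBlob.getBytes());

    if (isNTLMSSPBlob(spnegoByts, 0)) {
        if (getLogger().isTraceEnabled()) {
            getLogger().trace("Client sent an NTLMSSP security blob");
        }
        // Restart the authentication
        restartLoginChallenge(context, req, resp);
        return false;
    }

    // Check the received SPNEGO token type; a malformed blob leaves -1 and is handled
    // below as an unknown token type
    int tokType = -1;
    try {
        tokType = SPNEGO.checkTokenType(spnegoByts, 0, spnegoByts.length);
    } catch (IOException ex) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Failed to determine SPNEGO token type", ex);
        }
    }

    if (tokType != SPNEGO.NegTokenInit) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Unknown SPNEGO token type");
        }
        // Send back a request for SPNEGO authentication
        restartLoginChallenge(context, req, resp);
        return false;
    }

    // Parse the SPNEGO security blob to get the Kerberos ticket
    NegTokenInit negToken = new NegTokenInit();
    try {
        // Decode the security blob
        negToken.decode(spnegoByts, 0, spnegoByts.length);

        // Determine the authentication mechanism the client is using and logon
        String oidStr = negToken.numberOfOids() > 0 ? negToken.getOidAt(0).toString() : null;
        boolean kerberosMech = oidStr != null && (oidStr.equals(OID.ID_MSKERBEROS5) || oidStr.equals(OID.ID_KERBEROS5));
        if (!kerberosMech) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Unsupported SPNEGO mechanism " + oidStr);
            }
            // Try again!
            restartLoginChallenge(context, req, resp);
            return false;
        }

        try {
            NegTokenTarg negTokenTarg = doKerberosLogon(negToken, req, resp, httpSess);
            if (negTokenTarg != null) {
                // Allow the user to access the requested page
                onValidate(context, req, resp, new KerberosCredentials(negToken, negTokenTarg));
                if (getLogger().isTraceEnabled()) {
                    getLogger().trace("Authenticated through Kerberos.");
                }
                return true;
            }
            // Send back a request for SPNEGO authentication
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Failed SPNEGO authentication.");
            }
            restartLoginChallenge(context, req, resp);
            return false;
        } catch (AuthenticationException ex) {
            // max user limit
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Validate failed.", ex);
            }
            WebCredentials webCredentials = user == null ? null : new TicketCredentials(user.getTicket());
            onValidateFailed(context, req, resp, httpSess, webCredentials);
            return false;
        }
    } catch (IOException ex) {
        // Log the error; the request is not authenticated
        if (getLogger().isDebugEnabled()) {
            getLogger().debug(ex);
        }
    }
    return false;
}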
use of org.alfresco.jlan.server.auth.spnego.NegTokenTarg in project alfresco-remote-api by Alfresco.
The class BaseKerberosAuthenticationFilter, method doKerberosLogon.
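/**
 * Perform a Kerberos logon for the mechanism token carried in the SPNEGO
 * NegTokenInit and build the SPNEGO response.
 *
 * The session setup runs as a privileged action under the subject of
 * {@code m_loginContext}. On success the user environment is created in the
 * HTTP session and an {@code AcceptCompleted} NegTokenTarg is returned.
 *
 * @param negToken decoded NegTokenInit; its mechanism token is passed to the session setup
 * @param req HttpServletRequest (not referenced in this method)
 * @param resp HttpServletResponse (not referenced in this method)
 * @param httpSess HTTP session in which the user environment is created
 * @return the NegTokenTarg response, or {@code null} when the session setup produced no
 *         result or failed with a non-authentication error (the caller then restarts
 *         the login challenge)
 * @throws AuthenticationException if the authenticated user fails validation; logged
 *         at debug level and rethrown unchanged
 */
private final NegTokenTarg doKerberosLogon(NegTokenInit negToken, HttpServletRequest req, HttpServletResponse resp, HttpSession httpSess) {
    String userName = null;
    NegTokenTarg negTokenTarg = null;
    try {
        // Run the session setup as a privileged action
        SessionSetupPrivilegedAction sessSetupAction = new SessionSetupPrivilegedAction(m_accountName, negToken.getMechtoken());
        Object result = Subject.doAs(m_loginContext.getSubject(), sessSetupAction);
        if (result == null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("No SPNEGO response, Kerberos logon failed");
            }
        } else {
            // Access the Kerberos response
            KerberosDetails krbDetails = (KerberosDetails) result;
            userName = m_stripKerberosUsernameSuffix ? krbDetails.getUserName() : krbDetails.getSourceName();

            // Create the NegTokenTarg response blob (a constructor result is never null,
            // so the former null check on it was dead code)
            negTokenTarg = new NegTokenTarg(SPNEGO.AcceptCompleted, OID.KERBEROS5, krbDetails.getResponseToken());

            // Create and store the user authentication context
            SessionUser user = createUserEnvironment(httpSess, userName);
            if (getLogger().isTraceEnabled()) {
                getLogger().trace("User " + AuthenticationUtil.maskUsername(user.getUserName()) + " logged on via Kerberos");
            }
        }
    } catch (AuthenticationException ex) {
        // Pass on validation failures so the caller can run its onValidateFailed hook
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Failed to validate user " + AuthenticationUtil.maskUsername(userName), ex);
        }
        throw ex;
    } catch (Exception ex) {
        // Any other failure is logged and yields null, which the caller treats as a
        // failed SPNEGO logon
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Kerberos logon error", ex);
        }
    }
    return negTokenTarg;
}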