Search in sources :

Example 1 with NegTokenTarg

use of org.alfresco.jlan.server.auth.spnego.NegTokenTarg in project alfresco-remote-api by Alfresco.

the class BaseKerberosAuthenticationFilter method authenticateRequest.

public boolean authenticateRequest(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
    // Check if there is an authorization header with an SPNEGO security blob
    String authHdr = req.getHeader("Authorization");
    boolean reqAuth = false;
    if (authHdr != null) {
        if (authHdr.startsWith("Negotiate"))
            reqAuth = true;
        else if (authHdr.startsWith("NTLM")) {
            if (getLogger().isTraceEnabled()) {
                getLogger().trace("Received NTLM logon from client");
            }
            // Restart the authentication
            restartLoginChallenge(context, req, resp);
            return false;
        } else if (isFallbackEnabled()) {
            return performFallbackAuthentication(context, req, resp);
        }
    }
    // Check if the user is already authenticated
    SessionUser user = getSessionUser(context, req, resp, true);
    HttpSession httpSess = req.getSession(true);
    if (user == null) {
        user = (SessionUser) httpSess.getAttribute("_alfAuthTicket");
        // MNT-13191 Opening /alfresco/webdav from a Kerberos-authenticated IE11 browser causes HTTP error 500
        if (user != null) {
            String userName = user.getUserName();
            AuthenticationUtil.setFullyAuthenticatedUser(userName);
        }
    }
    // the next filter
    if (user != null && reqAuth == false) {
        // Filter validate hook
        onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
        if (getLogger().isTraceEnabled()) {
            getLogger().trace("Authentication not required (user), chaining ...");
        }
        // Chain to the next filter
        return true;
    }
    // Check if the login page is being accessed, do not intercept the login page
    if (checkLoginPage(req, resp)) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Login page requested, chaining ...");
        }
        return true;
    }
    if (authHdr == null) {
        if (allowsTicketLogons()) {
            if (checkForTicketParameter(context, req, resp)) {
                // Filter validate hook
                if (getLogger().isTraceEnabled()) {
                    getLogger().trace("Authenticated with a ticket parameter.");
                }
                if (user == null) {
                    user = (SessionUser) httpSess.getAttribute(getUserAttributeName());
                }
                onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
                return true;
            }
        }
        if (getLogger().isTraceEnabled()) {
            getLogger().trace("New Kerberos auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":" + req.getRemotePort() + ")");
        }
        // MNT-21702 fixing Kerberos SSO fallback machanism for WebDAV
        if (req.getRequestURL().toString().contains("webdav")) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("WebDAV request, fallback");
            }
            logonStartAgain(context, req, resp, false);
        } else {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Non-WebDAV request, don't fallback");
            }
            logonStartAgain(context, req, resp, true);
        }
        return false;
    } else {
        // Decode the received SPNEGO blob and validate
        final byte[] spnegoByts = Base64.decodeBase64(authHdr.substring(10).getBytes());
        if (isNTLMSSPBlob(spnegoByts, 0)) {
            if (getLogger().isTraceEnabled()) {
                getLogger().trace("Client sent an NTLMSSP security blob");
            }
            // Restart the authentication
            restartLoginChallenge(context, req, resp);
            return false;
        }
        // Check the received SPNEGO token type
        int tokType = -1;
        try {
            tokType = SPNEGO.checkTokenType(spnegoByts, 0, spnegoByts.length);
        } catch (IOException ex) {
        }
        if (tokType == SPNEGO.NegTokenInit) {
            // Parse the SPNEGO security blob to get the Kerberos ticket
            NegTokenInit negToken = new NegTokenInit();
            try {
                // Decode the security blob
                negToken.decode(spnegoByts, 0, spnegoByts.length);
                // Determine the authentication mechanism the client is using and logon
                String oidStr = null;
                if (negToken.numberOfOids() > 0)
                    oidStr = negToken.getOidAt(0).toString();
                if (oidStr != null && (oidStr.equals(OID.ID_MSKERBEROS5) || oidStr.equals(OID.ID_KERBEROS5))) {
                    try {
                        NegTokenTarg negTokenTarg = doKerberosLogon(negToken, req, resp, httpSess);
                        if (negTokenTarg != null) {
                            // Allow the user to access the requested page
                            onValidate(context, req, resp, new KerberosCredentials(negToken, negTokenTarg));
                            if (getLogger().isTraceEnabled()) {
                                getLogger().trace("Authenticated through Kerberos.");
                            }
                            return true;
                        } else {
                            // Send back a request for SPNEGO authentication
                            if (getLogger().isDebugEnabled()) {
                                getLogger().debug("Failed SPNEGO authentication.");
                            }
                            restartLoginChallenge(context, req, resp);
                            return false;
                        }
                    } catch (AuthenticationException ex) {
                        // max user limit
                        if (getLogger().isDebugEnabled()) {
                            getLogger().debug("Validate failed.", ex);
                        }
                        WebCredentials webCredentials = user == null ? null : new TicketCredentials(user.getTicket());
                        onValidateFailed(context, req, resp, httpSess, webCredentials);
                        return false;
                    }
                } else {
                    if (getLogger().isDebugEnabled()) {
                        getLogger().debug("Unsupported SPNEGO mechanism " + oidStr);
                    }
                    // Try again!
                    restartLoginChallenge(context, req, resp);
                }
            } catch (IOException ex) {
                // Log the error
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug(ex);
                }
            }
        } else {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Unknown SPNEGO token type");
            }
            // Send back a request for SPNEGO authentication
            restartLoginChallenge(context, req, resp);
        }
    }
    return false;
}
Also used : TicketCredentials(org.alfresco.repo.web.auth.TicketCredentials) NegTokenTarg(org.alfresco.jlan.server.auth.spnego.NegTokenTarg) AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException) HttpSession(javax.servlet.http.HttpSession) KerberosCredentials(org.alfresco.repo.web.auth.KerberosCredentials) IOException(java.io.IOException) SessionUser(org.alfresco.repo.SessionUser) NegTokenInit(org.alfresco.jlan.server.auth.spnego.NegTokenInit) WebCredentials(org.alfresco.repo.web.auth.WebCredentials)

Example 2 with NegTokenTarg

use of org.alfresco.jlan.server.auth.spnego.NegTokenTarg in project alfresco-remote-api by Alfresco.

the class BaseKerberosAuthenticationFilter method doKerberosLogon.

/**
 * Perform a Kerberos login and return an SPNEGO response
 *
 * @param negToken NegTokenInit
 * @param req HttpServletRequest
 * @param resp HttpServletResponse
 * @param httpSess HttpSession
 * @return NegTokenTarg
 */
private final NegTokenTarg doKerberosLogon(NegTokenInit negToken, HttpServletRequest req, HttpServletResponse resp, HttpSession httpSess) {
    // Authenticate the user
    KerberosDetails krbDetails = null;
    String userName = null;
    NegTokenTarg negTokenTarg = null;
    try {
        // Run the session setup as a privileged action
        SessionSetupPrivilegedAction sessSetupAction = new SessionSetupPrivilegedAction(m_accountName, negToken.getMechtoken());
        Object result = Subject.doAs(m_loginContext.getSubject(), sessSetupAction);
        if (result != null) {
            // Access the Kerberos response
            krbDetails = (KerberosDetails) result;
            userName = m_stripKerberosUsernameSuffix ? krbDetails.getUserName() : krbDetails.getSourceName();
            // Create the NegTokenTarg response blob
            negTokenTarg = new NegTokenTarg(SPNEGO.AcceptCompleted, OID.KERBEROS5, krbDetails.getResponseToken());
            if (negTokenTarg != null) {
                // Create and store the user authentication context
                SessionUser user = createUserEnvironment(httpSess, userName);
                if (getLogger().isTraceEnabled()) {
                    getLogger().trace("User " + AuthenticationUtil.maskUsername(user.getUserName()) + " logged on via Kerberos");
                }
            }
        } else {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("No SPNEGO response, Kerberos logon failed");
            }
        }
    } catch (AuthenticationException ex) {
        // Pass on validation failures
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Failed to validate user " + AuthenticationUtil.maskUsername(userName), ex);
        }
        throw ex;
    } catch (Exception ex) {
        // Log the error
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Kerberos logon error", ex);
        }
    }
    return negTokenTarg;
}
Also used : KerberosDetails(org.alfresco.jlan.server.auth.kerberos.KerberosDetails) SessionUser(org.alfresco.repo.SessionUser) NegTokenTarg(org.alfresco.jlan.server.auth.spnego.NegTokenTarg) AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException) SessionSetupPrivilegedAction(org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction) LoginException(javax.security.auth.login.LoginException) ServletException(javax.servlet.ServletException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException) IOException(java.io.IOException) UnknownHostException(java.net.UnknownHostException)

Aggregations

IOException (java.io.IOException)2 NegTokenTarg (org.alfresco.jlan.server.auth.spnego.NegTokenTarg)2 SessionUser (org.alfresco.repo.SessionUser)2 AuthenticationException (org.alfresco.repo.security.authentication.AuthenticationException)2 UnknownHostException (java.net.UnknownHostException)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 LoginException (javax.security.auth.login.LoginException)1 ServletException (javax.servlet.ServletException)1 HttpSession (javax.servlet.http.HttpSession)1 KerberosDetails (org.alfresco.jlan.server.auth.kerberos.KerberosDetails)1 SessionSetupPrivilegedAction (org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction)1 NegTokenInit (org.alfresco.jlan.server.auth.spnego.NegTokenInit)1 KerberosCredentials (org.alfresco.repo.web.auth.KerberosCredentials)1 TicketCredentials (org.alfresco.repo.web.auth.TicketCredentials)1 WebCredentials (org.alfresco.repo.web.auth.WebCredentials)1