Example 1 with KerberosCredentials
use of org.alfresco.repo.web.auth.KerberosCredentials in project alfresco-remote-api by Alfresco.
the class BaseKerberosAuthenticationFilter method authenticateRequest.
public boolean authenticateRequest(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
// Check if there is an authorization header with an SPNEGO security blob
String authHdr = req.getHeader("Authorization");
boolean reqAuth = false;
if (authHdr != null) {
if (authHdr.startsWith("Negotiate"))
reqAuth = true;
else if (authHdr.startsWith("NTLM")) {
if (getLogger().isDebugEnabled())
getLogger().debug("Received NTLM logon from client");
// Restart the authentication
restartLoginChallenge(context, req, resp);
return false;
} else if (isFallbackEnabled()) {
return performFallbackAuthentication(context, req, resp);
}
}
// Check if the user is already authenticated
SessionUser user = getSessionUser(context, req, resp, true);
HttpSession httpSess = req.getSession(true);
if (user == null) {
user = (SessionUser) httpSess.getAttribute("_alfAuthTicket");
// MNT-13191 Opening /alfresco/webdav from a Kerberos-authenticated IE11 browser causes HTTP error 500
if (user != null) {
String userName = user.getUserName();
AuthenticationUtil.setFullyAuthenticatedUser(userName);
}
}
// the next filter
if (user != null && reqAuth == false) {
// Filter validate hook
onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
if (getLogger().isDebugEnabled())
getLogger().debug("Authentication not required (user), chaining ...");
return true;
}
// Check if the login page is being accessed, do not intercept the login page
if (checkLoginPage(req, resp)) {
if (getLogger().isDebugEnabled())
getLogger().debug("Login page requested, chaining ...");
return true;
}
if (authHdr == null) {
if (allowsTicketLogons()) {
if (checkForTicketParameter(context, req, resp)) {
// Filter validate hook
if (getLogger().isDebugEnabled())
getLogger().debug("Authenticated with a ticket parameter.");
if (user == null) {
user = (SessionUser) httpSess.getAttribute(getUserAttributeName());
}
onValidate(context, req, resp, new TicketCredentials(user.getTicket()));
return true;
}
}
if (getLogger().isDebugEnabled())
getLogger().debug("New Kerberos auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":" + req.getRemotePort() + ")");
// Send back a request for SPNEGO authentication
logonStartAgain(context, req, resp, true);
return false;
} else {
// Decode the received SPNEGO blob and validate
final byte[] spnegoByts = Base64.decodeBase64(authHdr.substring(10).getBytes());
if (isNTLMSSPBlob(spnegoByts, 0)) {
if (getLogger().isDebugEnabled())
getLogger().debug("Client sent an NTLMSSP security blob");
// Restart the authentication
restartLoginChallenge(context, req, resp);
return false;
}
// Check the received SPNEGO token type
int tokType = -1;
try {
tokType = SPNEGO.checkTokenType(spnegoByts, 0, spnegoByts.length);
} catch (IOException ex) {
}
if (tokType == SPNEGO.NegTokenInit) {
// Parse the SPNEGO security blob to get the Kerberos ticket
NegTokenInit negToken = new NegTokenInit();
try {
// Decode the security blob
negToken.decode(spnegoByts, 0, spnegoByts.length);
// Determine the authentication mechanism the client is using and logon
String oidStr = null;
if (negToken.numberOfOids() > 0)
oidStr = negToken.getOidAt(0).toString();
if (oidStr != null && (oidStr.equals(OID.ID_MSKERBEROS5) || oidStr.equals(OID.ID_KERBEROS5))) {
try {
NegTokenTarg negTokenTarg = doKerberosLogon(negToken, req, resp, httpSess);
if (negTokenTarg != null) {
// Allow the user to access the requested page
onValidate(context, req, resp, new KerberosCredentials(negToken, negTokenTarg));
if (getLogger().isDebugEnabled())
getLogger().debug("Authenticated through Kerberos.");
return true;
} else {
// Send back a request for SPNEGO authentication
if (getLogger().isDebugEnabled())
getLogger().debug("Failed SPNEGO authentication.");
restartLoginChallenge(context, req, resp);
return false;
}
} catch (AuthenticationException ex) {
// max user limit
if (getLogger().isDebugEnabled())
getLogger().debug("Validate failed.", ex);
onValidateFailed(context, req, resp, httpSess, new TicketCredentials(user.getTicket()));
return false;
}
} else {
if (getLogger().isDebugEnabled())
getLogger().debug("Unsupported SPNEGO mechanism " + oidStr);
// Try again!
restartLoginChallenge(context, req, resp);
}
} catch (IOException ex) {
if (getLogger().isDebugEnabled())
getLogger().debug(ex);
}
} else {
if (getLogger().isDebugEnabled())
getLogger().debug("Unknown SPNEGO token type");
// Send back a request for SPNEGO authentication
restartLoginChallenge(context, req, resp);
}
}
return false;
}
Also used :
TicketCredentials(org.alfresco.repo.web.auth.TicketCredentials)
SessionUser(org.alfresco.repo.SessionUser)
NegTokenTarg(org.alfresco.jlan.server.auth.spnego.NegTokenTarg)
AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException)
HttpSession(javax.servlet.http.HttpSession)
KerberosCredentials(org.alfresco.repo.web.auth.KerberosCredentials)
NegTokenInit(org.alfresco.jlan.server.auth.spnego.NegTokenInit)
IOException(java.io.IOException)
Aggregations
IOException (java.io.IOException)1
HttpSession (javax.servlet.http.HttpSession)1
NegTokenInit (org.alfresco.jlan.server.auth.spnego.NegTokenInit)1
NegTokenTarg (org.alfresco.jlan.server.auth.spnego.NegTokenTarg)1
SessionUser (org.alfresco.repo.SessionUser)1
AuthenticationException (org.alfresco.repo.security.authentication.AuthenticationException)1
KerberosCredentials (org.alfresco.repo.web.auth.KerberosCredentials)1
TicketCredentials (org.alfresco.repo.web.auth.TicketCredentials)1
