
Example 1 with SpnegoCredential

use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.

The class SpnegoCredentialsAction, method setResponseHeader.

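/**
 * Sets the response header based on the retrieved token.
 * <p>
 * When the {@link SpnegoCredential} carries a next token (the server-side output of
 * the SPNEGO/NTLM exchange), it is base64-encoded and written to the header named
 * by {@link SpnegoConstants#HEADER_AUTHENTICATE}, prefixed with the NTLM or the
 * Negotiate scheme depending on {@code ntlm}. If no principal has been established
 * and {@code send401OnAuthenticationFailure} is set, the response status is set to
 * 401 so the client can continue or abandon the handshake.
 * <p>
 * The token itself is never written to the log; it is opaque binary authentication
 * material and, decoded with the platform charset, would be unreadable anyway.
 *
 * @param context the webflow request context holding the credential and the HTTP response
 */
private void setResponseHeader(final RequestContext context) {
    val credential = WebUtils.getCredential(context);
    val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
    // The credential is expected to be the one built by constructCredentialsFromRequest;
    // anything else is a programming error, so the cast is left unguarded.
    val spnegoCredentials = (SpnegoCredential) credential;
    val nextToken = spnegoCredentials.getNextToken();
    if (nextToken != null) {
        LOGGER.debug("Obtained output token of [{}] bytes", nextToken.length);
        val scheme = this.ntlm ? SpnegoConstants.NTLM : SpnegoConstants.NEGOTIATE;
        response.setHeader(SpnegoConstants.HEADER_AUTHENTICATE, scheme + ' ' + EncodingUtils.encodeBase64(nextToken));
    } else {
        LOGGER.debug("Unable to obtain the output token required.");
    }
    if (spnegoCredentials.getPrincipal() == null && this.send401OnAuthenticationFailure) {
        LOGGER.debug("Setting HTTP Status to 401");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}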
Also used : lombok.val(lombok.val) SpnegoCredential(org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential)

Example 2 with SpnegoCredential

use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.

The class JcifsSpnegoAuthenticationHandler, method doAuthentication.

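/**
 * Authenticates a {@link SpnegoCredential} against the configured jcifs
 * {@code Authentication} instances.
 * <p>
 * The authentications are tried in order until one produces a next token; the
 * principal reported by the last attempted authentication is the one used. NTLM
 * credentials are rejected up front unless {@code ntlmAllowed} is set. The jcifs
 * authentication objects are stateful ({@code reset}/{@code process}/
 * {@code getPrincipal}), which is presumably why this method is {@code @Synchronized}.
 *
 * @param credential the credential, expected to be a {@link SpnegoCredential}
 * @return the handler result carrying the resolved principal
 * @throws GeneralSecurityException a {@link FailedLoginException} when NTLM is not
 *                                  allowed, when jcifs rejects the token, or when no
 *                                  principal could be established
 */
@Override
@Synchronized
protected AuthenticationHandlerExecutionResult doAuthentication(final Credential credential) throws GeneralSecurityException {
    val spnegoCredential = (SpnegoCredential) credential;
    if (!this.ntlmAllowed && spnegoCredential.isNtlm()) {
        throw new FailedLoginException("NTLM not allowed");
    }
    var principal = (java.security.Principal) null;
    var nextToken = (byte[]) null;
    val it = this.authentications.iterator();
    // Stop at the first authentication that yields a next token. Each iteration
    // overwrites `principal`, so a later attempt can replace an earlier result.
    while (nextToken == null && it.hasNext()) {
        try {
            val authentication = it.next();
            authentication.reset();
            LOGGER.debug("Processing SPNEGO authentication");
            authentication.process(spnegoCredential.getInitToken());
            principal = authentication.getPrincipal();
            LOGGER.debug("Authenticated SPNEGO principal [{}]. Retrieving the next token for authentication...",
                Optional.ofNullable(principal).map(java.security.Principal::getName).orElse(null));
            nextToken = authentication.getNextToken();
        } catch (final jcifs.spnego.AuthenticationException e) {
            LOGGER.debug("Processing SPNEGO authentication failed with exception", e);
            // FailedLoginException has no (message, cause) constructor; attach the cause
            // explicitly so the jcifs failure is not lost from the stack trace.
            val failure = new FailedLoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }
    if (nextToken != null) {
        LOGGER.debug("Setting nextToken in credential");
        spnegoCredential.setNextToken(nextToken);
    } else {
        LOGGER.debug("nextToken is null");
    }
    if (principal == null) {
        throw new FailedLoginException("Principal is null, the processing of the SPNEGO Token failed");
    }
    if (spnegoCredential.isNtlm()) {
        LOGGER.debug("NTLM Credential is valid for user [{}]", principal.getName());
    } else {
        LOGGER.debug("Kerberos Credential is valid for user [{}]", principal.getName());
    }
    spnegoCredential.setPrincipal(getPrincipal(principal.getName(), spnegoCredential.isNtlm()));
    return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(credential), spnegoCredential.getPrincipal());
}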
Also used : lombok.val(lombok.val) SpnegoCredential(org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential) FailedLoginException(javax.security.auth.login.FailedLoginException) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) Principal(org.apereo.cas.authentication.principal.Principal) BasicCredentialMetaData(org.apereo.cas.authentication.metadata.BasicCredentialMetaData) Synchronized(lombok.Synchronized)

Example 3 with SpnegoCredential

use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.

The class JcifsSpnegoAuthenticationHandlerTests, method verifySuccessfulAuthenticationWithoutDomainName.

/**
 * A handler configured with an empty domain name still authenticates the credential,
 * resolves the principal id {@code test} and leaves a next token on the credential.
 */
@Test
public void verifySuccessfulAuthenticationWithoutDomainName() throws Exception {
    val initToken = new byte[] { 0, 1, 2 };
    val credential = new SpnegoCredential(initToken);
    val handler = new JcifsSpnegoAuthenticationHandler(StringUtils.EMPTY, null, null,
        CollectionUtils.wrapList(new MockJcifsAuthentication()), false, true, null);
    val result = handler.authenticate(credential);
    assertNotNull(result);
    assertEquals("test", credential.getPrincipal().getId());
    assertNotNull(credential.getNextToken());
}
Also used : lombok.val(lombok.val) SpnegoCredential(org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential) MockJcifsAuthentication(org.apereo.cas.support.spnego.MockJcifsAuthentication) Test(org.junit.jupiter.api.Test)

Example 4 with SpnegoCredential

use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.

The class NtlmAuthenticationHandler, method doAuthentication.

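/**
 * Authenticates an NTLM handshake carried in a {@link SpnegoCredential} against a
 * domain controller via jcifs.
 * <p>
 * The message type is read from the init token. A Type 1 message is answered with a
 * Type 2 challenge stored as the credential's next token, after which the method
 * deliberately fails: the challenge presumably travels back to the client through
 * the webflow response header and the Type 3 response arrives in a later request.
 * A Type 3 message is verified against the domain controller with
 * {@code SmbSession.logon} and, on success, the principal is set on the credential.
 *
 * @param credential the credential, expected to be a {@link SpnegoCredential}
 * @return the handler result carrying the resolved principal
 * @throws GeneralSecurityException a {@link FailedLoginException} when the token is
 *                                  missing or unrecognised, the domain controller
 *                                  rejects the logon, or the handshake is not yet
 *                                  complete (Type 1 round trip)
 */
@Override
protected AuthenticationHandlerExecutionResult doAuthentication(final Credential credential) throws GeneralSecurityException {
    val ntlmCredential = (SpnegoCredential) credential;
    val src = ntlmCredential.getInitToken();
    // The type byte is read by index below; reject missing or short tokens explicitly
    // rather than relying on an ArrayIndexOutOfBoundsException being caught further down.
    if (src == null || src.length <= NTLM_TOKEN_TYPE_FIELD_INDEX) {
        throw new FailedLoginException("NTLM token is missing or too short to carry a message type");
    }
    var success = false;
    try {
        val dc = getUniAddress();
        val challenge = SmbSession.getChallenge(dc);
        switch (src[NTLM_TOKEN_TYPE_FIELD_INDEX]) {
            case NTLM_TOKEN_TYPE_ONE:
                LOGGER.debug("Type 1 received");
                val type1 = new Type1Message(src);
                val type2 = new Type2Message(type1, challenge, null);
                LOGGER.debug("Type 2 returned. Setting next token.");
                ntlmCredential.setNextToken(type2.toByteArray());
                break;
            case NTLM_TOKEN_TYPE_THREE:
                LOGGER.debug("Type 3 received");
                val type3 = new Type3Message(src);
                // jcifs may report either response as absent; normalise to empty arrays.
                val lmResponse = type3.getLMResponse() == null ? ArrayUtils.EMPTY_BYTE_ARRAY : type3.getLMResponse();
                val ntResponse = type3.getNTResponse() == null ? ArrayUtils.EMPTY_BYTE_ARRAY : type3.getNTResponse();
                val ntlm = new NtlmPasswordAuthentication(type3.getDomain(), type3.getUser(), challenge, lmResponse, ntResponse);
                LOGGER.debug("Trying to authenticate [{}] with domain controller", type3.getUser());
                try {
                    SmbSession.logon(dc, ntlm);
                    ntlmCredential.setPrincipal(this.principalFactory.createPrincipal(type3.getUser()));
                    success = true;
                } catch (final SmbAuthException sae) {
                    // FailedLoginException has no cause-taking constructor; keep the cause
                    // so the domain-controller failure stays visible in the stack trace.
                    val failure = new FailedLoginException(sae.getMessage());
                    failure.initCause(sae);
                    throw failure;
                }
                break;
            default:
                LOGGER.debug("Unknown type: [{}]", src[NTLM_TOKEN_TYPE_FIELD_INDEX]);
        }
    } catch (final FailedLoginException e) {
        // Already the right type; do not wrap it a second time.
        throw e;
    } catch (final Exception e) {
        val failure = new FailedLoginException(e.getMessage());
        failure.initCause(e);
        throw failure;
    }
    if (!success) {
        // Reached for the Type 1 round trip and for unknown message types.
        throw new FailedLoginException();
    }
    return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(ntlmCredential), ntlmCredential.getPrincipal());
}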
Also used : lombok.val(lombok.val) Type1Message(jcifs.ntlmssp.Type1Message) SpnegoCredential(org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential) SmbAuthException(jcifs.smb.SmbAuthException) FailedLoginException(javax.security.auth.login.FailedLoginException) NtlmPasswordAuthentication(jcifs.smb.NtlmPasswordAuthentication) Type2Message(jcifs.ntlmssp.Type2Message) Type3Message(jcifs.ntlmssp.Type3Message) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) GeneralSecurityException(java.security.GeneralSecurityException) FailedLoginException(javax.security.auth.login.FailedLoginException) SmbAuthException(jcifs.smb.SmbAuthException) BasicCredentialMetaData(org.apereo.cas.authentication.metadata.BasicCredentialMetaData)

Example 5 with SpnegoCredential

use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.

The class SpnegoCredentialsAction, method constructCredentialsFromRequest.

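/**
 * Builds a {@link SpnegoCredential} from the SPNEGO/NTLM token carried in the
 * request's Authorization header.
 * <p>
 * The header must start with {@code messageBeginPrefix}; the remainder is
 * base64-decoded into the init token. Neither the header value nor the decoded
 * token is written to the log: the header may carry credentials for a different
 * scheme (for example Basic) when it does not match the prefix, and the decoded
 * token is binary authentication material. Only the scheme and sizes are logged.
 *
 * @param context the webflow request context
 * @return the credential, or {@code null} when the header is absent, blank or does
 *         not carry the expected prefix
 */
@Override
protected Credential constructCredentialsFromRequest(final RequestContext context) {
    val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    LOGGER.debug("Available request headers are [{}]", Collections.list(request.getHeaderNames()));
    // getHeader is case-insensitive per the servlet spec; the lower-cased fallback is
    // presumably defensive and is kept as-is.
    val authorizationHeader = StringUtils.defaultString(request.getHeader(SpnegoConstants.HEADER_AUTHORIZATION), request.getHeader(SpnegoConstants.HEADER_AUTHORIZATION.toLowerCase()));
    if (StringUtils.isBlank(authorizationHeader)) {
        LOGGER.warn("SPNEGO Authorization header is not found under [{}]", SpnegoConstants.HEADER_AUTHORIZATION);
        return null;
    }
    // The scheme (text before the first space) carries no secret and is safe to log.
    val scheme = StringUtils.substringBefore(authorizationHeader, " ");
    val authzHeaderLength = authorizationHeader.length();
    LOGGER.debug("SPNEGO Authorization header located with scheme [{}] and [{}] characters", scheme, authzHeaderLength);
    val prefixLength = this.messageBeginPrefix.length();
    if (authzHeaderLength > prefixLength && authorizationHeader.startsWith(this.messageBeginPrefix)) {
        LOGGER.debug("SPNEGO Authorization header found with [{}] bytes", authzHeaderLength - prefixLength);
        val base64 = authorizationHeader.substring(prefixLength);
        // NOTE(review): decodeBase64's behaviour on malformed input is not visible here;
        // a null result or an exception would surface from this call.
        val token = EncodingUtils.decodeBase64(base64);
        LOGGER.debug("Obtained token of [{}] bytes. Creating credential...", token.length);
        return new SpnegoCredential(token);
    }
    LOGGER.warn("SPNEGO Authorization header with scheme [{}] does not begin with the prefix [{}]", scheme, messageBeginPrefix);
    return null;
}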
Also used : lombok.val(lombok.val) SpnegoCredential(org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential)

Aggregations

lombok.val (lombok.val)9 SpnegoCredential (org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential)9 Test (org.junit.jupiter.api.Test)5 MockJcifsAuthentication (org.apereo.cas.support.spnego.MockJcifsAuthentication)3 FailedLoginException (javax.security.auth.login.FailedLoginException)2 DefaultAuthenticationHandlerExecutionResult (org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult)2 BasicCredentialMetaData (org.apereo.cas.authentication.metadata.BasicCredentialMetaData)2 MockUnsuccessfulJcifsAuthentication (org.apereo.cas.support.spnego.MockUnsuccessfulJcifsAuthentication)2 GeneralSecurityException (java.security.GeneralSecurityException)1 Type1Message (jcifs.ntlmssp.Type1Message)1 Type2Message (jcifs.ntlmssp.Type2Message)1 Type3Message (jcifs.ntlmssp.Type3Message)1 NtlmPasswordAuthentication (jcifs.smb.NtlmPasswordAuthentication)1 SmbAuthException (jcifs.smb.SmbAuthException)1 Synchronized (lombok.Synchronized)1 UsernamePasswordCredential (org.apereo.cas.authentication.credential.UsernamePasswordCredential)1 Principal (org.apereo.cas.authentication.principal.Principal)1