use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.
the class SpnegoCredentialsAction method setResponseHeader.
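/**
 * Sets the response header based on the retrieved token.
 * <p>
 * Writes the {@code WWW-Authenticate} header from the credential's next token when one is
 * present, and answers with HTTP 401 when no principal was established and the action is
 * configured to do so ({@code send401OnAuthenticationFailure}).
 *
 * @param context the webflow request context carrying the credential and the servlet response
 */
private void setResponseHeader(final RequestContext context) {
    val credential = WebUtils.getCredential(context);
    val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
    // Guard against a missing or non-SPNEGO credential instead of failing with a NullPointerException;
    // a missing credential is treated like a missing principal below.
    val spnegoCredential = credential instanceof SpnegoCredential ? (SpnegoCredential) credential : null;
    val nextToken = spnegoCredential == null ? null : spnegoCredential.getNextToken();
    if (nextToken != null) {
        // The token is binary and is sent to the client in the header anyway; only its size is logged.
        LOGGER.debug("Obtained output token of [{}] bytes", nextToken.length);
        val scheme = this.ntlm ? SpnegoConstants.NTLM : SpnegoConstants.NEGOTIATE;
        response.setHeader(SpnegoConstants.HEADER_AUTHENTICATE, scheme + ' ' + EncodingUtils.encodeBase64(nextToken));
    } else {
        LOGGER.debug("Unable to obtain the output token required.");
    }
    val principalMissing = spnegoCredential == null || spnegoCredential.getPrincipal() == null;
    if (principalMissing && this.send401OnAuthenticationFailure) {
        LOGGER.debug("Setting HTTP Status to 401");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}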
use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.
the class JcifsSpnegoAuthenticationHandler method doAuthentication.
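/**
 * Runs the SPNEGO init token through the configured JCIFS authentications.
 * <p>
 * Each authentication is reset and fed the credential's init token until one of them
 * yields a next token. The resolved principal (if any) is stored on the credential.
 *
 * @param credential a {@link SpnegoCredential} holding the client's init token
 * @return the handler result carrying the resolved principal
 * @throws GeneralSecurityException as {@link FailedLoginException} when NTLM is not allowed,
 *                                  when JCIFS rejects the token, or when no principal is resolved
 */
@Override
@Synchronized
protected AuthenticationHandlerExecutionResult doAuthentication(final Credential credential) throws GeneralSecurityException {
    val spnegoCredential = (SpnegoCredential) credential;
    if (!this.ntlmAllowed && spnegoCredential.isNtlm()) {
        throw new FailedLoginException("NTLM not allowed");
    }
    java.security.Principal principal = null;
    byte[] nextToken = null;
    val it = this.authentications.iterator();
    // Walk the configured authentications until one produces a token to send back to the client.
    while (nextToken == null && it.hasNext()) {
        val authentication = it.next();
        try {
            authentication.reset();
            LOGGER.debug("Processing SPNEGO authentication");
            authentication.process(spnegoCredential.getInitToken());
            principal = authentication.getPrincipal();
            LOGGER.debug("Authenticated SPNEGO principal [{}]. Retrieving the next token for authentication...",
                Optional.ofNullable(principal).map(java.security.Principal::getName).orElse(null));
            nextToken = authentication.getNextToken();
        } catch (final jcifs.spnego.AuthenticationException e) {
            LOGGER.debug("Processing SPNEGO authentication failed with exception", e);
            // FailedLoginException has no cause constructor; attach it so the chain is not lost.
            val failure = new FailedLoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }
    if (nextToken != null) {
        LOGGER.debug("Setting nextToken in credential");
        spnegoCredential.setNextToken(nextToken);
    } else {
        LOGGER.debug("nextToken is null");
    }
    if (principal == null) {
        throw new FailedLoginException("Principal is null, the processing of the SPNEGO Token failed");
    }
    if (spnegoCredential.isNtlm()) {
        LOGGER.debug("NTLM Credential is valid for user [{}]", principal.getName());
    } else {
        LOGGER.debug("Kerberos Credential is valid for user [{}]", principal.getName());
    }
    spnegoCredential.setPrincipal(getPrincipal(principal.getName(), spnegoCredential.isNtlm()));
    return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(credential), spnegoCredential.getPrincipal());
}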
use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.
the class JcifsSpnegoAuthenticationHandlerTests method verifySuccessfulAuthenticationWithoutDomainName.
/**
 * Verifies that a handler built with an empty domain name still authenticates the
 * credential, resolves the principal id and leaves a next token on the credential.
 */
@Test
public void verifySuccessfulAuthenticationWithoutDomainName() throws Exception {
    val initToken = new byte[] {0, 1, 2};
    val spnegoCredential = new SpnegoCredential(initToken);
    val handler = new JcifsSpnegoAuthenticationHandler(StringUtils.EMPTY, null, null,
        CollectionUtils.wrapList(new MockJcifsAuthentication()), false, true, null);
    val result = handler.authenticate(spnegoCredential);
    assertNotNull(result);
    assertEquals("test", spnegoCredential.getPrincipal().getId());
    assertNotNull(spnegoCredential.getNextToken());
}
use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.
the class NtlmAuthenticationHandler method doAuthentication.
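/**
 * Authenticates an NTLM token against the domain controller.
 * <p>
 * A Type 1 message produces a Type 2 challenge that is stored as the credential's next
 * token; a Type 3 message is validated with {@link SmbSession#logon} and, on success,
 * the user principal is stored on the credential.
 *
 * @param credential a {@link SpnegoCredential} whose init token is an NTLM message
 * @return the handler result carrying the resolved principal
 * @throws GeneralSecurityException as {@link FailedLoginException} when the token is malformed,
 *                                  the domain controller rejects the logon, or no principal
 *                                  was established (including the Type 1 round trip)
 */
@Override
protected AuthenticationHandlerExecutionResult doAuthentication(final Credential credential) throws GeneralSecurityException {
    val ntlmCredential = (SpnegoCredential) credential;
    val src = ntlmCredential.getInitToken();
    // The token comes straight from the client; check the type byte is present before indexing.
    if (src == null || src.length <= NTLM_TOKEN_TYPE_FIELD_INDEX) {
        throw new FailedLoginException("NTLM token is missing or too short to carry a message type");
    }
    var success = false;
    try {
        val dc = getUniAddress();
        val challenge = SmbSession.getChallenge(dc);
        switch (src[NTLM_TOKEN_TYPE_FIELD_INDEX]) {
            case NTLM_TOKEN_TYPE_ONE:
                LOGGER.debug("Type 1 received");
                val type1 = new Type1Message(src);
                val type2 = new Type2Message(type1, challenge, null);
                LOGGER.debug("Type 2 returned. Setting next token.");
                ntlmCredential.setNextToken(type2.toByteArray());
                break;
            case NTLM_TOKEN_TYPE_THREE:
                LOGGER.debug("Type 3 received");
                val type3 = new Type3Message(src);
                val lmResponse = type3.getLMResponse() == null ? ArrayUtils.EMPTY_BYTE_ARRAY : type3.getLMResponse();
                val ntResponse = type3.getNTResponse() == null ? ArrayUtils.EMPTY_BYTE_ARRAY : type3.getNTResponse();
                val ntlm = new NtlmPasswordAuthentication(type3.getDomain(), type3.getUser(), challenge, lmResponse, ntResponse);
                LOGGER.debug("Trying to authenticate [{}] with domain controller", type3.getUser());
                try {
                    SmbSession.logon(dc, ntlm);
                    ntlmCredential.setPrincipal(this.principalFactory.createPrincipal(type3.getUser()));
                    success = true;
                } catch (final SmbAuthException sae) {
                    throw newFailedLoginException(sae);
                }
                break;
            default:
                LOGGER.debug("Unknown type: [{}]", src[NTLM_TOKEN_TYPE_FIELD_INDEX]);
        }
    } catch (final FailedLoginException e) {
        // Already the right type; re-throw instead of wrapping it a second time.
        throw e;
    } catch (final Exception e) {
        throw newFailedLoginException(e);
    }
    if (!success) {
        throw new FailedLoginException("NTLM authentication did not complete; no principal was established");
    }
    return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(ntlmCredential), ntlmCredential.getPrincipal());
}

/**
 * Wraps a failure from the NTLM exchange in a {@link FailedLoginException}, keeping both
 * the original message and the cause (the exception type has no cause constructor).
 *
 * @param cause the exception raised during the exchange
 * @return the wrapping exception, ready to be thrown
 */
private static FailedLoginException newFailedLoginException(final Exception cause) {
    val failure = new FailedLoginException(cause.getMessage());
    failure.initCause(cause);
    return failure;
}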
use of org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential in project cas by apereo.
the class SpnegoCredentialsAction method constructCredentialsFromRequest.
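/**
 * Builds a {@link SpnegoCredential} from the request's {@code Authorization} header.
 * <p>
 * The header must start with the configured {@code messageBeginPrefix}; the remainder is
 * Base64-decoded into the credential's init token. Only the scheme of the header is ever
 * logged, since the rest is the client's credential material.
 *
 * @param context the webflow request context
 * @return the credential carrying the decoded token, or {@code null} when the header is absent,
 *         blank, does not start with the expected prefix, or decodes to nothing
 */
@Override
protected Credential constructCredentialsFromRequest(final RequestContext context) {
    val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    LOGGER.debug("Available request headers are [{}]", Collections.list(request.getHeaderNames()));
    val authorizationHeader = StringUtils.defaultString(request.getHeader(SpnegoConstants.HEADER_AUTHORIZATION),
        request.getHeader(SpnegoConstants.HEADER_AUTHORIZATION.toLowerCase()));
    if (StringUtils.isBlank(authorizationHeader)) {
        LOGGER.warn("SPNEGO Authorization header is not found under [{}]", SpnegoConstants.HEADER_AUTHORIZATION);
        return null;
    }
    // Log the scheme only: the payload is the client's credential, and a non-SPNEGO scheme
    // sent to this endpoint (e.g. Basic) would otherwise put a password into the log.
    val scheme = StringUtils.substringBefore(authorizationHeader, " ");
    val authzHeaderLength = authorizationHeader.length();
    LOGGER.debug("SPNEGO Authorization header located with scheme [{}] and [{}] characters", scheme, authzHeaderLength);
    val prefixLength = this.messageBeginPrefix.length();
    if (authzHeaderLength <= prefixLength || !authorizationHeader.startsWith(this.messageBeginPrefix)) {
        LOGGER.warn("SPNEGO Authorization header with scheme [{}] does not begin with the prefix [{}]", scheme, messageBeginPrefix);
        return null;
    }
    LOGGER.debug("SPNEGO Authorization header found with [{}] bytes", authzHeaderLength - prefixLength);
    val token = EncodingUtils.decodeBase64(authorizationHeader.substring(prefixLength));
    // NOTE(review): decodeBase64's behavior on malformed input is not visible here; treat null/empty as no credential.
    if (token == null || token.length == 0) {
        LOGGER.warn("SPNEGO Authorization header payload could not be decoded into a token");
        return null;
    }
    LOGGER.debug("Obtained token of [{}] bytes. Creating credential...", token.length);
    return new SpnegoCredential(token);
}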