net.shibboleth.idp.authn.spnego.impl

Class SPNEGOAuthnController

java.lang.Object

net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController

public class SPNEGOAuthnController
extends Object

MVC controller for managing the SPNEGO exchanges implemented as an ExternalAuthentication mechanism. The handler methods either return contents back to the browser by returning an appropriate ResponseEntity object, or they return back to the flow by calling ExternalAuthentication.finishExternalAuthentication(String, HttpServletRequest, HttpServletResponse) and returning null. On unrecoverable errors, an exception is thrown.

Field Summary

Fields

Modifier and Type	Field and Description
private org.slf4j.Logger	log Class logger.
static String	NTLM_UNSUPPORTED Event ID indicating that NTLM was attempted by the client.
static String	SPNEGO_NOT_AVAILABLE Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.

Constructor Summary

Constructors

Constructor and Description
SPNEGOAuthnController()

Method Summary

Methods

Modifier and Type	Method and Description
org.springframework.web.servlet.ModelAndView	continueSPNEGO(String conversationKey, String authorizationHeader, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) Process an input GSS token from the client and attempt to complete the context establishment process.
protected GSSContextAcceptor	createGSSContextAcceptor(SPNEGOContext spnegoCtx) Create a new GSSContextAcceptor object.
private org.springframework.web.servlet.ModelAndView	createModelAndView(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) Create a ModelAndView object to return.
private void	finishWithError(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, String error) Finish the authentication process with an error.
private void	finishWithException(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, Exception ex) Finish the authentication process with an exception.
private void	finishWithSuccess(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, KerberosPrincipal kerberosPrincipal) Finish the authentication process successfully.
private SPNEGOContext	getSPNEGOContext(ProfileRequestContext prc) Navigate to the SPNEGOContext in the context tree.
void	handleError(String conversationKey, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) Respond to a user signaling that an error occurred.
private boolean	isNTLMMechanism(byte[] token) Check if the GSS-API data represents an NTLM mechanism request.
private org.springframework.web.servlet.ModelAndView	replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) Send back an empty Negotiate challenge.
private org.springframework.web.servlet.ModelAndView	replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, String base64Token) Send back a Negotiate challenge token.
org.springframework.web.servlet.ModelAndView	startSPNEGO(String conversationKey, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse) Handle initial request that starts SPNEGO.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SPNEGO_NOT_AVAILABLE

@Nonnull
@NotEmpty
public static final String SPNEGO_NOT_AVAILABLE

Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.

See Also:

Constant Field Values

NTLM_UNSUPPORTED

@Nonnull
@NotEmpty
public static final String NTLM_UNSUPPORTED

Event ID indicating that NTLM was attempted by the client.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

Constructor Detail

SPNEGOAuthnController

public SPNEGOAuthnController()

Method Detail

startSPNEGO

@RequestMapping(value="/{conversationKey}",
                method=GET)
@Nullable
public org.springframework.web.servlet.ModelAndView startSPNEGO(@PathVariable@Nonnull@NotEmpty
                                                                               String conversationKey,
                                                                               @Nonnull
                                                                               javax.servlet.http.HttpServletRequest httpRequest,
                                                                               @Nonnull
                                                                               javax.servlet.http.HttpServletResponse httpResponse)
                                                         throws ExternalAuthenticationException,
                                                                IOException

Handle initial request that starts SPNEGO.

Parameters:

conversationKey - the SWF conversation key

httpRequest - the HTTP request

httpResponse - the HTTP response

Returns:

the response view

Throws:

IOException

ExternalAuthenticationException

continueSPNEGO

@RequestMapping(value="/{conversationKey}",
                method=GET,
                headers="Authorization")
@Nullable
public org.springframework.web.servlet.ModelAndView continueSPNEGO(@PathVariable@Nonnull@NotEmpty
                                                                                  String conversationKey,
                                                                                  @RequestHeader(value="Authorization")@Nonnull@NotEmpty
                                                                                  String authorizationHeader,
                                                                                  @Nonnull
                                                                                  javax.servlet.http.HttpServletRequest httpRequest,
                                                                                  @Nonnull
                                                                                  javax.servlet.http.HttpServletResponse httpResponse)
                                                            throws ExternalAuthenticationException,
                                                                   IOException

Process an input GSS token from the client and attempt to complete the context establishment process.

Parameters:

conversationKey - the conversation key

authorizationHeader - the token from the client

httpRequest - the HTTP request

httpResponse - the HTTP response

Returns:

the response view

Throws:

ExternalAuthenticationException

IOException

handleError

@RequestMapping(value="/{conversationKey}/error",
                method=GET)
public void handleError(@PathVariable
                              String conversationKey,
                              @Nonnull
                              javax.servlet.http.HttpServletRequest httpRequest,
                              @Nonnull
                              javax.servlet.http.HttpServletResponse httpResponse)
                 throws ExternalAuthenticationException,
                        IOException

Respond to a user signaling that an error occurred.

Parameters:

conversationKey - the conversation key

httpRequest - the HTTP request

httpResponse - the HTTP response

Throws:

IOException

ExternalAuthenticationException

finishWithSuccess

private void finishWithSuccess(@Nonnull@NotEmpty
                     String key,
                     @Nonnull
                     javax.servlet.http.HttpServletRequest httpRequest,
                     @Nonnull
                     javax.servlet.http.HttpServletResponse httpResponse,
                     @Nonnull
                     KerberosPrincipal kerberosPrincipal)
                        throws ExternalAuthenticationException,
                               IOException

Finish the authentication process successfully.

Sets the attribute ExternalAuthentication.SUBJECT_KEY.

Parameters:

key - the conversation key

httpRequest - the HTTP request

httpResponse - the HTTP response

kerberosPrincipal - the Kerberos principal to return

Throws:

IOException

ExternalAuthenticationException

finishWithError

private void finishWithError(@Nonnull@NotEmpty
                   String key,
                   @Nonnull
                   javax.servlet.http.HttpServletRequest httpRequest,
                   @Nonnull
                   javax.servlet.http.HttpServletResponse httpResponse,
                   @Nonnull@NotEmpty
                   String error)
                      throws ExternalAuthenticationException,
                             IOException

Finish the authentication process with an error.

Sets the attribute ExternalAuthentication.AUTHENTICATION_ERROR_KEY.

Parameters:

key - the conversation key

httpRequest - the HTTP request

httpResponse - the HTTP response

error - the error string/event to return

Throws:

IOException

ExternalAuthenticationException

finishWithException

private void finishWithException(@Nonnull@NotEmpty
                       String key,
                       @Nonnull
                       javax.servlet.http.HttpServletRequest httpRequest,
                       @Nonnull
                       javax.servlet.http.HttpServletResponse httpResponse,
                       @Nonnull
                       Exception ex)
                          throws ExternalAuthenticationException,
                                 IOException

Finish the authentication process with an exception.

Sets the attribute ExternalAuthentication.AUTHENTICATION_EXCEPTION_KEY.

Parameters:

key - the conversation key

httpRequest - the HTTP request

httpResponse - the HTTP response

ex - the exception that has been thrown

Throws:

IOException

ExternalAuthenticationException

getSPNEGOContext

@Nullable
private SPNEGOContext getSPNEGOContext(@Nonnull
                                      ProfileRequestContext prc)

Navigate to the SPNEGOContext in the context tree.

Parameters:

prc - profile request context

Returns:

the child context, or null

createGSSContextAcceptor

@Nonnull
protected GSSContextAcceptor createGSSContextAcceptor(@Nonnull
                                                  SPNEGOContext spnegoCtx)
                                               throws GSSException

Create a new GSSContextAcceptor object. (Created in a separate method to support unit testing.)

Parameters:

spnegoCtx - the SPNEGOContext conteining the KerberosSettings

Returns:

a new GSSContextAcceptor

Throws:

GSSException - if an error occurs while creating the GSSContextAcceptor.

replyUnauthorizedNegotiate

@Nonnull
private org.springframework.web.servlet.ModelAndView replyUnauthorizedNegotiate(@Nonnull
                                                                              ProfileRequestContext profileRequestContext,
                                                                              @Nonnull
                                                                              javax.servlet.http.HttpServletRequest httpRequest,
                                                                              @Nonnull
                                                                              javax.servlet.http.HttpServletResponse httpResponse)

Send back an empty Negotiate challenge.

Parameters:

profileRequestContext - profile request context

httpRequest - servlet request

httpResponse - servlet response

Returns:

a ModelAndView wrapping the response

replyUnauthorizedNegotiate

@Nonnull
private org.springframework.web.servlet.ModelAndView replyUnauthorizedNegotiate(@Nonnull
                                                                              ProfileRequestContext profileRequestContext,
                                                                              @Nonnull
                                                                              javax.servlet.http.HttpServletRequest httpRequest,
                                                                              @Nonnull
                                                                              javax.servlet.http.HttpServletResponse httpResponse,
                                                                              @Nonnull
                                                                              String base64Token)

Send back a Negotiate challenge token.

Parameters:

profileRequestContext - profile request context

httpRequest - servlet request

httpResponse - servlet response

base64Token - challenge token to send back

Returns:

a ModelAndView wrapping the response

createModelAndView

@Nonnull
private org.springframework.web.servlet.ModelAndView createModelAndView(@Nonnull
                                                                      ProfileRequestContext profileRequestContext,
                                                                      @Nonnull
                                                                      javax.servlet.http.HttpServletRequest httpRequest,
                                                                      @Nonnull
                                                                      javax.servlet.http.HttpServletResponse httpResponse)

Create a ModelAndView object to return.

Parameters:

profileRequestContext - profile request context

httpRequest - the HTTP request

httpResponse - the HTTP response

Returns:

the ModelAndView object

isNTLMMechanism

private boolean isNTLMMechanism(@Nonnull
                      byte[] token)

Check if the GSS-API data represents an NTLM mechanism request.

Parameters:

token - token retrieved from the Authorization header.

Returns:

true iff it represents a NTLM mechanism