Class SPNEGOAuthnController
- java.lang.Object
  - net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController

@Controller @RequestMapping("%{idp.authn.spnego.externalAuthnPath:/Authn/SPNEGO}") public class SPNEGOAuthnController extends Object

MVC controller for managing the SPNEGO exchanges implemented as an ExternalAuthentication mechanism. The handler methods either return contents back to the browser by returning an appropriate ResponseEntity<String> object, or they return back to the flow by calling ExternalAuthentication.finishExternalAuthentication(String, HttpServletRequest, HttpServletResponse) and returning null. On unrecoverable errors, an exception is thrown.

Field Summary
- private org.slf4j.Logger log: Class logger.
- static String NTLM_UNSUPPORTED: Event ID indicating that NTLM was attempted by the client.
- static String SPNEGO_NOT_AVAILABLE: Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.

Constructor Summary
- SPNEGOAuthnController()

Method Summary
- ModelAndView continueSPNEGO(String conversationKey, String authorizationHeader, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse): Process an input GSS token from the client and attempt to complete the context establishment process.
- protected GSSContextAcceptor createGSSContextAcceptor(SPNEGOContext spnegoCtx): Create a new GSSContextAcceptor object.
- private ModelAndView createModelAndView(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse): Create a ModelAndView object to return.
- private void finishWithError(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, String error): Finish the authentication process with an error.
- private void finishWithException(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, Exception ex): Finish the authentication process with an exception.
- private void finishWithSuccess(String key, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, KerberosPrincipal kerberosPrincipal): Finish the authentication process successfully.
- private SPNEGOContext getSPNEGOContext(ProfileRequestContext prc): Navigate to the SPNEGOContext in the context tree.
- void handleError(String conversationKey, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse): Respond to a user signaling that an error occurred.
- private boolean isNTLMMechanism(byte[] token): Check if the GSS-API data represents an NTLM mechanism request.
- private ModelAndView replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse): Send back an empty Negotiate challenge.
- private ModelAndView replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, String base64Token): Send back a Negotiate challenge token.
- ModelAndView startSPNEGO(String conversationKey, javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse): Handle initial request that starts SPNEGO.

Field Detail

SPNEGO_NOT_AVAILABLE
@Nonnull @NotEmpty public static final String SPNEGO_NOT_AVAILABLE
Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.
- See Also:
  - Constant Field Values

NTLM_UNSUPPORTED
@Nonnull @NotEmpty public static final String NTLM_UNSUPPORTED
Event ID indicating that NTLM was attempted by the client.
- See Also:
  - Constant Field Values

log
@Nonnull private final org.slf4j.Logger log
Class logger.

Method Detail

startSPNEGO
@RequestMapping(value="/{conversationKey}", method=GET) @Nullable public ModelAndView startSPNEGO(@PathVariable @Nonnull @NotEmpty String conversationKey, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Handle the initial request that starts SPNEGO.
- Parameters:
  - conversationKey - the SWF conversation key
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
- Returns:
  - the response view
- Throws:
  - IOException - ...
  - ExternalAuthenticationException - ...

continueSPNEGO
@RequestMapping(value="/{conversationKey}", method=GET, headers="Authorization") @Nullable public ModelAndView continueSPNEGO(@PathVariable @Nonnull @NotEmpty String conversationKey, @RequestHeader("Authorization") @Nonnull @NotEmpty String authorizationHeader, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Process an input GSS token from the client and attempt to complete the context establishment process.
- Parameters:
  - conversationKey - the conversation key
  - authorizationHeader - the token from the client
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
- Returns:
  - the response view
- Throws:
  - ExternalAuthenticationException - ...
  - IOException - ...

handleError
@RequestMapping(value="/{conversationKey}/error", method=GET) public void handleError(@PathVariable String conversationKey, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Respond to a user signaling that an error occurred.
- Parameters:
  - conversationKey - the conversation key
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
- Throws:
  - IOException - ...
  - ExternalAuthenticationException - ...

finishWithSuccess
private void finishWithSuccess(@Nonnull @NotEmpty String key, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse, @Nonnull KerberosPrincipal kerberosPrincipal) throws ExternalAuthenticationException, IOException
Finish the authentication process successfully. Sets the attribute ExternalAuthentication.SUBJECT_KEY.
- Parameters:
  - key - the conversation key
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
  - kerberosPrincipal - the Kerberos principal to return
- Throws:
  - IOException - ...
  - ExternalAuthenticationException - ...

finishWithError
private void finishWithError(@Nonnull @NotEmpty String key, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse, @Nonnull @NotEmpty String error) throws ExternalAuthenticationException, IOException
Finish the authentication process with an error. Sets the attribute ExternalAuthentication.AUTHENTICATION_ERROR_KEY.
- Parameters:
  - key - the conversation key
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
  - error - the error string/event to return
- Throws:
  - IOException - ...
  - ExternalAuthenticationException - ...

finishWithException
private void finishWithException(@Nonnull @NotEmpty String key, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse, @Nonnull Exception ex) throws ExternalAuthenticationException, IOException
Finish the authentication process with an exception. Sets the attribute ExternalAuthentication.AUTHENTICATION_EXCEPTION_KEY.
- Parameters:
  - key - the conversation key
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
  - ex - the exception that has been thrown
- Throws:
  - IOException - ...
  - ExternalAuthenticationException - ...

getSPNEGOContext
@Nullable private SPNEGOContext getSPNEGOContext(@Nonnull ProfileRequestContext prc)
Navigate to the SPNEGOContext in the context tree.
- Parameters:
  - prc - profile request context
- Returns:
  - the child context, or null

createGSSContextAcceptor
@Nonnull protected GSSContextAcceptor createGSSContextAcceptor(@Nonnull SPNEGOContext spnegoCtx) throws GSSException
Create a new GSSContextAcceptor object. (Created in a separate method to support unit testing.)
- Parameters:
  - spnegoCtx - the SPNEGOContext containing the KerberosSettings
- Returns:
  - a new GSSContextAcceptor
- Throws:
  - GSSException - if an error occurs while creating the GSSContextAcceptor.

replyUnauthorizedNegotiate
@Nonnull private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse)
Send back an empty Negotiate challenge.
- Parameters:
  - profileRequestContext - profile request context
  - httpRequest - servlet request
  - httpResponse - servlet response
- Returns:
  - a ModelAndView wrapping the response

replyUnauthorizedNegotiate
@Nonnull private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse, @Nonnull String base64Token)
Send back a Negotiate challenge token.
- Parameters:
  - profileRequestContext - profile request context
  - httpRequest - servlet request
  - httpResponse - servlet response
  - base64Token - challenge token to send back
- Returns:
  - a ModelAndView wrapping the response

createModelAndView
@Nonnull private ModelAndView createModelAndView(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull javax.servlet.http.HttpServletRequest httpRequest, @Nonnull javax.servlet.http.HttpServletResponse httpResponse)
Create a ModelAndView object to return.
- Parameters:
  - profileRequestContext - profile request context
  - httpRequest - the HTTP request
  - httpResponse - the HTTP response
- Returns:
  - the ModelAndView object

isNTLMMechanism
private boolean isNTLMMechanism(@Nonnull byte[] token)
Check if the GSS-API data represents an NTLM mechanism request.
- Parameters:
  - token - token retrieved from the Authorization header.
- Returns:
  - true iff it represents an NTLM mechanism
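The token triage that continueSPNEGO and isNTLMMechanism perform on the Authorization header, as an added Python example that is not code from the Shibboleth project: it parses an "Authorization: Negotiate <base64>" value, decodes the token, and reports whether the client sent raw NTLMSSP (the case the NTLM_UNSUPPORTED event reports), a SPNEGO or bare Kerberos GSS-API InitialContextToken, or something unusable. The NTLMSSP signature check, the OID table and the sample headers are my own assumptions; the example does not look inside a SPNEGO NegTokenInit for an NTLM mechType.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that open a GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP"                    # leading bytes of every raw NTLM message


def parse_negotiate_header(authorization):
    """Return the decoded token of an 'Authorization: Negotiate <b64>' value, else None."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, content offset) or (None, None)."""
    if pos >= len(buf):
        return None, None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):   # indefinite or absurd lengths are not DER
        return None, None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(token):
    """Classify a decoded token as 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    # Assumption: a raw NTLMSSP message is what the NTLM_UNSUPPORTED event reports; the IdP's
    # own check is not shown on this page, so this signature test is the example's own.
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:                # [APPLICATION 0] InitialContextToken tag
        return "unknown"
    total, pos = _der_length(token, 1)
    if total is None or pos >= len(token) or token[pos] != 0x06:   # OBJECT IDENTIFIER tag
        return "unknown"
    oid_len, pos = _der_length(token, pos + 1)
    if oid_len is None or pos + oid_len > len(token):
        return "unknown"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(token[pos:pos + oid_len], "unknown")


def classify_header(authorization):
    """Map an Authorization header value to the mechanism it carries ('not-negotiate' if none)."""
    token = parse_negotiate_header(authorization)
    return "not-negotiate" if token is None else classify_token(token)


# Constructed sample headers (not captured traffic): an NTLM NEGOTIATE message, and SPNEGO and
# bare Kerberos tokens reduced to their GSS-API header bytes.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00").decode()
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(b"\x60\x0b\x06\x09" + KRB5_OID).decode()
```

A controller following this page's flow would answer "ntlm" with the NTLM_UNSUPPORTED event, "spnego" or "kerberos" by feeding the token to the GSSContextAcceptor, and "not-negotiate" or "unknown" with SPNEGO_NOT_AVAILABLE.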