Class SPNEGOAuthnController
java.lang.Object
net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController
@Controller
@RequestMapping("%{idp.authn.spnego.externalAuthnPath:/Authn/SPNEGO}")
public class SPNEGOAuthnController
extends Object
MVC controller for managing the SPNEGO exchanges implemented as an
ExternalAuthentication mechanism.
The handler methods either return contents back to the browser by returning an appropriate
ResponseEntity<String> object, or they return back to the flow by calling
ExternalAuthentication.finishExternalAuthentication(String, HttpServletRequest, HttpServletResponse) and
returning null. On unrecoverable errors, an exception is thrown.
Field Summary
Fields
- private StringDigester cspDigester: CSP digest computation bean.
- private IdentifierGenerationStrategy cspNonceGenerator: CSP nonce generator bean.
- private final org.slf4j.Logger log: Class logger.
- static final String NTLM_UNSUPPORTED: Event ID indicating that NTLM was attempted by the client.
- static final String SPNEGO_NOT_AVAILABLE: Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.
Constructor Summary
Constructors
- SPNEGOAuthnController()
Method Summary
- ModelAndView continueSPNEGO(String conversationKey, String authorizationHeader, HttpServletRequest httpRequest, HttpServletResponse httpResponse): Process an input GSS token from the client and attempt to complete the context establishment process.
- protected GSSContextAcceptor createGSSContextAcceptor(SPNEGOContext spnegoCtx): Create a new GSSContextAcceptor object.
- private ModelAndView createModelAndView(ProfileRequestContext profileRequestContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse): Create a ModelAndView object to return.
- private void finishWithError(String key, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String error): Finish the authentication process with an error.
- private void finishWithException(String key, HttpServletRequest httpRequest, HttpServletResponse httpResponse, Exception ex): Finish the authentication process with an exception.
- private void finishWithSuccess(String key, HttpServletRequest httpRequest, HttpServletResponse httpResponse, KerberosPrincipal kerberosPrincipal): Finish the authentication process successfully.
- private SPNEGOContext getSPNEGOContext(ProfileRequestContext prc): Navigate to the SPNEGOContext in the context tree.
- void handleError(String conversationKey, HttpServletRequest httpRequest, HttpServletResponse httpResponse): Respond to a user signaling that an error occurred.
- private boolean isNTLMMechanism(byte[] token): Check if the GSS-API data represents an NTLM mechanism request.
- private ModelAndView replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse): Send back an empty Negotiate challenge.
- private ModelAndView replyUnauthorizedNegotiate(ProfileRequestContext profileRequestContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String base64Token): Send back a Negotiate challenge token.
- void setCSPDigester(StringDigester digester): Sets a StringDigester to use in computing CSP digests in views.
- void …(IdentifierGenerationStrategy …): Sets an IdentifierGenerationStrategy to use in computing CSP nonces in views.
- ModelAndView startSPNEGO(String conversationKey, HttpServletRequest httpRequest, HttpServletResponse httpResponse): Handle initial request that starts SPNEGO.
Field Details
SPNEGO_NOT_AVAILABLE
static final String SPNEGO_NOT_AVAILABLE
Event ID indicating that SPNEGO is not supported by the client or is not available for other reasons.
NTLM_UNSUPPORTED
static final String NTLM_UNSUPPORTED
Event ID indicating that NTLM was attempted by the client.
log
@Nonnull private final org.slf4j.Logger log
Class logger.
cspDigester
private StringDigester cspDigester
CSP digest computation bean.
cspNonceGenerator
private IdentifierGenerationStrategy cspNonceGenerator
CSP nonce generator bean.
Constructor Details
SPNEGOAuthnController
public SPNEGOAuthnController()
Method Details
startSPNEGO
@RequestMapping(value="/{conversationKey}", method=GET) @Nullable public ModelAndView startSPNEGO(@PathVariable @Nonnull @NotEmpty String conversationKey, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Handle initial request that starts SPNEGO.
- Parameters:
  conversationKey - the SWF conversation key
  httpRequest - the HTTP request
  httpResponse - the HTTP response
- Returns: the response view
- Throws:
  IOException - ...
  ExternalAuthenticationException - ...
continueSPNEGO
@RequestMapping(value="/{conversationKey}", method=GET, headers="Authorization") @Nullable public ModelAndView continueSPNEGO(@PathVariable @Nonnull @NotEmpty String conversationKey, @RequestHeader("Authorization") @Nonnull @NotEmpty String authorizationHeader, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Process an input GSS token from the client and attempt to complete the context establishment process.
- Parameters:
  conversationKey - the conversation key
  authorizationHeader - the token from the client
  httpRequest - the HTTP request
  httpResponse - the HTTP response
- Returns: the response view
- Throws:
  ExternalAuthenticationException - ...
  IOException - ...
handleError
@RequestMapping(value="/{conversationKey}/error", method=GET) public void handleError(@PathVariable @Nonnull String conversationKey, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse) throws ExternalAuthenticationException, IOException
Respond to a user signaling that an error occurred.
- Parameters:
  conversationKey - the conversation key
  httpRequest - the HTTP request
  httpResponse - the HTTP response
- Throws:
  IOException - ...
  ExternalAuthenticationException - ...
finishWithSuccess
private void finishWithSuccess(@Nonnull @NotEmpty String key, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse, @Nonnull KerberosPrincipal kerberosPrincipal) throws ExternalAuthenticationException, IOException
Finish the authentication process successfully. Sets the attribute ExternalAuthentication.SUBJECT_KEY.
- Parameters:
  key - the conversation key
  httpRequest - the HTTP request
  httpResponse - the HTTP response
  kerberosPrincipal - the Kerberos principal to return
- Throws:
  IOException - ...
  ExternalAuthenticationException - ...
finishWithError
private void finishWithError(@Nonnull @NotEmpty String key, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse, @Nonnull @NotEmpty String error) throws ExternalAuthenticationException, IOException
Finish the authentication process with an error. Sets the attribute ExternalAuthentication.AUTHENTICATION_ERROR_KEY.
- Parameters:
  key - the conversation key
  httpRequest - the HTTP request
  httpResponse - the HTTP response
  error - the error string/event to return
- Throws:
  IOException - ...
  ExternalAuthenticationException - ...
finishWithException
private void finishWithException(@Nonnull @NotEmpty String key, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse, @Nonnull Exception ex) throws ExternalAuthenticationException, IOException
Finish the authentication process with an exception. Sets the attribute ExternalAuthentication.AUTHENTICATION_EXCEPTION_KEY.
- Parameters:
  key - the conversation key
  httpRequest - the HTTP request
  httpResponse - the HTTP response
  ex - the exception that has been thrown
- Throws:
  IOException - ...
  ExternalAuthenticationException - ...
getSPNEGOContext
private SPNEGOContext getSPNEGOContext(ProfileRequestContext prc)
Navigate to the SPNEGOContext in the context tree.
- Parameters:
  prc - profile request context
- Returns: the child context, or null
createGSSContextAcceptor
@Nonnull protected GSSContextAcceptor createGSSContextAcceptor(@Nonnull SPNEGOContext spnegoCtx) throws GSSException
Create a new GSSContextAcceptor object. (Created in a separate method to support unit testing.)
- Parameters:
  spnegoCtx - the SPNEGOContext containing the KerberosSettings
- Returns: a new GSSContextAcceptor
- Throws:
  GSSException - if an error occurs while creating the GSSContextAcceptor.
replyUnauthorizedNegotiate
@Nonnull private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse)
Send back an empty Negotiate challenge.
- Parameters:
  profileRequestContext - profile request context
  httpRequest - servlet request
  httpResponse - servlet response
- Returns: a ModelAndView wrapping the response
replyUnauthorizedNegotiate
@Nonnull private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse, @Nonnull String base64Token)
Send back a Negotiate challenge token.
- Parameters:
  profileRequestContext - profile request context
  httpRequest - servlet request
  httpResponse - servlet response
  base64Token - challenge token to send back
- Returns: a ModelAndView wrapping the response
createModelAndView
@Nonnull private ModelAndView createModelAndView(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpRequest, @Nonnull HttpServletResponse httpResponse)
Create a ModelAndView object to return.
- Parameters:
  profileRequestContext - profile request context
  httpRequest - the HTTP request
  httpResponse - the HTTP response
- Returns: the ModelAndView object
isNTLMMechanism
private boolean isNTLMMechanism(@Nonnull byte[] token)
Check if the GSS-API data represents an NTLM mechanism request.
- Parameters:
  token - token retrieved from the Authorization header.
- Returns: true iff it represents an NTLM mechanism
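As an added example (not code from Shibboleth IdP), the following Python shows the kind of token check that continueSPNEGO's authorizationHeader parameter and the isNTLMMechanism method imply: decode the Negotiate header, detect a raw NTLMSSP answer, and otherwise read the mechanism OID from the GSS-API InitialContextToken framing. All function names are the example's own, the sample headers are constructed, and mapping an NTLM answer to the NTLM_UNSUPPORTED event is an assumption about how the controller uses that event.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"              # MS-NLMP: prefix of every NTLM message
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (RFC 4121)

def parse_negotiate_header(header: str) -> bytes:
    """Return the raw token from 'Negotiate <base64>'; reject any other scheme."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not value.strip():
        raise ValueError("not a Negotiate authorization header")
    return base64.b64decode(value.strip(), validate=True)

def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def is_ntlm_mechanism(token: bytes) -> bool:
    """True iff the client answered the Negotiate challenge with raw NTLMSSP."""
    return token.startswith(NTLMSSP_SIGNATURE)

def classify_gss_token(token: bytes) -> str:
    """'ntlm', 'spnego', 'krb5' or 'unknown' from the RFC 2743 framing
    (InitialContextToken: 0x60, DER length, then the mechanism OID)."""
    if is_ntlm_mechanism(token):
        return "ntlm"
    try:
        if token[0] != 0x60:
            return "unknown"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:                   # OBJECT IDENTIFIER tag
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
    except (IndexError, ValueError):             # truncated or malformed token
        return "unknown"
    return {SPNEGO_OID: "spnego", KRB5_OID: "krb5"}.get(token[pos:pos + oid_len], "unknown")

def event_for_header(header: str):
    """Assumed mapping: NTLM answers yield the page's NTLM_UNSUPPORTED event, others continue (None)."""
    return "NTLM_UNSUPPORTED" if is_ntlm_mechanism(parse_negotiate_header(header)) else None

# Constructed samples (added example, not Shibboleth code): an NTLM Type 1 prefix
# and a minimal SPNEGO InitialContextToken carrying only the mechanism OID.
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SPNEGO_HEADER = "Negotiate " + base64.b64encode(b"\x60\x08\x06\x06" + SPNEGO_OID).decode()
```

The framing check is a cheap pre-filter only; the token itself must still be handed to the GSS-API acceptor for actual validation.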