GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-8: Removed from sandbox as development will continue via code drops in the JIRA task.

1.0.x
Ben Alex 19 years ago
parent
d2fb473a4e
commit
ab7816db41
7 changed files with 0 additions and 697 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 110
      sandbox/other/src/main/java/org/acegisecurity/providers/smb/AbstractSmbAuthenticationProvider.java
  2. 37
      sandbox/other/src/main/java/org/acegisecurity/providers/smb/ChallengeExpiredException.java
  3. 67
      sandbox/other/src/main/java/org/acegisecurity/providers/smb/NtlmAuthenticationToken.java
  4. 93
      sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbBasicAuthenticationProvider.java
  5. 57
      sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbNtlmAuthenticationProvider.java
  6. 287
      sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java
  7. 46
      sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java

110
sandbox/other/src/main/java/org/acegisecurity/providers/smb/AbstractSmbAuthenticationProvider.java
Unescape View File

@ -1,110 +0,0 @@ @@ -1,110 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.AuthenticationProvider;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* An {@link AuthenticationProvider} implementation that relies on <a href="http://www.jcifs.org">jcifs</a> in
* order to provide an authentication service on a Windows network. This implementation relies on a {@link
* #setAuthorizationProvider(AuthenticationProvider) delegate provider} in order for authorization information to be
* filled into the authorized {@link Authentication token}. Subclasses must implement the logic that {@link
* #getNtlmPasswordAuthentication(Authentication) extracts the jcifs }{@link NtlmPasswordAuthentication } object from
* the particular {@link Authentication } token implementation and the one that {@link
* #getDomainController(Authentication, NtlmPasswordAuthentication) extracts the domain controller address }.
*
* @author Davide Baroncelli
* @version $Id$
*/
public abstract class AbstractSmbAuthenticationProvider implements AuthenticationProvider {
//~ Instance fields ================================================================================================
private AuthenticationProvider authorizationProvider;
private Log log = LogFactory.getLog(this.getClass());
//~ Methods ========================================================================================================
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
NtlmPasswordAuthentication ntlm = getNtlmPasswordAuthentication(authentication);
UniAddress dc = getDomainController(authentication, ntlm);
return performAuthentication(dc, ntlm, authentication);
}
protected abstract UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication);
protected abstract NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication);
protected Authentication performAuthentication(UniAddress dc, NtlmPasswordAuthentication ntlm,
Authentication authentication) {
try {
// this performs authentication...
SmbSession.logon(dc, ntlm);
if (log.isDebugEnabled()) {
log.debug(ntlm + " successfully authenticated against " + dc);
}
// ...and this performs authorization.
Authentication authorizedResult = authorizationProvider.authenticate(authentication);
return authorizedResult;
} catch (SmbException se) {
log.error(ntlm.getName() + ": 0x" + jcifs.util.Hexdump.toHexString(se.getNtStatus(), 8) + ": " + se);
if (se instanceof SmbAuthException) {
SmbAuthException sae = (SmbAuthException) se;
if (se.getNtStatus() == SmbAuthException.NT_STATUS_ACCESS_VIOLATION) {
throw new ChallengeExpiredException(sae.getMessage(), sae);
} else {
throw new BadCredentialsException(sae.getMessage(), sae);
}
} else {
throw new AuthenticationServiceException(se.getMessage(), se);
}
}
}
/**
* DOCUMENT ME!
*
* @param authorizationProvider The {@link AuthenticationProvider } which will be contacted in order for it to fill
* authorization info in the (already authenticated) {@link Authentication } object that they will be
* passed.
*/
public void setAuthorizationProvider(AuthenticationProvider authorizationProvider) {
this.authorizationProvider = authorizationProvider;
}
}

37
sandbox/other/src/main/java/org/acegisecurity/providers/smb/ChallengeExpiredException.java
Unescape View File

@ -1,37 +0,0 @@ @@ -1,37 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import org.acegisecurity.AuthenticationException;
/**
* Thrown if
*
* @author Davide Baroncelli
* @version $Id$
*/
public class ChallengeExpiredException extends AuthenticationException {
//~ Constructors ===================================================================================================
public ChallengeExpiredException(String msg) {
super(msg);
}
public ChallengeExpiredException(String msg, Throwable t) {
super(msg, t);
}
}

67
sandbox/other/src/main/java/org/acegisecurity/providers/smb/NtlmAuthenticationToken.java
Unescape View File

@ -1,67 +0,0 @@ @@ -1,67 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.providers.AbstractAuthenticationToken;
/**
* {@link Authentication } implementation for NTLM smb authentication.
*
* @author Davide Baroncelli
* @version $Id$
*
* @see org.acegisecurity.ui.ntlm.NtlmProcessingFilter
* @see org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider
*/
public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
//~ Instance fields ================================================================================================
private NtlmPasswordAuthentication ntlmPasswordAuthentication;
private transient UniAddress domainController;
//~ Constructors ===================================================================================================
public NtlmAuthenticationToken(NtlmPasswordAuthentication ntlmPasswordAuthentication, UniAddress domainController) {
super(null);
this.ntlmPasswordAuthentication = ntlmPasswordAuthentication;
this.domainController = domainController;
}
//~ Methods ========================================================================================================
public Object getCredentials() {
return ntlmPasswordAuthentication.getPassword();
}
public UniAddress getDomainController() {
return domainController;
}
public NtlmPasswordAuthentication getNtlmPasswordAuthentication() {
return ntlmPasswordAuthentication;
}
public Object getPrincipal() {
return ntlmPasswordAuthentication.getUsername();
}
}

93
sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbBasicAuthenticationProvider.java
Unescape View File

@ -1,93 +0,0 @@ @@ -1,93 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.Config;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import java.net.UnknownHostException;
/**
* Provides authentication of a basic {@link UsernamePasswordAuthenticationToken } on a ntlm domain via smb/cifs.
*
* @author Davide Baroncelli
* @version $Id$
*/
public class SmbBasicAuthenticationProvider extends AbstractSmbAuthenticationProvider {
//~ Instance fields ================================================================================================
String domainController;
//~ Methods ========================================================================================================
protected UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication) {
try {
if (domainController == null) {
domainController = Config.getProperty("jcifs.smb.client.domain");
}
String domain = domainController;
if (domain == null) {
domain = ntlmAuthentication.getDomain();
}
UniAddress dc = UniAddress.getByName(domain, true);
return dc;
} catch (UnknownHostException uhe) {
throw new BadCredentialsException("no host could be found for the name " + ntlmAuthentication.getDomain(),
uhe);
}
}
protected NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication) {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
String username = token.getPrincipal().toString();
String password = (String) token.getCredentials();
int index = username.indexOf('\\');
if (index == -1) {
index = username.indexOf('/');
}
// if domain is null then the jcifs default is used
// (this is set through the "jcifs.smb.client.domain" Config property)
String domain = (index != -1) ? username.substring(0, index) : null;
username = (index != -1) ? username.substring(index + 1) : username;
NtlmPasswordAuthentication ntlm = new NtlmPasswordAuthentication(domain, username, password);
return ntlm;
}
public void setDomainController(String domainController) {
this.domainController = domainController;
}
public boolean supports(Class authentication) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}

57
sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbNtlmAuthenticationProvider.java
Unescape View File

@ -1,57 +0,0 @@ @@ -1,57 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.ui.ntlm.NtlmProcessingFilter;
/**
* This class provides authentication through smb of {@link NtlmAuthenticationToken } (i.e. tokens obtained through
* the NTLM Authorization method by {@link NtlmProcessingFilter } ).
*
* @author Davide Baroncelli
* @version $Id$
*
* @see org.acegisecurity.ui.ntlm.NtlmProcessingFilter
*/
public class SmbNtlmAuthenticationProvider extends AbstractSmbAuthenticationProvider {
//~ Methods ========================================================================================================
protected UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication) {
NtlmAuthenticationToken ntlmToken = (NtlmAuthenticationToken) authentication;
UniAddress dc = ntlmToken.getDomainController();
return dc;
}
protected NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication) {
NtlmAuthenticationToken ntlmToken = (NtlmAuthenticationToken) authentication;
NtlmPasswordAuthentication ntlm = ntlmToken.getNtlmPasswordAuthentication();
return ntlm;
}
public boolean supports(Class authentication) {
return NtlmAuthenticationToken.class.isAssignableFrom(authentication);
}
}

287
sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java
Unescape View File

@ -1,287 +0,0 @@ @@ -1,287 +0,0 @@
/*
* LICENSE IS UNKNOWN (SEE TODO COMMENT LATER IN SOURCE CODE)
*/
package org.acegisecurity.ui.ntlm;
import jcifs.Config;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.NtlmChallenge;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.smb.NtlmAuthenticationToken;
import org.acegisecurity.ui.AuthenticationEntryPoint;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import java.io.IOException;
import java.util.Iterator;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* A reimplementation of the jcifs NtlmHttpFilter suitable for use with the
* Acegi Security System.
*
* <p>
* This servlet Filter can be used to negotiate password hashes with MSIE
* clients using NTLM SSP. This is similar to <code>Authentication:
* BASIC</code> but weakly encrypted and without requiring the user to
* re-supply authentication credentials.
* </p>
*
* @author Davide Baroncelli
* @version $Id$
*/
public class NtlmProcessingFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final String CHALLENGE_ATTR_NAME = "NtlmHttpChal";
//~ Instance fields ========================================================
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
// TODO: Verify licensing, as original contributor reported that large parts of this code where taken from jCifs NtmlHttpFilter: can this be re-licensed to APL (?).
private Log log = LogFactory.getLog(this.getClass());
private String defaultDomain;
private String domainController;
private boolean loadBalance;
//~ Methods ================================================================
/**
* DOCUMENT ME!
*
* @param authenticationEntryPoint The entry point that will be called if
* the "transparent" authentication fails for some reason: don't
* use the same {@link NtlmProcessingFilterEntryPoint} that is used
* in order to commence the NTLM authentication or the user's
* browser would probably loop
*/
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
}
public void setAuthenticationManager(
AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
/**
* DOCUMENT ME!
*
* @param defaultDomain The domain that will be specified as part of the
* authentication credentials if not specified by the username.
*/
public void setDefaultDomain(String defaultDomain) {
this.defaultDomain = defaultDomain;
}
/**
* DOCUMENT ME!
*
* @param domainController The domain controller address: if not set the
* default domain is used.
*/
public void setDomainController(String domainController) {
this.domainController = domainController;
}
/**
* DOCUMENT ME!
*
* @param properties A {@link Properties} object whose properties with
* names starting with "jcifs." will be set into the jCifs {@link
* Config}.
*/
public void setJCifsProperties(Properties properties) {
for (Iterator iterator = properties.keySet().iterator();
iterator.hasNext();) {
String propertyName = (String) iterator.next();
String propertyValue = properties.getProperty(propertyName);
if (propertyName.startsWith("jcifs.")) {
if (log.isInfoEnabled()) {
log.info("setting jcifs property " + propertyName + ":"
+ propertyValue);
}
Config.setProperty(propertyName, propertyValue);
} else {
if (log.isInfoEnabled()) {
log.info("ignoring non-jcifs property " + propertyName
+ ":" + propertyValue);
}
}
}
}
public void setLoadBalance(boolean loadBalance) {
this.loadBalance = loadBalance;
}
public void afterPropertiesSet() throws Exception {
// Set jcifs properties we know we want; soTimeout and cachePolicy to 10min
Config.setProperty("jcifs.smb.client.soTimeout", "300000");
Config.setProperty("jcifs.netbios.cachePolicy", "1200");
if (domainController == null) {
domainController = defaultDomain;
}
if (defaultDomain != null) {
Config.setProperty("jcifs.smb.client.domain", defaultDomain);
}
Assert.notNull(authenticationEntryPoint,
"The authenticationEntryPoint property must be set before "
+ "NtlmProcessingFilter bean initialization");
Assert.notNull(authenticationManager,
"The authenticationManager property must be set before "
+ "NtlmProcessingFilter bean initialization");
}
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
NtlmPasswordAuthentication ntlm = null;
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
try {
String msg = req.getHeader("Authorization");
UniAddress dc = null;
// the "basic" authentication case (both secure + insecure) originally in jcifs NtlmFilter has been
// refactored out, in order for it to be supported by the acegi BasicProcessingFilter +
// SmbNtlmAuthenticationProvider ( + SecureChannelProcessor) combination */
if ((msg != null) && (msg.startsWith("NTLM "))) {
if (log.isDebugEnabled()) {
log.debug("NTLM Authorization header received");
}
HttpSession ssn = req.getSession();
byte[] challenge;
if (loadBalance) {
NtlmChallenge chal = (NtlmChallenge) ssn.getAttribute(CHALLENGE_ATTR_NAME);
if (chal == null) {
chal = SmbSession.getChallengeForDomain();
if (log.isDebugEnabled()) {
log.debug(
"got load balanced challenge for domain: "
+ chal);
}
ssn.setAttribute(CHALLENGE_ATTR_NAME, chal);
}
dc = chal.dc;
challenge = chal.challenge;
} else {
// no challenge in session, here: the server itself keeps the challenge alive for a certain time
dc = UniAddress.getByName(domainController, true);
challenge = SmbSession.getChallenge(dc);
if (log.isDebugEnabled()) {
log.debug("domain controller is " + dc
+ ", challenge is " + challenge);
}
}
ntlm = NtlmSsp.authenticate(req, resp, challenge);
if (ntlm == null) {
if (log.isDebugEnabled()) {
log.debug(
"null ntlm authentication results: sending challenge to browser");
}
return; // this means we must send the challenge to the browser
} else {
if (log.isDebugEnabled()) {
log.debug("ntlm negotiation complete");
}
ssn.removeAttribute(CHALLENGE_ATTR_NAME); /* negotiation complete, remove the challenge object */
}
NtlmAuthenticationToken ntlmToken = newNtlmAuthenticationToken(ntlm,
dc);
Authentication authResult = authenticationManager.authenticate(ntlmToken);
if (log.isDebugEnabled()) {
log.debug("ntlm token authenticated ");
}
successfulAuthentication(req, resp, authResult);
}
} catch (AuthenticationException ae) {
unsuccessfulAuthentication(req, resp, ntlm, ae);
return;
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {}
protected NtlmAuthenticationToken newNtlmAuthenticationToken(
NtlmPasswordAuthentication ntlm, UniAddress dc) {
return new NtlmAuthenticationToken(ntlm, dc);
}
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, Authentication authResult) {
if (log.isDebugEnabled()) {
log.debug("Authentication success: " + authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
}
protected void unsuccessfulAuthentication(HttpServletRequest req,
HttpServletResponse resp, NtlmPasswordAuthentication ntlm,
AuthenticationException ae) throws IOException, ServletException {
if (log.isDebugEnabled()) {
log.debug("Authentication request for user: " + ntlm.getUsername()
+ " failed: " + ae.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
authenticationEntryPoint.commence(req, resp,
new BadCredentialsException(ae.getMessage(), ae));
}
}

46
sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java
Unescape View File

@ -1,46 +0,0 @@ @@ -1,46 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.ui.ntlm;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.ui.AuthenticationEntryPoint;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
/**
* An entry point for the NTLM authentication process.
*
* @author Davide Baroncelli
* @version $Id$
*/
public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint {
//~ Methods ========================================================================================================
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) response;
resp.setHeader("WWW-Authenticate", "NTLM");
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, (authException != null) ? authException.getMessage() : "");
}
}
Write Preview
Loading…
Cancel
Save