net.sourceforge.spnego
Class SpnegoAuthenticator

java.lang.Object
  extended by net.sourceforge.spnego.SpnegoAuthenticator

public final class SpnegoAuthenticator
extends Object

Handles SPNEGO or Basic authentication.

Package scope is deliberate; this class MUST NOT be used/referenced directly outside of this package. Be cautious about who you give a reference to.

Basic Authentication must be enabled through the filter configuration. See an example web.xml configuration in the installing on tomcat documentation or the SpnegoHttpFilter javadoc.

Localhost is supported but must be enabled through the filter configuration. Allowing requests that come from http://localhost removes the requirement that the service have an SPN. Note that for localhost requests no Kerberos authentication occurs; the authenticator simply returns System.getProperty("user.name") or the server's pre-authentication username.

NTLM tokens are NOT supported. However, it is still possible to avoid an error being returned by downgrading the authentication from Negotiate NTLM to Basic Auth.

See the reference docs on how to configure the web.xml to prompt if a request is being made using NTLM.

Finally, to see a working example and instructions on how to use a keytab, take a look at the creating a server keytab example.

Author:
Darwin V. Felix

Field Summary
private  boolean allowBasic
          Flag to indicate if BASIC Auth is allowed.
private  boolean allowDelegation
          Flag to indicate if credential delegation is allowed.
private  boolean allowLocalhost
          Flag to skip auth if localhost.
private  boolean allowUnsecure
          Flag to indicate if non-SSL BASIC Auth allowed.
private  String clientModuleName
          Login Context module name for client auth.
private static Lock LOCK
          GSSContext is not thread-safe.
private static Logger LOGGER
           
private  LoginContext loginContext
          Login Context server uses for pre-authentication.
private static GSSManager MANAGER
          Default GSSManager.
private  boolean promptIfNtlm
          Flag to indicate if NTLM is accepted.
private  GSSCredential serverCredentials
          Credentials server uses for authenticating requests.
private  KerberosPrincipal serverPrincipal
          Server Principal used for pre-authentication.
 
Constructor Summary
SpnegoAuthenticator(Map<String,String> config)
          Create an authenticator for SPNEGO and/or BASIC authentication.
SpnegoAuthenticator(SpnegoFilterConfig config)
          Create an authenticator for SPNEGO and/or BASIC authentication.
 
Method Summary
 SpnegoPrincipal authenticate(javax.servlet.http.HttpServletRequest req, SpnegoHttpServletResponse resp)
          Returns the KerberosPrincipal of the user/client making the HTTP request.
 void dispose()
          Logout.
private  SpnegoPrincipal doBasicAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp)
          Performs authentication using the BASIC Auth mechanism.
private  SpnegoPrincipal doLocalhost()
           
private  SpnegoPrincipal doSpnegoAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp)
          Performs authentication using the SPNEGO mechanism.
private  boolean isLocalhost(javax.servlet.http.HttpServletRequest req)
          Returns true if HTTP request is from the same host (localhost).
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOGGER

private static final Logger LOGGER

LOCK

private static final Lock LOCK
GSSContext is not thread-safe.


MANAGER

private static final GSSManager MANAGER
Default GSSManager.


allowBasic

private final transient boolean allowBasic
Flag to indicate if BASIC Auth is allowed.


allowDelegation

private final transient boolean allowDelegation
Flag to indicate if credential delegation is allowed.


allowLocalhost

private final transient boolean allowLocalhost
Flag to skip auth if localhost.


allowUnsecure

private final transient boolean allowUnsecure
Flag to indicate if non-SSL BASIC Auth allowed.


promptIfNtlm

private final transient boolean promptIfNtlm
Flag to indicate if NTLM is accepted.


clientModuleName

private final transient String clientModuleName
Login Context module name for client auth.


loginContext

private final transient LoginContext loginContext
Login Context server uses for pre-authentication.


serverCredentials

private final transient GSSCredential serverCredentials
Credentials server uses for authenticating requests.


serverPrincipal

private final transient KerberosPrincipal serverPrincipal
Server Principal used for pre-authentication.

Constructor Detail

SpnegoAuthenticator

public SpnegoAuthenticator(SpnegoFilterConfig config)
                    throws LoginException,
                           GSSException,
                           PrivilegedActionException
Create an authenticator for SPNEGO and/or BASIC authentication.

Parameters:
config - servlet filter initialization parameters
Throws:
LoginException
GSSException
PrivilegedActionException

SpnegoAuthenticator

public SpnegoAuthenticator(Map<String,String> config)
                    throws LoginException,
                           GSSException,
                           PrivilegedActionException,
                           FileNotFoundException,
                           URISyntaxException
Create an authenticator for SPNEGO and/or BASIC authentication. Intended for third-party code/frameworks that want to authenticate via their own filter, valve, or other code.

The ExampleSpnegoAuthenticatorValve.java demonstrates a working example of how to use this constructor.

Example of some Map keys and values:

 
 // configuration keys are plain strings; values are read as strings
 Map<String, String> map = new HashMap<>();
 map.put("spnego.krb5.conf", "krb5.conf");          // path to the Kerberos client config
 map.put("spnego.allow.basic", "true");             // also accept Basic Auth
 map.put("spnego.preauth.username", "dfelix");      // server pre-authentication account
 map.put("spnego.preauth.password", "myp@s5");      // its password
 ...
 
 SpnegoAuthenticator authenticator = new SpnegoAuthenticator(map);
 ...
 

Parameters:
config - map of configuration keys and values (see the example above)
Throws:
LoginException
GSSException
PrivilegedActionException
FileNotFoundException
URISyntaxException
Method Detail

authenticate

public SpnegoPrincipal authenticate(javax.servlet.http.HttpServletRequest req,
                                    SpnegoHttpServletResponse resp)
                             throws GSSException,
                                    IOException
Returns the KerberosPrincipal of the user/client making the HTTP request.

Null may be returned if the client did not provide auth info.

Method will throw UnsupportedOperationException if the scheme of the client's authorization request is neither "Negotiate" nor "Basic".

Parameters:
req - servlet request
resp - servlet response
Returns:
null if auth not complete else SpnegoPrincipal of client
Throws:
GSSException
IOException

dispose

public void dispose()
Logout. Since the server uses a LoginContext to login/pre-authenticate, we must also log out when we are done using this object.

Generally, instantiators of this class should be the only ones to call dispose(), as it indicates that this object will no longer be used.
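As an added example (not code from the spnego project), a minimal servlet filter that uses the Map constructor described above, applies the authenticate() contract (null means not yet authenticated, UnsupportedOperationException means an unsupported scheme) and calls dispose() on shutdown. It assumes SpnegoHttpServletResponse can be constructed from an HttpServletResponse; the filter class name, krb5.conf path, account name and environment variable are placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSException;
import net.sourceforge.spnego.SpnegoAuthenticator;
import net.sourceforge.spnego.SpnegoHttpServletResponse;
import net.sourceforge.spnego.SpnegoPrincipal;
/** Hypothetical third-party filter that drives SpnegoAuthenticator itself. */
public final class ExampleAuthFilter implements Filter {
    private SpnegoAuthenticator authenticator;

    @Override
    public void init(FilterConfig fc) throws ServletException {
        Map<String, String> config = new HashMap<>();
        config.put("spnego.krb5.conf", "/etc/krb5.conf");                  // placeholder path
        config.put("spnego.allow.basic", "true");
        config.put("spnego.preauth.username", "svc-http");                 // placeholder account
        config.put("spnego.preauth.password", System.getenv("SPNEGO_PW")); // secret from env, not code
        try {
            authenticator = new SpnegoAuthenticator(config);
        } catch (Exception e) { // LoginException, GSSException, PrivilegedActionException, ...
            throw new ServletException("cannot create SPNEGO authenticator", e);
        }
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpRes = (HttpServletResponse) res;
        SpnegoHttpServletResponse spnegoRes = new SpnegoHttpServletResponse(httpRes); // assumed ctor
        SpnegoPrincipal principal;
        try {
            principal = authenticator.authenticate((HttpServletRequest) req, spnegoRes);
        } catch (UnsupportedOperationException e) { // scheme was neither "Negotiate" nor "Basic"
            httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        } catch (GSSException e) {                  // token rejected by the GSS layer
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (principal == null) return;              // no auth info yet or negotiation incomplete
        chain.doFilter(req, res);                   // authenticated: hand the request on
    }
    @Override
    public void destroy() {
        if (authenticator != null) authenticator.dispose(); // logout of the server LoginContext
    }
}
```

When authenticate() returns null the request must not be passed down the chain; the challenge for the client is carried in the wrapped response.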


doBasicAuth

private SpnegoPrincipal doBasicAuth(SpnegoAuthScheme scheme,
                                    SpnegoHttpServletResponse resp)
                             throws IOException
Performs authentication using the BASIC Auth mechanism.

Returns null if authentication failed or if the provided auth scheme did not contain BASIC Auth data/token.

Returns:
SpnegoPrincipal for the given auth scheme.
Throws:
IOException

doLocalhost

private SpnegoPrincipal doLocalhost()

doSpnegoAuth

private SpnegoPrincipal doSpnegoAuth(SpnegoAuthScheme scheme,
                                     SpnegoHttpServletResponse resp)
                              throws GSSException,
                                     IOException
Performs authentication using the SPNEGO mechanism.

Returns null if authentication failed or if the provided auth scheme did not contain the SPNEGO/GSS token.

Returns:
SpnegoPrincipal for the given auth scheme.
Throws:
GSSException
IOException

isLocalhost

private boolean isLocalhost(javax.servlet.http.HttpServletRequest req)
Returns true if HTTP request is from the same host (localhost).

Parameters:
req - servlet request
Returns:
true if HTTP request is from the same host (localhost)