net.sourceforge.spnego
Class SpnegoFilterConfig

java.lang.Object
  extended by net.sourceforge.spnego.SpnegoFilterConfig

final class SpnegoFilterConfig
extends Object

Class that applies/enforces web.xml init params.

These properties are set in the servlet's init params in the web.xml file.

This class also validates whether a keyTab should be used and whether all of the LoginModule options have been set.

To see a working example and instructions on how to use a keytab, take a look at the creating a server keytab example.

The class should be used as a Singleton:
SpnegoFilterConfig config = SpnegoFilterConfig.getInstance(filter);

See an example web.xml configuration in the installing on tomcat documentation.

Author:
Darwin V. Felix

Field Summary
private  boolean allowBasic
          true if Basic auth should be offered.
private  boolean allowDelegation
          true if server should support credential delegation requests.
private  boolean allowLocalhost
          true if request from localhost should not be authenticated.
private  boolean allowUnsecure
          true if non-ssl for basic auth is allowed.
private  boolean canUseKeyTab
          true if all req. login module options set.
private  String clientLoginModule
          name of the client login module.
private static SpnegoFilterConfig instance
           
private static Logger LOGGER
           
private static String MISSING_PROPERTY
           
private  String password
          password to domain account.
private  boolean promptNtlm
          true if, instead of returning an error on an NTLM token, the filter should prompt for username/password.
private  String serverLoginModule
          name of the server login module.
private  String username
          domain account to use for pre-authentication.
 
Constructor Summary
private SpnegoFilterConfig()
           
private SpnegoFilterConfig(javax.servlet.FilterConfig config)
          Class is a Singleton.
 
Method Summary
private  void doClientModule(String moduleName)
           
private  void doServerModule(String moduleName)
          Set the canUseKeyTab flag by determining if all LoginModule options have been set.
(package private)  boolean downgradeNtlm()
          Returns true if a client sends an NTLM token and the filter should ask client for a Basic Auth token instead.
(package private)  String getClientLoginModule()
          Return the value defined in the servlet's init params in the web.xml file.
(package private) static SpnegoFilterConfig getInstance(javax.servlet.FilterConfig config)
          Returns the instance of the servlet's config parameters.
(package private)  String getPreauthPassword()
          Return the password to the pre-authentication domain account.
(package private)  String getPreauthUsername()
          Return the name of the pre-authentication domain account.
(package private)  String getServerLoginModule()
          Return the value defined in the servlet's init params in the web.xml file.
(package private)  boolean isBasicAllowed()
          Returns true if Basic Authentication is allowed.
(package private)  boolean isDelegationAllowed()
          Returns true if the server should support credential delegation requests.
(package private)  boolean isLocalhostAllowed()
          Returns true if requests from localhost are allowed.
(package private)  boolean isUnsecureAllowed()
          Returns true if SSL/TLS is required.
private  boolean loginConfExists(String loginconf)
           
private  boolean moduleExists(String side, String moduleName)
           
private  void setBasicSupport(String basic, String unsecure)
          Specify if Basic authentication is allowed and if un-secure/non-ssl Basic should be allowed.
private  void setLogLevel(String level)
          Specify the logging level.
private  void setNtlmSupport(String ntlm)
          If request contains NTLM token, specify if a 401 should be sent back to client with Basic Auth as the only available authentication scheme.
private  void setUsernamePassword(String usr, String psswrd)
          Set the username and password if specified in web.xml's init params.
 String toString()
           
(package private)  boolean useKeyTab()
          Returns true if LoginContext should use keyTab.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

LOGGER

private static final Logger LOGGER

MISSING_PROPERTY

private static final String MISSING_PROPERTY
See Also:
Constant Field Values

instance

private static transient SpnegoFilterConfig instance

allowBasic

private transient boolean allowBasic
true if Basic auth should be offered.


allowDelegation

private transient boolean allowDelegation
true if server should support credential delegation requests.


allowLocalhost

private transient boolean allowLocalhost
true if request from localhost should not be authenticated.


allowUnsecure

private transient boolean allowUnsecure
true if non-ssl for basic auth is allowed.


canUseKeyTab

private transient boolean canUseKeyTab
true if all req. login module options set.


clientLoginModule

private transient String clientLoginModule
name of the client login module.


password

private transient String password
password to domain account.


promptNtlm

private transient boolean promptNtlm
true if, instead of returning an error on an NTLM token, the filter should prompt for username/password.


serverLoginModule

private transient String serverLoginModule
name of the server login module.


username

private transient String username
domain account to use for pre-authentication.

Constructor Detail

SpnegoFilterConfig

private SpnegoFilterConfig()

SpnegoFilterConfig

private SpnegoFilterConfig(javax.servlet.FilterConfig config)
                    throws FileNotFoundException,
                           URISyntaxException
Class is a Singleton. Use the static getInstance() method.

Throws:
FileNotFoundException
URISyntaxException
Method Detail

doClientModule

private void doClientModule(String moduleName)

doServerModule

private void doServerModule(String moduleName)
Set the canUseKeyTab flag by determining if all LoginModule options have been set.
 my-spnego-login-module {
      com.sun.security.auth.module.Krb5LoginModule
      required
      storeKey=true
      useKeyTab=true
      keyTab="file:///C:/my_path/my_file.keytab"
      principal="my_preauth_account";
 };
 

Parameters:
moduleName -

downgradeNtlm

boolean downgradeNtlm()
Returns true if a client sends an NTLM token and the filter should ask client for a Basic Auth token instead.

Returns:
true if client should be prompted for Basic Auth

getClientLoginModule

String getClientLoginModule()
Return the value defined in the servlet's init params in the web.xml file.

Returns:
the name of the login module for the client

getPreauthPassword

String getPreauthPassword()
Return the password to the pre-authentication domain account.

Returns:
password of pre-auth domain account

getPreauthUsername

String getPreauthUsername()
Return the name of the pre-authentication domain account.

Returns:
name of pre-auth domain account

getServerLoginModule

String getServerLoginModule()
Return the value defined in the servlet's init params in the web.xml file.

Returns:
the name of the login module for the server

getInstance

static SpnegoFilterConfig getInstance(javax.servlet.FilterConfig config)
                               throws FileNotFoundException,
                                      URISyntaxException
Returns the instance of the servlet's config parameters.

Parameters:
config - FilterConfig from servlet's init method
Returns:
the instance that represents the init params
Throws:
FileNotFoundException - if login conf file not found
URISyntaxException - if path to login conf is bad

isBasicAllowed

boolean isBasicAllowed()
Returns true if Basic Authentication is allowed.

Returns:
true if Basic Auth is allowed

isDelegationAllowed

boolean isDelegationAllowed()
Returns true if the server should support credential delegation requests.

Returns:
true if server supports credential delegation

isLocalhostAllowed

boolean isLocalhostAllowed()
Returns true if requests from localhost are allowed.

Returns:
true if requests from localhost are allowed

isUnsecureAllowed

boolean isUnsecureAllowed()
Returns true if SSL/TLS is required.

Returns:
true if SSL/TLS is required

loginConfExists

private boolean loginConfExists(String loginconf)
                         throws FileNotFoundException,
                                URISyntaxException
Throws:
FileNotFoundException
URISyntaxException

moduleExists

private boolean moduleExists(String side,
                             String moduleName)

setBasicSupport

private void setBasicSupport(String basic,
                             String unsecure)
Specify if Basic authentication is allowed and if un-secure/non-ssl Basic should be allowed.

Parameters:
basic - true if basic is allowed
unsecure - true if un-secure basic is allowed

setLogLevel

private void setLogLevel(String level)
Specify the logging level.

Parameters:
level - logging level

setNtlmSupport

private void setNtlmSupport(String ntlm)
If request contains NTLM token, specify if a 401 should be sent back to client with Basic Auth as the only available authentication scheme.

Parameters:
ntlm - true/false

setUsernamePassword

private void setUsernamePassword(String usr,
                                 String psswrd)
Set the username and password if specified in web.xml's init params.

Parameters:
usr - domain account
psswrd - the password to the domain account
Throws:
IllegalArgumentException - if user/pass AND keyTab set
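
An added example, not the project's own code, of the two checks described for doServerModule and setUsernamePassword: deciding from a JAAS login entry whether a keytab can be used, and rejecting a configuration that supplies both a keytab and a username/password. The class and helper names, the in-memory Configuration, the sample account values, and the assumption that the four options in the sample entry form the required set are all illustrative.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
public class KeyTabCheckExample {
    // Assumption: the four options in the sample entry are the required set.
    static final String[] REQUIRED = {"storeKey", "useKeyTab", "keyTab", "principal"};
    /** True if the named JAAS entry sets every option needed for a keytab login. */
    static boolean canUseKeyTab(Configuration conf, String moduleName) {
        AppConfigurationEntry[] entries = conf.getAppConfigurationEntry(moduleName);
        if (entries == null) return false;            // entry missing from login conf
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> opts = entry.getOptions();
            boolean complete = true;
            for (String key : REQUIRED) {
                Object v = opts.get(key);
                complete &= v != null && !v.toString().trim().isEmpty();
            }
            if (complete && "true".equalsIgnoreCase(opts.get("useKeyTab").toString())) return true;
        }
        return false;
    }
    /** Mirrors the documented rule: user/pass AND keyTab together is an error. */
    static void checkCredentials(boolean keyTab, String usr, String psswrd) {
        boolean userPass = usr != null && !usr.isEmpty() && psswrd != null && !psswrd.isEmpty();
        if (keyTab && userPass) throw new IllegalArgumentException("user/pass AND keyTab set");
    }

    public static void main(String[] args) {
        Map<String, String> opts = new HashMap<>();   // constructed sample, same values as the entry above
        opts.put("storeKey", "true");
        opts.put("useKeyTab", "true");
        opts.put("keyTab", "file:///C:/my_path/my_file.keytab");
        opts.put("principal", "my_preauth_account");
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {    // in-memory stand-in for login.conf
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "my-spnego-login-module".equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
        boolean keyTab = canUseKeyTab(conf, "my-spnego-login-module");
        checkCredentials(keyTab, "", "");             // accepted: keytab only
        try { checkCredentials(keyTab, "svc_account", "example"); }   // constructed credentials
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("canUseKeyTab=" + keyTab);
    }
}
```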

useKeyTab

boolean useKeyTab()
Returns true if LoginContext should use keyTab.

Returns:
true if LoginContext should use keyTab.

toString

public String toString()
Overrides:
toString in class Object