public final class SpnegoAuthenticator extends Object
Be cautious about who you give a reference to: an instance holds the server's pre-authentication LoginContext and GSSCredential, so any code that can reach it can act with the service's credentials.
Basic Authentication must be enabled through the filter configuration. See
an example web.xml configuration in the installing on Tomcat documentation or the
SpnegoHttpFilter
javadoc. Basic Auth sends the user's password in the clear, so leave non-SSL Basic Auth disabled unless the connection is protected by TLS.
Localhost is supported but must be enabled through the filter configuration. Allowing
requests to come from the host name http://localhost removes the requirement that the
service have an SPN. Note that no Kerberos authentication takes place for a localhost
request; the authenticator simply returns a principal built from System.getProperty("user.name")
or from the server's pre-authentication username. Because every request that arrives from the
same host is accepted this way, do not enable it on a server that sits behind a local reverse
proxy or otherwise receives forwarded requests from other processes on the same machine.
NTLM tokens are NOT supported. It is still possible to avoid an error being returned by downgrading the authentication from Negotiate (NTLM) to Basic Auth.
See the reference docs on how to configure the web.xml to prompt for Basic Auth when a request is made using NTLM.
Finally, to see a working example and instructions on how to use a keytab, take a look at the creating a server keytab example.
Modifier and Type | Field and Description |
---|---|
private boolean | allowBasic: Flag to indicate if BASIC Auth is allowed. |
private boolean | allowDelegation: Flag to indicate if credential delegation is allowed. |
private boolean | allowLocalhost: Flag to skip auth if the request comes from localhost. |
private boolean | allowUnsecure: Flag to indicate if non-SSL BASIC Auth is allowed. |
private String | clientModuleName: Login Context module name for client auth. |
private static Lock | LOCK: GSSContext is not thread-safe, so token processing is serialised on this lock. |
private static Logger | LOGGER |
private LoginContext | loginContext: Login Context the server uses for pre-authentication. |
private static GSSManager | MANAGER: Default GSSManager. |
private boolean | promptIfNtlm: Flag to indicate whether to prompt for Basic Auth when an NTLM token is received (NTLM itself is not accepted). |
private GSSCredential | serverCredentials: Credentials the server uses for authenticating requests. |
private KerberosPrincipal | serverPrincipal: Server Principal used for pre-authentication. |
Constructor and Description |
---|
SpnegoAuthenticator(Map<String,String> config): Create an authenticator for SPNEGO and/or BASIC authentication. |
SpnegoAuthenticator(SpnegoFilterConfig config): Create an authenticator for SPNEGO and/or BASIC authentication. |
SpnegoAuthenticator(String loginModuleName, SpnegoFilterConfig config): Create an authenticator for SPNEGO and/or BASIC authentication. |
Modifier and Type | Method and Description |
---|---|
SpnegoPrincipal | authenticate(javax.servlet.http.HttpServletRequest req, SpnegoHttpServletResponse resp): Returns a SpnegoPrincipal for the user/client making the HTTP request. |
void | dispose(): Logout. |
private SpnegoPrincipal | doBasicAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp): Performs authentication using the BASIC Auth mechanism. |
private SpnegoPrincipal | doLocalhost() |
private SpnegoPrincipal | doSpnegoAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp): Performs authentication using the SPNEGO mechanism. |
String | getServerRealm() |
private boolean | isLocalhost(javax.servlet.http.HttpServletRequest req): Returns true if the HTTP request is from the same host (localhost). |
private static final GSSManager MANAGER
private final transient boolean allowBasic
private final transient boolean allowDelegation
private final transient boolean allowLocalhost
private final transient boolean allowUnsecure
private final transient boolean promptIfNtlm
private final transient String clientModuleName
private final transient LoginContext loginContext
private final transient GSSCredential serverCredentials
private final transient KerberosPrincipal serverPrincipal
public SpnegoAuthenticator(SpnegoFilterConfig config) throws LoginException, GSSException, PrivilegedActionException
Parameters: config - servlet filter initialization parameters
Throws: LoginException, GSSException, PrivilegedActionException
public SpnegoAuthenticator(Map<String,String> config) throws LoginException, GSSException, PrivilegedActionException, FileNotFoundException, URISyntaxException
The ExampleSpnegoAuthenticatorValve.java demonstrates a working example of how to use this constructor.
Example of some Map keys and values:
    // Keys use the same names as the SpnegoHttpFilter init-params in web.xml.
    Map<String, String> map = new HashMap<>();
    map.put("spnego.krb5.conf", "krb5.conf");          // Kerberos client configuration
    map.put("spnego.allow.basic", "true");             // also accept Basic Auth (use only over TLS)
    map.put("spnego.preauth.username", "dfelix");      // server pre-authentication account
    map.put("spnego.preauth.password", "myp@s5");      // keep this out of source control
    ...
    SpnegoAuthenticator authenticator = new SpnegoAuthenticator(map);
    ...
Parameters: config - servlet filter initialization parameters, keyed by init-param name
Throws: LoginException, GSSException, PrivilegedActionException, FileNotFoundException, URISyntaxException
public SpnegoAuthenticator(String loginModuleName, SpnegoFilterConfig config) throws LoginException, GSSException, PrivilegedActionException
Parameters: loginModuleName - module name defined in login.conf; config - servlet filter initialization parameters
Throws: LoginException, GSSException, PrivilegedActionException
public SpnegoPrincipal authenticate(javax.servlet.http.HttpServletRequest req, SpnegoHttpServletResponse resp) throws GSSException, IOException
Null may be returned if the client did not provide auth info, or if the credentials it provided did not authenticate; callers must treat null as "not authenticated" and stop processing the request.
The method throws UnsupportedOperationException if the scheme in the client's Authorization header is neither "Negotiate" nor "Basic".
Parameters: req - servlet request; resp - servlet response
Throws: GSSException, IOException
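As an added example that is not part of this javadoc or of the spnego project's own code, the following servlet Filter wires the class up end to end: it builds the authenticator from a Map in init(), calls authenticate() on every request, treats a null result as "not authenticated", rejects the two exception cases, and calls dispose() on shutdown. The four init-param keys shown on this page are used as-is; the keys spnego.login.conf, spnego.allow.unsecure.basic and spnego.allow.localhost, and the resp.isStatusSet() helper, are assumptions taken from the SpnegoHttpFilter documentation and should be checked against the library version in use. The request attribute name "spnego.principal" is this example's own choice.

```java
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.PrivilegedActionException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSException;

import net.sourceforge.spnego.SpnegoAuthenticator;
import net.sourceforge.spnego.SpnegoHttpServletResponse;
import net.sourceforge.spnego.SpnegoPrincipal;

/**
 * Added example (not part of the spnego project): a minimal servlet Filter that
 * drives SpnegoAuthenticator directly instead of using SpnegoHttpFilter.
 */
public final class MinimalSpnegoFilter implements Filter {

    /** Request attribute under which the authenticated principal is exposed (our own name). */
    public static final String PRINCIPAL_ATTR = "spnego.principal";

    private SpnegoAuthenticator authenticator;

    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        final Map<String, String> cfg = new HashMap<>();
        // Keys shown on this page:
        cfg.put("spnego.krb5.conf", "krb5.conf");
        cfg.put("spnego.allow.basic", "true");
        cfg.put("spnego.preauth.username", "dfelix");
        cfg.put("spnego.preauth.password", "myp@s5");
        // Keys assumed from the SpnegoHttpFilter documentation (verify against your version):
        cfg.put("spnego.login.conf", "login.conf");
        cfg.put("spnego.allow.unsecure.basic", "false"); // Basic sends the password in clear; require TLS
        cfg.put("spnego.allow.localhost", "false");      // keep the no-Kerberos localhost shortcut off
        try {
            authenticator = new SpnegoAuthenticator(cfg);
        } catch (LoginException | GSSException | PrivilegedActionException
                 | IOException | URISyntaxException e) {
            // Fail closed: a filter that cannot authenticate must not let requests through.
            throw new ServletException("SPNEGO initialisation failed", e);
        }
    }

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest req = (HttpServletRequest) request;
        final SpnegoHttpServletResponse resp =
                new SpnegoHttpServletResponse((HttpServletResponse) response);

        final SpnegoPrincipal principal;
        try {
            principal = authenticator.authenticate(req, resp);
        } catch (final GSSException e) {
            // Malformed, expired or replayed token: reject without echoing GSS details.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        } catch (final UnsupportedOperationException e) {
            // Authorization header carried a scheme other than "Negotiate" or "Basic".
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (principal == null) {
            // No credentials, or they failed. authenticate() normally sets 401 plus the
            // WWW-Authenticate challenge itself; isStatusSet() (assumed helper) tells us so.
            if (!resp.isStatusSet()) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        // Authenticated: hand the principal to downstream code and continue the chain.
        request.setAttribute(PRINCIPAL_ATTR, principal);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Only the owner of the authenticator should call dispose(); it logs the server out.
        if (authenticator != null) {
            authenticator.dispose();
            authenticator = null;
        }
    }
}
```

The filter deliberately returns on every non-success path rather than falling through to chain.doFilter(), and it never copies the GSS error text into the response, since that text can reveal realm and SPN details to an unauthenticated client. Register it in web.xml ahead of any filter that relies on the principal attribute.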
public void dispose()
Generally, the code that instantiated this class should be the only code to call dispose(), as it indicates that the instance will no longer be used: it logs the server out of its LoginContext, after which authenticate() can no longer be used on that instance.
private SpnegoPrincipal doBasicAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp) throws IOException
Returns null if authentication failed or if the provided auth scheme did not contain BASIC Auth data/token.
Throws: IOException
private SpnegoPrincipal doLocalhost()
private SpnegoPrincipal doSpnegoAuth(SpnegoAuthScheme scheme, SpnegoHttpServletResponse resp) throws GSSException, IOException
Returns null if authentication failed or if the provided auth scheme did not contain the SPNEGO/GSS token.
Throws: GSSException, IOException
public String getServerRealm()
private boolean isLocalhost(javax.servlet.http.HttpServletRequest req)
Parameters: req - servlet request