SEC-8: Removed custom interface and provider as the specialized authenticator should be sufficient.
This commit is contained in:
parent
870f10cc77
commit
0b152a6df2
|
@ -1,108 +0,0 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package org.acegisecurity.ui.ntlm.ldap.authenticator;
|
||||
|
||||
import org.acegisecurity.*;
|
||||
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
|
||||
import org.acegisecurity.providers.ldap.LdapAuthenticationProvider;
|
||||
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
|
||||
import org.acegisecurity.ui.ntlm.NtlmUsernamePasswordAuthenticationToken;
|
||||
import org.acegisecurity.userdetails.UserDetails;
|
||||
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.dao.DataAccessException;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
|
||||
/**
|
||||
* This provider implements specialized behaviour if the supplied {@link Authentication} object is
|
||||
* from NTLM. In other cases calls the parent implementation.
|
||||
*
|
||||
* @author sylvain.mougenot
|
||||
*
|
||||
*/
|
||||
public class NtlmAwareLdapAuthenticationProvider extends LdapAuthenticationProvider {
|
||||
private static final Log logger = LogFactory.getLog(NtlmAwareLdapAuthenticationProvider.class);
|
||||
|
||||
/**
|
||||
* NTLM aware authenticator
|
||||
*/
|
||||
private NtlmAwareLdapAuthenticator authenticator;
|
||||
|
||||
/**
|
||||
* @param authenticator
|
||||
* @param authoritiesPopulator
|
||||
*/
|
||||
public NtlmAwareLdapAuthenticationProvider(NtlmAwareLdapAuthenticator authenticator,
|
||||
LdapAuthoritiesPopulator authoritiesPopulator) {
|
||||
super(authenticator, authoritiesPopulator);
|
||||
this.authenticator = authenticator;
|
||||
}
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see org.acegisecurity.providers.ldap.LdapAuthenticationProvider#retrieveUser(java.lang.String,
|
||||
* org.acegisecurity.providers.UsernamePasswordAuthenticationToken)
|
||||
*/
|
||||
protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
|
||||
throws AuthenticationException {
|
||||
final UserDetails myDetails;
|
||||
|
||||
if (authentication instanceof NtlmUsernamePasswordAuthenticationToken) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Ntlm Token for Authentication"); //$NON-NLS-1$
|
||||
}
|
||||
|
||||
// Only loads LDAP data
|
||||
myDetails = retrieveUser(username, (NtlmUsernamePasswordAuthenticationToken) authentication);
|
||||
} else {
|
||||
// calls parent implementation
|
||||
myDetails = super.retrieveUser(username, authentication);
|
||||
}
|
||||
|
||||
return myDetails;
|
||||
}
|
||||
|
||||
/**
|
||||
* Authentication has already been done. We need a particular behviour
|
||||
* because the parent check password consistency. But we do not have the
|
||||
* password (even if the user is authenticated).
|
||||
*
|
||||
* @see NtlmUsernamePasswordAuthenticationToken#DEFAULT_PASSWORD
|
||||
* @param username
|
||||
* @param authentication
|
||||
* @return
|
||||
* @throws AuthenticationException
|
||||
*/
|
||||
protected UserDetails retrieveUser(String username, NtlmUsernamePasswordAuthenticationToken authentication)
|
||||
throws AuthenticationException {
|
||||
// identifiant obligatoire
|
||||
if (!StringUtils.hasLength(username)) {
|
||||
throw new BadCredentialsException(messages.getMessage(
|
||||
"LdapAuthenticationProvider.emptyUsername",
|
||||
"Empty Username"));
|
||||
}
|
||||
|
||||
// NB: password is just the default value
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Retrieving user " + username);
|
||||
}
|
||||
|
||||
try {
|
||||
// Complies with our lack of password (can't bind)
|
||||
DirContextOperations ldapUser = authenticator.authenticate(authentication);
|
||||
|
||||
GrantedAuthority[] extraAuthorities = getAuthoritiesPopulator().getGrantedAuthorities(ldapUser, username);
|
||||
|
||||
return getUserDetailsContextMapper().mapUserFromContext(ldapUser, username, extraAuthorities);
|
||||
|
||||
} catch (DataAccessException ldapAccessFailure) {
|
||||
throw new AuthenticationServiceException(ldapAccessFailure
|
||||
.getMessage(), ldapAccessFailure);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package org.acegisecurity.ui.ntlm.ldap.authenticator;
|
||||
|
||||
import org.acegisecurity.providers.ldap.LdapAuthenticator;
|
||||
import org.acegisecurity.ui.ntlm.NtlmUsernamePasswordAuthenticationToken;
|
||||
import org.springframework.ldap.core.DirContextOperations;
|
||||
|
||||
/**
|
||||
* Authenticator compliant with NTLM part done previously (for authentication).
|
||||
*
|
||||
* @author sylvain.mougenot
|
||||
*
|
||||
*/
|
||||
public interface NtlmAwareLdapAuthenticator extends LdapAuthenticator {
|
||||
/**
|
||||
* Authentication was done previously by NTLM.
|
||||
* Obtains additional user informations from the directory.
|
||||
*
|
||||
* @param aUserToken Ntlm issued authentication Token
|
||||
* @return the details of the successfully authenticated user.
|
||||
*/
|
||||
DirContextOperations authenticate(NtlmUsernamePasswordAuthenticationToken aUserToken);
|
||||
}
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
*
|
||||
*
|
||||
*/
|
||||
package org.acegisecurity.ui.ntlm.ldap.authenticator;
|
||||
|
||||
|
@ -16,11 +16,11 @@ import org.apache.commons.logging.LogFactory;
|
|||
import org.springframework.ldap.core.DirContextOperations;
|
||||
|
||||
/**
|
||||
* Fullfill the User details after NTLM authentication was done. Or (if no NTLM
|
||||
* authentication done) act as the parent to authenticate the user
|
||||
*
|
||||
* Loads the UserDetails if authentication was already performed by NTLM (indicated by the type of authentication
|
||||
* token submitted). Otherwise falls back to the parent class behaviour, attempting to bind as the user.
|
||||
*
|
||||
* @author sylvain.mougenot
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator {
|
||||
/**
|
||||
|
@ -37,7 +37,7 @@ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator {
|
|||
|
||||
/**
|
||||
* Prepare the template without bind requirements.
|
||||
*
|
||||
*
|
||||
* @param aUserDn
|
||||
* @param aUserName
|
||||
* @see #loadDetail(SpringSecurityLdapTemplate, String, String)
|
||||
|
@ -50,7 +50,7 @@ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator {
|
|||
|
||||
/**
|
||||
* Load datas
|
||||
*
|
||||
*
|
||||
* @param aTemplate
|
||||
* @param aUserDn
|
||||
* @param aUserName
|
||||
|
@ -68,20 +68,20 @@ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator {
|
|||
// exception
|
||||
// unless a subclass wishes to implement more specialized behaviour.
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Failed to bind as " + aUserDn + ": "
|
||||
+ e.getMessage(), e);
|
||||
logger.debug("Failed to bind as " + aUserDn + ": " + e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see org.acegisecurity.ui.ntlm.NtlmAwareLdapAuthenticator#authenticate(org.acegisecurity.ui.ntlm.NtlmUsernamePasswordAuthenticationToken)
|
||||
/**
|
||||
* If the supplied <tt>Authentication</tt> object is of type <tt>NtlmUsernamePasswordAuthenticationToken</tt>,
|
||||
* the information stored in the user's directory entry is loaded without attempting to authenticate them.
|
||||
* Otherwise the parent class is called to perform a bind operation to authenticate the user.
|
||||
*/
|
||||
public DirContextOperations authenticate(Authentication authentication) {
|
||||
if (!(authentication instanceof NtlmUsernamePasswordAuthenticationToken)) {
|
||||
// Not NTLM authenticated, so call the base class to authenticate the user.
|
||||
return super.authenticate(authentication);
|
||||
}
|
||||
|
||||
|
|
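Review bot: In `authenticate(Authentication)` the bind is skipped solely because the token is an `NtlmUsernamePasswordAuthenticationToken`, so any path that can hand such a token to the provider obtains the directory entry without any credential check; the method body continues outside this hunk, so the NTLM branch itself is not visible here. The deleted provider rejected an empty username before loading the entry (throwing `BadCredentialsException` with `LdapAuthenticationProvider.emptyUsername`); if the NTLM branch does not repeat that guard, it should, and it is worth also requiring `authentication.isAuthenticated()` before trusting the token — confirm that the NTLM filter actually sets that flag on the tokens it creates. The new Javadoc should state the trust assumption explicitly, e.g. `* The token type alone is taken as proof of a completed NTLM handshake; this authenticator must only receive such tokens from the NTLM filter.`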