diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/HttpFilter.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/HttpFilter.java index 6c257dbc89..503a1539df 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/HttpFilter.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/HttpFilter.java @@ -58,4 +58,4 @@ public abstract class HttpFilter implements Filter { response.sendRedirect(response.encodeRedirectURL(url)); } -} // End HttpFilter +} diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBaseException.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBaseException.java index e9948fd070..ca5c694f0f 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBaseException.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBaseException.java @@ -31,4 +31,4 @@ public abstract class NtlmBaseException extends AuthenticationException { super(msg); } -} // End NtlmBaseException +} diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBeginHandshakeException.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBeginHandshakeException.java index 7ec54e2937..37f0e6f2ac 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBeginHandshakeException.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmBeginHandshakeException.java @@ -28,4 +28,4 @@ public class NtlmBeginHandshakeException extends NtlmBaseException { super("NTLM"); } -} // End NtlmBeginHandshakeException +} diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java index b9f6102ade..e3910f31b3 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java @@ -72,7 +72,7 @@ import org.springframework.util.Assert; * server to automatcially discover the username of a browser client when that * client is logged into a Windows domain and is using an NTLM-aware browser. * A web application can then reuse the user's Windows credentials without - * having to ask for them again. + * having to ask for them again. *

* Because NTLM only provides the username of the Windows client, an Acegi * Security NTLM deployment must have a UserDetailsService that @@ -83,7 +83,7 @@ import org.springframework.util.Assert; * The Acegi Security bean configuration file must also place the * ExceptionTranslationFilter before this filter in the * FilterChainProxy definition. - * + * * @author Davide Baroncelli * @author Edward Smith * @version $Id$ @@ -102,16 +102,16 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean //~ Instance fields ================================================================================================ - /** Shoud the filter load balance among multiple domain controllers, default false */ + /** Should the filter load balance among multiple domain controllers, default false */ private boolean loadBalance; - /** Shoud the domain name be stripped from the username, default true */ + /** Should the domain name be stripped from the username, default true */ private boolean stripDomain = true; - /** Should the filter initiate NTLM negotiations, default true */ + /** Should the filter initiate NTLM negotiations, default true */ private boolean forceIdentification = true; - /** Shoud the filter retry NTLM on authorization failure, default false */ + /** Should the filter retry NTLM on authorization failure, default false */ private boolean retryOnAuthFailure; private String soTimeout; @@ -120,7 +120,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean private String domainController; private AuthenticationManager authenticationManager; - //~ Public Methods ================================================================================================= + //~ Methods ======================================================================================================== /** * Ensures an AuthenticationManager and authentication failure @@ -130,9 +130,9 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean Assert.notNull(this.authenticationManager, "An AuthenticationManager is required"); // Default to 5 minutes if not already specified - Config.setProperty("jcifs.smb.client.soTimeout", (soTimeout == null) ? "300000" : soTimeout); + Config.setProperty("jcifs.smb.client.soTimeout", soTimeout == null ? "300000" : soTimeout); // Default to 20 minutes if not already specified - Config.setProperty("jcifs.netbios.cachePolicy", (cachePolicy == null) ? "1200" : cachePolicy); + Config.setProperty("jcifs.netbios.cachePolicy", cachePolicy == null ? "1200" : cachePolicy); if (domainController == null) { domainController = defaultDomain; @@ -141,7 +141,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Sets the AuthenticationManager to use. - * + * * @param authenticationManager the AuthenticationManager to use. */ public void setAuthenticationManager(AuthenticationManager authenticationManager) { @@ -153,7 +153,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * client username and password are also set, then preauthentication will * be used which is necessary to initialize the SMB signing digest. SMB * signatures are required by default on Windows 2003 domain controllers. - * + * * @param defaultDomain The name of the default domain. */ public void setDefaultDomain(String defaultDomain) { @@ -163,7 +163,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Sets the SMB client username. - * + * * @param smbClientUsername The SMB client username. */ public void setSmbClientUsername(String smbClientUsername) { @@ -172,7 +172,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Sets the SMB client password. - * + * * @param smbClientPassword The SMB client password. */ public void setSmbClientPassword(String smbClientPassword) { @@ -184,8 +184,8 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * authentication is forced to use a separate transport. This effectively * ignores SMB signing requirements, however at the expense of reducing * scalability. Preauthentication with a domain, username, and password is - * the preferred method for working with servers that require signatures. - * + * the preferred method for working with servers that require signatures. + * * @param smbClientSSNLimit The SMB client SSN limit. */ public void setSmbClientSSNLimit(String smbClientSSNLimit) { @@ -196,17 +196,17 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * Configures JCIFS to use a WINS server. It is preferred to use a WINS * server over a specific domain controller. Set this property instead of * domainController if there is a WINS server available. - * + * * @param netbiosWINS The WINS server JCIFS will use. */ public void setNetbiosWINS(String netbiosWINS) { - Config.setProperty("jcifs.netbios.wins", netbiosWINS); + Config.setProperty("jcifs.netbios.wins", netbiosWINS); } /** * The IP address of any SMB server that should be used to authenticate * HTTP clients. - * + * * @param domainController The IP address of the domain controller. */ public void setDomainController(String domainController) { @@ -218,7 +218,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * specified, then query for domain controllers by name. When load * balance is true, rotate through the list of domain * controllers when authenticating users. - * + * * @param loadBalance The load balance flag value. */ public void setLoadBalance(boolean loadBalance) { @@ -229,7 +229,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * Configures NtlmProcessingFilter to strip the Windows * domain name from the username when set to true, which * is the default value. - * + * * @param stripDomain The strip domain flag value. */ public void setStripDomain(boolean stripDomain) { @@ -240,7 +240,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * Sets the jcifs.smb.client.soTimeout property to the * timeout value specified in milliseconds. Defaults to 5 minutes * if not specified. - * + * * @param timeout The milliseconds timeout value. */ public void setSoTimeout(String timeout) { @@ -251,7 +251,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * Sets the jcifs.netbios.cachePolicy property to the * number of seconds a NetBIOS address is cached by JCIFS. Defaults to * 20 minutes if not specified. - * + * * @param numSeconds The number of seconds a NetBIOS address is cached. */ public void setCachePolicy(String numSeconds) { @@ -261,7 +261,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Loads properties starting with "jcifs" into the JCIFS configuration. * Any other properties are ignored. - * + * * @param props The JCIFS properties to set. */ public void setJcifsProperties(Properties props) { @@ -277,7 +277,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Returns true if NTLM authentication is forced. - * + * * @return true if NTLM authentication is forced. */ public boolean isForceIdentification() { @@ -286,7 +286,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Sets a flag denoting whether NTLM authentication should be forced. - * + * * @param forceIdentification the force identification flag value to set. */ public void setForceIdentification(boolean forceIdentification) { @@ -297,15 +297,13 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * Sets a flag denoting whether NTLM should retry whenever authentication * fails. Retry will only occur on an {@link AuthenticationCredentialsNotFoundException} * or {@link InsufficientAuthenticationException}. - * + * * @param retryOnFailure the retry on failure flag value to set. */ public void setRetryOnAuthFailure(boolean retryOnFailure) { this.retryOnAuthFailure = retryOnFailure; } - //~ Protected Methods ============================================================================================== - protected void doFilter(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException { final HttpSession session = request.getSession(); Integer ntlmState = (Integer) session.getAttribute(STATE_ATTR); @@ -350,8 +348,6 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean } } - //~ Private Methods ================================================================================================ - /** * Returns true if reauthentication is needed on an IE POST. */ @@ -362,7 +358,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Creates and returns a Type 2 message from the provided Type 1 message. - * + * * @param message the Type 1 message to process. * @param session the HTTPSession object. * @param dcAddress the domain controller address. @@ -379,7 +375,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Builds and returns an NtlmPasswordAuthentication object * from the provided Type 3 message. - * + * * @param message the Type 3 message to process. * @param session the HTTPSession object. * @param dcAddress the domain controller address. @@ -400,7 +396,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Checks the user credentials against the domain controller. - * + * * @param session the HTTPSession object. * @param dcAddress the domain controller address. * @param auth the NtlmPasswordAuthentication object. @@ -424,7 +420,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Authenticates the user credentials acquired from NTLM against the Acegi * Security AuthenticationManager. - * + * * @param request the HttpServletRequest object. * @param response the HttpServletResponse object. * @param session the HttpSession object. @@ -472,7 +468,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Returns the domain controller address based on the loadBalance * setting. - * + * * @param session the HttpSession object. * @return the domain controller address. * @throws UnknownHostException @@ -494,7 +490,7 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean /** * Returns the domain controller challenge based on the loadBalance * setting. - * + * * @param session the HttpSession object. * @param dcAddress the domain controller address. * @return the domain controller challenge. @@ -502,10 +498,11 @@ public class NtlmProcessingFilter extends HttpFilter implements InitializingBean * @throws SmbException */ private byte[] getChallenge(final HttpSession session, final UniAddress dcAddress) throws UnknownHostException, SmbException { - if (loadBalance) + if (loadBalance) { return ((NtlmChallenge) session.getAttribute(CHALLENGE_ATTR)).challenge; + } - return SmbSession.getChallenge(dcAddress); + return SmbSession.getChallenge(dcAddress); } } // End NtlmProcessingFilter diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java index 2d852a7e97..1f52a44647 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java @@ -45,7 +45,7 @@ import jcifs.Config; * @version $Id$ */ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean { - //~ Static fields/initializers ============================================= + //~ Static fields/initializers ===================================================================================== private static final Log logger = LogFactory.getLog(NtlmProcessingFilterEntryPoint.class); @@ -54,7 +54,7 @@ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint, /** Where to redirect the browser to if authentication fails */ private String authenticationFailureUrl; - //~ Methods ================================================================ + //~ Methods ======================================================================================================== /** * Ensures an authentication failure URL has been provided in the bean @@ -66,7 +66,7 @@ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint, /** * Sets the authentication failure URL. - * + * * @param authenticationFailureUrl the authentication failure URL. */ public void setAuthenticationFailureUrl(String authenticationFailureUrl) { @@ -83,11 +83,11 @@ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint, *

  • {@link NtlmBeginHandshakeException}: NTLM *
  • {@link NtlmType2MessageException}: NTLM <base64-encoded type-2-message> * - * + * * If the {@link AuthenticationException} is not a subclass of * {@link NtlmBaseException}, then redirect the user to the authentication * failure URL. - * + * * @param request The {@link HttpServletRequest} object. * @param response Then {@link HttpServletResponse} object. * @param authException Either {@link NtlmBeginHandshakeException}, @@ -116,4 +116,4 @@ public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint, } } -} // End NtlmProcessingFilterEntryPoint +} diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmType2MessageException.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmType2MessageException.java index c1e9702240..5e4a09ed5b 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmType2MessageException.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/NtlmType2MessageException.java @@ -41,8 +41,9 @@ public class NtlmType2MessageException extends NtlmBaseException { * Internet Explorer does a POST. */ public void preserveAuthentication() { - if (auth != null) + if (auth != null) { SecurityContextHolder.getContext().setAuthentication(auth); - } + } + } -} // End NTLMType2MessageException +} diff --git a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/ldap/authenticator/NtlmAwareLdapAuthenticatorImpl.java b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/ldap/authenticator/NtlmAwareLdapAuthenticatorImpl.java index 1c9a1ce73a..954c222a5c 100755 --- a/ntlm/src/main/java/org/acegisecurity/ui/ntlm/ldap/authenticator/NtlmAwareLdapAuthenticatorImpl.java +++ b/ntlm/src/main/java/org/acegisecurity/ui/ntlm/ldap/authenticator/NtlmAwareLdapAuthenticatorImpl.java @@ -14,6 +14,7 @@ import org.acegisecurity.ui.ntlm.NtlmUsernamePasswordAuthenticationToken; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.ldap.core.DirContextOperations; +import org.springframework.ldap.NameNotFoundException; /** * Loads the UserDetails if authentication was already performed by NTLM (indicated by the type of authentication @@ -23,52 +24,34 @@ import org.springframework.ldap.core.DirContextOperations; * */ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator { - /** - * Logger for this class - */ - private static final Log logger = LogFactory.getLog(NtlmAwareLdapAuthenticatorImpl.class); + //~ Static fields/initializers ===================================================================================== + + private static final Log logger = LogFactory.getLog(NtlmAwareLdapAuthenticatorImpl.class); + + + //~ Constructors =================================================================================================== - /** - * @param initialDirContextFactory - */ public NtlmAwareLdapAuthenticatorImpl(InitialDirContextFactory initialDirContextFactory) { super(initialDirContextFactory); } - /** - * Prepare the template without bind requirements. - * - * @param aUserDn - * @param aUserName - * @see #loadDetail(SpringSecurityLdapTemplate, String, String) - * @return - */ - protected DirContextOperations bindWithoutDn(String aUserDn, String aUserName) { - SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(getInitialDirContextFactory()); - return loadDetail(template, aUserDn, aUserName); - } + //~ Methods ======================================================================================================== - /** - * Load datas - * - * @param aTemplate - * @param aUserDn - * @param aUserName - * @return + /** + * Loads the user context information without binding. */ - protected DirContextOperations loadDetail(SpringSecurityLdapTemplate aTemplate, String aUserDn, String aUserName) { + protected DirContextOperations loadUser(String aUserDn, String aUserName) { + SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(getInitialDirContextFactory()); + try { - DirContextOperations user = aTemplate.retrieveEntry(aUserDn, getUserAttributes()); + DirContextOperations user = template.retrieveEntry(aUserDn, getUserAttributes()); return user; - } catch (BadCredentialsException e) { - // This will be thrown if an invalid user name is used and the - // method may - // be called multiple times to try different names, so we trap the - // exception - // unless a subclass wishes to implement more specialized behaviour. + } catch (NameNotFoundException e) { + // This will be thrown if an invalid user name is used and the method may + // be called multiple times to try different names, so we trap the exception. if (logger.isDebugEnabled()) { - logger.debug("Failed to bind as " + aUserDn + ": " + e.getMessage(), e); + logger.debug("Failed to load user " + aUserDn + ": " + e.getMessage(), e); } } return null; @@ -97,7 +80,7 @@ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator { // tries them all until we found something while (myDns.hasNext() && (user == null)) { - user = bindWithoutDn((String) myDns.next(), userName); + user = loadUser((String) myDns.next(), userName); } // Otherwise use the configured locator to find the user @@ -105,7 +88,7 @@ public class NtlmAwareLdapAuthenticatorImpl extends BindAuthenticator { if ((user == null) && (getUserSearch() != null)) { DirContextOperations userFromSearch = getUserSearch().searchForUser(userName); // lancer l'identificvation - user = bindWithoutDn(userFromSearch.getDn().toString(), userName); + user = loadUser(userFromSearch.getDn().toString(), userName); } // Failed to locate the user in the LDAP directory