Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-8: Removed from sandbox as development will continue via code drops in the JIRA task.

This commit is contained in:
Ben Alex 2006-09-29 08:13:33 +00:00
parent d2fb473a4e
commit ab7816db41
7 changed files with 0 additions and 697 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
sandbox/other/src/main/java/org/acegisecurity/providers/smb/AbstractSmbAuthenticationProvider.java
View File

@ -1,110 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.AuthenticationProvider;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* An {@link AuthenticationProvider} implementation that relies on <a href="http://www.jcifs.org">jcifs</a> in
* order to provide an authentication service on a Windows network. This implementation relies on a {@link
* #setAuthorizationProvider(AuthenticationProvider) delegate provider} in order for authorization information to be
* filled into the authorized {@link Authentication token}. Subclasses must implement the logic that {@link
* #getNtlmPasswordAuthentication(Authentication) extracts the jcifs }{@link NtlmPasswordAuthentication } object from
* the particular {@link Authentication } token implementation and the one that {@link
* #getDomainController(Authentication, NtlmPasswordAuthentication) extracts the domain controller address }.
*
* @author Davide Baroncelli
* @version $Id$
*/
public abstract class AbstractSmbAuthenticationProvider implements AuthenticationProvider {
//~ Instance fields ================================================================================================
private AuthenticationProvider authorizationProvider;
private Log log = LogFactory.getLog(this.getClass());
//~ Methods ========================================================================================================
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
NtlmPasswordAuthentication ntlm = getNtlmPasswordAuthentication(authentication);
UniAddress dc = getDomainController(authentication, ntlm);
return performAuthentication(dc, ntlm, authentication);
}
protected abstract UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication);
protected abstract NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication);
protected Authentication performAuthentication(UniAddress dc, NtlmPasswordAuthentication ntlm,
Authentication authentication) {
try {
// this performs authentication...
SmbSession.logon(dc, ntlm);
if (log.isDebugEnabled()) {
log.debug(ntlm + " successfully authenticated against " + dc);
}
// ...and this performs authorization.
Authentication authorizedResult = authorizationProvider.authenticate(authentication);
return authorizedResult;
} catch (SmbException se) {
log.error(ntlm.getName() + ": 0x" + jcifs.util.Hexdump.toHexString(se.getNtStatus(), 8) + ": " + se);
if (se instanceof SmbAuthException) {
SmbAuthException sae = (SmbAuthException) se;
if (se.getNtStatus() == SmbAuthException.NT_STATUS_ACCESS_VIOLATION) {
throw new ChallengeExpiredException(sae.getMessage(), sae);
} else {
throw new BadCredentialsException(sae.getMessage(), sae);
}
} else {
throw new AuthenticationServiceException(se.getMessage(), se);
}
}
}
/**
* DOCUMENT ME!
*
* @param authorizationProvider The {@link AuthenticationProvider } which will be contacted in order for it to fill
* authorization info in the (already authenticated) {@link Authentication } object that they will be
* passed.
*/
public void setAuthorizationProvider(AuthenticationProvider authorizationProvider) {
this.authorizationProvider = authorizationProvider;
}
}

37
sandbox/other/src/main/java/org/acegisecurity/providers/smb/ChallengeExpiredException.java
View File

@ -1,37 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import org.acegisecurity.AuthenticationException;
/**
* Thrown if
*
* @author Davide Baroncelli
* @version $Id$
*/
public class ChallengeExpiredException extends AuthenticationException {
//~ Constructors ===================================================================================================
public ChallengeExpiredException(String msg) {
super(msg);
}
public ChallengeExpiredException(String msg, Throwable t) {
super(msg, t);
}
}

67
sandbox/other/src/main/java/org/acegisecurity/providers/smb/NtlmAuthenticationToken.java
View File

@ -1,67 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.providers.AbstractAuthenticationToken;
/**
* {@link Authentication } implementation for NTLM smb authentication.
*
* @author Davide Baroncelli
* @version $Id$
*
* @see org.acegisecurity.ui.ntlm.NtlmProcessingFilter
* @see org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider
*/
public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
//~ Instance fields ================================================================================================
private NtlmPasswordAuthentication ntlmPasswordAuthentication;
private transient UniAddress domainController;
//~ Constructors ===================================================================================================
public NtlmAuthenticationToken(NtlmPasswordAuthentication ntlmPasswordAuthentication, UniAddress domainController) {
super(null);
this.ntlmPasswordAuthentication = ntlmPasswordAuthentication;
this.domainController = domainController;
}
//~ Methods ========================================================================================================
public Object getCredentials() {
return ntlmPasswordAuthentication.getPassword();
}
public UniAddress getDomainController() {
return domainController;
}
public NtlmPasswordAuthentication getNtlmPasswordAuthentication() {
return ntlmPasswordAuthentication;
}
public Object getPrincipal() {
return ntlmPasswordAuthentication.getUsername();
}
}

93
sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbBasicAuthenticationProvider.java
View File

@ -1,93 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.Config;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import java.net.UnknownHostException;
/**
* Provides authentication of a basic {@link UsernamePasswordAuthenticationToken } on a ntlm domain via smb/cifs.
*
* @author Davide Baroncelli
* @version $Id$
*/
public class SmbBasicAuthenticationProvider extends AbstractSmbAuthenticationProvider {
//~ Instance fields ================================================================================================
String domainController;
//~ Methods ========================================================================================================
protected UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication) {
try {
if (domainController == null) {
domainController = Config.getProperty("jcifs.smb.client.domain");
}
String domain = domainController;
if (domain == null) {
domain = ntlmAuthentication.getDomain();
}
UniAddress dc = UniAddress.getByName(domain, true);
return dc;
} catch (UnknownHostException uhe) {
throw new BadCredentialsException("no host could be found for the name " + ntlmAuthentication.getDomain(),
uhe);
}
}
protected NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication) {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
String username = token.getPrincipal().toString();
String password = (String) token.getCredentials();
int index = username.indexOf('\\');
if (index == -1) {
index = username.indexOf('/');
}
// if domain is null then the jcifs default is used
// (this is set through the "jcifs.smb.client.domain" Config property)
String domain = (index != -1) ? username.substring(0, index) : null;
username = (index != -1) ? username.substring(index + 1) : username;
NtlmPasswordAuthentication ntlm = new NtlmPasswordAuthentication(domain, username, password);
return ntlm;
}
public void setDomainController(String domainController) {
this.domainController = domainController;
}
public boolean supports(Class authentication) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}

57
sandbox/other/src/main/java/org/acegisecurity/providers/smb/SmbNtlmAuthenticationProvider.java
View File

@ -1,57 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.providers.smb;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import org.acegisecurity.Authentication;
import org.acegisecurity.ui.ntlm.NtlmProcessingFilter;
/**
* This class provides authentication through smb of {@link NtlmAuthenticationToken } (i.e. tokens obtained through
* the NTLM Authorization method by {@link NtlmProcessingFilter } ).
*
* @author Davide Baroncelli
* @version $Id$
*
* @see org.acegisecurity.ui.ntlm.NtlmProcessingFilter
*/
public class SmbNtlmAuthenticationProvider extends AbstractSmbAuthenticationProvider {
//~ Methods ========================================================================================================
protected UniAddress getDomainController(Authentication authentication,
NtlmPasswordAuthentication ntlmAuthentication) {
NtlmAuthenticationToken ntlmToken = (NtlmAuthenticationToken) authentication;
UniAddress dc = ntlmToken.getDomainController();
return dc;
}
protected NtlmPasswordAuthentication getNtlmPasswordAuthentication(Authentication authentication) {
NtlmAuthenticationToken ntlmToken = (NtlmAuthenticationToken) authentication;
NtlmPasswordAuthentication ntlm = ntlmToken.getNtlmPasswordAuthentication();
return ntlm;
}
public boolean supports(Class authentication) {
return NtlmAuthenticationToken.class.isAssignableFrom(authentication);
}
}

287
sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilter.java
View File

@ -1,287 +0,0 @@
/*
* LICENSE IS UNKNOWN (SEE TODO COMMENT LATER IN SOURCE CODE)
*/
package org.acegisecurity.ui.ntlm;
import jcifs.Config;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.NtlmChallenge;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.smb.NtlmAuthenticationToken;
import org.acegisecurity.ui.AuthenticationEntryPoint;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import java.io.IOException;
import java.util.Iterator;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* A reimplementation of the jcifs NtlmHttpFilter suitable for use with the
* Acegi Security System.
*
* <p>
* This servlet Filter can be used to negotiate password hashes with MSIE
* clients using NTLM SSP. This is similar to <code>Authentication:
* BASIC</code> but weakly encrypted and without requiring the user to
* re-supply authentication credentials.
* </p>
*
* @author Davide Baroncelli
* @version $Id$
*/
public class NtlmProcessingFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final String CHALLENGE_ATTR_NAME = "NtlmHttpChal";
//~ Instance fields ========================================================
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
// TODO: Verify licensing, as original contributor reported that large parts of this code where taken from jCifs NtmlHttpFilter: can this be re-licensed to APL (?).
private Log log = LogFactory.getLog(this.getClass());
private String defaultDomain;
private String domainController;
private boolean loadBalance;
//~ Methods ================================================================
/**
* DOCUMENT ME!
*
* @param authenticationEntryPoint The entry point that will be called if
* the "transparent" authentication fails for some reason: don't
* use the same {@link NtlmProcessingFilterEntryPoint} that is used
* in order to commence the NTLM authentication or the user's
* browser would probably loop
*/
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
}
public void setAuthenticationManager(
AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
/**
* DOCUMENT ME!
*
* @param defaultDomain The domain that will be specified as part of the
* authentication credentials if not specified by the username.
*/
public void setDefaultDomain(String defaultDomain) {
this.defaultDomain = defaultDomain;
}
/**
* DOCUMENT ME!
*
* @param domainController The domain controller address: if not set the
* default domain is used.
*/
public void setDomainController(String domainController) {
this.domainController = domainController;
}
/**
* DOCUMENT ME!
*
* @param properties A {@link Properties} object whose properties with
* names starting with "jcifs." will be set into the jCifs {@link
* Config}.
*/
public void setJCifsProperties(Properties properties) {
for (Iterator iterator = properties.keySet().iterator();
iterator.hasNext();) {
String propertyName = (String) iterator.next();
String propertyValue = properties.getProperty(propertyName);
if (propertyName.startsWith("jcifs.")) {
if (log.isInfoEnabled()) {
log.info("setting jcifs property " + propertyName + ":"
+ propertyValue);
}
Config.setProperty(propertyName, propertyValue);
} else {
if (log.isInfoEnabled()) {
log.info("ignoring non-jcifs property " + propertyName
+ ":" + propertyValue);
}
}
}
}
public void setLoadBalance(boolean loadBalance) {
this.loadBalance = loadBalance;
}
public void afterPropertiesSet() throws Exception {
// Set jcifs properties we know we want; soTimeout and cachePolicy to 10min
Config.setProperty("jcifs.smb.client.soTimeout", "300000");
Config.setProperty("jcifs.netbios.cachePolicy", "1200");
if (domainController == null) {
domainController = defaultDomain;
}
if (defaultDomain != null) {
Config.setProperty("jcifs.smb.client.domain", defaultDomain);
}
Assert.notNull(authenticationEntryPoint,
"The authenticationEntryPoint property must be set before "
+ "NtlmProcessingFilter bean initialization");
Assert.notNull(authenticationManager,
"The authenticationManager property must be set before "
+ "NtlmProcessingFilter bean initialization");
}
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
NtlmPasswordAuthentication ntlm = null;
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
try {
String msg = req.getHeader("Authorization");
UniAddress dc = null;
// the "basic" authentication case (both secure + insecure) originally in jcifs NtlmFilter has been
// refactored out, in order for it to be supported by the acegi BasicProcessingFilter +
// SmbNtlmAuthenticationProvider ( + SecureChannelProcessor) combination */
if ((msg != null) && (msg.startsWith("NTLM "))) {
if (log.isDebugEnabled()) {
log.debug("NTLM Authorization header received");
}
HttpSession ssn = req.getSession();
byte[] challenge;
if (loadBalance) {
NtlmChallenge chal = (NtlmChallenge) ssn.getAttribute(CHALLENGE_ATTR_NAME);
if (chal == null) {
chal = SmbSession.getChallengeForDomain();
if (log.isDebugEnabled()) {
log.debug(
"got load balanced challenge for domain: "
+ chal);
}
ssn.setAttribute(CHALLENGE_ATTR_NAME, chal);
}
dc = chal.dc;
challenge = chal.challenge;
} else {
// no challenge in session, here: the server itself keeps the challenge alive for a certain time
dc = UniAddress.getByName(domainController, true);
challenge = SmbSession.getChallenge(dc);
if (log.isDebugEnabled()) {
log.debug("domain controller is " + dc
+ ", challenge is " + challenge);
}
}
ntlm = NtlmSsp.authenticate(req, resp, challenge);
if (ntlm == null) {
if (log.isDebugEnabled()) {
log.debug(
"null ntlm authentication results: sending challenge to browser");
}
return; // this means we must send the challenge to the browser
} else {
if (log.isDebugEnabled()) {
log.debug("ntlm negotiation complete");
}
ssn.removeAttribute(CHALLENGE_ATTR_NAME); /* negotiation complete, remove the challenge object */
}
NtlmAuthenticationToken ntlmToken = newNtlmAuthenticationToken(ntlm,
dc);
Authentication authResult = authenticationManager.authenticate(ntlmToken);
if (log.isDebugEnabled()) {
log.debug("ntlm token authenticated ");
}
successfulAuthentication(req, resp, authResult);
}
} catch (AuthenticationException ae) {
unsuccessfulAuthentication(req, resp, ntlm, ae);
return;
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {}
protected NtlmAuthenticationToken newNtlmAuthenticationToken(
NtlmPasswordAuthentication ntlm, UniAddress dc) {
return new NtlmAuthenticationToken(ntlm, dc);
}
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, Authentication authResult) {
if (log.isDebugEnabled()) {
log.debug("Authentication success: " + authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
}
protected void unsuccessfulAuthentication(HttpServletRequest req,
HttpServletResponse resp, NtlmPasswordAuthentication ntlm,
AuthenticationException ae) throws IOException, ServletException {
if (log.isDebugEnabled()) {
log.debug("Authentication request for user: " + ntlm.getUsername()
+ " failed: " + ae.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
authenticationEntryPoint.commence(req, resp,
new BadCredentialsException(ae.getMessage(), ae));
}
}

46
sandbox/other/src/main/java/org/acegisecurity/ui/ntlm/NtlmProcessingFilterEntryPoint.java
View File

@ -1,46 +0,0 @@
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.ui.ntlm;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.ui.AuthenticationEntryPoint;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
/**
* An entry point for the NTLM authentication process.
*
* @author Davide Baroncelli
* @version $Id$
*/
public class NtlmProcessingFilterEntryPoint implements AuthenticationEntryPoint {
//~ Methods ========================================================================================================
public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) response;
resp.setHeader("WWW-Authenticate", "NTLM");
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, (authException != null) ? authException.getMessage() : "");
}
}