View Javadoc
1   /*
2    * MIT License
3    *
4    * Copyright (c) 2010-2026 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5    *
6    * Permission is hereby granted, free of charge, to any person obtaining a copy
7    * of this software and associated documentation files (the "Software"), to deal
8    * in the Software without restriction, including without limitation the rights
9    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10   * copies of the Software, and to permit persons to whom the Software is
11   * furnished to do so, subject to the following conditions:
12   *
13   * The above copyright notice and this permission notice shall be included in all
14   * copies or substantial portions of the Software.
15   *
16   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22   * SOFTWARE.
23   */
24  package waffle.shiro.negotiate;
25  
26  import org.apache.shiro.authc.AuthenticationInfo;
27  import org.apache.shiro.authc.AuthenticationToken;
28  import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy;
29  import org.apache.shiro.realm.Realm;
30  
31  /**
32   * Custom authentication strategy for the negotiate logic required for SSO/Negotiate auth realm
33   * {@link NegotiateAuthenticationRealm}. When the negotiate logic is executing, one of more round trips with the client
34   * occur. When the {@link NegotiateAuthenticationRealm} determines another handshake is needed, it throws the exception:
35   * {@link AuthenticationInProgressException}. This custom strategy detects this exception, and immediately re-throws it
36   * so classes higher up in the call stack will allow the handshake to proceed. Without this added logic, the handshake
37   * could be halted after the first connection by the existing error handling. <br>
38   * <br>
39   * This strategy is needed when using {@link NegotiateAuthenticationFilter} and more than one realm is configured in
40   * shiro.ini. If only one realm is defined, the current error handling in
41   * {@link org.apache.shiro.authc.pam.ModularRealmAuthenticator#doSingleRealmAuthentication(org.apache.shiro.realm.Realm, org.apache.shiro.authc.AuthenticationToken)}
42   * works fine without requiring this strategy. However, the current error handling in
43   * {@link org.apache.shiro.authc.pam.ModularRealmAuthenticator#doMultiRealmAuthentication(java.util.Collection, org.apache.shiro.authc.AuthenticationToken)}
44   * does require the {@link NegotiateAuthenticationStrategy} to ensure negotiate 'continue' calls will proceed. So for
45   * now, the most reliable approach is to use this strategy.
46   *
47   * @see NegotiateAuthenticationStrategy#afterAttempt(org.apache.shiro.realm.Realm,
48   *      org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo,
49   *      org.apache.shiro.authc.AuthenticationInfo, Throwable)
50   */
51  public class NegotiateAuthenticationStrategy extends AbstractAuthenticationStrategy {
52  
53      /**
54       * When the negotiate logic is executing, one of more round trips with the client occur. When the
55       * {@link NegotiateAuthenticationRealm negotiate realm} determines another handshake is needed, it throws the
56       * exception: {@link AuthenticationInProgressException}. This custom strategy detects this exception, and
57       * immediately re-throws it so classes higher up in the call stack will allow the handshake to proceed. Without this
58       * added logic, the handshake would be halted after the first connection by the existing error handling.
59       * <p>
60       * {@inheritDoc}
61       */
62      @Override
63      public AuthenticationInfo afterAttempt(final Realm realm, final AuthenticationToken token,
64              final AuthenticationInfo singleRealmInfo, final AuthenticationInfo aggregateInfo, final Throwable t) {
65  
66          if (realm instanceof NegotiateAuthenticationRealm && t instanceof AuthenticationInProgressException) {
67              // propagate exception upward as is, to signal continue is needed
68              throw (AuthenticationInProgressException) t;
69          }
70  
71          return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t);
72      }
73  
74  }