1 /*
2 * MIT License
3 *
4 * Copyright (c) 2010-2022 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in all
14 * copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24 package waffle.shiro.negotiate;
25
26 import java.io.IOException;
27 import java.util.ArrayList;
28 import java.util.Base64;
29 import java.util.List;
30
31 /**
32 * Derived from net.skorgenes.security.jsecurity.negotiate.NegotiateAuthenticationFilter. see:
33 *
34 * https://bitbucket.org/lothor
35 *
36 * /shiro-negotiate/src/7b25efde130b9cbcacf579b3f926c532d919aa23/src/main/java/net/skorgenes/
37 *
38 * security/jsecurity/negotiate/NegotiateAuthenticationFilter.java?at=default
39 *
40 * @author Dan Rollo
41 */
42 import javax.servlet.ServletRequest;
43 import javax.servlet.ServletResponse;
44 import javax.servlet.http.HttpServletRequest;
45 import javax.servlet.http.HttpServletResponse;
46
47 import org.apache.shiro.authc.AuthenticationException;
48 import org.apache.shiro.authc.AuthenticationToken;
49 import org.apache.shiro.subject.Subject;
50 import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
51 import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
52 import org.apache.shiro.web.util.WebUtils;
53 import org.slf4j.Logger;
54 import org.slf4j.LoggerFactory;
55
56 import waffle.util.AuthorizationHeader;
57 import waffle.util.NtlmServletRequest;
58
59 /**
60 * A authentication filter that implements the HTTP Negotiate mechanism. The current user is authenticated, providing
61 * single-sign-on
62 *
63 * @author Dan Rollo
64 *
65 * @since 1.0.0
66 */
67 public class NegotiateAuthenticationFilter extends AuthenticatingFilter {
68
69 /**
70 * This class's private logger.
71 */
72 private static final Logger LOGGER = LoggerFactory.getLogger(NegotiateAuthenticationFilter.class);
73
74 // TODO things (sometimes) break, depending on what user account is running tomcat:
75 // related to setSPN and running tomcat server as NT Service account vs. as normal user account.
76 // https://waffle.codeplex.com/discussions/254748
77 // setspn -A HTTP/<server-fqdn> <user_tomcat_running_under>
78 /** The Constant PROTOCOLS. */
79 private static final List<String> PROTOCOLS = new ArrayList<>();
80
81 /** The failure key attribute. */
82 private String failureKeyAttribute = FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME;
83
84 /** The remember me param. */
85 private String rememberMeParam = FormAuthenticationFilter.DEFAULT_REMEMBER_ME_PARAM;
86
87 /**
88 * Instantiates a new negotiate authentication filter.
89 */
90 public NegotiateAuthenticationFilter() {
91 NegotiateAuthenticationFilter.PROTOCOLS.add("Negotiate");
92 NegotiateAuthenticationFilter.PROTOCOLS.add("NTLM");
93 }
94
95 /**
96 * Gets the remember me param.
97 *
98 * @return the remember me param
99 */
100 public String getRememberMeParam() {
101 return this.rememberMeParam;
102 }
103
104 /**
105 * Sets the request parameter name to look for when acquiring the rememberMe boolean value. Unless overridden by
106 * calling this method, the default is <code>rememberMe</code>. <br>
107 * <br>
108 * RememberMe will be <code>true</code> if the parameter value equals any of those supported by
109 * {@link org.apache.shiro.web.util.WebUtils#isTrue(javax.servlet.ServletRequest, String)
110 * WebUtils.isTrue(request,value)}, <code>false</code> otherwise.
111 *
112 * @param value
113 * the name of the request param to check for acquiring the rememberMe boolean value.
114 */
115 public void setRememberMeParam(final String value) {
116 this.rememberMeParam = value;
117 }
118
119 @Override
120 protected boolean isRememberMe(final ServletRequest request) {
121 return WebUtils.isTrue(request, this.getRememberMeParam());
122 }
123
124 @Override
125 protected AuthenticationToken createToken(final ServletRequest request, final ServletResponse response) {
126 final String authorization = this.getAuthzHeader(request);
127 final String[] elements = authorization.split(" ", -1);
128 final byte[] inToken = Base64.getDecoder().decode(elements[1]);
129
130 // maintain a connection-based session for NTLM tokens
131 // TODO see about changing this parameter to ServletRequest in waffle
132 final String connectionId = NtlmServletRequest.getConnectionId((HttpServletRequest) request);
133 final String securityPackage = elements[0];
134
135 // TODO see about changing this parameter to ServletRequest in waffle
136 final AuthorizationHeader authorizationHeader = new AuthorizationHeader((HttpServletRequest) request);
137 final boolean ntlmPost = authorizationHeader.isNtlmType1PostAuthorizationHeader();
138
139 NegotiateAuthenticationFilter.LOGGER.debug("security package: {}, connection id: {}, ntlmPost: {}",
140 securityPackage, connectionId, Boolean.valueOf(ntlmPost));
141
142 final boolean rememberMe = this.isRememberMe(request);
143 final String host = this.getHost(request);
144
145 return new NegotiateToken(inToken, new byte[0], connectionId, securityPackage, ntlmPost, rememberMe, host);
146 }
147
148 @Override
149 protected boolean onLoginSuccess(final AuthenticationToken token, final Subject subject,
150 final ServletRequest request, final ServletResponse response) throws Exception {
151 request.setAttribute("MY_SUBJECT", ((NegotiateToken) token).getSubject());
152 return true;
153 }
154
155 @Override
156 protected boolean onLoginFailure(final AuthenticationToken token, final AuthenticationException e,
157 final ServletRequest request, final ServletResponse response) {
158 if (e instanceof AuthenticationInProgressException) {
159 // negotiate is processing
160 final String protocol = this.getAuthzHeaderProtocol(request);
161 NegotiateAuthenticationFilter.LOGGER.debug("Negotiation in progress for protocol: {}", protocol);
162 this.sendChallengeDuringNegotiate(protocol, response, ((NegotiateToken) token).getOut());
163 return false;
164 }
165 NegotiateAuthenticationFilter.LOGGER.warn("login exception: {}", e.getMessage());
166
167 // do not send token.out bytes, this was a login failure.
168 this.sendChallengeOnFailure(response);
169
170 this.setFailureAttribute(request, e);
171 return true;
172 }
173
174 /**
175 * Sets the failure attribute.
176 *
177 * @param request
178 * the request
179 * @param ae
180 * the ae
181 */
182 protected void setFailureAttribute(final ServletRequest request, final AuthenticationException ae) {
183 final String className = ae.getClass().getName();
184 request.setAttribute(this.getFailureKeyAttribute(), className);
185 }
186
187 /**
188 * Gets the failure key attribute.
189 *
190 * @return the failure key attribute
191 */
192 public String getFailureKeyAttribute() {
193 return this.failureKeyAttribute;
194 }
195
196 /**
197 * Sets the failure key attribute.
198 *
199 * @param value
200 * the new failure key attribute
201 */
202 public void setFailureKeyAttribute(final String value) {
203 this.failureKeyAttribute = value;
204 }
205
206 @Override
207 protected boolean onAccessDenied(final ServletRequest request, final ServletResponse response) throws Exception {
208 // false by default or we wouldn't be in
209 boolean loggedIn = false;
210 // this method
211 if (this.isLoginAttempt(request)) {
212 loggedIn = this.executeLogin(request, response);
213 } else {
214 NegotiateAuthenticationFilter.LOGGER.debug("authorization required, supported protocols: {}",
215 NegotiateAuthenticationFilter.PROTOCOLS);
216 this.sendChallengeInitiateNegotiate(response);
217 }
218 return loggedIn;
219 }
220
221 /**
222 * Determines whether the incoming request is an attempt to log in.
223 * <p/>
224 * The default implementation obtains the value of the request's
225 * {@link org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter#AUTHORIZATION_HEADER AUTHORIZATION_HEADER}
226 * , and if it is not <code>null</code>, delegates to
227 * {@link org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter#isLoginAttempt(String)
228 * isLoginAttempt(authzHeaderValue)}. If the header is <code>null</code>, <code>false</code> is returned.
229 *
230 * @param request
231 * incoming ServletRequest
232 *
233 * @return true if the incoming request is an attempt to log in based, false otherwise
234 */
235 private boolean isLoginAttempt(final ServletRequest request) {
236 final String authzHeader = this.getAuthzHeader(request);
237 return authzHeader != null && this.isLoginAttempt(authzHeader);
238 }
239
240 /**
241 * Returns the {@link org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter#AUTHORIZATION_HEADER
242 * AUTHORIZATION_HEADER} from the specified ServletRequest.
243 * <p/>
244 * This implementation merely casts the request to an <code>HttpServletRequest</code> and returns the header:
245 * <p/>
246 * <code>HttpServletRequest httpRequest = {@link WebUtils#toHttp(javax.servlet.ServletRequest) toHttp(reaquest)};<br/>
247 * return httpRequest.getHeader({@link org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter#AUTHORIZATION_HEADER AUTHORIZATION_HEADER});</code>
248 *
249 * @param request
250 * the incoming <code>ServletRequest</code>
251 *
252 * @return the <code>Authorization</code> header's value.
253 */
254 private String getAuthzHeader(final ServletRequest request) {
255 final HttpServletRequest httpRequest = WebUtils.toHttp(request);
256 return httpRequest.getHeader("Authorization");
257 }
258
259 /**
260 * Gets the authz header protocol.
261 *
262 * @param request
263 * the request
264 *
265 * @return the authz header protocol
266 */
267 private String getAuthzHeaderProtocol(final ServletRequest request) {
268 final String authzHeader = this.getAuthzHeader(request);
269 return authzHeader.substring(0, authzHeader.indexOf(' '));
270 }
271
272 /**
273 * Default implementation that returns <code>true</code> if the specified <code>authzHeader</code> starts with the
274 * same (case-insensitive) characters specified by any of the configured protocols (Negotiate or NTLM),
275 * <code>false</code> otherwise.
276 *
277 * @param authzHeader
278 * the 'Authorization' header value (guaranteed to be non-null if the
279 * {@link #isLoginAttempt(javax.servlet.ServletRequest)} method is not overriden).
280 *
281 * @return <code>true</code> if the authzHeader value matches any of the configured protocols (Negotiate or NTLM).
282 */
283 boolean isLoginAttempt(final String authzHeader) {
284 for (final String protocol : NegotiateAuthenticationFilter.PROTOCOLS) {
285 if (authzHeader.toLowerCase().startsWith(protocol.toLowerCase())) {
286 return true;
287 }
288 }
289 return false;
290 }
291
292 /**
293 * Builds the challenge for authorization by setting a HTTP <code>401</code> (Unauthorized) status as well as the
294 * response's {@link org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter#AUTHENTICATE_HEADER
295 * AUTHENTICATE_HEADER}.
296 *
297 * @param protocols
298 * protocols for which to send a challenge. In initial cases, will be all supported protocols. In the
299 * midst of negotiation, will be only the protocol being negotiated.
300 * @param response
301 * outgoing ServletResponse
302 * @param out
303 * token.out or null
304 */
305 private void sendChallenge(final List<String> protocols, final ServletResponse response, final byte[] out) {
306 final HttpServletResponse httpResponse = WebUtils.toHttp(response);
307 this.sendAuthenticateHeader(protocols, out, httpResponse);
308 httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
309 }
310
311 /**
312 * Send challenge initiate negotiate.
313 *
314 * @param response
315 * the response
316 */
317 void sendChallengeInitiateNegotiate(final ServletResponse response) {
318 this.sendChallenge(NegotiateAuthenticationFilter.PROTOCOLS, response, null);
319 }
320
321 /**
322 * Send challenge during negotiate.
323 *
324 * @param protocol
325 * the protocol
326 * @param response
327 * the response
328 * @param out
329 * the out
330 */
331 void sendChallengeDuringNegotiate(final String protocol, final ServletResponse response, final byte[] out) {
332 final List<String> protocolsList = new ArrayList<>();
333 protocolsList.add(protocol);
334 this.sendChallenge(protocolsList, response, out);
335 }
336
337 /**
338 * Send challenge on failure.
339 *
340 * @param response
341 * the response
342 */
343 void sendChallengeOnFailure(final ServletResponse response) {
344 final HttpServletResponse httpResponse = WebUtils.toHttp(response);
345 this.sendUnauthorized(NegotiateAuthenticationFilter.PROTOCOLS, null, httpResponse);
346 httpResponse.setHeader("Connection", "close");
347 try {
348 httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
349 httpResponse.flushBuffer();
350 } catch (final IOException e) {
351 throw new RuntimeException(e);
352 }
353 }
354
355 /**
356 * Send authenticate header.
357 *
358 * @param protocolsList
359 * the protocols list
360 * @param out
361 * the out
362 * @param httpResponse
363 * the http response
364 */
365 private void sendAuthenticateHeader(final List<String> protocolsList, final byte[] out,
366 final HttpServletResponse httpResponse) {
367 this.sendUnauthorized(protocolsList, out, httpResponse);
368 httpResponse.setHeader("Connection", "keep-alive");
369 }
370
371 /**
372 * Send unauthorized.
373 *
374 * @param protocols
375 * the protocols
376 * @param out
377 * the out
378 * @param response
379 * the response
380 */
381 private void sendUnauthorized(final List<String> protocols, final byte[] out, final HttpServletResponse response) {
382 for (final String protocol : protocols) {
383 if (out == null || out.length == 0) {
384 response.addHeader("WWW-Authenticate", protocol);
385 } else {
386 response.setHeader("WWW-Authenticate", protocol + " " + Base64.getEncoder().encodeToString(out));
387 }
388 }
389 }
390
391 }