1 /* 2 * MIT License 3 * 4 * Copyright (c) 2010-2022 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to deal 8 * in the Software without restriction, including without limitation the rights 9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 * copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in all 14 * copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 package waffle.shiro.negotiate; 25 26 import org.apache.shiro.authc.AuthenticationInfo; 27 import org.apache.shiro.authc.AuthenticationToken; 28 import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy; 29 import org.apache.shiro.realm.Realm; 30 31 /** 32 * Custom authentication strategy for the negotiate logic required for SSO/Negotiate auth realm 33 * {@link NegotiateAuthenticationRealm}. When the negotiate logic is executing, one of more round trips with the client 34 * occur. When the {@link NegotiateAuthenticationRealm} determines another handshake is needed, it throws the exception: 35 * {@link AuthenticationInProgressException}. This custom strategy detects this exception, and immediately re-throws it 36 * so classes higher up in the call stack will allow the handshake to proceed. Without this added logic, the handshake 37 * could be halted after the first connection by the existing error handling. <br> 38 * <br> 39 * This strategy is needed when using {@link NegotiateAuthenticationFilter} and more than one realm is configured in 40 * shiro.ini. If only one realm is defined, the current error handling in 41 * {@link org.apache.shiro.authc.pam.ModularRealmAuthenticator#doSingleRealmAuthentication(org.apache.shiro.realm.Realm, org.apache.shiro.authc.AuthenticationToken)} 42 * works fine without requiring this strategy. However, the current error handling in 43 * {@link org.apache.shiro.authc.pam.ModularRealmAuthenticator#doMultiRealmAuthentication(java.util.Collection, org.apache.shiro.authc.AuthenticationToken)} 44 * does require the {@link NegotiateAuthenticationStrategy} to ensure negotiate 'continue' calls will proceed. So for 45 * now, the most reliable approach is to use this strategy. 46 * 47 * @author Dan Rollo Date: 3/18/13 Time: 3:31 PM 48 * 49 * @see NegotiateAuthenticationStrategy#afterAttempt(org.apache.shiro.realm.Realm, 50 * org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo, 51 * org.apache.shiro.authc.AuthenticationInfo, Throwable) 52 */ 53 public class NegotiateAuthenticationStrategy extends AbstractAuthenticationStrategy { 54 55 /** 56 * When the negotiate logic is executing, one of more round trips with the client occur. When the 57 * {@link NegotiateAuthenticationRealm negotiate realm} determines another handshake is needed, it throws the 58 * exception: {@link AuthenticationInProgressException}. This custom strategy detects this exception, and 59 * immediately re-throws it so classes higher up in the call stack will allow the handshake to proceed. Without this 60 * added logic, the handshake would be halted after the first connection by the existing error handling. 61 * <p> 62 * {@inheritDoc} 63 */ 64 @Override 65 public AuthenticationInfo afterAttempt(final Realm realm, final AuthenticationToken token, 66 final AuthenticationInfo singleRealmInfo, final AuthenticationInfo aggregateInfo, final Throwable t) { 67 68 if (realm instanceof NegotiateAuthenticationRealm && t instanceof AuthenticationInProgressException) { 69 // propagate exception upward as is, to signal continue is needed 70 throw (AuthenticationInProgressException) t; 71 } 72 73 return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t); 74 } 75 76 }