1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import java.io.Serializable;
22  import java.util.Map;
23  import org.apache.syncope.common.lib.AbstractLDAPConf;
24  import org.apache.syncope.common.lib.to.AuthModuleTO;
25  
26  /**
27   * SPNEGO is an authentication technology that is primarily used to provide transparent CAS authentication to browsers
28   * running on Windows running under Active Directory domain credentials. There are three actors involved: the client,
29   * the CAS server, and the Active Directory Domain Controller/KDC.
30   */
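public class SpnegoAuthModuleConf implements LDAPDependantAuthModuleConf {

    private static final long serialVersionUID = -7775771400312303131L;

    /**
     * LDAP connection settings used when the {@code ldapSpnegoClientAction} strategy validates the
     * client host against a directory (see {@link #getHostNameClientActionStrategy()}).
     */
    public static class LDAP extends AbstractLDAPConf implements Serializable {

        private static final long serialVersionUID = -7274446267090678730L;

    }

    /**
     * The Login conf. Absolute path to the JAAS login configuration file.
     * This should define the SPNEGO authentication details.
     * Make sure you have at least specified the JCIFS Service Principal defined.
     * NOTE(review): this file typically points at the service keytab; keep it readable only by the
     * account running the server.
     */
    private String loginConf;

    /**
     * The Kerberos conf.
     * As with all Kerberos installations, a Kerberos Key Distribution Center (KDC) is required.
     * It needs to contain the user name and password you will use to be authenticated to Kerberos.
     * As with most Kerberos installations, a Kerberos configuration file krb5.conf is
     * consulted to determine such things as the default realm and KDC.
     * Typically, the default realm and the KDC for that realm are indicated in
     * the Kerberos krb5.conf configuration file.
     * The path to the configuration file must typically be defined
     * as an absolute path.
     */
    private String kerberosConf;

    /**
     * The Kerberos KDC.
     * The default value is a placeholder and must be overridden for any real deployment: it is a
     * literal IP address outside the RFC 1918 private ranges, so a server left with this default would
     * attempt to reach an unrelated, publicly routable host for Kerberos traffic.
     */
    private String kerberosKdc = "172.10.1.10";

    /**
     * The JCIFS service principal (the SPN the server authenticates as, e.g. {@code HTTP/host@REALM}).
     */
    private String jcifsServicePrincipal;

    /**
     * The Kerberos realm.
     * The default is a placeholder and must be overridden for any real deployment.
     */
    private String kerberosRealm = "EXAMPLE.COM";

    /**
     * The Kerberos debug flag.
     * Keep disabled in production: Kerberos debug output is verbose and may expose ticket and
     * principal details in server logs.
     */
    private boolean kerberosDebug;

    /**
     * The "use subject creds only" flag.
     * NOTE(review): presumably mapped to the {@code javax.security.auth.useSubjectCredsOnly} JAAS
     * system property by the consuming module; confirm against the CAS side.
     */
    private boolean useSubjectCredsOnly;

    /**
     * If specified, will create the principal by this name (including the domain part) on successful
     * authentication.
     */
    private boolean principalWithDomainName;

    /**
     * Allows authentication if the SPNEGO credential is marked as NTLM.
     * Enabled by default. NTLM is a weaker legacy mechanism than Kerberos; where Kerberos-only
     * authentication is required this should be set to {@code false} so a client cannot downgrade
     * the negotiation.
     */
    private boolean ntlmAllowed = true;

    /**
     * If the authenticated principal cannot be determined from the SPNEGO credential,
     * will set the HTTP status code to 401.
     */
    private boolean send401OnAuthenticationFailure = true;

    /**
     * The bean id of a webflow action whose job is to evaluate the client host
     * to see if the request is authorized for SPNEGO.
     * Supported strategies include {@code hostnameSpnegoClientAction} where
     * CAS checks to see if the request's remote hostname matches a predefined pattern,
     * and {@code ldapSpnegoClientAction} where
     * CAS checks an LDAP instance for the remote hostname, to locate a pre-defined attribute whose
     * mere existence would allow the webflow to resume to SPNEGO.
     */
    private String hostNameClientActionStrategy = "hostnameSpnegoClientAction";

    /**
     * LDAP settings for SPNEGO to validate clients, etc.
     */
    private LDAP ldap;

    /**
     * When validating clients, specifies the DNS timeout used to look up an address
     * (ISO-8601 duration, e.g. {@code PT2S}).
     */
    private String dnsTimeout = "PT2S";

    /**
     * A regex pattern that indicates whether the client host name is allowed for SPNEGO.
     * The default {@code .+} matches every non-empty host name, i.e. no restriction at all;
     * narrow it to the hosts that are actually expected to negotiate.
     */
    private String hostNamePatternString = ".+";

    /**
     * A regex pattern that indicates whether the client IP is allowed for SPNEGO.
     * Note that this is a regular expression applied to the textual address, so an unescaped
     * {@code .} matches any character; anchor and escape the pattern as needed.
     */
    private String ipsToCheckPattern = "127.+";

    /**
     * Alternative header name to use in order to find the host address.
     * HTTP headers are client-controlled: only rely on this when a trusted reverse proxy in front of
     * the server sets this header itself and strips any client-supplied value.
     */
    private String alternativeRemoteHostAttribute = "alternateRemoteHeader";

    /**
     * In case LDAP is used to validate clients, this is the attribute that indicates the host.
     */
    private String spnegoAttributeName = "distinguishedName";

    /**
     * Determines the header to set and the message prefix when negotiating SPNEGO.
     */
    private boolean ntlm;

    /**
     * If true, does not terminate authentication and allows CAS to resume
     * and fall back to normal authentication means such as username/password via the login page.
     * If disallowed, considers SPNEGO authentication to be final in the event of failures.
     */
    private boolean mixedModeAuthentication;

    /**
     * Begins negotiating SPNEGO if the user-agent is one of the supported browsers
     * (comma-separated list of User-Agent fragments).
     * The User-Agent header is client-controlled, so this is a negotiation hint, not an access control.
     */
    private String supportedBrowsers = "MSIE,Trident,Firefox,AppleWebKit";

    /**
     * The size of the pool used to validate SPNEGO tokens.
     * A pool is used to provide better performance than what was previously offered by the simple Lombok
     * {@code Synchronized} annotation.
     */
    private int poolSize = 10;

    /**
     * The timeout of the pool used to validate SPNEGO tokens (ISO-8601 duration).
     */
    private String poolTimeout = "PT2S";

    /**
     * Activated attribute repository identifiers that should be used for fetching attributes if attribute resolution is
     * enabled.
     * The list here may include identifiers separated by comma.
     */
    private String attributeRepoId;

    /**
     * Builds a fresh, empty {@link LDAP} settings holder for this module.
     *
     * @return a new {@link LDAP} instance
     */
    @Override
    public AbstractLDAPConf ldapInstance() {
        return new SpnegoAuthModuleConf.LDAP();
    }

    public String getJcifsServicePrincipal() {
        return jcifsServicePrincipal;
    }

    public void setJcifsServicePrincipal(final String jcifsServicePrincipal) {
        this.jcifsServicePrincipal = jcifsServicePrincipal;
    }

    public String getAttributeRepoId() {
        return attributeRepoId;
    }

    public void setAttributeRepoId(final String attributeRepoId) {
        this.attributeRepoId = attributeRepoId;
    }

    public String getLoginConf() {
        return loginConf;
    }

    public void setLoginConf(final String loginConf) {
        this.loginConf = loginConf;
    }

    public String getKerberosConf() {
        return kerberosConf;
    }

    public void setKerberosConf(final String kerberosConf) {
        this.kerberosConf = kerberosConf;
    }

    public String getKerberosKdc() {
        return kerberosKdc;
    }

    public void setKerberosKdc(final String kerberosKdc) {
        this.kerberosKdc = kerberosKdc;
    }

    public String getKerberosRealm() {
        return kerberosRealm;
    }

    public void setKerberosRealm(final String kerberosRealm) {
        this.kerberosRealm = kerberosRealm;
    }

    public boolean isKerberosDebug() {
        return kerberosDebug;
    }

    public void setKerberosDebug(final boolean kerberosDebug) {
        this.kerberosDebug = kerberosDebug;
    }

    public boolean isUseSubjectCredsOnly() {
        return useSubjectCredsOnly;
    }

    public void setUseSubjectCredsOnly(final boolean useSubjectCredsOnly) {
        this.useSubjectCredsOnly = useSubjectCredsOnly;
    }

    public boolean isPrincipalWithDomainName() {
        return principalWithDomainName;
    }

    public void setPrincipalWithDomainName(final boolean principalWithDomainName) {
        this.principalWithDomainName = principalWithDomainName;
    }

    public boolean isNtlmAllowed() {
        return ntlmAllowed;
    }

    public void setNtlmAllowed(final boolean ntlmAllowed) {
        this.ntlmAllowed = ntlmAllowed;
    }

    public boolean isSend401OnAuthenticationFailure() {
        return send401OnAuthenticationFailure;
    }

    public void setSend401OnAuthenticationFailure(final boolean send401OnAuthenticationFailure) {
        this.send401OnAuthenticationFailure = send401OnAuthenticationFailure;
    }

    public String getHostNameClientActionStrategy() {
        return hostNameClientActionStrategy;
    }

    public void setHostNameClientActionStrategy(final String hostNameClientActionStrategy) {
        this.hostNameClientActionStrategy = hostNameClientActionStrategy;
    }

    public LDAP getLdap() {
        return ldap;
    }

    public void setLdap(final LDAP ldap) {
        this.ldap = ldap;
    }

    public String getDnsTimeout() {
        return dnsTimeout;
    }

    public void setDnsTimeout(final String dnsTimeout) {
        this.dnsTimeout = dnsTimeout;
    }

    public String getHostNamePatternString() {
        return hostNamePatternString;
    }

    public void setHostNamePatternString(final String hostNamePatternString) {
        this.hostNamePatternString = hostNamePatternString;
    }

    public String getIpsToCheckPattern() {
        return ipsToCheckPattern;
    }

    public void setIpsToCheckPattern(final String ipsToCheckPattern) {
        this.ipsToCheckPattern = ipsToCheckPattern;
    }

    public String getAlternativeRemoteHostAttribute() {
        return alternativeRemoteHostAttribute;
    }

    public void setAlternativeRemoteHostAttribute(final String alternativeRemoteHostAttribute) {
        this.alternativeRemoteHostAttribute = alternativeRemoteHostAttribute;
    }

    public String getSpnegoAttributeName() {
        return spnegoAttributeName;
    }

    public void setSpnegoAttributeName(final String spnegoAttributeName) {
        this.spnegoAttributeName = spnegoAttributeName;
    }

    public boolean isNtlm() {
        return ntlm;
    }

    public void setNtlm(final boolean ntlm) {
        this.ntlm = ntlm;
    }

    public boolean isMixedModeAuthentication() {
        return mixedModeAuthentication;
    }

    public void setMixedModeAuthentication(final boolean mixedModeAuthentication) {
        this.mixedModeAuthentication = mixedModeAuthentication;
    }

    public String getSupportedBrowsers() {
        return supportedBrowsers;
    }

    public void setSupportedBrowsers(final String supportedBrowsers) {
        this.supportedBrowsers = supportedBrowsers;
    }

    public int getPoolSize() {
        return poolSize;
    }

    public void setPoolSize(final int poolSize) {
        this.poolSize = poolSize;
    }

    public String getPoolTimeout() {
        return poolTimeout;
    }

    public void setPoolTimeout(final String poolTimeout) {
        this.poolTimeout = poolTimeout;
    }

    /**
     * Delegates to the given {@link Mapper} to turn this configuration into its property map.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the mapper that knows how to serialize this configuration
     * @return whatever the mapper produces for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}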
372 }