%line | %branch | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
org.apache.jetspeed.security.impl.ntlm.NtlmSecurityValve |
|
|
1 | /* |
|
2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
|
3 | * contributor license agreements. See the NOTICE file distributed with |
|
4 | * this work for additional information regarding copyright ownership. |
|
5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
|
6 | * (the "License"); you may not use this file except in compliance with |
|
7 | * the License. You may obtain a copy of the License at |
|
8 | * |
|
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
|
10 | * |
|
11 | * Unless required by applicable law or agreed to in writing, software |
|
12 | * distributed under the License is distributed on an "AS IS" BASIS, |
|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
14 | * See the License for the specific language governing permissions and |
|
15 | * limitations under the License. |
|
16 | */ |
|
17 | package org.apache.jetspeed.security.impl.ntlm; |
|
18 | ||
19 | import java.security.Principal; |
|
20 | import java.util.HashSet; |
|
21 | import java.util.Set; |
|
22 | ||
23 | import javax.security.auth.Subject; |
|
24 | ||
25 | import org.apache.commons.lang.StringUtils; |
|
26 | import org.apache.jetspeed.administration.PortalAuthenticationConfiguration; |
|
27 | import org.apache.jetspeed.pipeline.PipelineException; |
|
28 | import org.apache.jetspeed.request.RequestContext; |
|
29 | import org.apache.jetspeed.security.SecurityException; |
|
30 | import org.apache.jetspeed.security.SecurityHelper; |
|
31 | import org.apache.jetspeed.security.User; |
|
32 | import org.apache.jetspeed.security.UserManager; |
|
33 | import org.apache.jetspeed.security.UserPrincipal; |
|
34 | import org.apache.jetspeed.security.impl.AbstractSecurityValve; |
|
35 | import org.apache.jetspeed.security.impl.UserPrincipalImpl; |
|
36 | import org.apache.jetspeed.statistics.PortalStatistics; |
|
37 | /** |
|
38 | * NTLMSecurityValve provides Subject creation based on the |
|
39 | * NTLM provided request.getRemoteUser() user name. When request.getRemoteUser() holds |
|
40 | * a valid value, then this user is authorized. Otherwise the username is retrieved |
|
41 | * from the Principal name in the request. In this way you can use NTLM authentication, with |
|
42 | * a fallback authentication method in case the user is not properly authenticated / authorized using |
|
43 | * NTLM. |
|
44 | * |
|
45 | * There are basically three authentication scenarios: |
|
46 | * <ol> |
|
47 | * <li> |
|
48 | * <p><b>The user is successfully authenticated and authorized by Ntml authentication</b></p> |
|
49 | * <p>A Subject is created, with Principal derived from the remoteUser value from Ntlm authentication</p> |
|
50 | * </li> |
|
51 | * <li> |
|
52 | * <p><b>The user is not authenticated by Ntlm, or the authenticated (can be NTLM or any other method) user cannot be authorized by Jetspeed.</b></p> |
|
53 | * <p>An anonymous Subject is created. The user can then be redirected to a login page for example.</p> |
|
54 | * </li> |
|
55 | * <li> |
|
56 | * <p><b>The user is authenticated by a (non-NTLM) authentication method, e.g. container-based form authentication.</b></p> |
|
57 | * <p> |
|
58 | * A subject is created based on the Principal name in the request. |
|
59 | * </p> |
|
60 | * </li> |
|
61 | * </ol> |
|
62 | * @author <a href="mailto:taylor@apache.org">David Sean Taylor </a> |
|
63 | * @author <a href="mailto:rwatler@finali.com">Randy Walter </a> |
|
64 | * @author <a href="mailto:weaver@apache.org">Scott T. Weaver</a> |
|
65 | * @author <a href="mailto:d.dam@hippo.nl">Dennis Dam</a> |
|
66 | * @version $Id$ |
|
67 | */ |
|
68 | public class NtlmSecurityValve extends AbstractSecurityValve |
|
69 | { |
|
70 | private UserManager userMgr; |
|
71 | private PortalStatistics statistics; |
|
72 | private String networkDomain; |
|
73 | private boolean ntlmAuthRequired; |
|
74 | private boolean omitDomain; |
|
75 | ||
76 | ||
77 | /** |
|
78 | * @param userMgr A UserManager |
|
79 | * @param statistics Portal Statistics |
|
80 | * @param networkDomain The network domain is used in combination with the <code>omitDomain</code> flag. |
|
81 | * @param omitDomain If <code>true</code>, then the network domain is stripped from the remoteUser name. |
|
82 | * @param ntlmAuthRequired if <code>true</code>, then an exception is thrown when there is no valid remoteUser, |
|
83 | * or the remoteUser cannot be authorized. |
|
84 | * |
|
85 | */ |
|
86 | public NtlmSecurityValve(UserManager userMgr, String networkDomain, boolean omitDomain, class="keyword">boolean ntlmAuthRequired, |
|
87 | PortalStatistics statistics, PortalAuthenticationConfiguration authenticationConfiguration) |
|
88 | 0 | { |
89 | 0 | this.userMgr = userMgr; |
90 | 0 | this.statistics = statistics; |
91 | 0 | this.networkDomain = networkDomain; |
92 | 0 | this.ntlmAuthRequired = ntlmAuthRequired; |
93 | 0 | this.omitDomain = omitDomain; |
94 | 0 | this.authenticationConfiguration = authenticationConfiguration; |
95 | 0 | } |
96 | ||
97 | public NtlmSecurityValve(UserManager userMgr, String networkDomain, boolean omitDomain, class="keyword">boolean ntlmAuthRequired, PortalStatistics statistics) |
|
98 | { |
|
99 | 0 | this(userMgr, networkDomain, omitDomain, ntlmAuthRequired, statistics, null); |
100 | 0 | } |
101 | ||
102 | public NtlmSecurityValve(UserManager userMgr, String networkDomain, boolean omitDomain, class="keyword">boolean ntlmAuthRequired) |
|
103 | { |
|
104 | 0 | this(userMgr, networkDomain, omitDomain, ntlmAuthRequired, null); |
105 | 0 | } |
106 | ||
107 | public String toString() |
|
108 | { |
|
109 | 0 | return "NtlmSecurityValve"; |
110 | } |
|
111 | ||
112 | protected Principal getUserPrincipal(RequestContext context) throws Exception |
|
113 | { |
|
114 | 0 | Subject subject = getSubjectFromSession(context); |
115 | 0 | if (subject != null) |
116 | { |
|
117 | 0 | return SecurityHelper.getPrincipal(subject, UserPrincipal.class); |
118 | } |
|
119 | // otherwise return anonymous principal |
|
120 | 0 | return new UserPrincipalImpl(userMgr.getAnonymousUser()); |
121 | } |
|
122 | ||
123 | protected Subject getSubject(RequestContext context) throws Exception |
|
124 | { |
|
125 | 0 | Subject subject = getSubjectFromSession(context); |
126 | // Get remote user name set by web container |
|
127 | 0 | String userName = context.getRequest().getRemoteUser(); |
128 | 0 | if ( userName == null ) |
129 | { |
|
130 | 0 | if (ntlmAuthRequired){ |
131 | 0 | throw new PipelineException("Authorization failed."); |
132 | 0 | } else if (context.getRequest().getUserPrincipal() != null){ |
133 | 0 | userName = context.getRequest().getUserPrincipal().getName(); |
134 | } |
|
135 | } else { |
|
136 | 0 | if (omitDomain && networkDomain != null){ |
137 | 0 | userName = StringUtils.stripStart( userName , networkDomain+"\\"); |
138 | } |
|
139 | } |
|
140 | ||
141 | // check whether principal name stored in session subject equals the remote user name passed by the web container |
|
142 | 0 | if (subject != null) |
143 | { |
|
144 | 0 | Principal subjectUserPrincipal = SecurityHelper.getPrincipal(subject, UserPrincipal.class); |
145 | 0 | if ((subjectUserPrincipal == null) || !subjectUserPrincipal.getName().equals(userName)) |
146 | { |
|
147 | 0 | subject = null; |
148 | } |
|
149 | } |
|
150 | 0 | if ( subject == null ){ |
151 | 0 | if (userName != null){ |
152 | try |
|
153 | { |
|
154 | 0 | User user = userMgr.getUser(userName); |
155 | 0 | if ( user != null ) |
156 | { |
|
157 | 0 | subject = user.getSubject(); |
158 | } |
|
159 | 0 | } catch (SecurityException sex) |
160 | { |
|
161 | 0 | subject = null; |
162 | 0 | } |
163 | ||
164 | 0 | if (subject == null && this.ntlmAuthRequired){ |
165 | 0 | throw new PipelineException("Authorization failed for user '"+userName+"'."); |
166 | } |
|
167 | } |
|
168 | 0 | if (subject == null){ |
169 | // create anonymous user |
|
170 | 0 | Principal userPrincipal = getUserPrincipal(context); |
171 | 0 | Set principals = new HashSet(); |
172 | 0 | principals.add(userPrincipal); |
173 | 0 | subject = new Subject(true, principals, class="keyword">new HashSet(), class="keyword">new HashSet()); |
174 | } |
|
175 | ||
176 | // create a new statistics *user* session |
|
177 | 0 | if (statistics != null) |
178 | { |
|
179 | 0 | statistics.logUserLogin(context, 0); |
180 | } |
|
181 | // put IP address in session for logout |
|
182 | 0 | context.setSessionAttribute(IP_ADDRESS, context.getRequest().getRemoteAddr()); |
183 | } |
|
184 | ||
185 | 0 | return subject; |
186 | } |
|
187 | } |
This report is generated by jcoverage, Maven and Maven JCoverage Plugin. |