Authentication Provider which validates Kerberos Service Tickets
+ *
Authentication Provider which validates Kerberos Service Tickets
* or SPNEGO Tokens (which includes Kerberos Service Tickets).
- *
+ *
*
It needs a KerberosTicketValidator, which contains the
* code to validate the ticket, as this code is different between
* SUN and IBM JRE.
* It also needs an UserDetailsService to load the user properties
* and the GrantedAuthorities, as we only get back the username
* from Kerbeos
- *
+ *
* You can see an example configuration in SpnegoAuthenticationProcessingFilter.
- *
+ *
* @author Mike Wiesner
* @since 1.0
* @version $Id$
@@ -51,76 +51,76 @@ import org.springframework.util.Assert;
* @see SpnegoAuthenticationProcessingFilter
*/
public class KerberosServiceAuthenticationProvider implements
- AuthenticationProvider, InitializingBean {
-
- private static final Log LOG = LogFactory.getLog(KerberosServiceAuthenticationProvider.class);
-
- private KerberosTicketValidator ticketValidator;
- private UserDetailsService userDetailsService;
- private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
-
-
- /** The UserDetailsService to use, for loading the user properties
- * and the GrantedAuthorities.
- */
- public void setUserDetailsService(UserDetailsService userDetailsService) {
- this.userDetailsService = userDetailsService;
- }
+ AuthenticationProvider, InitializingBean {
- /** The KerberosTicketValidator to use, for validating
- * the Kerberos/SPNEGO tickets.
- */
- public void setTicketValidator(KerberosTicketValidator ticketValidator) {
- this.ticketValidator = ticketValidator;
- }
+ private static final Log LOG = LogFactory.getLog(KerberosServiceAuthenticationProvider.class);
- /* (non-Javadoc)
- * @see org.springframework.security.authentication.AuthenticationProvider#authenticate(org.springframework.security.core.Authentication)
- */
- @Override
- public Authentication authenticate(Authentication authentication)
- throws AuthenticationException {
- KerberosServiceRequestToken auth = (KerberosServiceRequestToken) authentication;
- byte[] token = auth.getToken();
- LOG.debug("Try to validate Kerberos Token");
- String username = this.ticketValidator.validateTicket(token);
- LOG.debug("Succesfully validated " + username);
- UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
- userDetailsChecker.check(userDetails);
- additionalAuthenticationChecks(userDetails, auth);
- return new KerberosServiceRequestToken(userDetails, userDetails.getAuthorities(), token);
- }
-
-
- /**
- * Allows subclasses to perform any additional checks of a returned UserDetails
- * for a given authentication request.
- *
- * @param userDetails as retrieved from the {@link UserDetailsService}
- * @param authentication validated {@link KerberosServiceRequestToken}
- * @throws AuthenticationException AuthenticationException if the credentials could not be validated (generally a
- * BadCredentialsException, an AuthenticationServiceException)
- */
- protected void additionalAuthenticationChecks(UserDetails userDetails, KerberosServiceRequestToken authentication)
- throws AuthenticationException {
-
+ private KerberosTicketValidator ticketValidator;
+ private UserDetailsService userDetailsService;
+ private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
+
+
+ /** The UserDetailsService to use, for loading the user properties
+ * and the GrantedAuthorities.
+ */
+ public void setUserDetailsService(UserDetailsService userDetailsService) {
+ this.userDetailsService = userDetailsService;
}
- /* (non-Javadoc)
- * @see org.springframework.security.authentication.AuthenticationProvider#supports(java.lang.Class)
- */
- @Override
- public boolean supports(Class extends Object> auth) {
- return KerberosServiceRequestToken.class.isAssignableFrom(auth);
- }
+ /** The KerberosTicketValidator to use, for validating
+ * the Kerberos/SPNEGO tickets.
+ */
+ public void setTicketValidator(KerberosTicketValidator ticketValidator) {
+ this.ticketValidator = ticketValidator;
+ }
- /* (non-Javadoc)
- * @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
- */
- @Override
- public void afterPropertiesSet() throws Exception {
- Assert.notNull(this.ticketValidator, "ticketValidator must be specified");
- Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
- }
+ /* (non-Javadoc)
+ * @see org.springframework.security.authentication.AuthenticationProvider#authenticate(org.springframework.security.core.Authentication)
+ */
+ @Override
+ public Authentication authenticate(Authentication authentication)
+ throws AuthenticationException {
+ KerberosServiceRequestToken auth = (KerberosServiceRequestToken) authentication;
+ byte[] token = auth.getToken();
+ LOG.debug("Try to validate Kerberos Token");
+ String username = this.ticketValidator.validateTicket(token);
+ LOG.debug("Succesfully validated " + username);
+ UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
+ userDetailsChecker.check(userDetails);
+ additionalAuthenticationChecks(userDetails, auth);
+ return new KerberosServiceRequestToken(userDetails, userDetails.getAuthorities(), token);
+ }
+
+
+ /**
+ * Allows subclasses to perform any additional checks of a returned UserDetails
+ * for a given authentication request.
+ *
+ * @param userDetails as retrieved from the {@link UserDetailsService}
+ * @param authentication validated {@link KerberosServiceRequestToken}
+ * @throws AuthenticationException AuthenticationException if the credentials could not be validated (generally a
+ * BadCredentialsException, an AuthenticationServiceException)
+ */
+ protected void additionalAuthenticationChecks(UserDetails userDetails, KerberosServiceRequestToken authentication)
+ throws AuthenticationException {
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.springframework.security.authentication.AuthenticationProvider#supports(java.lang.Class)
+ */
+ @Override
+ public boolean supports(Class extends Object> auth) {
+ return KerberosServiceRequestToken.class.isAssignableFrom(auth);
+ }
+
+ /* (non-Javadoc)
+ * @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
+ */
+ @Override
+ public void afterPropertiesSet() throws Exception {
+ Assert.notNull(this.ticketValidator, "ticketValidator must be specified");
+ Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
+ }
}
diff --git a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosServiceRequestToken.java b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosServiceRequestToken.java
index dcaaee7..9a6c38c 100644
--- a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosServiceRequestToken.java
+++ b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosServiceRequestToken.java
@@ -27,11 +27,11 @@ import org.springframework.security.extensions.kerberos.web.SpnegoAuthentication
/**
* Holds the Kerberos/SPNEGO token for requesting a kerberized service
* and is also the output of KerberosServiceAuthenticationProvider.
- * Will mostly be created in SpnegoAuthenticationProcessingFilter
+ * Will mostly be created in SpnegoAuthenticationProcessingFilter
* and authenticated in KerberosServiceAuthenticationProvider.
- *
+ *
* This token cannot be re-authenticated, as you will get a Kerberos Reply error.
- *
+ *
* @author Mike Wiesner
* @since 1.0
* @version $Id$
@@ -41,84 +41,84 @@ import org.springframework.security.extensions.kerberos.web.SpnegoAuthentication
public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
- private static final long serialVersionUID = 395488921064775014L;
- private final byte[] token;
- private final Object principal;
-
- /** Creates an authenticated token, normally used as an output of an authentication provider.
- * @param principal the user principal (mostly of instance UserDetails
- * @param authorities the authorities which are granted to the user
- * @param token the Kerberos/SPNEGO token
- * @see UserDetails
- */
- public KerberosServiceRequestToken(Object principal, List authorities, byte[] token) {
- super(authorities);
- this.token = token;
- this.principal = principal;
- super.setAuthenticated(true);
- }
+ private static final long serialVersionUID = 395488921064775014L;
+ private final byte[] token;
+ private final Object principal;
- /**
- * Creates an unauthenticated instance which should then be authenticated by
- * KerberosServiceAuthenticationProvider/code>
- *
- * @param token Kerberos/SPNEGO token
- * @see KerberosServiceAuthenticationProvider
- */
- public KerberosServiceRequestToken(byte[] token) {
- super(null);
- this.token = token;
- this.principal = null;
- }
+ /** Creates an authenticated token, normally used as an output of an authentication provider.
+ * @param principal the user principal (mostly of instance UserDetails
+ * @param authorities the authorities which are granted to the user
+ * @param token the Kerberos/SPNEGO token
+ * @see UserDetails
+ */
+ public KerberosServiceRequestToken(Object principal, List authorities, byte[] token) {
+ super(authorities);
+ this.token = token;
+ this.principal = principal;
+ super.setAuthenticated(true);
+ }
- /**
- * Calculates hashcode based on the Kerberos token
- */
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = super.hashCode();
- result = prime * result + Arrays.hashCode(token);
- return result;
- }
+ /**
+ * Creates an unauthenticated instance which should then be authenticated by
+ * KerberosServiceAuthenticationProvider/code>
+ *
+ * @param token Kerberos/SPNEGO token
+ * @see KerberosServiceAuthenticationProvider
+ */
+ public KerberosServiceRequestToken(byte[] token) {
+ super(null);
+ this.token = token;
+ this.principal = null;
+ }
- /**
- * equals() is based only on the Kerberos token
- */
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (!super.equals(obj))
- return false;
- if (getClass() != obj.getClass())
- return false;
- KerberosServiceRequestToken other = (KerberosServiceRequestToken) obj;
- if (!Arrays.equals(token, other.token))
- return false;
- return true;
- }
+ /**
+ * Calculates hashcode based on the Kerberos token
+ */
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = super.hashCode();
+ result = prime * result + Arrays.hashCode(token);
+ return result;
+ }
- /* (non-Javadoc)
- * @see org.springframework.security.core.Authentication#getCredentials()
- */
- @Override
- public Object getCredentials() {
- return null;
- }
+ /**
+ * equals() is based only on the Kerberos token
+ */
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (!super.equals(obj))
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ KerberosServiceRequestToken other = (KerberosServiceRequestToken) obj;
+ if (!Arrays.equals(token, other.token))
+ return false;
+ return true;
+ }
- /* (non-Javadoc)
- * @see org.springframework.security.core.Authentication#getPrincipal()
- */
- @Override
- public Object getPrincipal() {
- return this.principal;
- }
+ /* (non-Javadoc)
+ * @see org.springframework.security.core.Authentication#getCredentials()
+ */
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
- /** Returns the Kerberos token
- */
- public byte[] getToken() {
- return this.token;
- }
+ /* (non-Javadoc)
+ * @see org.springframework.security.core.Authentication#getPrincipal()
+ */
+ @Override
+ public Object getPrincipal() {
+ return this.principal;
+ }
+
+ /** Returns the Kerberos token
+ */
+ public byte[] getToken() {
+ return this.token;
+ }
}
diff --git a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosTicketValidator.java b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosTicketValidator.java
index 9dd9551..9d72d7a 100644
--- a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosTicketValidator.java
+++ b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/KerberosTicketValidator.java
@@ -21,7 +21,7 @@ import org.springframework.security.authentication.BadCredentialsException;
/**
* Implementations of this interface are used in
* {@link KerberosServiceAuthenticationProvider} to validate a Kerberos/SPNEGO Ticket.
- *
+ *
* @author Mike Wiesner
* @since 1.0
* @version $Id$
@@ -29,11 +29,11 @@ import org.springframework.security.authentication.BadCredentialsException;
*/
public interface KerberosTicketValidator {
- /** Validates a Kerberos/SPNEGO ticket.
- * @param token Kerbeos/SPNEGO ticket
- * @return authenticated kerberos principal
- * @throws BadCredentialsException if the ticket is not valid
- */
- public String validateTicket(byte[] token) throws BadCredentialsException;
+ /** Validates a Kerberos/SPNEGO ticket.
+ * @param token Kerbeos/SPNEGO ticket
+ * @return authenticated kerberos principal
+ * @throws BadCredentialsException if the ticket is not valid
+ */
+ public String validateTicket(byte[] token) throws BadCredentialsException;
}
\ No newline at end of file
diff --git a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/SunJaasKerberosTicketValidator.java b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/SunJaasKerberosTicketValidator.java
index d7914f2..b65ce7b 100644
--- a/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/SunJaasKerberosTicketValidator.java
+++ b/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/SunJaasKerberosTicketValidator.java
@@ -39,142 +39,142 @@ import org.springframework.util.Assert;
/**
* Implementation of {@link KerberosTicketValidator} which uses the SUN JAAS
- * login module, which is included in the SUN JRE, it will not work with an IBM JRE.
+ * login module, which is included in the SUN JRE, it will not work with an IBM JRE.
* The whole configuration is done in this class, no additional JAAS configuration
* is needed.
- *
+ *
* @author Mike Wiesner
* @since 1.0
* @version $Id$
*/
public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, InitializingBean {
- private String servicePrincipal;
- private Resource keyTabLocation;
- private Subject serviceSubject;
- private boolean debug = false;
+ private String servicePrincipal;
+ private Resource keyTabLocation;
+ private Subject serviceSubject;
+ private boolean debug = false;
- /* (non-Javadoc)
- * @see org.springframework.security.extensions.kerberos.KerberosTicketValidator#validateTicket(byte[])
- */
- public String validateTicket(byte[] token) {
- String username = null;
- try {
- username = Subject.doAs(this.serviceSubject, new KerberosValidateAction(token));
- } catch (PrivilegedActionException e) {
- throw new BadCredentialsException("Kerberos validation not succesfull", e);
- }
- return username;
- }
+ /* (non-Javadoc)
+ * @see org.springframework.security.extensions.kerberos.KerberosTicketValidator#validateTicket(byte[])
+ */
+ public String validateTicket(byte[] token) {
+ String username = null;
+ try {
+ username = Subject.doAs(this.serviceSubject, new KerberosValidateAction(token));
+ } catch (PrivilegedActionException e) {
+ throw new BadCredentialsException("Kerberos validation not succesfull", e);
+ }
+ return username;
+ }
- /** The service principal of the application.
- * For web apps this is HTTP/full-qualified-domain-name@DOMAIN.
- * The keytab must contain the key for this principal.
- *
- * @param servicePrincipal service principal to use
- * @see #setKeyTabLocation(Resource)
- */
- public void setServicePrincipal(String servicePrincipal) {
- this.servicePrincipal = servicePrincipal;
- }
+ /** The service principal of the application.
+ * For web apps this is HTTP/full-qualified-domain-name@DOMAIN.
+ * The keytab must contain the key for this principal.
+ *
+ * @param servicePrincipal service principal to use
+ * @see #setKeyTabLocation(Resource)
+ */
+ public void setServicePrincipal(String servicePrincipal) {
+ this.servicePrincipal = servicePrincipal;
+ }
- /**
- * The location of the keytab. You can use the normale Spring Resource
- * prefixes like file: or classpath:, but as the
- * file is later on read by JAAS, we cannot guarantee that classpath
- * works in every environment, esp. not in Java EE application servers. You
- * should use file: there.
- *
- * @param keyTabLocation The location where the keytab resides
- */
- public void setKeyTabLocation(Resource keyTabLocation) {
- this.keyTabLocation = keyTabLocation;
- }
-
- /** Enables the debug mode of the JAAS Kerberos login module
- * @param debug default is false
- */
- public void setDebug(boolean debug) {
- this.debug = debug;
- }
+ /**
+ * The location of the keytab. You can use the normale Spring Resource
+ * prefixes like file: or classpath:, but as the
+ * file is later on read by JAAS, we cannot guarantee that classpath
+ * works in every environment, esp. not in Java EE application servers. You
+ * should use file: there.
+ *
+ * @param keyTabLocation The location where the keytab resides
+ */
+ public void setKeyTabLocation(Resource keyTabLocation) {
+ this.keyTabLocation = keyTabLocation;
+ }
- /* (non-Javadoc)
- * @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
- */
- @Override
- public void afterPropertiesSet() throws Exception {
- Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
- Assert.notNull(this.keyTabLocation, "keyTab must be specified");
- LoginConfig loginConfig = new LoginConfig(this.keyTabLocation.getURL().toExternalForm(), this.servicePrincipal,
- this.debug);
- Set princ = new HashSet(1);
- princ.add(new KerberosPrincipal(this.servicePrincipal));
- Subject sub = new Subject(false, princ, new HashSet