Make SpnegoAuthenticationProcessingFilter extend OncePerRequestFilter
- Because a Kerberos ticket can only be validated once, any attempt to execute this filter more than once on the same request results in “KrbException: Request is a replay”. Closes gh-46
@@ -19,8 +19,6 @@ import java.io.IOException;
|
||||
|
||||
import jakarta.servlet.FilterChain;
|
||||
import jakarta.servlet.ServletException;
|
||||
import jakarta.servlet.ServletRequest;
|
||||
import jakarta.servlet.ServletResponse;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
|
||||
@@ -39,7 +37,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
|
||||
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
|
||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.filter.GenericFilterBean;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
|
||||
/**
|
||||
* Parses the SPNEGO authentication Header, which was generated by the browser
|
||||
@@ -106,7 +104,7 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
* @see KerberosServiceAuthenticationProvider
|
||||
* @see SpnegoEntryPoint
|
||||
*/
|
||||
public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
|
||||
public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
|
||||
|
||||
private AuthenticationDetailsSource<HttpServletRequest,?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
|
||||
private AuthenticationManager authenticationManager;
|
||||
@@ -124,9 +122,8 @@ public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
|
||||
private static final String NTLMSSP_PREFIX = "Negotiate TlRMTVNTUA";
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if (skipIfAlreadyAuthenticated) {
|
||||
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
|
||||
|
||||
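Review bot: The once-per-request guard that `doFilterInternal` now inherits is keyed on the filter's name (the `<filterName>.FILTERED` request attribute), so it stops one filter instance from validating the same ticket twice within a request (e.g. across a forward), but a second `SpnegoAuthenticationProcessingFilter` registered under a different bean or filter name would still perform a second validation and hit the same "Request is a replay" failure — the class Javadoc should state that exactly one instance belongs in the chain. Switching from `GenericFilterBean` also means, if I recall the defaults correctly, that ASYNC and ERROR dispatches are skipped unless `shouldNotFilterAsyncDispatch`/`shouldNotFilterErrorDispatch` are overridden; that is probably intended here, but it is a behaviour change the commit message does not mention and the rest of the class is outside these hunks so I cannot confirm nothing relies on it. I would also add to the class Javadoc, next to the `@see` tags, `* Extends {@link OncePerRequestFilter} because a Kerberos ticket can be validated only once; a second pass over the same request fails with "KrbException: Request is a replay".` The body of `doFilterInternal` continues past the end of the last hunk.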