Make SpnegoAuthenticationProcessingFilter extend OncePerRequestFilter

- Because a Kerberos ticket can only be validated once, any attempt to execute this filter more than once for the same request will result in “KrbException: Request is a replay”

Closes gh-46
Nate Tyler
2017-04-27 15:01:20 -04:00
committed by Rob Winch
parent 5e63bc6be8
commit b65dfc2877


@@ -19,8 +19,6 @@ import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
@@ -39,7 +37,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.filter.OncePerRequestFilter;
/**
* Parses the SPNEGO authentication Header, which was generated by the browser
@@ -106,7 +104,7 @@ import org.springframework.web.filter.GenericFilterBean;
* @see KerberosServiceAuthenticationProvider
* @see SpnegoEntryPoint
*/
public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
private AuthenticationDetailsSource<HttpServletRequest,?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private AuthenticationManager authenticationManager;
@@ -124,9 +122,8 @@ public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
private static final String NTLMSSP_PREFIX = "Negotiate TlRMTVNTUA";
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
if (skipIfAlreadyAuthenticated) {
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();