From b65dfc2877a177ac052573db67e29eab6df51746 Mon Sep 17 00:00:00 2001
From: Nate Tyler
Date: Thu, 27 Apr 2017 15:01:20 -0400
Subject: [PATCH] Make SpnegoAuthenticationProcessingFilter extend OncePerRequestFilter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Because Kerberos tickets can only be validated once, any attempt to execute this filter more than once will result in “KrbException: Request is a replay”

Closes gh-46
---
 .../SpnegoAuthenticationProcessingFilter.java | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/spring-security-kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java b/spring-security-kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
index 24bfc73..352a823 100644
--- a/spring-security-kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
+++ b/spring-security-kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
@@ -19,8 +19,6 @@ import java.io.IOException;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
@@ -39,7 +37,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
 import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.util.Assert;
-import org.springframework.web.filter.GenericFilterBean;
+import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
  * Parses the SPNEGO authentication Header, which was generated by the browser
@@ -106,7 +104,7 @@ import org.springframework.web.filter.GenericFilterBean;
  * @see KerberosServiceAuthenticationProvider
  * @see SpnegoEntryPoint
  */
-public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
+public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
 
 private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
 private AuthenticationManager authenticationManager;
@@ -124,9 +122,8 @@ public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
 private static final String NTLMSSP_PREFIX = "Negotiate TlRMTVNTUA";
 
 @Override
-public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
-HttpServletRequest request = (HttpServletRequest) req;
-HttpServletResponse response = (HttpServletResponse) res;
+protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+throws ServletException, IOException {
 
 if (skipIfAlreadyAuthenticated) {
 Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
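Review bot: The class Javadoc above the new `public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {` line does not say why the base class changed; the single-use-ticket rationale lives only in the commit message, so a later "simplification" back to `GenericFilterBean` would silently reintroduce the replay failure this patch fixes. I would add to the class Javadoc, just above the `@see` tags: `* <p>Extends {@link OncePerRequestFilter} because a Kerberos service ticket can be validated only once: running this filter twice for the same request (for example after a forward or include) makes the second validation fail with "KrbException: Request is a replay".` The Javadoc body itself begins outside this hunk.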
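Review bot: The `OncePerRequestFilter` guard added at `protected void doFilterInternal(...)` only prevents a second pass within one servlet request; the same ticket arriving again in a new request (a client retrying after a redirect, or an intermediary replaying the `Negotiate` header) will still be rejected by the acceptor's replay detection, so the exception handling further down `doFilterInternal` — which continues past the end of this hunk — should still turn that `KrbException` into an authentication failure and a fresh `401` challenge rather than letting it surface as a server error; I cannot see that path here. Note also that, with `OncePerRequestFilter`'s defaults (`shouldNotFilterAsyncDispatch()` and `shouldNotFilterErrorDispatch()` both returning `true`), this filter no longer runs on ASYNC and ERROR dispatches, which `GenericFilterBean` did not skip; since the already-filtered attribute is cleared when `doFilterInternal` returns, re-enabling those dispatches would hit the replay again, so the behaviour change is presumably intended but is worth confirming for any error page that depended on SPNEGO. A one-line comment above the signature would make the constraint explicit: `// The AP-REQ in the Negotiate header is accepted by the validator only once; a second pass over the same request would be rejected as a replay.`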