Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $
You can buy this project and download/modify it how often you want.
waffle.servlet.NegotiateSecurityFilter Maven / Gradle / Ivy
/*
* MIT License
*
* Copyright (c) 2010-2024 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package waffle.servlet;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import waffle.servlet.spi.SecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProviderCollection;
import waffle.util.AuthorizationHeader;
import waffle.util.CorsPreFlightCheck;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;
import waffle.windows.auth.PrincipalFormat;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
/**
* A Negotiate (NTLM/Kerberos) Security Filter.
*/
public class NegotiateSecurityFilter implements Filter {
/** The Constant LOGGER. */
private static final Logger LOGGER = LoggerFactory.getLogger(NegotiateSecurityFilter.class);
/** The Constant PRINCIPALSESSIONKEY. */
private static final String PRINCIPALSESSIONKEY = NegotiateSecurityFilter.class.getName() + ".PRINCIPAL";
/** The windows flag. */
private static Boolean windows;
/** The principal format. */
private PrincipalFormat principalFormat = PrincipalFormat.FQN;
/** The role format. */
private PrincipalFormat roleFormat = PrincipalFormat.FQN;
/** The providers. */
private SecurityFilterProviderCollection providers;
/** The auth. */
private IWindowsAuthProvider auth;
/** The exclusion filter. */
private String[] excludePatterns;
/** The allow guest login. */
private boolean allowGuestLogin = true;
/** The impersonate. */
private boolean impersonate;
/** The exclusion bearer authorization. */
private boolean excludeBearerAuthorization;
/** The exclusions cors pre flight. */
private boolean excludeCorsPreflight;
/** The disable SSO. */
private boolean disableSSO;
/**
* Instantiates a new negotiate security filter.
*/
public NegotiateSecurityFilter() {
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] loaded");
}
@Override
public void destroy() {
NegotiateSecurityFilter.LOGGER.info("[waffle.servlet.NegotiateSecurityFilter] stopped");
}
@Override
public void doFilter(final ServletRequest sreq, final ServletResponse sres, final FilterChain chain)
throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) sreq;
final HttpServletResponse response = (HttpServletResponse) sres;
NegotiateSecurityFilter.LOGGER.debug("{} {}, contentlength: {}", request.getMethod(), request.getRequestURI(),
Integer.valueOf(request.getContentLength()));
// If we are not in a windows environment, resume filter chain
if (!NegotiateSecurityFilter.isWindows()) {
NegotiateSecurityFilter.LOGGER.debug("Running in a non windows environment, SSO skipped");
chain.doFilter(request, response);
return;
}
// If sso is disabled, resume filter chain
if (this.disableSSO) {
NegotiateSecurityFilter.LOGGER.debug("SSO is disabled, resuming filter chain");
chain.doFilter(request, response);
return;
}
// If excluded URL, resume the filter chain
if (request.getRequestURL() != null && this.excludePatterns != null) {
final String url = request.getRequestURL().toString();
for (final String pattern : this.excludePatterns) {
if (url.matches(pattern)) {
NegotiateSecurityFilter.LOGGER.info("Pattern :{} excluded URL:{}", url, pattern);
chain.doFilter(sreq, sres);
return;
}
}
}
// If exclude cores pre-flight and is pre flight, resume the filter chain
if (this.excludeCorsPreflight && CorsPreFlightCheck.isPreflight(request)) {
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] CORS preflight");
chain.doFilter(sreq, sres);
return;
}
final AuthorizationHeader authorizationHeader = new AuthorizationHeader(request);
// If exclude bearer authorization and is bearer authorization, result the filter chain
if (this.excludeBearerAuthorization && authorizationHeader.isBearerAuthorizationHeader()) {
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] Authorization: Bearer");
chain.doFilter(sreq, sres);
return;
}
if (this.doFilterPrincipal(request, response, chain)) {
// previously authenticated user
return;
}
// authenticate user
if (!authorizationHeader.isNull()) {
// log the user in using the token
IWindowsIdentity windowsIdentity;
try {
windowsIdentity = this.providers.doFilter(request, response);
if (windowsIdentity == null) {
return;
}
} catch (final IOException e) {
NegotiateSecurityFilter.LOGGER.warn("error logging in user: {}", e.getMessage());
NegotiateSecurityFilter.LOGGER.trace("", e);
this.sendUnauthorized(response, true);
return;
}
IWindowsImpersonationContext ctx = null;
try {
if (!this.allowGuestLogin && windowsIdentity.isGuest()) {
NegotiateSecurityFilter.LOGGER.warn("guest login disabled: {}", windowsIdentity.getFqn());
this.sendUnauthorized(response, true);
return;
}
NegotiateSecurityFilter.LOGGER.debug("logged in user: {} ({})", windowsIdentity.getFqn(),
windowsIdentity.getSidString());
final HttpSession session = request.getSession(true);
if (session == null) {
throw new ServletException("Expected HttpSession");
}
Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
subject = new Subject();
}
WindowsPrincipal windowsPrincipal;
if (this.impersonate) {
windowsPrincipal = new AutoDisposableWindowsPrincipal(windowsIdentity, this.principalFormat,
this.roleFormat);
} else {
windowsPrincipal = new WindowsPrincipal(windowsIdentity, this.principalFormat, this.roleFormat);
}
NegotiateSecurityFilter.LOGGER.debug("roles: {}", windowsPrincipal.getRolesString());
subject.getPrincipals().add(windowsPrincipal);
request.getSession(false).setAttribute("javax.security.auth.subject", subject);
NegotiateSecurityFilter.LOGGER.info("successfully logged in user: {}", windowsIdentity.getFqn());
request.getSession(false).setAttribute(NegotiateSecurityFilter.PRINCIPALSESSIONKEY, windowsPrincipal);
final NegotiateRequestWrapper requestWrapper = new NegotiateRequestWrapper(request, windowsPrincipal);
if (this.impersonate) {
NegotiateSecurityFilter.LOGGER.debug("impersonating user");
ctx = windowsIdentity.impersonate();
}
chain.doFilter(requestWrapper, response);
} finally {
if (this.impersonate && ctx != null) {
NegotiateSecurityFilter.LOGGER.debug("terminating impersonation");
ctx.revertToSelf();
} else {
windowsIdentity.dispose();
}
}
return;
}
NegotiateSecurityFilter.LOGGER.debug("authorization required");
this.sendUnauthorized(response, false);
}
/**
* Filter for a previously logged on user.
*
* @param request
* HTTP request.
* @param response
* HTTP response.
* @param chain
* Filter chain.
*
* @return True if a user already authenticated.
*
* @throws IOException
* Signals that an I/O exception has occurred.
* @throws ServletException
* the servlet exception
*/
private boolean doFilterPrincipal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain chain) throws IOException, ServletException {
Principal principal = request.getUserPrincipal();
if (principal == null) {
final HttpSession session = request.getSession(false);
if (session != null) {
principal = (Principal) session.getAttribute(NegotiateSecurityFilter.PRINCIPALSESSIONKEY);
}
}
if (principal == null) {
// no principal in this request
return false;
}
if (this.providers.isPrincipalException(request)) {
// the providers signal to authenticate despite an existing principal, eg. NTLM post
return false;
}
// user already authenticated
if (principal instanceof WindowsPrincipal) {
NegotiateSecurityFilter.LOGGER.debug("previously authenticated Windows user: {}", principal.getName());
final WindowsPrincipal windowsPrincipal = (WindowsPrincipal) principal;
if (this.impersonate && windowsPrincipal.getIdentity() == null) {
// This can happen when the session has been serialized then de-serialized
// and because the IWindowsIdentity field is transient. In this case re-ask an
// authentication to get a new identity.
return false;
}
final NegotiateRequestWrapper requestWrapper = new NegotiateRequestWrapper(request, windowsPrincipal);
IWindowsImpersonationContext ctx = null;
if (this.impersonate) {
NegotiateSecurityFilter.LOGGER.debug("re-impersonating user");
ctx = windowsPrincipal.getIdentity().impersonate();
}
try {
chain.doFilter(requestWrapper, response);
} finally {
if (this.impersonate && ctx != null) {
NegotiateSecurityFilter.LOGGER.debug("terminating impersonation");
ctx.revertToSelf();
}
}
} else {
NegotiateSecurityFilter.LOGGER.debug("previously authenticated user: {}", principal.getName());
chain.doFilter(request, response);
}
return true;
}
@Override
public void init(final FilterConfig filterConfig) throws ServletException {
final Map implParameters = new HashMap<>();
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] starting");
String authProvider = null;
String[] providerNames = null;
if (filterConfig != null) {
final List parameterNames = Collections.list(filterConfig.getInitParameterNames());
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] processing filterConfig");
for (String parameterName : parameterNames) {
final String parameterValue = filterConfig.getInitParameter(parameterName);
NegotiateSecurityFilter.LOGGER.debug("Init Param: '{}={}'", parameterName, parameterValue);
switch (parameterName) {
case "principalFormat":
this.principalFormat = PrincipalFormat.valueOf(parameterValue.toUpperCase(Locale.ENGLISH));
break;
case "roleFormat":
this.roleFormat = PrincipalFormat.valueOf(parameterValue.toUpperCase(Locale.ENGLISH));
break;
case "allowGuestLogin":
this.allowGuestLogin = Boolean.parseBoolean(parameterValue);
break;
case "impersonate":
this.impersonate = Boolean.parseBoolean(parameterValue);
break;
case "securityFilterProviders":
providerNames = parameterValue.split("\\s+", -1);
break;
case "authProvider":
authProvider = parameterValue;
break;
case "excludePatterns":
this.excludePatterns = parameterValue.split("\\s+", -1);
break;
case "excludeCorsPreflight":
this.excludeCorsPreflight = Boolean.parseBoolean(parameterValue);
break;
case "excludeBearerAuthorization":
this.excludeBearerAuthorization = Boolean.parseBoolean(parameterValue);
break;
case "disableSSO":
this.disableSSO = Boolean.parseBoolean(parameterValue);
break;
default:
implParameters.put(parameterName, parameterValue);
break;
}
}
}
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] authProvider");
if (authProvider != null) {
try {
this.auth = Class.forName(authProvider).asSubclass(IWindowsAuthProvider.class).getConstructor()
.newInstance();
} catch (final ClassNotFoundException | IllegalArgumentException | SecurityException
| InstantiationException | IllegalAccessException | InvocationTargetException
| NoSuchMethodException e) {
throw new ServletException(e);
}
}
if (this.auth == null) {
this.auth = new WindowsAuthProviderImpl();
}
if (providerNames != null) {
this.providers = new SecurityFilterProviderCollection(providerNames, this.auth);
}
// create default providers if none specified
if (this.providers == null) {
NegotiateSecurityFilter.LOGGER.debug("initializing default security filter providers");
this.providers = new SecurityFilterProviderCollection(this.auth);
}
// apply provider implementation parameters
NegotiateSecurityFilter.LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] load provider parameters");
for (final Map.Entry implParameter : implParameters.entrySet()) {
final String[] classAndParameter = implParameter.getKey().split("/", 2);
if (classAndParameter.length == 2) {
try {
NegotiateSecurityFilter.LOGGER.debug("setting {}, {}={}", classAndParameter[0],
classAndParameter[1], implParameter.getValue());
final SecurityFilterProvider provider = this.providers.getByClassName(classAndParameter[0]);
provider.initParameter(classAndParameter[1], implParameter.getValue());
} catch (final ClassNotFoundException e) {
NegotiateSecurityFilter.LOGGER.error("invalid class: {} in {}", classAndParameter[0],
implParameter.getKey());
throw new ServletException(e);
} catch (final Exception e) {
NegotiateSecurityFilter.LOGGER.error("Error setting {} in {}", classAndParameter[0],
classAndParameter[1]);
throw new ServletException(e);
}
} else {
NegotiateSecurityFilter.LOGGER.error("Invalid parameter: {}", implParameter.getKey());
throw new ServletException("Invalid parameter: " + implParameter.getKey());
}
}
NegotiateSecurityFilter.LOGGER.info("[waffle.servlet.NegotiateSecurityFilter] started");
}
/**
* Set the principal format.
*
* @param format
* Principal format.
*/
public void setPrincipalFormat(final String format) {
this.principalFormat = PrincipalFormat.valueOf(format.toUpperCase(Locale.ENGLISH));
NegotiateSecurityFilter.LOGGER.info("principal format: {}", this.principalFormat);
}
/**
* Principal format.
*
* @return Principal format.
*/
public PrincipalFormat getPrincipalFormat() {
return this.principalFormat;
}
/**
* Set the principal format.
*
* @param format
* Role format.
*/
public void setRoleFormat(final String format) {
this.roleFormat = PrincipalFormat.valueOf(format.toUpperCase(Locale.ENGLISH));
NegotiateSecurityFilter.LOGGER.info("role format: {}", this.roleFormat);
}
/**
* Principal format.
*
* @return Role format.
*/
public PrincipalFormat getRoleFormat() {
return this.roleFormat;
}
/**
* Send a 401 Unauthorized along with protocol authentication headers.
*
* @param response
* HTTP Response
* @param close
* Close connection.
*/
private void sendUnauthorized(final HttpServletResponse response, final boolean close) {
try {
this.providers.sendUnauthorized(response);
if (close) {
response.setHeader("Connection", "close");
} else {
response.setHeader("Connection", "keep-alive");
}
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();
} catch (final IOException e) {
throw new RuntimeException(e);
}
}
/**
* Windows auth provider.
*
* @return IWindowsAuthProvider.
*/
public IWindowsAuthProvider getAuth() {
return this.auth;
}
/**
* Set Windows auth provider.
*
* @param provider
* Class implements IWindowsAuthProvider.
*/
public void setAuth(final IWindowsAuthProvider provider) {
this.auth = provider;
}
/**
* True if guest login is allowed.
*
* @return True if guest login is allowed, false otherwise.
*/
public boolean isAllowGuestLogin() {
return this.allowGuestLogin;
}
/**
* Enable/Disable impersonation.
*
* @param value
* true to enable impersonation, false otherwise
*/
public void setImpersonate(final boolean value) {
this.impersonate = value;
}
/**
* Checks if is impersonate.
*
* @return true if impersonation is enabled, false otherwise
*/
public boolean isImpersonate() {
return this.impersonate;
}
/**
* Security filter providers.
*
* @return A collection of security filter providers.
*/
public SecurityFilterProviderCollection getProviders() {
return this.providers;
}
private static boolean isWindows() {
if (NegotiateSecurityFilter.windows == null) {
NegotiateSecurityFilter.windows = System.getProperty("os.name").toLowerCase(Locale.ENGLISH).contains("win");
}
return NegotiateSecurityFilter.windows.booleanValue();
}
}
