001: /*
002: * $Header:$
003: * $Revision: 480424 $
004: * $Date: 2006-11-29 06:56:49 +0100 (Wed, 29 Nov 2006) $
005: *
006: * ====================================================================
007: *
008: * Licensed to the Apache Software Foundation (ASF) under one or more
009: * contributor license agreements. See the NOTICE file distributed with
010: * this work for additional information regarding copyright ownership.
011: * The ASF licenses this file to You under the Apache License, Version 2.0
012: * (the "License"); you may not use this file except in compliance with
013: * the License. You may obtain a copy of the License at
014: *
015: * http://www.apache.org/licenses/LICENSE-2.0
016: *
017: * Unless required by applicable law or agreed to in writing, software
018: * distributed under the License is distributed on an "AS IS" BASIS,
019: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
020: * See the License for the specific language governing permissions and
021: * limitations under the License.
022: * ====================================================================
023: *
024: * This software consists of voluntary contributions made by many
025: * individuals on behalf of the Apache Software Foundation. For more
026: * information on the Apache Software Foundation, please see
027: * <http://www.apache.org/>.
028: *
029: */
030:
031: package org.apache.commons.httpclient.contrib.auth;
032:
033: import org.apache.commons.codec.binary.Base64;
034: import org.apache.commons.httpclient.Credentials;
035: import org.apache.commons.httpclient.HttpMethod;
036: import org.apache.commons.httpclient.auth.AuthChallengeException;
037: import org.apache.commons.httpclient.auth.AuthScheme;
038: import org.apache.commons.httpclient.auth.AuthenticationException;
039: import org.apache.commons.httpclient.auth.CredentialsNotAvailableException;
040: import org.apache.commons.httpclient.auth.InvalidCredentialsException;
041: import org.apache.commons.logging.Log;
042: import org.apache.commons.logging.LogFactory;
043: import org.ietf.jgss.GSSContext;
044: import org.ietf.jgss.GSSException;
045: import org.ietf.jgss.GSSManager;
046: import org.ietf.jgss.GSSName;
047: import org.ietf.jgss.Oid;
048:
049: /**
050: *
051: * @author <a href="mailto:mikael.wikstrom@it.su.se">Mikael Wilstrom</a>
052: * @author Mikael Wikstrom
053: */
054: public class NegotiateScheme implements AuthScheme {
055:
056: /** Log object for this class. */
057: private static final Log LOG = LogFactory
058: .getLog(NegotiateScheme.class);
059:
060: /** challenge string. */
061: private String challenge = null;
062:
063: private static final int UNINITIATED = 0;
064: private static final int INITIATED = 1;
065: private static final int NEGOTIATING = 3;
066: private static final int ESTABLISHED = 4;
067: private static final int FAILED = Integer.MAX_VALUE;
068:
069: private GSSContext context = null;
070:
071: /** Authentication process state */
072: private int state;
073:
074: /** base64 decoded challenge **/
075: byte[] token = new byte[0];
076:
077: /**
078: * Init GSSContext for negotiation.
079: *
080: * @param server servername only (e.g: radar.it.su.se)
081: */
082: protected void init(String server) throws GSSException {
083: LOG.debug("init " + server);
084: /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
085: Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
086: GSSManager manager = GSSManager.getInstance();
087: GSSName serverName = manager.createName("HTTP/" + server, null);
088: context = manager.createContext(serverName, krb5Oid, null,
089: GSSContext.DEFAULT_LIFETIME);
090: context.requestMutualAuth(true);
091: context.requestCredDeleg(true);
092: state = INITIATED;
093: }
094:
095: /**
096: * Default constructor for the Negotiate authentication scheme.
097: *
098: * @since 3.0
099: */
100: public NegotiateScheme() {
101: super ();
102: state = UNINITIATED;
103: }
104:
105: /**
106: * Constructor for the Negotiate authentication scheme.
107: *
108: * @param challenge The authentication challenge
109: */
110: public NegotiateScheme(final String challenge) {
111: super ();
112: LOG.debug("enter NegotiateScheme(" + challenge + ")");
113: processChallenge(challenge);
114: }
115:
116: /**
117: * Processes the Negotiate challenge.
118: *
119: * @param challenge the challenge string
120: *
121: * @since 3.0
122: */
123: public void processChallenge(final String challenge) {
124: LOG.debug("enter processChallenge(challenge=\"" + challenge
125: + "\")");
126: if (challenge.startsWith("Negotiate")) {
127: if (isComplete() == false)
128: state = NEGOTIATING;
129:
130: if (challenge.startsWith("Negotiate "))
131: token = new Base64().decode(challenge.substring(10)
132: .getBytes());
133: else
134: token = new byte[0];
135: }
136: }
137:
138: /**
139: * Tests if the Negotiate authentication process has been completed.
140: *
141: * @return <tt>true</tt> if authorization has been processed,
142: * <tt>false</tt> otherwise.
143: *
144: * @since 3.0
145: */
146: public boolean isComplete() {
147: LOG.debug("enter isComplete()");
148: return this .state == ESTABLISHED || this .state == FAILED;
149: }
150:
151: /**
152: * Returns textual designation of the Negotiate authentication scheme.
153: *
154: * @return <code>Negotiate</code>
155: */
156: public String getSchemeName() {
157: return "Negotiate";
158: }
159:
160: /**
161: * The concept of an authentication realm is not supported by the Negotiate
162: * authentication scheme. Always returns <code>null</code>.
163: *
164: * @return <code>null</code>
165: */
166: public String getRealm() {
167: return null;
168: }
169:
170: /**
171: * Returns a String identifying the authentication challenge. This is
172: * used, in combination with the host and port to determine if
173: * authorization has already been attempted or not. Schemes which
174: * require multiple requests to complete the authentication should
175: * return a different value for each stage in the request.
176: *
177: * <p>Additionally, the ID should take into account any changes to the
178: * authentication challenge and return a different value when appropriate.
179: * For example when the realm changes in basic authentication it should be
180: * considered a different authentication attempt and a different value should
181: * be returned.</p>
182: *
183: * @return String a String identifying the authentication challenge. The
184: * returned value may be null.
185: *
186: * @deprecated no longer used
187: */
188: public String getID() {
189: LOG.debug("enter getID(): " + challenge);
190: return challenge;
191: }
192:
193: /**
194: * Returns the authentication parameter with the given name, if available.
195: *
196: * <p>There are no valid parameters for Negotiate authentication so this
197: * method always returns <tt>null</tt>.</p>
198: *
199: * @param name The name of the parameter to be returned
200: *
201: * @return the parameter with the given name
202: */
203: public String getParameter(String name) {
204: LOG.debug("enter getParameter(" + name + ")");
205: if (name == null) {
206: throw new IllegalArgumentException(
207: "Parameter name may not be null");
208: }
209: return null;
210: }
211:
212: /**
213: * Returns <tt>true</tt>.
214: * Negotiate authentication scheme is connection based.
215: *
216: * @return <tt>true</tt>.
217: *
218: * @since 3.0
219: */
220: public boolean isConnectionBased() {
221: LOG.info("enter isConnectionBased()");
222: return true;
223: }
224:
225: /**
226: * Method not supported by Negotiate scheme.
227: *
228: * @throws AuthenticationException if called.
229: *
230: * @deprecated Use {@link #authenticate(Credentials, HttpMethod)}
231: */
232: public String authenticate(Credentials credentials, String method,
233: String uri) throws AuthenticationException {
234: throw new AuthenticationException(
235: "method not supported by Negotiate scheme");
236: }
237:
238: /**
239: * Produces Negotiate authorization string based on token created by
240: * processChallenge.
241: *
242: * @param credentials Never used be the Negotiate scheme but must be provided to
243: * satisfy common-httpclient API. Credentials from JAAS will be used insted.
244: * @param method The method being authenticated
245: *
246: * @throws AuthenticationException if authorization string cannot
247: * be generated due to an authentication failure
248: *
249: * @return an Negotiate authorization string
250: *
251: * @since 3.0
252: */
253: public String authenticate(Credentials credentials,
254: HttpMethod method) throws AuthenticationException {
255: LOG
256: .debug("enter NegotiateScheme.authenticate(Credentials, HttpMethod)");
257:
258: if (state == UNINITIATED) {
259: throw new IllegalStateException(
260: "Negotiation authentication process has not been initiated");
261: }
262:
263: try {
264: try {
265: if (context == null) {
266: LOG.info("host: " + method.getURI().getHost());
267: init(method.getURI().getHost());
268: }
269: } catch (org.apache.commons.httpclient.URIException urie) {
270: LOG.error(urie.getMessage());
271: state = FAILED;
272: throw new AuthenticationException(urie.getMessage());
273: }
274:
275: // HTTP 1.1 issue:
276: // Mutual auth will never complete do to 200 insted of 401 in
277: // return from server. "state" will never reach ESTABLISHED
278: // but it works anyway
279: token = context.initSecContext(token, 0, token.length);
280: LOG.info("got token, sending " + token.length
281: + " to server");
282: } catch (GSSException gsse) {
283: LOG.fatal(gsse.getMessage());
284: state = FAILED;
285: if (gsse.getMajor() == GSSException.DEFECTIVE_CREDENTIAL
286: || gsse.getMajor() == GSSException.CREDENTIALS_EXPIRED)
287: throw new InvalidCredentialsException(
288: gsse.getMessage(), gsse);
289: if (gsse.getMajor() == GSSException.NO_CRED)
290: throw new CredentialsNotAvailableException(gsse
291: .getMessage(), gsse);
292: if (gsse.getMajor() == GSSException.DEFECTIVE_TOKEN
293: || gsse.getMajor() == GSSException.DUPLICATE_TOKEN
294: || gsse.getMajor() == GSSException.OLD_TOKEN)
295: throw new AuthChallengeException(gsse.getMessage(),
296: gsse);
297: // other error
298: throw new AuthenticationException(gsse.getMessage());
299: }
300: return "Negotiate " + new String(new Base64().encode(token));
301: }
302: }
|