Class SpnegoAuthenticator

java.lang.Object
org.codelibs.fess.sso.spnego.SpnegoAuthenticator
All Implemented Interfaces:
SsoAuthenticator

public class SpnegoAuthenticator extends Object implements SsoAuthenticator
SPNEGO (Security Provider Negotiation Protocol) authenticator implementation. This class provides Single Sign-On (SSO) authentication using the SPNEGO protocol, which is commonly used for Kerberos-based authentication in Windows environments. It handles the negotiation between client and server to establish a secure authentication context without requiring users to explicitly enter credentials. The authenticator supports various configuration options including delegation, basic authentication fallback, and localhost authentication bypass.
  • Field Details

    • SPNEGO_EXCLUDE_DIRS

      protected static final String SPNEGO_EXCLUDE_DIRS
      Configuration key for directories to exclude from SPNEGO authentication.
      See Also:
    • SPNEGO_ALLOW_DELEGATION

      protected static final String SPNEGO_ALLOW_DELEGATION
      Configuration key for enabling delegation in SPNEGO authentication.
      See Also:
    • SPNEGO_ALLOWED_REALMS

      protected static final String SPNEGO_ALLOWED_REALMS
      Configuration key for the comma-separated list of additionally allowed Kerberos realms.
      See Also:
    • SPNEGO_ALLOW_LOCALHOST

      protected static final String SPNEGO_ALLOW_LOCALHOST
      Configuration key for allowing localhost authentication bypass.
      See Also:
    • SPNEGO_PROMPT_NTLM

      protected static final String SPNEGO_PROMPT_NTLM
      Configuration key for prompting NTLM authentication.
      See Also:
    • SPNEGO_ALLOW_UNSECURE_BASIC

      protected static final String SPNEGO_ALLOW_UNSECURE_BASIC
      Configuration key for allowing unsecure basic authentication.
      See Also:
    • SPNEGO_ALLOW_BASIC

      protected static final String SPNEGO_ALLOW_BASIC
      Configuration key for allowing basic authentication.
      See Also:
    • SPNEGO_PREAUTH_PASSWORD

      protected static final String SPNEGO_PREAUTH_PASSWORD
      Configuration key for pre-authentication password.
      See Also:
    • SPNEGO_PREAUTH_USERNAME

      protected static final String SPNEGO_PREAUTH_USERNAME
      Configuration key for pre-authentication username.
      See Also:
    • SPNEGO_LOGIN_SERVER_MODULE

      protected static final String SPNEGO_LOGIN_SERVER_MODULE
      Configuration key for login server module name.
      See Also:
    • SPNEGO_LOGIN_CLIENT_MODULE

      protected static final String SPNEGO_LOGIN_CLIENT_MODULE
      Configuration key for login client module name.
      See Also:
    • SPNEGO_KRB5_CONF

      protected static final String SPNEGO_KRB5_CONF
      Configuration key for Kerberos configuration file path.
      See Also:
    • SPNEGO_LOGIN_CONF

      protected static final String SPNEGO_LOGIN_CONF
      Configuration key for login configuration file path.
      See Also:
    • SPNEGO_LOGGER_LEVEL

      protected static final String SPNEGO_LOGGER_LEVEL
      Configuration key for SPNEGO logger level.
      See Also:
    • authenticator

      protected org.codelibs.spnego.SpnegoAuthenticator authenticator
      The underlying SPNEGO authenticator instance.
  • Constructor Details

    • SpnegoAuthenticator

      public SpnegoAuthenticator()
      Constructs a new SPNEGO authenticator.
  • Method Details

    • init

      @PostConstruct public void init()
      Initializes the SPNEGO authenticator and registers it with the SSO manager. This method is called automatically after dependency injection is complete.
    • destroy

      @PreDestroy public void destroy()
      Releases the SPNEGO server credentials and login context on shutdown.
    • getAuthenticator

      protected org.codelibs.spnego.SpnegoAuthenticator getAuthenticator()
      Gets or creates the SPNEGO authenticator instance. This method implements lazy initialization with synchronization to ensure the authenticator is only created once per JVM. Because the underlying SpnegoFilterConfig is a JVM-wide singleton, the configuration is cached for the lifetime of the process and a Fess restart is required to apply changes.
      Returns:
      The configured SPNEGO authenticator instance
      Throws:
      SsoLoginException - if SPNEGO initialization fails
    • getLoginCredential

      public org.lastaflute.web.login.credential.LoginCredential getLoginCredential()
      Attempts to obtain login credentials using SPNEGO authentication. This method processes the HTTP request to extract and validate SPNEGO authentication tokens. It handles the SPNEGO handshake process and extracts the user principal from successful authentication.
      Specified by:
      getLoginCredential in interface SsoAuthenticator
      Returns:
      The login credential containing the authenticated username, an ActionResponseCredential for authentication challenges, or null if no authentication information is available
      Throws:
      SsoLoginException - if SPNEGO authentication fails
    • isAllowedRealm

      protected boolean isAllowedRealm(String realm)
      Determines whether the given Kerberos realm is permitted to log in. The server's own realm is always allowed.
      Parameters:
      realm - the Kerberos realm extracted from the client principal
      Returns:
      true if the realm is allowed
    • isAllowedRealm

      protected boolean isAllowedRealm(String realm, String serverRealm)
      Determines whether the given Kerberos realm is permitted, considering the server realm and the comma-separated spnego.allowed.realms system property (for intentional cross-realm trust setups). When neither the server realm nor an allow list can be determined, the realm is accepted to preserve backward compatibility (a warning is logged).
      Parameters:
      realm - the Kerberos realm extracted from the client principal
      serverRealm - the Kerberos realm of the SPNEGO server principal (may be blank)
      Returns:
      true if the realm is allowed
    • resolveCredential

      public void resolveCredential(FessLoginAssist.LoginCredentialResolver resolver)
      Resolves the SPNEGO credential to a user entity. This method handles the resolution of SPNEGO credentials by checking if the user is an admin user or needs to be authenticated through LDAP.
      Specified by:
      resolveCredential in interface SsoAuthenticator
      Parameters:
      resolver - The credential resolver to use for user lookup
    • getResponse

      public org.lastaflute.web.response.ActionResponse getResponse(SsoResponseType responseType)
      Gets the action response for the specified SSO response type. SPNEGO authentication typically doesn't require special response handling for metadata or logout operations, so this method returns null.
      Specified by:
      getResponse in interface SsoAuthenticator
      Parameters:
      responseType - The type of SSO response requested
      Returns:
      Always returns null for SPNEGO authentication
    • logout

      public String logout(org.codelibs.fess.mylasta.action.FessUserBean user)
      Performs logout for the specified user. SPNEGO authentication relies on the underlying Kerberos infrastructure for session management, so no specific logout URL is provided.
      Specified by:
      logout in interface SsoAuthenticator
      Parameters:
      user - The user to logout
      Returns:
      Always returns null as SPNEGO doesn't provide a logout URL