Package org.codelibs.fess.sso.spnego
Class SpnegoAuthenticator
java.lang.Object
org.codelibs.fess.sso.spnego.SpnegoAuthenticator
- All Implemented Interfaces:
SsoAuthenticator
SPNEGO (Security Provider Negotiation Protocol) authenticator implementation.
This class provides Single Sign-On (SSO) authentication using the SPNEGO protocol,
which is commonly used for Kerberos-based authentication in Windows environments.
It handles the negotiation between client and server to establish a secure
authentication context without requiring users to explicitly enter credentials.
The authenticator supports various configuration options including delegation,
basic authentication fallback, and localhost authentication bypass.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprotected static classSPNEGO filter configuration implementation. -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected org.codelibs.spnego.SpnegoAuthenticatorThe underlying SPNEGO authenticator instance.protected static final StringConfiguration key for allowing basic authentication.protected static final StringConfiguration key for enabling delegation in SPNEGO authentication.protected static final StringConfiguration key for allowing localhost authentication bypass.protected static final StringConfiguration key for allowing unsecure basic authentication.protected static final StringConfiguration key for the comma-separated list of additionally allowed Kerberos realms.protected static final StringConfiguration key for directories to exclude from SPNEGO authentication.protected static final StringConfiguration key for Kerberos configuration file path.protected static final StringConfiguration key for SPNEGO logger level.protected static final StringConfiguration key for login client module name.protected static final StringConfiguration key for login configuration file path.protected static final StringConfiguration key for login server module name.protected static final StringConfiguration key for pre-authentication password.protected static final StringConfiguration key for pre-authentication username.protected static final StringConfiguration key for prompting NTLM authentication. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoiddestroy()Releases the SPNEGO server credentials and login context on shutdown.protected org.codelibs.spnego.SpnegoAuthenticatorGets or creates the SPNEGO authenticator instance.org.lastaflute.web.login.credential.LoginCredentialAttempts to obtain login credentials using SPNEGO authentication.org.lastaflute.web.response.ActionResponsegetResponse(SsoResponseType responseType) Gets the action response for the specified SSO response type.voidinit()Initializes the SPNEGO authenticator and registers it with the SSO manager.protected booleanisAllowedRealm(String realm) Determines whether the given Kerberos realm is permitted to log in.protected booleanisAllowedRealm(String realm, String serverRealm) Determines whether the given Kerberos realm is permitted, considering the server realm and the comma-separatedspnego.allowed.realmssystem property (for intentional cross-realm trust setups).logout(org.codelibs.fess.mylasta.action.FessUserBean user) Performs logout for the specified user.voidResolves the SPNEGO credential to a user entity.
-
Field Details
-
SPNEGO_EXCLUDE_DIRS
Configuration key for directories to exclude from SPNEGO authentication.- See Also:
-
SPNEGO_ALLOW_DELEGATION
Configuration key for enabling delegation in SPNEGO authentication.- See Also:
-
SPNEGO_ALLOWED_REALMS
Configuration key for the comma-separated list of additionally allowed Kerberos realms.- See Also:
-
SPNEGO_ALLOW_LOCALHOST
Configuration key for allowing localhost authentication bypass.- See Also:
-
SPNEGO_PROMPT_NTLM
Configuration key for prompting NTLM authentication.- See Also:
-
SPNEGO_ALLOW_UNSECURE_BASIC
Configuration key for allowing unsecure basic authentication.- See Also:
-
SPNEGO_ALLOW_BASIC
Configuration key for allowing basic authentication.- See Also:
-
SPNEGO_PREAUTH_PASSWORD
Configuration key for pre-authentication password.- See Also:
-
SPNEGO_PREAUTH_USERNAME
Configuration key for pre-authentication username.- See Also:
-
SPNEGO_LOGIN_SERVER_MODULE
Configuration key for login server module name.- See Also:
-
SPNEGO_LOGIN_CLIENT_MODULE
Configuration key for login client module name.- See Also:
-
SPNEGO_KRB5_CONF
Configuration key for Kerberos configuration file path.- See Also:
-
SPNEGO_LOGIN_CONF
Configuration key for login configuration file path.- See Also:
-
SPNEGO_LOGGER_LEVEL
Configuration key for SPNEGO logger level.- See Also:
-
authenticator
protected org.codelibs.spnego.SpnegoAuthenticator authenticatorThe underlying SPNEGO authenticator instance.
-
-
Constructor Details
-
SpnegoAuthenticator
public SpnegoAuthenticator()Constructs a new SPNEGO authenticator.
-
-
Method Details
-
init
@PostConstruct public void init()Initializes the SPNEGO authenticator and registers it with the SSO manager. This method is called automatically after dependency injection is complete. -
destroy
@PreDestroy public void destroy()Releases the SPNEGO server credentials and login context on shutdown. -
getAuthenticator
protected org.codelibs.spnego.SpnegoAuthenticator getAuthenticator()Gets or creates the SPNEGO authenticator instance. This method implements lazy initialization with synchronization to ensure the authenticator is only created once per JVM. Because the underlying SpnegoFilterConfig is a JVM-wide singleton, the configuration is cached for the lifetime of the process and a Fess restart is required to apply changes.- Returns:
- The configured SPNEGO authenticator instance
- Throws:
SsoLoginException- if SPNEGO initialization fails
-
getLoginCredential
public org.lastaflute.web.login.credential.LoginCredential getLoginCredential()Attempts to obtain login credentials using SPNEGO authentication. This method processes the HTTP request to extract and validate SPNEGO authentication tokens. It handles the SPNEGO handshake process and extracts the user principal from successful authentication.- Specified by:
getLoginCredentialin interfaceSsoAuthenticator- Returns:
- The login credential containing the authenticated username, an ActionResponseCredential for authentication challenges, or null if no authentication information is available
- Throws:
SsoLoginException- if SPNEGO authentication fails
-
isAllowedRealm
Determines whether the given Kerberos realm is permitted to log in. The server's own realm is always allowed.- Parameters:
realm- the Kerberos realm extracted from the client principal- Returns:
- true if the realm is allowed
-
isAllowedRealm
Determines whether the given Kerberos realm is permitted, considering the server realm and the comma-separatedspnego.allowed.realmssystem property (for intentional cross-realm trust setups). When neither the server realm nor an allow list can be determined, the realm is accepted to preserve backward compatibility (a warning is logged).- Parameters:
realm- the Kerberos realm extracted from the client principalserverRealm- the Kerberos realm of the SPNEGO server principal (may be blank)- Returns:
- true if the realm is allowed
-
resolveCredential
Resolves the SPNEGO credential to a user entity. This method handles the resolution of SPNEGO credentials by checking if the user is an admin user or needs to be authenticated through LDAP.- Specified by:
resolveCredentialin interfaceSsoAuthenticator- Parameters:
resolver- The credential resolver to use for user lookup
-
getResponse
Gets the action response for the specified SSO response type. SPNEGO authentication typically doesn't require special response handling for metadata or logout operations, so this method returns null.- Specified by:
getResponsein interfaceSsoAuthenticator- Parameters:
responseType- The type of SSO response requested- Returns:
- Always returns null for SPNEGO authentication
-
logout
Performs logout for the specified user. SPNEGO authentication relies on the underlying Kerberos infrastructure for session management, so no specific logout URL is provided.- Specified by:
logoutin interfaceSsoAuthenticator- Parameters:
user- The user to logout- Returns:
- Always returns null as SPNEGO doesn't provide a logout URL
-