Package org.alfresco.repo.webdav.auth
Class BaseSSOAuthenticationFilter
- java.lang.Object
  - org.alfresco.repo.webdav.auth.BaseAuthenticationFilter
    - org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter
- All Implemented Interfaces:
- org.alfresco.repo.management.subsystems.ActivateableBean, DependencyInjectedFilter, AuthenticationDriver, org.springframework.beans.factory.InitializingBean
- Direct Known Subclasses:
- BaseKerberosAuthenticationFilter, BaseNTLMAuthenticationFilter
public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilter implements DependencyInjectedFilter, AuthenticationDriver, org.alfresco.repo.management.subsystems.ActivateableBean, org.springframework.beans.factory.InitializingBean
Base class with common code and initialisation for single signon authentication filters.
- Author:
- gkspencer, kroast
-
-
Field Summary
Modifier and Type, Field
protected String loginPageLink
protected static String MIME_HTML_TEXT
-
Fields inherited from class org.alfresco.repo.webdav.auth.BaseAuthenticationFilter
ARG_TICKET, AUTHENTICATION_USER, authenticationComponent, authenticationListener, authenticationService, NO_AUTH_REQUIRED, nodeService, personService, remoteUserMapper, transactionService
-
Fields inherited from interface org.alfresco.repo.webdav.auth.AuthenticationDriver
AUTHENTICATION_USER
-
-
Constructor Summary
BaseSSOAuthenticationFilter()
-
Method Summary
Modifier and Type, Method - Description
void afterPropertiesSet()
protected boolean allowsTicketLogons() - Check if ticket based logons are allowed
protected boolean checkForTicketParameter(javax.servlet.ServletContext servletContext, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) - Check if the request has specified a ticket parameter to bypass the standard authentication.
void doFilter(javax.servlet.ServletContext context, javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
protected String getLoginPage() - Return the login page address
String getLoginPageLink()
protected org.alfresco.jlan.server.config.SecurityConfigSection getSecurityConfigSection()
protected String getServerName() - Because the file server configuration may change during the lifetime of this filter, this method checks against the last configured server name before returning a cached result
protected boolean hasLoginPage() - Determine if the login page is available
protected void includeFallbackAuth(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) - Include into response authentication method that is supported by fallback mechanism
protected void init() - Initializes the filter.
boolean isActive()
boolean isFallbackEnabled()
protected boolean isNTLMSSPBlob(byte[] byts, int offset) - Check if a security blob starts with the NTLMSSP signature
protected String mapClientAddressToDomain(String clientIP) - Map a client IP address to a domain
protected boolean onLoginComplete(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, boolean userInit) - Callback executed on completion of NTLM login
protected void onValidate(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, WebCredentials credentials) - Callback executed on successful ticket validation during Type3 Message processing.
protected void onValidateFailed(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.http.HttpSession session, WebCredentials credentials) - Callback executed on failed authentication of a user ticket during Type3 Message processing
protected boolean performFallbackAuthentication(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) - Delegate authentication to the fallback mechanism
protected void redirectToLoginPage(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) - Redirect to the login page
void setActive(boolean active) - Activates or deactivates the bean
void setFallback(AuthenticationDriver delegate) - Sets the fallback authentication support for this filter
void setFallbackEnabled(boolean fallbackEnabled) - Activates or deactivates the fallback authentication support for this filter
protected void setLoginPage(String loginPage) - Set the login page address
void setLoginPageLink(String loginPageLink)
void setServerConfiguration(org.alfresco.filesys.ExtendedServerConfigurationAccessor serverConfiguration)
void setTicketLogons(boolean ticketsAllowed) - Set the ticket based logons allowed flag
protected void writeLoginPageLink(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) - Writes link to login page and refresh tag which cause user to be redirected to the login page.
-
Methods inherited from class org.alfresco.repo.webdav.auth.BaseAuthenticationFilter
createUserEnvironment, createUserEnvironment, createUserObject, doInSystemTransaction, getLogger, getSessionUser, getUserAttributeName, handleLoginForm, invalidateSession, setAuthenticationComponent, setAuthenticationListener, setAuthenticationService, setNodeService, setPersonService, setRemoteUserMapper, setTransactionService, setUserAttributeName
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.alfresco.repo.webdav.auth.AuthenticationDriver
authenticateRequest, restartLoginChallenge
-
Field Detail
-
MIME_HTML_TEXT
protected static final String MIME_HTML_TEXT
- See Also:
- Constant Field Values
-
loginPageLink
protected String loginPageLink
-
-
Method Detail
-
getLoginPageLink
public String getLoginPageLink()
- Returns:
- login page link, which is sent back to the client if the login fails in the filter. Override to change the default behaviour.
-
setLoginPageLink
public void setLoginPageLink(String loginPageLink)
-
setServerConfiguration
public void setServerConfiguration(org.alfresco.filesys.ExtendedServerConfigurationAccessor serverConfiguration)
- Parameters:
- serverConfiguration - the serverConfiguration to set
-
setActive
public final void setActive(boolean active)
Activates or deactivates the bean
- Parameters:
- active - true if the bean is active and initialization should complete
-
isActive
public final boolean isActive()
- Specified by:
- isActive in interface org.alfresco.repo.management.subsystems.ActivateableBean
-
setFallback
public final void setFallback(AuthenticationDriver delegate)
Sets the fallback authentication support for this filter
- Parameters:
- delegate - AuthenticationDriver
-
setFallbackEnabled
public final void setFallbackEnabled(boolean fallbackEnabled)
Activates or deactivates the fallback authentication support for this filter
- Parameters:
- fallbackEnabled -
-
isFallbackEnabled
public final boolean isFallbackEnabled()
- Returns:
- true if fallback authentication enabled
-
afterPropertiesSet
public final void afterPropertiesSet() throws javax.servlet.ServletException
- Specified by:
- afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Throws:
- javax.servlet.ServletException
-
doFilter
public void doFilter(javax.servlet.ServletContext context, javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Description copied from interface: DependencyInjectedFilter
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.
A typical implementation of this method would follow the following pattern:
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.
- Specified by:
- doFilter in interface DependencyInjectedFilter
- Throws:
- IOException
- javax.servlet.ServletException
-
init
protected void init() throws javax.servlet.ServletException
Initializes the filter. Only called if the filter is active, as indicated by isActive(). Subclasses should override.
- Throws:
- javax.servlet.ServletException
-
onValidate
protected void onValidate(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, WebCredentials credentials)
Callback executed on successful ticket validation during Type3 Message processing.
- Parameters:
- sc - the servlet context
- req - the request
- res - the response
-
onValidateFailed
protected void onValidateFailed(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, javax.servlet.http.HttpSession session, WebCredentials credentials) throws IOException
Callback executed on failed authentication of a user ticket during Type3 Message processing
- Parameters:
- sc - the servlet context
- req - HttpServletRequest
- res - HttpServletResponse
- session - HttpSession
- Throws:
- IOException
-
onLoginComplete
protected boolean onLoginComplete(javax.servlet.ServletContext sc, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res, boolean userInit) throws IOException
Callback executed on completion of NTLM login
- Parameters:
- req - HttpServletRequest
- res - HttpServletResponse
- Returns:
- true to continue filter chaining, false otherwise
- Throws:
- IOException
-
mapClientAddressToDomain
protected final String mapClientAddressToDomain(String clientIP)
Map a client IP address to a domain
- Parameters:
- clientIP - String
- Returns:
- String
-
checkForTicketParameter
protected boolean checkForTicketParameter(javax.servlet.ServletContext servletContext, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp)
Check if the request has specified a ticket parameter to bypass the standard authentication.
- Parameters:
- servletContext - the servlet context
- req - the request
- resp - the response
- Returns:
- boolean
-
redirectToLoginPage
protected void redirectToLoginPage(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) throws IOException
Redirect to the login page
- Parameters:
- req - HttpServletRequest
- res - HttpServletResponse
- Throws:
- IOException
-
hasLoginPage
protected final boolean hasLoginPage()
Determine if the login page is available
- Returns:
- boolean
-
getLoginPage
protected final String getLoginPage()
Return the login page address
- Returns:
- String
-
setLoginPage
protected final void setLoginPage(String loginPage)
Set the login page address
- Parameters:
- loginPage - String
-
allowsTicketLogons
protected final boolean allowsTicketLogons()
Check if ticket based logons are allowed
- Returns:
- boolean
-
setTicketLogons
public final void setTicketLogons(boolean ticketsAllowed)
Set the ticket based logons allowed flag
- Parameters:
- ticketsAllowed - boolean
-
isNTLMSSPBlob
protected final boolean isNTLMSSPBlob(byte[] byts, int offset)
Check if a security blob starts with the NTLMSSP signature
- Parameters:
- byts - byte[]
- offset - int
- Returns:
- boolean
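An added example (not Alfresco's implementation, which this page does not show): a check of this kind compares the eight bytes at the offset against the ASCII string NTLMSSP followed by a NUL byte, which lets a filter tell a raw NTLM token from a SPNEGO/Kerberos one. The class and method names and the sample tokens are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Illustrative only: these names are hypothetical, not part of the Alfresco API.
public class NtlmsspSignatureCheck {
    // Every NTLM message opens with "NTLMSSP" followed by a NUL byte (8 bytes in total).
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    static boolean startsWithNtlmssp(byte[] blob, int offset) {
        // Reject null input, negative offsets and blobs too short to hold the signature.
        if (blob == null || offset < 0 || blob.length - offset < SIGNATURE.length) {
            return false;
        }
        for (int i = 0; i < SIGNATURE.length; i++) {
            if (blob[offset + i] != SIGNATURE[i]) {
                return false;
            }
        }
        return true;
    }

    // Classify the token carried in an "Authorization: <scheme> <base64>" header value.
    static String classify(String headerValue) {
        if (headerValue == null) return "none";
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2) return "malformed";
        byte[] blob;
        try {
            blob = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return "malformed"; // token is not valid base64
        }
        return startsWithNtlmssp(blob, 0) ? "ntlmssp" : "other";
    }

    public static void main(String[] args) {
        // Constructed samples: the start of an NTLM Type 1 message, and a token
        // that begins with the GSS-API application tag 0x60 used by SPNEGO.
        byte[] ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0, 7, (byte) 0x82, 8, 0};
        byte[] spnego = {0x60, 0x28, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println(classify("NTLM " + enc.encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + enc.encodeToString(spnego)));
        System.out.println(classify("Negotiate " + enc.encodeToString(ntlm)));
        System.out.println(classify("Negotiate !!!not-base64"));
    }
}
```

The third sample shows why the check looks at the blob rather than the scheme name: a client may send a raw NTLM token under the Negotiate scheme.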
-
getServerName
protected String getServerName()
Because the file server configuration may change during the lifetime of this filter, this method checks against the last configured server name before returning a cached result
- Returns:
- resolved local server name
-
getSecurityConfigSection
protected org.alfresco.jlan.server.config.SecurityConfigSection getSecurityConfigSection()
-
writeLoginPageLink
protected void writeLoginPageLink(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) throws IOException
Writes link to login page and refresh tag which cause user to be redirected to the login page.
- Parameters:
- context - ServletContext
- req - HttpServletRequest
- resp - HttpServletResponse
- Throws:
- IOException
-
includeFallbackAuth
protected void includeFallbackAuth(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) throws IOException
Include into response authentication method that is supported by fallback mechanism
- Parameters:
- context - ServletContext
- req - HttpServletRequest
- resp - HttpServletResponse
- Throws:
- IOException
-
performFallbackAuthentication
protected boolean performFallbackAuthentication(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp) throws IOException, javax.servlet.ServletException
Delegate authentication to the fallback mechanism
- Parameters:
- context - ServletContext
- req - HttpServletRequest
- resp - HttpServletResponse
- Returns:
- boolean
- Throws:
- IOException
- javax.servlet.ServletException
-
-