View Javadoc

1   /*
2    * ====================================================================
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *   http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing,
14   * software distributed under the License is distributed on an
15   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16   * KIND, either express or implied.  See the License for the
17   * specific language governing permissions and limitations
18   * under the License.
19   * ====================================================================
20   *
21   * This software consists of voluntary contributions made by many
22   * individuals on behalf of the Apache Software Foundation.  For more
23   * information on the Apache Software Foundation, please see
24   * <http://www.apache.org/>.
25   *
26   */
27  package org.apache.http.impl.auth;
28  
29  import java.io.IOException;
30  
31  import org.apache.commons.logging.Log;
32  import org.apache.commons.logging.LogFactory;
33  import org.apache.http.Header;
34  import org.apache.http.HttpRequest;
35  import org.apache.http.auth.AuthenticationException;
36  import org.apache.http.auth.Credentials;
37  import org.apache.http.protocol.HttpContext;
38  import org.apache.http.util.Args;
39  import org.ietf.jgss.GSSException;
40  import org.ietf.jgss.Oid;
41  
42  /**
43   * SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) authentication
44   * scheme.
45   *
46   * @since 4.1
47   *
48   * @deprecated (4.2)  use {@link SPNegoScheme} or {@link KerberosScheme}.
49   */
50  @Deprecated
51  public class NegotiateScheme extends GGSSchemeBase {
52  
53      private final Log log = LogFactory.getLog(getClass());
54  
55      private static final String SPNEGO_OID       = "1.3.6.1.5.5.2";
56      private static final String KERBEROS_OID     = "1.2.840.113554.1.2.2";
57  
58      private final SpnegoTokenGenerator spengoGenerator;
59  
60      /**
61       * Default constructor for the Negotiate authentication scheme.
62       *
63       */
64      public NegotiateScheme(final SpnegoTokenGenerator spengoGenerator, final boolean stripPort) {
65          super(stripPort);
66          this.spengoGenerator = spengoGenerator;
67      }
68  
69      public NegotiateScheme(final SpnegoTokenGenerator spengoGenerator) {
70          this(spengoGenerator, false);
71      }
72  
73      public NegotiateScheme() {
74          this(null, false);
75      }
76  
77      /**
78       * Returns textual designation of the Negotiate authentication scheme.
79       *
80       * @return {@code Negotiate}
81       */
82      @Override
83      public String getSchemeName() {
84          return "Negotiate";
85      }
86  
87      @Override
88      public Header authenticate(
89              final Credentials credentials,
90              final HttpRequest request) throws AuthenticationException {
91          return authenticate(credentials, request, null);
92      }
93  
94      /**
95       * Produces Negotiate authorization Header based on token created by
96       * processChallenge.
97       *
98       * @param credentials Never used be the Negotiate scheme but must be provided to
99       * satisfy common-httpclient API. Credentials from JAAS will be used instead.
100      * @param request The request being authenticated
101      *
102      * @throws AuthenticationException if authorisation string cannot
103      *   be generated due to an authentication failure
104      *
105      * @return an Negotiate authorisation Header
106      */
107     @Override
108     public Header authenticate(
109             final Credentials credentials,
110             final HttpRequest request,
111             final HttpContext context) throws AuthenticationException {
112         return super.authenticate(credentials, request, context);
113     }
114 
115     @Override
116     protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
117         return super.generateToken(input, authServer);
118     }
119 
120     @Override
121     protected byte[] generateToken(final byte[] input, final String authServer, final Credentials credentials) throws GSSException {
122         /* Using the SPNEGO OID is the correct method.
123          * Kerberos v5 works for IIS but not JBoss. Unwrapping
124          * the initial token when using SPNEGO OID looks like what is
125          * described here...
126          *
127          * http://msdn.microsoft.com/en-us/library/ms995330.aspx
128          *
129          * Another helpful URL...
130          *
131          * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
132          *
133          * Unfortunately SPNEGO is JRE >=1.6.
134          */
135 
136         /** Try SPNEGO by default, fall back to Kerberos later if error */
137         Oid negotiationOid  = new Oid(SPNEGO_OID);
138 
139         byte[] token = input;
140         boolean tryKerberos = false;
141         try {
142             token = generateGSSToken(token, negotiationOid, authServer, credentials);
143         } catch (final GSSException ex){
144             // BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
145             // Rethrow any other exception.
146             if (ex.getMajor() == GSSException.BAD_MECH ){
147                 log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
148                 tryKerberos = true;
149             } else {
150                 throw ex;
151             }
152 
153         }
154         if (tryKerberos){
155             /* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
156             log.debug("Using Kerberos MECH " + KERBEROS_OID);
157             negotiationOid  = new Oid(KERBEROS_OID);
158             token = generateGSSToken(token, negotiationOid, authServer, credentials);
159 
160             /*
161              * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
162              * seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
163              */
164             if (token != null && spengoGenerator != null) {
165                 try {
166                     token = spengoGenerator.generateSpnegoDERObject(token);
167                 } catch (final IOException ex) {
168                     log.error(ex.getMessage(), ex);
169                 }
170             }
171         }
172         return token;
173     }
174 
175     /**
176      * Returns the authentication parameter with the given name, if available.
177      *
178      * <p>There are no valid parameters for Negotiate authentication so this
179      * method always returns {@code null}.</p>
180      *
181      * @param name The name of the parameter to be returned
182      *
183      * @return the parameter with the given name
184      */
185     @Override
186     public String getParameter(final String name) {
187         Args.notNull(name, "Parameter name");
188         return null;
189     }
190 
191     /**
192      * The concept of an authentication realm is not supported by the Negotiate
193      * authentication scheme. Always returns {@code null}.
194      *
195      * @return {@code null}
196      */
197     @Override
198     public String getRealm() {
199         return null;
200     }
201 
202     /**
203      * Returns {@code true}.
204      * Negotiate authentication scheme is connection based.
205      *
206      * @return {@code true}.
207      */
208     @Override
209     public boolean isConnectionBased() {
210         return true;
211     }
212 
213 }