Class SpnegoAuthenticationProcessingFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SpnegoAuthenticationProcessingFilter extends org.springframework.web.filter.OncePerRequestFilter
Parses the SPNEGO "Authorization: Negotiate <base64 token>" header that the browser sends, creates a KerberosServiceRequestToken out of it and passes that token to the AuthenticationManager. The filter only consumes the header; the initial 401 challenge with "WWW-Authenticate: Negotiate" that makes the browser send a ticket in the first place comes from the configured entry point (SpnegoEntryPoint in the example below).

A typical Spring Security configuration might look like this (XML namespace of the Spring Security 3.0 era; on current releases the access attribute takes a SpEL expression such as isFullyAuthenticated() and the InMemoryDaoImpl user store is replaced by <sec:user-service>):

 <beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

 <sec:http entry-point-ref="spnegoEntryPoint">
        <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
 </sec:http>

 <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

 <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
 </bean>

 <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
 </sec:authentication-manager>

 <bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
                <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                        <property name="servicePrincipal" value="HTTP/web.springsource.com" />
                        <property name="keyTabLocation" value="classpath:http-java.keytab" />
                </bean>
        </property>
        <property name="userDetailsService" ref="inMemoryUserDetailsService" />
 </bean>

 <bean id="inMemoryUserDetailsService"
        class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
                <value>
                        [email protected]=notUsed,ROLE_ADMIN
                </value>
        </property>
 </bean>
 </beans>
 
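As an added example that is not part of the original Javadoc or the project's own code, the same wiring expressed as Spring Security 6 Java configuration (matching the jakarta.servlet signatures on this page, with spring-security-kerberos-core and spring-security-kerberos-web on the classpath). The class name SpnegoSecurityConfig, the service principal, the keytab path and the sample user are assumed placeholders; the failure handler, session strategy and skip flag show the filter's setters in use rather than the defaults:

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/** Hypothetical configuration class; values below are placeholders, not project defaults. */
@Configuration
@EnableWebSecurity
public class SpnegoSecurityConfig {

    // Assumed: the SPN registered for this host and the keytab holding its key.
    private static final String SERVICE_PRINCIPAL = "HTTP/web.example.org@EXAMPLE.ORG";
    private static final String KEYTAB_PATH = "/etc/security/http-web.keytab";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/secure/**").authenticated()
                .anyRequest().permitAll())
            // SpnegoEntryPoint answers unauthenticated requests with 401 + "WWW-Authenticate: Negotiate".
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new SpnegoEntryPoint()))
            // Same slot as position="BASIC_AUTH_FILTER" in the XML configuration.
            .addFilterBefore(spnegoFilter(authenticationManager), BasicAuthenticationFilter.class);
        return http.build();
    }

    private SpnegoAuthenticationProcessingFilter spnegoFilter(AuthenticationManager authenticationManager)
            throws ServletException {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        // Rotate the session id once the ticket is accepted (session fixation defence);
        // without this the default null strategy leaves the pre-login session id in place.
        filter.setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
        // Default is already true: a session that is authenticated is not re-validated per request.
        filter.setSkipIfAlreadyAuthenticated(true);
        // Without a handler a rejected ticket yields HTTP 500. Answering 403 is a design choice here:
        // a bad keytab, wrong SPN or clock skew then does not look like an application crash.
        filter.setFailureHandler((request, response, exception) -> {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.getWriter().write("SPNEGO authentication failed");
        });
        filter.afterPropertiesSet(); // fails fast if the manager is missing
        return filter;
    }

    @Bean
    AuthenticationManager authenticationManager(UserDetailsService userDetailsService) {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SERVICE_PRINCIPAL);
        validator.setKeyTabLocation(new FileSystemResource(KEYTAB_PATH));
        validator.setDebug(false); // set true to get the JAAS/GSS trace while debugging a keytab

        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(validator);
        provider.setUserDetailsService(userDetailsService);
        return new ProviderManager(provider);
    }

    @Bean
    UserDetailsService userDetailsService() {
        // Constructed sample user: the Kerberos principal name is the username the provider looks up.
        // The password is never used in the SPNEGO flow; the {noop} prefix only keeps the encoder quiet.
        return new InMemoryUserDetailsManager(
            User.withUsername("mike@EXAMPLE.ORG").password("{noop}notUsed").roles("ADMIN").build());
    }
}
```

The keytab must be readable only by the account running the JVM, and the service principal must match the SPN the browser requests for the host name in the URL; a mismatch surfaces as a failed ticket validation, which is exactly the path the failure handler above covers.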

If you get a "GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)", this is a known JVM bug.

A workaround until this is fixed in the JVM is to set the registry value

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02

on the Windows client. Note that this suppresses Extended Protection for Authentication (channel binding) on that client, so treat it as a troubleshooting workaround rather than a permanent setting.
Since:
1.0
  • Field Summary

    Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
        ALREADY_FILTERED_SUFFIX

    Fields inherited from class org.springframework.web.filter.GenericFilterBean
        logger

  • Constructor Summary

    SpnegoAuthenticationProcessingFilter()

  • Method Summary

    void afterPropertiesSet()

    protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain)
        Processes the SPNEGO Authorization header as described in the class comment.

    void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
        Sets the authentication details source.

    void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
        The authentication manager for validating the ticket.

    void setFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
        This handler is called after a failed authentication.

    void setSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionStrategy)
        The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager.

    void setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated)
        Should Kerberos authentication be skipped if a user is already authenticated for this request (e.g. in the HTTP session).

    void setStopFilterChainOnSuccessfulAuthentication(boolean shouldStop)
        If set to false (the default) and authentication is successful, the request will be processed by the next filter in the chain.

    void setSuccessHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler)
        This handler is called after a successful authentication.

    Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
        doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

    Methods inherited from class org.springframework.web.filter.GenericFilterBean
        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object
        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SpnegoAuthenticationProcessingFilter

      public SpnegoAuthenticationProcessingFilter()
  • Method Details

    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException
      Specified by:
      doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException
    • afterPropertiesSet

      public void afterPropertiesSet() throws jakarta.servlet.ServletException
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
      Throws:
      jakarta.servlet.ServletException
    • setAuthenticationManager

      public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      The authentication manager for validating the ticket.
      Parameters:
      authenticationManager - the authentication manager
    • setSuccessHandler

      public void setSuccessHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler)

      This handler is called after a successful authentication. One can add additional authentication behavior by setting this.

      Default is null, which means nothing additional happens.

      Parameters:
      successHandler - the authentication success handler
    • setFailureHandler

      public void setFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)

      This handler is called after a failed authentication. In most cases you only get Kerberos/SPNEGO failures with a wrong server or network configuration, not at runtime. If the client encounters an error, it will simply stop communicating with the server, so this handler is not called in that case.

      Default is null, which means the filter answers with HTTP 500 (Internal Server Error).

      Parameters:
      failureHandler - the authentication failure handler
    • setSkipIfAlreadyAuthenticated

      public void setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated)
      Should Kerberos authentication be skipped if a user is already authenticated for this request (e.g. in the HTTP session).
      Parameters:
      skipIfAlreadyAuthenticated - default is true
    • setSessionAuthenticationStrategy

      public void setSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionStrategy)
      The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.
      Parameters:
      sessionStrategy - the implementation to use. If not set a null implementation is used.
    • setAuthenticationDetailsSource

      public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
      Sets the authentication details source.
      Parameters:
      authenticationDetailsSource - the authentication details source
    • setStopFilterChainOnSuccessfulAuthentication

      public void setStopFilterChainOnSuccessfulAuthentication(boolean shouldStop)
      If set to false (the default) and authentication is successful, the request will be processed by the next filter in the chain. If true and authentication is successful, the filter chain will stop here.
      Parameters:
      shouldStop - set to true to prevent the next filter in the chain from processing the request after a successful authentication.
      Since:
      1.0.2
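The following added example, not code from the project, exercises the filter's header handling with spring-test mock objects and a stub AuthenticationManager, so the three paths the documentation above describes can be observed without a KDC: a Negotiate header the manager accepts continues down the chain with an authenticated context, a header it rejects stops with HTTP 500 because no failureHandler is set, and a request without the header passes through untouched. The token bytes are constructed, the stub returns a TestingAuthenticationToken in place of the token a real KerberosServiceAuthenticationProvider would build, and the class, record and method names are hypothetical:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

import jakarta.servlet.ServletException;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;

/** Hypothetical demo class; drives SpnegoAuthenticationProcessingFilter without a KDC. */
public class SpnegoFilterBehaviourDemo {

    // Constructed bytes standing in for a real SPNEGO token; no Kerberos structure is implied.
    static final byte[] GOOD_TOKEN = "constructed-good-ticket".getBytes(StandardCharsets.US_ASCII);

    /** Stub manager: accepts only GOOD_TOKEN, as a real provider accepts only a valid ticket. */
    static AuthenticationManager stubManager() {
        return authentication -> {
            if (!(authentication instanceof KerberosServiceRequestToken)) {
                throw new BadCredentialsException("filter must hand over a KerberosServiceRequestToken");
            }
            byte[] ticket = ((KerberosServiceRequestToken) authentication).getToken();
            if (!Arrays.equals(ticket, GOOD_TOKEN)) {
                throw new BadCredentialsException("ticket rejected");
            }
            // Stand-in for the authenticated token the Kerberos provider would return.
            return new TestingAuthenticationToken("mike@EXAMPLE.ORG", null, "ROLE_ADMIN");
        };
    }

    /** What one request through the filter produced. */
    record Outcome(int status, boolean chainContinued, Authentication authentication) {}

    static Outcome run(String authorizationHeader) throws ServletException, IOException {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(stubManager());
        filter.afterPropertiesSet(); // fails fast if the manager is missing

        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/secure/report");
        if (authorizationHeader != null) {
            request.addHeader("Authorization", authorizationHeader);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain(); // getRequest() stays null if never invoked

        // Start from an empty context; otherwise skipIfAlreadyAuthenticated (default true)
        // would short-circuit the filter before it ever looked at the header.
        SecurityContextHolder.clearContext();
        try {
            filter.doFilter(request, response, chain);
            return new Outcome(response.getStatus(), chain.getRequest() != null,
                    SecurityContextHolder.getContext().getAuthentication());
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    /** Builds the header value exactly as a browser does: scheme, space, base64 token. */
    static String negotiate(byte[] token) {
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    public static void main(String[] args) throws Exception {
        Outcome ok = run(negotiate(GOOD_TOKEN));
        System.out.println("valid ticket   -> status " + ok.status() + ", chain continued=" + ok.chainContinued()
                + ", principal=" + ok.authentication().getName());

        byte[] badToken = "constructed-bad-ticket".getBytes(StandardCharsets.US_ASCII);
        Outcome bad = run(negotiate(badToken));
        System.out.println("invalid ticket -> status " + bad.status() + ", chain continued=" + bad.chainContinued());

        Outcome none = run(null);
        System.out.println("no header      -> status " + none.status() + ", chain continued=" + none.chainContinued()
                + ", authenticated=" + (none.authentication() != null));
    }
}
```

Running main shows the accepted ticket continuing the chain with the stub principal in the security context, the rejected ticket stopping the chain with the 500 status the documentation names as the default, and the header-less request continuing the chain unauthenticated; setting a failureHandler or setStopFilterChainOnSuccessfulAuthentication(true) on the filter in run() changes exactly those two observations.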