SpnegoAuthenticationProcessingFilter (Spring Security Kerberos Extension 1.0.1.RELEASE API)

java.lang.Object
- org.springframework.web.filter.GenericFilterBean
- - org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter

All Implemented Interfaces:: javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class SpnegoAuthenticationProcessingFilter
extends org.springframework.web.filter.GenericFilterBean

Parses the SPNEGO authentication Header, which was generated by the browser and creates a KerberosServiceRequestToken out if it. It will then call the AuthenticationManager.

A typical Spring Security configuration might look like this:

 <beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

 <sec:http entry-point-ref="spnegoEntryPoint">
        <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
 </sec:http>

 <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

 <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
 </bean>

 <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
 </sec:authentication-manager>

 <bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.kerberos.authenitcation.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
                <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                        <property name="servicePrincipal" value="HTTP/web.springsource.com" />
                        <property name="keyTabLocation" value="classpath:http-java.keytab" />
                </bean>
        </property>
        <property name="userDetailsService" ref="inMemoryUserDetailsService" />
 </bean>

 <bean id="inMemoryUserDetailsService"
        class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
                <value>
                        [email protected]=notUsed,ROLE_ADMIN
                </value>
        </property>
 </bean>
 </beans>

If you get a "GSSException: Channel binding mismatch (Mechanism level:ChannelBinding not provided!) have a look at this bug.

A workaround unti this is fixed in the JVM is to change

HKEY_LOCAL_MACHINE\System \CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02

Since:: 1.0
Author:: Mike Wiesner, Jeremy Stone
See Also:: KerberosServiceAuthenticationProvider, SpnegoEntryPoint

Field Summary
- Fields inherited from class org.springframework.web.filter.GenericFilterBean
  logger

Constructor Summary

Constructors
Constructor and Description

SpnegoAuthenticationProcessingFilter()

Constructors
Constructor and Description
`SpnegoAuthenticationProcessingFilter()`

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`afterPropertiesSet()`
`void`	`doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)`
`void`	`setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)` Sets the authentication details source.
`void`	`setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)` The authentication manager for validating the ticket.
`void`	`setFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)` This handler is called after a failure authentication.
`void`	`setSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionStrategy)` The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the `AuthenticationManager`.
`void`	`setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated)` Should Kerberos authentication be skipped if a user is already authenticated for this request (e.g.
`void`	`setSuccessHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler)` This handler is called after a successful authentication.

Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - SpnegoAuthenticationProcessingFilter
```
public SpnegoAuthenticationProcessingFilter()
```
- Method Detail
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest req,
            javax.servlet.ServletResponse res,
            javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
```
    Throws:
    
    java.io.IOException
    
    javax.servlet.ServletException
  - afterPropertiesSet
```
public void afterPropertiesSet()
                        throws javax.servlet.ServletException
```
    Specified by:
    
    afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
    
    Overrides:
    
    afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
    
    Throws:
    
    javax.servlet.ServletException
  - setAuthenticationManager
```
public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
```
    The authentication manager for validating the ticket.
    
    Parameters:
    authenticationManager - the authentication manager
  - setSuccessHandler
```
public void setSuccessHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler successHandler)
```
    This handler is called after a successful authentication. One can add additional authentication behavior by setting this.
    
    Default is null, which means nothing additional happens
    
    Parameters:
    successHandler - the authentication success handler
  - setFailureHandler
```
public void setFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
```
    This handler is called after a failure authentication. In most cases you only get Kerberos/SPNEGO failures with a wrong server or network configurations and not during runtime. If the client encounters an error, he will just stop the communication with server and therefore this handler will not be called in this case.
    
    Default is null, which means that the Filter returns the HTTP 500 code
    
    Parameters:
    failureHandler - the authentication failure handler
  - setSkipIfAlreadyAuthenticated
```
public void setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated)
```
    Should Kerberos authentication be skipped if a user is already authenticated for this request (e.g. in the HTTP session).
    
    Parameters:
    skipIfAlreadyAuthenticated - default is true
  - setSessionAuthenticationStrategy
```
public void setSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionStrategy)
```
    The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.
    
    Parameters:
    sessionStrategy - the implementation to use. If not set a null implementation is used.
  - setAuthenticationDetailsSource
```
public void setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
```
    Sets the authentication details source.
    
    Parameters:
    authenticationDetailsSource - the authentication details source

Class SpnegoAuthenticationProcessingFilter

Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean

Constructor Summary

Method Summary

Methods inherited from class org.springframework.web.filter.GenericFilterBean

Methods inherited from class java.lang.Object

Constructor Detail

SpnegoAuthenticationProcessingFilter

Method Detail

doFilter

afterPropertiesSet

setAuthenticationManager

setSuccessHandler

setFailureHandler

setSkipIfAlreadyAuthenticated

setSessionAuthenticationStrategy

setAuthenticationDetailsSource