[idok-commit] idok commit r189 - branches/rest/java/ch/idok/service/server/rest
- From: "AFS account Roman Geus" <geus AT savannah.psi.ch>
- To: idok-commit AT lists.psi.ch
- Subject: [idok-commit] idok commit r189 - branches/rest/java/ch/idok/service/server/rest
- Date: Tue, 26 Aug 2008 17:34:26 +0200
- List-archive: <https://lists.web.psi.ch/pipermail/idok-commit/>
- List-id: Commit emails of the iDok project <idok-commit.lists.psi.ch>
Author: geus
Date: Tue Aug 26 17:34:25 2008
New Revision: 189
Log:
Renamed SpnegoFilter.java to NegotiateFilter.java
Added:
branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
(contents, props changed)
- copied, changed from r175,
/branches/rest/java/ch/idok/service/server/rest/SpnegoFilter.java
Removed:
branches/rest/java/ch/idok/service/server/rest/SpnegoFilter.java
Copied: branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
(from r175, /branches/rest/java/ch/idok/service/server/rest/SpnegoFilter.java)
==============================================================================
--- /branches/rest/java/ch/idok/service/server/rest/SpnegoFilter.java
(original)
+++ branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java Tue
Aug 26 17:34:25 2008
@@ -6,9 +6,6 @@
import java.util.logging.Logger;
import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
@@ -27,88 +24,87 @@
import org.restlet.data.Status;
import org.restlet.util.Series;
-import ch.idok.common.errorhandling.DmsException;
-import ch.idok.common.util.AuthUtil;
-import ch.idok.common.util.DmsCredentials;
-import ch.idok.common.util.DummyCallbackHandler;
-import ch.idok.common.util.Krb5DmsCredentials;
-
import com.noelios.restlet.Engine;
import com.noelios.restlet.authentication.AuthenticationHelper;
import com.noelios.restlet.util.Base64;
import com.sun.security.jgss.GSSUtil;
/**
- * This is a small test filter to test SPNEGO authentication. Treat as
- * experimental!
+ * Restlet filter that implements HTTP authentication using both the
Negotiate
+ * and the Basic authentication scheme.
+ *
+ * For the Negotiate authentication scheme, SPNEGO and Kerberos 5 GSSAPI
tokens
+ * are supported.
*
- * This filter is based on code by Bruno Harbulot
+ * This filter is inspired by Bruno Harbulot's SpnegoFilter
*/
-public class SpnegoFilter extends Filter {
-
- private static final String subjectAttributeName =
"ch.idok.service.server.rest.Subject";
-
- private GSSManager gssManager;
- private GSSCredential gssServerCreds;
+public abstract class NegotiateFilter extends Filter {
/**
- * The HTTP authentication realm
+ * Name of the request attribute that holds the Subject object
*/
- private String realm;
+ protected static final String subjectAttributeName =
"NegotiateFilter.authenticatedSubject";
- /**
- * The login configuration used for checking username and password for
BASIC
- * authentication scheme
- */
- private String jaasLoginConfig;
-
- public static final ChallengeScheme HTTP_SPNEGO = new ChallengeScheme(
+ public static final ChallengeScheme HTTP_NEGOTIATE = new ChallengeScheme(
"HTTP_Negotiate", "Negotiate");
- public SpnegoFilter(String realm, String jaasLoginConfig) {
- this.realm = realm;
- this.jaasLoginConfig = jaasLoginConfig;
+ static {
Engine.getInstance().getRegisteredAuthentications().add(0,
- new SpnegoAuthenticationHelper());
- }
-
- private GSSContext gssInit() throws Exception {
- gssManager = GSSManager.getInstance();
-
- // Accept both SPNEGO and Kerberos v5 tokens
- Oid[] spnegoOid = new Oid[] { new Oid("1.3.6.1.5.5.2"),
- new Oid("1.2.840.113554.1.2.2") };
-
- gssServerCreds = gssManager.createCredential(null,
- GSSCredential.DEFAULT_LIFETIME, spnegoOid,
- GSSCredential.ACCEPT_ONLY);
- return gssManager.createContext((GSSCredential) gssServerCreds);
+ new NegotiateAuthenticationHelper());
}
- public static class SpnegoAuthenticationHelper extends
AuthenticationHelper {
- public static final String SPNEGO_TOKEN_PARAM_NAME = "spnego-token";
+ public static class NegotiateAuthenticationHelper extends
+ AuthenticationHelper {
+ public static final String NEGOTIATE_TOKEN_PARAM_NAME =
"negotiate-token";
- public SpnegoAuthenticationHelper() {
- super(HTTP_SPNEGO, true, true);
+ public NegotiateAuthenticationHelper() {
+ super(HTTP_NEGOTIATE, true, true);
}
@Override
- public void formatCredentials(StringBuilder arg0,
- ChallengeResponse arg1, Request arg2, Series<Parameter>
arg3) {
- // TODO Auto-generated method stub
-
+ public void formatCredentials(StringBuilder sb, ChallengeResponse cr,
+ Request request, Series<Parameter> httpHeaders) {
+ String responseString = cr.getParameters().getFirstValue(
+ NEGOTIATE_TOKEN_PARAM_NAME);
+ if (responseString != null)
+ sb.append(responseString);
+ if (cr.getSecret() != null)
+ sb.append(cr.getSecret());
}
+ @Override
public void formatParameters(StringBuilder sb,
Series<Parameter> parameters, ChallengeRequest request) {
String challengeString = parameters
- .getFirstValue(SPNEGO_TOKEN_PARAM_NAME);
+ .getFirstValue(NEGOTIATE_TOKEN_PARAM_NAME);
if (challengeString != null) {
sb.append(challengeString);
}
}
}
+ /**
+ * The HTTP authentication realm
+ */
+ private final String realm;
+
+ public NegotiateFilter(String realm) {
+ this.realm = realm;
+ }
+
+ private GSSContext gssInit() throws Exception {
+ GSSManager gssManager = GSSManager.getInstance();
+
+ // Accept both SPNEGO and Kerberos v5 tokens
+ Oid[] spnegoOid = new Oid[] { new Oid("1.3.6.1.5.5.2"),
+ new Oid("1.2.840.113554.1.2.2") };
+
+ GSSCredential gssServerCreds = gssManager.createCredential(null,
+ GSSCredential.DEFAULT_LIFETIME, spnegoOid,
+ GSSCredential.ACCEPT_ONLY);
+ return gssManager.createContext((GSSCredential) gssServerCreds);
+ }
+
@Override
protected int doHandle(Request request, Response response) {
Logger logger = getContext().getLogger();
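Review bot: `gssInit` declares `throws Exception` although every call in its body (`new Oid(...)`, `createCredential`, `createContext`) throws only `GSSException`, and the cast in `return gssManager.createContext((GSSCredential) gssServerCreds);` is redundant since the local is already declared as `GSSCredential`. Narrowing to `private GSSContext gssInit() throws GSSException {` and `return gssManager.createContext(gssServerCreds);` lets the caller catch the real failure type instead of the blanket `catch (Exception e)` seen in a later hunk. The acceptor credential is now a local that is handed to the context and never passed to `dispose()`; if `gssInit` is invoked once per request from `doHandle` (whose body continues outside this hunk), a credential is acquired on every request, so consider caching it in a field or disposing it when the context is released. The static initializer's side effect (`add(0, new NegotiateAuthenticationHelper())`) deserves a one-line comment such as `// Registered once at class load so the Negotiate scheme takes precedence over the built-in helpers`.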
@@ -162,9 +158,10 @@
false);
}
- spnegoParams.add(
-
SpnegoAuthenticationHelper.SPNEGO_TOKEN_PARAM_NAME,
- spnegoOutputTokenString);
+ spnegoParams
+ .add(
+
NegotiateAuthenticationHelper.NEGOTIATE_TOKEN_PARAM_NAME,
+ spnegoOutputTokenString);
logger.log(Level.FINEST,
"Sending this Negotiate challenge: {0}",
spnegoOutputTokenString);
@@ -209,8 +206,8 @@
/*
* Adds two challenges.
*/
- ChallengeRequest challengeReq = new ChallengeRequest(HTTP_SPNEGO,
- null);
+ ChallengeRequest challengeReq = new ChallengeRequest(
+ HTTP_NEGOTIATE, null);
challengeReq.setParameters(spnegoParams);
response.getChallengeRequests().add(challengeReq);
@@ -234,7 +231,7 @@
cr.setIdentifier(srcName.toString());
} catch (GSSException e) {
logger.log(Level.FINER,
- "An exception occurred in SpnegoFilter", e);
+ "An exception occurred in NegotiateFilter", e);
response.setStatus(Status.SERVER_ERROR_INTERNAL);
}
}
@@ -250,7 +247,8 @@
}
} catch (Exception e) {
- logger.log(Level.FINER, "An exception occurred in SpnegoFilter",
e);
+ logger.log(Level.FINER, "An exception occurred in
NegotiateFilter",
+ e);
response.setStatus(Status.SERVER_ERROR_INTERNAL);
}
@@ -258,39 +256,12 @@
}
/**
- * Check the username/password combination using a JAAS login
+ * Check the username/password combination of a Authorization Basic
request
+ * header
*
* @return the authenticated Subject if successful, null otherwise
*/
- private Subject checkSecret(Logger logger, Request request,
- String identifier, char[] secret) {
- CallbackHandler handler = new DummyCallbackHandler(identifier,
secret);
-
- try {
- LoginContext lc = new LoginContext(jaasLoginConfig, handler);
- lc.login();
- logger.finer("Authentication successful for user " + identifier);
- return lc.getSubject();
- } catch (LoginException e) {
- logger.log(Level.FINER, "Authentication failed for user "
- + identifier, e);
- return null;
- }
- }
-
- /**
- * Return a DmsCredentials object created from the current Restlet
request.
- *
- * @throws DmsException
- */
- static public DmsCredentials getDmsCredentials() throws DmsException {
- Request request = Request.getCurrent();
- Subject subject = (Subject) request.getAttributes().get(
- subjectAttributeName);
- char[] password = (char[])
request.getChallengeResponse().getSecret();
-
- return new Krb5DmsCredentials(AuthUtil.getUserPrincipal(subject)
- .getName(), password, subject);
- }
+ protected abstract Subject checkSecret(Logger logger, Request request,
+ String identifier, char[] secret);
}
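Review bot: The new abstract `checkSecret` has no `@param` tags and does not state the contract implementers must honour: whether a failed check must return `null` or may propagate an exception (the surrounding `doHandle` appears to rely on `null`), and who owns the `secret` array, which comes straight from the decoded Basic header. Suggest extending the Javadoc with `@param logger`, `@param request`, `@param identifier` and `@param secret` entries, a sentence that authentication failure is signalled by returning `null` rather than throwing, and a sentence that the array belongs to the caller and must not be retained or written to the log. The first sentence should read "of an Authorization Basic request header".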