[idok-commit] idok commit r213 - branches/rest/java/ch/idok/service/server/rest
- From: "AFS account Roman Geus" <geus AT savannah.psi.ch>
- To: idok-commit AT lists.psi.ch
- Subject: [idok-commit] idok commit r213 - branches/rest/java/ch/idok/service/server/rest
- Date: Wed, 17 Sep 2008 10:45:00 +0200
- List-archive: <https://lists.web.psi.ch/pipermail/idok-commit/>
- List-id: Commit emails of the iDok project <idok-commit.lists.psi.ch>
Author: geus
Date: Wed Sep 17 10:45:00 2008
New Revision: 213
Log:
Made Negotiate authentication optional, improved error recovery when
credentials cannot be extracted from the GSSAPI token
Modified:
branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
Modified: branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
==============================================================================
--- branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
(original)
+++ branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java Wed
Sep 17 10:45:00 2008
@@ -40,6 +40,12 @@
* request.
*
* This filter is inspired by Bruno Harbulot's SpnegoFilter
+ *
+ * Tested with Java 6.
+ *
+ * Does not work with Java 5, because SPNEGO is not supported.
+ *
+ * TODO proper fallback to Basic when Negotiate token cannot be accepted
*/
public abstract class NegotiateFilter extends Filter {
@@ -54,6 +60,11 @@
static final String GSS_SPNEGO_MECH_OID = "1.3.6.1.5.5.2";
/**
+ * Offer Negotiate challenge iff true
+ */
+ protected final boolean offerNegotiate = true;
+
+ /**
* Name of the request attribute that holds the Subject object
*/
protected static final String subjectAttributeName =
"NegotiateFilter.authenticatedSubject";
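Review bot: The new field is declared `protected final boolean offerNegotiate = true;` with an inline initialiser, so neither a subclass nor a deployment can ever set it to false, which contradicts the commit message's claim that Negotiate is now optional. Either take the value as a constructor argument and assign it to the final field, or replace the field with an overridable hook such as `protected boolean isNegotiateOffered() { return true; }`. The Javadoc `Offer Negotiate challenge iff true` should also state that the flag only controls whether the challenge is advertised; from what is visible it does not appear to stop an incoming Negotiate token from being accepted, so that behaviour should be confirmed and documented.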
@@ -131,7 +142,7 @@
ChallengeResponse cr = request.getChallengeResponse();
Subject authenticatedSubject = null;
-
+
int result = Filter.STOP;
@SuppressWarnings("unchecked")
Series<Parameter> reqHeaders = (Series<Parameter>) request
@@ -220,15 +231,17 @@
} else {
response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
}
- }
+ }
/*
- * Adds two challenges.
+ * Add challenges
*/
- ChallengeRequest challengeReq = new ChallengeRequest(
- HTTP_NEGOTIATE, null);
- challengeReq.setParameters(spnegoParams);
- response.getChallengeRequests().add(challengeReq);
+ if (offerNegotiate) {
+ ChallengeRequest negotiateChallengeReq = new
ChallengeRequest(
+ HTTP_NEGOTIATE, null);
+ negotiateChallengeReq.setParameters(spnegoParams);
+ response.getChallengeRequests().add(negotiateChallengeReq);
+ }
ChallengeRequest basicChallengeReq = new ChallengeRequest(
ChallengeScheme.HTTP_BASIC, realm);
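Review bot: The Basic challenge is still added unconditionally after the new `if (offerNegotiate)` block, so with `offerNegotiate` false the response advertises only Basic and every client is steered into sending its password, yet nothing in this hunk ties that to a TLS connection. If the filter is meant to run without Negotiate, the Basic challenge should be gated on the request being confidential (Restlet appears to expose this as `request.isConfidential()`, to be confirmed against the version in use) or the TLS requirement should be stated in the class Javadoc next to the existing `TODO proper fallback to Basic` note. The enclosing method begins and ends outside this hunk.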
@@ -238,14 +251,22 @@
try {
final GSSName srcName = gssContext.getSrcName();
logger
- .log(Level.FINER,
- "Authenticated via GSS/SPNEGO: {0}({1})",
+ .log(
+ Level.FINER,
+ "Authenticated via GSS/Negotiate:
{0}({1})",
new Object[] { srcName,
srcName.getStringNameType() });
- // Create Subject from GSS-API token (including TGT)
- authenticatedSubject = GSSUtil.createSubject(gssContext
- .getSrcName(), gssContext.getDelegCred());
+ // Create Subject from GSS-API token (including TGT if
+ // available)
+ try {
+ GSSCredential gssCred = gssContext.getDelegCred();
+ authenticatedSubject =
GSSUtil.createSubject(gssContext
+ .getSrcName(), gssCred);
+ } catch (GSSException e) {
+ authenticatedSubject =
GSSUtil.createSubject(gssContext
+ .getSrcName(), null);
+ }
// Set identifier, so ChallengeResponse.getPrincipal()
works
cr.setIdentifier(srcName.toString());
} catch (GSSException e) {
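Review bot: The inner `catch (GSSException e)` around `gssContext.getDelegCred()` discards the exception without logging, so a broken credential-delegation setup is invisible to operators and the resulting Subject silently lacks the TGT that later code may expect; add at least `logger.log(Level.FINE, "Delegated credential unavailable, creating Subject without TGT", e);` before the fallback `createSubject` call. The fallback also re-invokes `gssContext.getSrcName()` twice although `srcName` is already in scope and is the value that was just logged. Note that `GSSContext.getDelegCred()` is documented to return null when nothing was delegated rather than throw, so the null-credential path reaches `GSSUtil.createSubject` on the success branch as well; presumably that helper tolerates null, but it is not visible here and worth confirming. The enclosing try block and method continue outside this hunk.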