2 // ========================================================================
3 // Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
19 package org.eclipse.jetty.security.authentication;
21 import java.io.IOException;
23 import javax.servlet.ServletRequest;
24 import javax.servlet.ServletResponse;
25 import javax.servlet.http.HttpServletRequest;
26 import javax.servlet.http.HttpServletResponse;
28 import org.eclipse.jetty.http.HttpHeader;
29 import org.eclipse.jetty.security.ServerAuthException;
30 import org.eclipse.jetty.security.UserAuthentication;
31 import org.eclipse.jetty.server.Authentication;
32 import org.eclipse.jetty.server.Authentication.User;
33 import org.eclipse.jetty.server.UserIdentity;
34 import org.eclipse.jetty.util.log.Log;
35 import org.eclipse.jetty.util.log.Logger;
36 import org.eclipse.jetty.util.security.Constraint;
38 public class SpnegoAuthenticator extends LoginAuthenticator
/** Class logger; in the code shown here it is used only for the debug message emitted before a challenge is sent. */
private static final Logger LOG = Log.getLogger(SpnegoAuthenticator.class);

/**
 * Auth method name held by this authenticator. Starts as {@code Constraint.__SPNEGO_AUTH}
 * and is overwritten by the one-argument constructor.
 */
private String _authMethod = Constraint.__SPNEGO_AUTH;
/**
 * Creates an authenticator that keeps the default auth method name,
 * {@code Constraint.__SPNEGO_AUTH}.
 */
public SpnegoAuthenticator()
{
    // NOTE(review): the listing shows no body lines for this constructor; an empty body
    // (implicit superclass constructor call only) is assumed - confirm against the original file.
    super();
}
/**
 * Allows a custom auth method name to be set for deployments where the default SPNEGO
 * name is not appropriate.
 *
 * <p>The value is stored without validation; a {@code null} argument is kept as given.
 *
 * @param authMethod the auth method name that replaces the default {@code Constraint.__SPNEGO_AUTH}
 */
public SpnegoAuthenticator(String authMethod)
{
    this._authMethod = authMethod;
}
/**
 * Reports the auth method name this authenticator was configured with.
 *
 * @return the current value of {@code _authMethod}
 */
public String getAuthMethod()
{
    // NOTE(review): the listing omits this method's body; returning the field is assumed
    // from the field declaration and the one-argument constructor - confirm against the original file.
    return this._authMethod;
}
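/**
 * Validates a request using the HTTP {@code Negotiate} (SPNEGO) authentication scheme.
 *
 * <p>Outcomes, as far as the listing shows them:
 * <ul>
 * <li>a non-mandatory request gets a {@link DeferredAuthentication};</li>
 * <li>a mandatory request without an {@code Authorization} header is answered with a 401
 *     carrying the {@code Negotiate} challenge, unless the response is a deferred one;</li>
 * <li>a {@code Negotiate} header has its token handed to {@code login(...)}; a non-null
 *     identity yields a {@link UserAuthentication};</li>
 * <li>every other case yields {@link Authentication#UNAUTHENTICATED}.</li>
 * </ul>
 *
 * <p>The {@code Authorization} header is client-controlled, so its length is checked before
 * the token is sliced out of it.
 *
 * @param request the incoming request; cast to {@link HttpServletRequest}
 * @param response the outgoing response; cast to {@link HttpServletResponse}
 * @param mandatory whether authentication is required for this request
 * @return the authentication state described above
 * @throws ServerAuthException if sending the challenge fails with an {@link IOException}
 */
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
{
    // NOTE(review): the listing this method was taken from dropped several short lines (the
    // guards in front of the deferred return, the challenge branch and the user check). Those
    // three conditions are reconstructed from the surrounding statements - confirm them
    // against the original file.
    HttpServletRequest req = (HttpServletRequest)request;
    HttpServletResponse res = (HttpServletResponse)response;

    String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());

    if (!mandatory)
    {
        return new DeferredAuthentication(this);
    }

    // check to see if we have authorization headers required to continue
    if (header == null)
    {
        try
        {
            if (DeferredAuthentication.isDeferred(res))
            {
                return Authentication.UNAUTHENTICATED;
            }

            // The message text is kept byte-for-byte ("Spengo" is misspelled), so log searches
            // for "Spnego" will not match it.
            LOG.debug("SpengoAuthenticator: sending challenge");
            res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return Authentication.SEND_CONTINUE;
        }
        catch (IOException ioe)
        {
            throw new ServerAuthException(ioe);
        }
    }

    // The token starts after the scheme name and one separator character. The previous
    // hard-coded substring(10) threw StringIndexOutOfBoundsException when a client sent the
    // bare scheme name with no token, turning malformed input into an unhandled exception.
    String scheme = HttpHeader.NEGOTIATE.asString();
    int tokenStart = scheme.length() + 1;

    if (header.startsWith(scheme) && header.length() > tokenStart)
    {
        // The token is a credential: it is passed to login(...) and is not logged here.
        String spnegoToken = header.substring(tokenStart);

        UserIdentity user = login(null, spnegoToken, request);

        if (user != null)
        {
            return new UserAuthentication(getAuthMethod(), user);
        }
    }

    // Reached for a header with another scheme, a header with no token, or a token that
    // login(...) did not accept. No new challenge is sent from this path.
    return Authentication.UNAUTHENTICATED;
}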
111 public boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, User validatedUser) throws ServerAuthException