Package org.springframework.security.kerberos.web.authentication

Class SpnegoAuthenticationProcessingFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class SpnegoAuthenticationProcessingFilter extends org.springframework.web.filter.OncePerRequestFilter
Parses the SPNEGO authentication Header, which was generated by the browser and creates a KerberosServiceRequestToken out if it. It will then call the AuthenticationManager.

A typical Spring Security configuration might look like this: 

 <beans xmlns="https://www.springframework.org/schema/beans"
 xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:sec="https://www.springframework.org/schema/security"
 xsi:schemaLocation="https://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        https://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security-3.0.xsd">

 <sec:http entry-point-ref="spnegoEntryPoint">
        <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
 </sec:http>

 <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

 <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
 </bean>

 <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
 </sec:authentication-manager>

 <bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.kerberos.authenitcation.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
                <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                        <property name="servicePrincipal" value="HTTP/web.springsource.com" />
                        <property name="keyTabLocation" value="classpath:http-java.keytab" />
                </bean>
        </property>
        <property name="userDetailsService" ref="inMemoryUserDetailsService" />
 </bean>

 <bean id="inMemoryUserDetailsService"
        class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
                <value>
                        mike@SECPOD.DE=notUsed,ROLE_ADMIN
                </value>
        </property>
 </bean>
 </beans>

If you get a "GSSException: Channel binding mismatch (Mechanism level:ChannelBinding not provided!) have a look at this bug.

A workaround unti this is fixed in the JVM is to change

HKEY_LOCAL_MACHINE\System \CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02
Since:
1.0
See Also:

  • Constructor Details

    • SpnegoAuthenticationProcessingFilter

      public SpnegoAuthenticationProcessingFilter()

  • Method Details

    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException
      Specified by:
      doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException

    • afterPropertiesSet

      public void afterPropertiesSet() throws jakarta.servlet.ServletException
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Overrides:
      afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
      Throws:
      jakarta.servlet.ServletException

    • setAuthenticationManager

      public void setAuthenticationManager(AuthenticationManager authenticationManager)
      The authentication manager for validating the ticket.
      Parameters:
      authenticationManager - the authentication manager

    • setSuccessHandler

      public void setSuccessHandler(AuthenticationSuccessHandler successHandler)

      This handler is called after a successful authentication. One can add additional authentication behavior by setting this.

      Default is null, which means nothing additional happens

      Parameters:
      successHandler - the authentication success handler

    • setFailureHandler

      public void setFailureHandler(AuthenticationFailureHandler failureHandler)

      This handler is called after a failure authentication. In most cases you only get Kerberos/SPNEGO failures with a wrong server or network configurations and not during runtime. If the client encounters an error, he will just stop the communication with server and therefore this handler will not be called in this case.

      Default is null, which means that the Filter returns the HTTP 500 code

      Parameters:
      failureHandler - the authentication failure handler

    • setSkipIfAlreadyAuthenticated

      public void setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated)
      Should Kerberos authentication be skipped if a user is already authenticated for this request (e.g. in the HTTP session).
      Parameters:
      skipIfAlreadyAuthenticated - default is true

    • setSessionAuthenticationStrategy

      public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy)
      The session handling strategy which will be invoked immediately after an authentication request is successfully processed by the AuthenticationManager. Used, for example, to handle changing of the session identifier to prevent session fixation attacks.
      Parameters:
      sessionStrategy - the implementation to use. If not set a null implementation is used.

    • setAuthenticationDetailsSource

      public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
      Sets the authentication details source.
      Parameters:
      authenticationDetailsSource - the authentication details source

    • setStopFilterChainOnSuccessfulAuthentication

      public void setStopFilterChainOnSuccessfulAuthentication(boolean shouldStop)
      If set to false (the default) and authentication is successful, the request will be processed by the next filter in the chain. If true and authentication is successful, the filter chain will stop here.
      Parameters:
      shouldStop - set to true to prevent the next filter in the chain from processing the request after a successful authentication.
      Since:
      1.0.2

    • setSecurityContextRepository

      public void setSecurityContextRepository(SecurityContextRepository securityContextRepository)
      Sets the SecurityContextRepository to save the SecurityContext on authentication success. The default action is not to save the SecurityContext.
      Parameters:
      securityContextRepository - the SecurityContextRepository to use. Cannot be null.

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Parameters:
      securityContextHolderStrategy - the SecurityContextHolderStrategy to use. Cannot be null.