inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V3.3-BUG-FIX to HEAD

Browse Source 
21132: ALF-3855: Refactored repository authentication filters so that same code is re-used for Web Client, Web Script, Web DAV and Sharepoint authentication
      - 'Uber Filter' part 3
      - Means we now support Kerberos Authentication for Sharepoint
      - Threw away a lot of duplicated code
      - New common AuthenticationDriver interface created and now implemented by core authentication code
      - Sharepoint and BaseSSOAuthenticationFilter now both use AuthenticationDrivers
      - Needs regression testing
   21137: ALF-3841: Alfresco Explorer SSO Authentication Filters now accept ticket parameters too
      - Can be turned back off with ntlm.authentication.browser.ticketLogons=false or kerberos.authentication.browser.ticketLogons=false
      - Wiki updated
   21141: ALF-3855: Fixed wiring
   21146: ALF-2879: 'xamconnector' module behaviour for xam:archived
      - Application of xam:archived recurses and locks both files and folders
      - cm:content nodes also have the store selector applied for the XAMContentStore
      - TODO: Archive properties
   21165: Fixed ALF-3867: SQL format error when re-instating orphaned content URL
      - Parameter was not bounded with #
      - Added unit test to ensure SQL generated is correct
   21169: Merged V3.3 to V3.3-BUG-FIX
      21168: (RECORD ONLY Merged PATCHES/V3.2.1 to V3.3
         21166: Merged V3.3-BUG-FIX to PATCHES/V3.2.1
            21165: Fixed ALF-3867: SQL format error when re-instating orphaned content URL
               - Parameter was not bounded with #
               - Added unit test to ensure SQL generated is correct
      21118: Latest SpringSurf libs:
         - Fix for missing read of "keystore" in Remote config
         - Session Fixation attack mitigation improvements:
         - A Surf application no longer generates a Session (and therefore no JSESSIONID) until a user is authenticated - simply visiting a login page or similar will no longer generate a Session
         - Existing Sessions are always invalidated and destroyed if found when a user is authenticated via the LoginController (i.e. due to a JSESSIONID captured via an XSS attack)

         Merged HEAD to V3.3
            21111: Fix to encode form parameter on Share login template - prevents its potential use as an reflected XSS attack vector
            21117: Session Fixation mitigation:
               - Removed Session creation from Share index.jsp

         Merged V3.3-BUG-FIX-2010_06_24 to V3.3
            21096: Fix for ALF-3718 - JSF client login page input validator is too aggressive ("Login" button is disabled if username contains forward slash)
      21088: Latest SpringSurf libs


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@21170 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
2010-07-14 14:49:50 +00:00
parent 53fc77ff7f
commit 80cda47b63
19 changed files with 280 additions and 1038 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
config/alfresco/subsystems/Authentication/alfrescoNtlm/ntlm-filter-context.xml
View File

@@ -12,6 +12,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>${ntlm.authentication.browser.ticketLogons}</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -66,6 +69,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>true</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -93,6 +99,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="serverConfiguration">
<ref bean="fileServerConfiguration" />
</property>
<property name="authenticationService"> <property name="authenticationService">
<ref bean="AuthenticationService" /> <ref bean="AuthenticationService" />
</property> </property>
@@ -108,6 +117,9 @@
<property name="transactionService"> <property name="transactionService">
<ref bean="TransactionService" /> <ref bean="TransactionService" />
</property> </property>
<property name="mapUnknownUserToGuest">
<value>${ntlm.authentication.mapUnknownUserToGuest}</value>
</property>
</bean> </bean>
</beans> </beans>

1
config/alfresco/subsystems/Authentication/alfrescoNtlm/ntlm-filter.properties
View File

@@ -1,2 +1,3 @@
ntlm.authentication.sso.enabled=false ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

40
config/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml
View File

@@ -12,6 +12,9 @@
<property name="active"> <property name="active">
<value>${kerberos.authentication.sso.enabled}</value> <value>${kerberos.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>${kerberos.authentication.browser.ticketLogons}</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -72,6 +75,9 @@
<property name="active"> <property name="active">
<value>${kerberos.authentication.sso.enabled}</value> <value>${kerberos.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>true</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -100,4 +106,38 @@
<value>${kerberos.authentication.http.configEntryName}</value> <value>${kerberos.authentication.http.configEntryName}</value>
</property> </property>
</bean> </bean>
<bean id="sharepointAuthenticationHandler" class="org.alfresco.web.sharepoint.auth.kerberos.KerberosAuthenticationHandler">
<property name="active">
<value>${kerberos.authentication.sso.enabled}</value>
</property>
<property name="serverConfiguration">
<ref bean="fileServerConfiguration" />
</property>
<property name="authenticationService">
<ref bean="AuthenticationService" />
</property>
<property name="authenticationComponent">
<ref bean="AuthenticationComponent" />
</property>
<property name="personService">
<ref bean="personService" />
</property>
<property name="nodeService">
<ref bean="NodeService" />
</property>
<property name="transactionService">
<ref bean="TransactionService" />
</property>
<property name="realm">
<value>${kerberos.authentication.realm}</value>
</property>
<property name="password">
<value>${kerberos.authentication.http.password}</value>
</property>
<property name="jaasConfigEntryName">
<value>${kerberos.authentication.http.configEntryName}</value>
</property>
</bean>
</beans> </beans>

1
config/alfresco/subsystems/Authentication/kerberos/kerberos-filter.properties
View File

@@ -1,3 +1,4 @@
kerberos.authentication.http.configEntryName=AlfrescoHTTP kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=secret kerberos.authentication.http.password=secret
kerberos.authentication.sso.enabled=true kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true

12
config/alfresco/subsystems/Authentication/passthru/ntlm-filter-context.xml
View File

@@ -12,6 +12,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>${ntlm.authentication.browser.ticketLogons}</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -66,6 +69,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="ticketLogons">
<value>true</value>
</property>
<property name="serverConfiguration"> <property name="serverConfiguration">
<ref bean="fileServerConfiguration" /> <ref bean="fileServerConfiguration" />
</property> </property>
@@ -93,6 +99,9 @@
<property name="active"> <property name="active">
<value>${ntlm.authentication.sso.enabled}</value> <value>${ntlm.authentication.sso.enabled}</value>
</property> </property>
<property name="serverConfiguration">
<ref bean="fileServerConfiguration" />
</property>
<property name="authenticationService"> <property name="authenticationService">
<ref bean="AuthenticationService" /> <ref bean="AuthenticationService" />
</property> </property>
@@ -108,6 +117,9 @@
<property name="transactionService"> <property name="transactionService">
<ref bean="TransactionService" /> <ref bean="TransactionService" />
</property> </property>
<property name="mapUnknownUserToGuest">
<value>${ntlm.authentication.mapUnknownUserToGuest}</value>
</property>
</bean> </bean>
</beans> </beans>

1
config/alfresco/subsystems/Authentication/passthru/ntlm-filter.properties
View File

@@ -1,2 +1,3 @@
ntlm.authentication.sso.enabled=true ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

2
config/alfresco/web-client-application-context.xml
View File

@@ -284,7 +284,7 @@
</property> </property>
<property name="interfaces"> <property name="interfaces">
<list> <list>
<value>org.alfresco.web.sharepoint.auth.AuthenticationHandler</value> <value>org.alfresco.repo.webdav.auth.AuthenticationDriver</value>
</list> </list>
</property> </property>
<property name="sourceBeanName"> <property name="sourceBeanName">

4
source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
View File

@@ -111,10 +111,10 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
} }
/* (non-Javadoc) /* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onValidateFailed(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession) * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
*/ */
@Override @Override
protected void onValidateFailed(HttpServletRequest req, HttpServletResponse res, HttpSession session) protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session)
throws IOException throws IOException
{ {
// Redirect to the login page if user validation fails // Redirect to the login page if user validation fails

4
source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
View File

@@ -105,10 +105,10 @@ public class NTLMAuthenticationFilter extends BaseNTLMAuthenticationFilter
} }
/* (non-Javadoc) /* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onValidateFailed(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession) * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
*/ */
@Override @Override
protected void onValidateFailed(HttpServletRequest req, HttpServletResponse res, HttpSession session) protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session)
throws IOException throws IOException
{ {
// Redirect to the login page if user validation fails // Redirect to the login page if user validation fails

13
source/java/org/alfresco/web/sharepoint/auth/AbstractAuthenticationHandler.java
View File

@@ -18,9 +18,12 @@
*/ */
package org.alfresco.web.sharepoint.auth; package org.alfresco.web.sharepoint.auth;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.webdav.auth.AuthenticationDriver;
import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.security.PersonService;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
@@ -32,8 +35,10 @@ import org.apache.commons.logging.LogFactory;
* @author PavelYur * @author PavelYur
* *
*/ */
public abstract class AbstractAuthenticationHandler implements AuthenticationHandler, ActivateableBean public abstract class AbstractAuthenticationHandler implements AuthenticationDriver, ActivateableBean
{ {
private final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
protected Log logger = LogFactory.getLog(getClass()); protected Log logger = LogFactory.getLog(getClass());
protected AuthenticationService authenticationService; protected AuthenticationService authenticationService;
protected PersonService personService; protected PersonService personService;
@@ -67,7 +72,11 @@ public abstract class AbstractAuthenticationHandler implements AuthenticationHan
*/ */
public abstract String getWWWAuthenticate(); public abstract String getWWWAuthenticate();
public void forceClientToPromptLogonDetails(HttpServletResponse response)
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.SharepointAuthenticationHandler#restartLoginChallenge(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
public void restartLoginChallenge(ServletContext context, HttpServletRequest request, HttpServletResponse response)
{ {
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())
logger.debug("Force the client to prompt for logon details"); logger.debug("Force the client to prompt for logon details");

67
source/java/org/alfresco/web/sharepoint/auth/AuthenticationHandler.java
View File

@@ -1,67 +0,0 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.sharepoint.auth;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.alfresco.repo.SessionUser;
/**
* Sharepoint authentication plugin API
*
* @author PavelYur
*/
public interface AuthenticationHandler
{
public final static String HEADER_AUTHORIZATION = "Authorization";
public final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
public final static String NTLM_START = "NTLM";
public final static String BASIC_START = "BASIC";
public final static String USER_SESSION_ATTRIBUTE = "_vtiAuthTicket";
/**
* Authenticate user based on information in http request such as Authorization header or else.
*
* @param request
* http request
* @param response
* http response
* @param alfrescoContext
* deployment context of alfresco application
* @param mapper
* an object capable of determining which users are site members
* @return SessionUser information about currently loged in user or null.
*/
public SessionUser authenticateRequest(HttpServletRequest request, HttpServletResponse response,
SiteMemberMapper mapper, String alfrescoContext);
/**
* Send to user response with http status 401
*
* @param response
* http response
*/
public void forceClientToPromptLogonDetails(HttpServletResponse response);
}

57
source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java
View File

@@ -18,12 +18,17 @@
*/ */
package org.alfresco.web.sharepoint.auth; package org.alfresco.web.sharepoint.auth;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.alfresco.repo.SessionUser; import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.webdav.auth.SharepointConstants;
import org.alfresco.web.bean.repository.User; import org.alfresco.web.bean.repository.User;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
@@ -33,19 +38,20 @@ import org.apache.commons.codec.binary.Base64;
* @author PavelYur * @author PavelYur
* *
*/ */
public class BasicAuthenticationHandler extends AbstractAuthenticationHandler public class BasicAuthenticationHandler extends AbstractAuthenticationHandler implements SharepointConstants
{ {
private final static String HEADER_AUTHORIZATION = "Authorization";
private final static String BASIC_START = "BASIC";
/* (non-Javadoc) /* (non-Javadoc)
* @see org.alfresco.web.vti.auth.AuthenticationHandler#authenticateRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.alfresco.web.vti.auth.SiteMemberMapper, java.lang.String) * @see org.alfresco.repo.webdav.auth.SharepointAuthenticationHandler#authenticateRequest(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/ */
public SessionUser authenticateRequest(HttpServletRequest request, HttpServletResponse response, public boolean authenticateRequest(ServletContext context, HttpServletRequest request, HttpServletResponse response)
SiteMemberMapper mapper, String alfrescoContext) throws IOException, ServletException
{ {
SessionUser user = null;
String authHdr = request.getHeader(HEADER_AUTHORIZATION); String authHdr = request.getHeader(HEADER_AUTHORIZATION);
HttpSession session = request.getSession();
if (authHdr != null && authHdr.length() > 5 && authHdr.substring(0, 5).equalsIgnoreCase(BASIC_START)) if (authHdr != null && authHdr.length() > 5 && authHdr.substring(0, 5).equalsIgnoreCase(BASIC_START))
{ {
String basicAuth = new String(Base64.decodeBase64(authHdr.substring(5).getBytes())); String basicAuth = new String(Base64.decodeBase64(authHdr.substring(5).getBytes()));
@@ -77,20 +83,41 @@ public class BasicAuthenticationHandler extends AbstractAuthenticationHandler
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())
logger.debug("Authenticated user '" + username + "'"); logger.debug("Authenticated user '" + username + "'");
if (mapper.isSiteMember(request, alfrescoContext, username)) request.getSession().setAttribute(USER_SESSION_ATTRIBUTE, new User(username, authenticationService.getCurrentTicket(), personService.getPerson(username)));
{
user = new User(username, authenticationService.getCurrentTicket(), personService.getPerson(username)); return true;
if (session != null)
session.setAttribute(USER_SESSION_ATTRIBUTE, user);
}
} }
catch (AuthenticationException ex) catch (AuthenticationException ex)
{ {
// Do nothing, user object will be null // Do nothing, user object will be null
} }
} }
else
{
HttpSession session = request.getSession(false);
if (session == null)
{
return false;
}
return user; SessionUser user = (SessionUser) session
.getAttribute(USER_SESSION_ATTRIBUTE);
if (user == null)
{
return false;
}
try
{
authenticationService.validate(user.getTicket());
return true;
}
catch (AuthenticationException ex)
{
session.invalidate();
}
}
return false;
} }

46
source/java/org/alfresco/web/sharepoint/auth/SiteMemberMapper.java
View File

@@ -1,46 +0,0 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.sharepoint.auth;
import javax.servlet.http.HttpServletRequest;
/**
* An object capable of answering whether a particular user is a member of the site indicated by the request URL.
*
* @author dward
*/
public interface SiteMemberMapper
{
/**
* Determines whether a particular user is a member of the site indicated by the request URI.
*
* @param request
* the request
* @param alfrescoContext
* the context path to strip from the request URI
* @param userName
* the user name
* @return <code>true</code> if the user is a member
* @throws SiteMemberMappingException
* on error
*/
boolean isSiteMember(HttpServletRequest request, String alfrescoContext, String userName)
throws SiteMemberMappingException;
}

85
source/java/org/alfresco/web/sharepoint/auth/SiteMemberMappingException.java
View File

@@ -1,85 +0,0 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.sharepoint.auth;
import org.alfresco.error.AlfrescoRuntimeException;
/**
* An exception thrown by a {@link SiteMemberMapper}.
*
* @author dward
*/
public class SiteMemberMappingException extends AlfrescoRuntimeException
{
private static final long serialVersionUID = -7235067946629381543L;
/**
* Constructs a <code>SiteMemberMappingException</code>.
*
* @param msgId
* the message id
*/
public SiteMemberMappingException(String msgId)
{
super(msgId);
}
/**
* Constructs a <code>SiteMemberMappingException</code>.
*
* @param msgId
* the message id
* @param msgParams
* the message parameters
*/
public SiteMemberMappingException(String msgId, Object[] msgParams)
{
super(msgId, msgParams);
}
/**
* Constructs a <code>SiteMemberMappingException</code>.
*
* @param msgId
* the message id
* @param cause
* the cause
*/
public SiteMemberMappingException(String msgId, Throwable cause)
{
super(msgId, cause);
}
/**
* Constructs a <code>SiteMemberMappingException</code>.
*
* @param msgId
* the message id
* @param msgParams
* the message parameters
* @param cause
* the cause
*/
public SiteMemberMappingException(String msgId, Object[] msgParams, Throwable cause)
{
super(msgId, msgParams, cause);
}
}

84
source/java/org/alfresco/web/sharepoint/auth/kerberos/KerberosAuthenticationHandler.java Normal file
View File

@@ -0,0 +1,84 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.sharepoint.auth.kerberos;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter;
import org.alfresco.repo.webdav.auth.SharepointConstants;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.web.bean.repository.User;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* <p>
* Kerberos SSO web authentication implementation.
* </p>
*/
public class KerberosAuthenticationHandler extends BaseKerberosAuthenticationFilter
{
// Debug logging
private static Log logger = LogFactory.getLog(KerberosAuthenticationHandler.class);
@Override
protected void init() throws ServletException
{
setUserAttributeName(SharepointConstants.USER_SESSION_ATTRIBUTE);
super.init();
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
*/
@Override
protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session)
throws IOException
{
// Restart the login challenge process if validation fails
restartLoginChallenge(sc, req, res);
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
{
// Create a web client user object
User user = new User( userName, ticket, personNode);
user.setHomeSpaceId( homeSpaceRef.getId());
return user;
}
@Override
protected Log getLogger()
{
return logger;
}
}

841
source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java
View File

@@ -19,845 +19,66 @@
package org.alfresco.web.sharepoint.auth.ntlm; package org.alfresco.web.sharepoint.auth.ntlm;
import java.io.IOException; import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.servlet.ServletContext;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.BadCredentialsException;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.auth.ntlm.NTLM;
import org.alfresco.jlan.server.auth.ntlm.NTLMLogonDetails;
import org.alfresco.jlan.server.auth.ntlm.NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.NTLMv2Blob;
import org.alfresco.jlan.server.auth.ntlm.TargetInfo;
import org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type2NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage;
import org.alfresco.jlan.util.DataPacker;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.SessionUser; import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.webdav.auth.SharepointConstants;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.bean.repository.User; import org.alfresco.web.bean.repository.User;
import org.alfresco.web.sharepoint.auth.AbstractAuthenticationHandler; import org.apache.commons.logging.Log;
import org.alfresco.web.sharepoint.auth.SiteMemberMapper; import org.apache.commons.logging.LogFactory;
import org.alfresco.web.sharepoint.auth.SiteMemberMappingException;
import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.InitializingBean;
/** /**
* <p> * <p>
* NTLM SSO web authentication implementation. * NTLM SSO web authentication implementation.
* </p> * </p>
*/ */
public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler implements InitializingBean public class NtlmAuthenticationHandler extends BaseNTLMAuthenticationFilter
{ {
// NTLM authentication session object names // Debug logging
private static final String NTLM_AUTH_DETAILS = "_alfNTLMDetails"; private static Log logger = LogFactory.getLog(NtlmAuthenticationHandler.class);
private MD4PasswordEncoder md4Encoder = new MD4PasswordEncoderImpl(); @Override
private PasswordEncryptor encryptor = new PasswordEncryptor(); protected void init() throws ServletException
private Random random = new Random(System.currentTimeMillis());
private NLTMAuthenticator authenticationComponent;
private TransactionService transactionService;
private NodeService nodeService;
// NTLM flags mask for use with an authentication component that supports MD4 hashed password
// Enable NTLMv1 and NTLMv2
private static final int NTLM_FLAGS_NTLM2 = NTLM.Flag56Bit +
NTLM.Flag128Bit +
NTLM.FlagLanManKey +
NTLM.FlagNegotiateNTLM +
NTLM.FlagNTLM2Key +
NTLM.FlagNegotiateUnicode;
// NTLM flags mask for use with an authentication component that uses passthru auth
// Enable NTLMv1 only
private static final int NTLM_FLAGS_NTLM1 = NTLM.Flag56Bit +
NTLM.FlagLanManKey +
NTLM.FlagNegotiateNTLM +
NTLM.FlagNegotiateOEM +
NTLM.FlagNegotiateUnicode;
private int ntlmFlags;
public void setAuthenticationComponent(NLTMAuthenticator authenticationComponent)
{ {
this.authenticationComponent = authenticationComponent; setUserAttributeName(SharepointConstants.USER_SESSION_ATTRIBUTE);
super.init();
} }
public void setTransactionService(TransactionService transactionService) /* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
*/
@Override
protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session)
throws IOException
{ {
this.transactionService = transactionService; // Restart the login challenge process if validation fails
restartLoginChallenge(sc, req, res);
} }
public void setNodeService(NodeService nodeService) /* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
{ {
this.nodeService = nodeService; // Create a web client user object
} User user = new User( userName, ticket, personNode);
user.setHomeSpaceId( homeSpaceRef.getId());
public void afterPropertiesSet() throws Exception
{
if (authenticationComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
ntlmFlags = NTLM_FLAGS_NTLM2;
}
else
{
ntlmFlags = NTLM_FLAGS_NTLM1;
}
}
public SessionUser authenticateRequest(HttpServletRequest request, HttpServletResponse response,
SiteMemberMapper mapper, String alfrescoContext)
{
if (logger.isDebugEnabled())
{
logger.debug("Start NTLM authentication for request: " + request.getRequestURI());
}
HttpSession session = request.getSession();
SessionUser user = (SessionUser) session.getAttribute(USER_SESSION_ATTRIBUTE);
String authHdr = request.getHeader(HEADER_AUTHORIZATION);
boolean needToAuthenticate = false;
if (authHdr != null && authHdr.startsWith(NTLM_START))
{
needToAuthenticate = true;
}
if (user != null && needToAuthenticate == false)
{
try
{
authenticationService.validate(user.getTicket());
needToAuthenticate = false;
}
catch (AuthenticationException e)
{
session.removeAttribute(USER_SESSION_ATTRIBUTE);
needToAuthenticate = true;
}
}
if (needToAuthenticate == false && user != null)
{
if (logger.isDebugEnabled())
{
logger.debug("NTLM header wasn't present. Authenticated by user from session. Username: "
+ user.getUserName());
}
return user;
}
if (authHdr == null)
{
if (logger.isDebugEnabled())
{
logger.debug("NTLM header wasn't present. No user was found in session. Return 401 status.");
}
removeNtlmLogonDetailsFromSession(request);
forceClientToPromptLogonDetails(response);
return null;
}
else
{
if (logger.isDebugEnabled())
{
logger.debug("NTLM header present in request.");
}
// Decode the received NTLM blob and validate
final byte[] ntlmByts = Base64.decodeBase64(authHdr.substring(5).getBytes());
int ntlmTyp = NTLMMessage.isNTLMType(ntlmByts);
if (ntlmTyp == NTLM.Type1)
{
Type1NTLMMessage type1Msg = new Type1NTLMMessage(ntlmByts);
try
{
if (logger.isDebugEnabled())
{
logger.debug("Start process type 1 message.");
}
processType1(type1Msg, request, response, session);
user = null;
if (logger.isDebugEnabled())
{
logger.debug("Finish process type 1 message.");
}
}
catch (Exception e)
{
if (logger.isDebugEnabled())
{
logger.debug("Process type 1 message fail with error: " + e.getMessage());
}
session.removeAttribute(USER_SESSION_ATTRIBUTE);
removeNtlmLogonDetailsFromSession(request);
return null;
}
}
else if (ntlmTyp == NTLM.Type3)
{
Type3NTLMMessage type3Msg = new Type3NTLMMessage(ntlmByts);
try
{
if (logger.isDebugEnabled())
{
logger.debug("Start process message type 3.");
}
user = processType3(type3Msg, mapper, request, response, session, alfrescoContext);
if (logger.isDebugEnabled())
{
logger.debug("Finish process message type 3.");
}
}
catch (SiteMemberMappingException e)
{
throw e;
}
catch (Exception e)
{
if (user != null)
{
try
{
authenticationService.validate(user.getTicket());
return user;
}
catch (AuthenticationException ae)
{
}
}
if (logger.isDebugEnabled())
{
logger.debug("Process message type 3 fail with message: " + e.getMessage());
}
session.removeAttribute(USER_SESSION_ATTRIBUTE);
removeNtlmLogonDetailsFromSession(request);
return null;
}
}
return user; return user;
} }
}
@Override @Override
public String getWWWAuthenticate() protected Log getLogger()
{ {
return NTLM_START; return logger;
} }
private void processType1(Type1NTLMMessage type1Msg, HttpServletRequest request, HttpServletResponse response,
HttpSession session) throws IOException
{
removeNtlmLogonDetailsFromSession(request);
NTLMLogonDetails ntlmDetails = new NTLMLogonDetails();
// Set the 8 byte challenge for the new logon request
byte[] challenge = null;
// Generate a random 8 byte challenge
NTLMPassthruToken authToken = null;
if (authenticationComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
challenge = new byte[8];
DataPacker.putIntelLong(random.nextLong(), challenge, 0);
}
else
{
// Get the client domain
String domain = type1Msg.getDomain();
// Create an authentication token for the new logon
authToken = new NTLMPassthruToken(domain);
// Run the first stage of the passthru authentication to get the challenge
authenticationComponent.authenticate(authToken);
// Get the challenge from the token
if (authToken.getChallenge() != null)
{
challenge = authToken.getChallenge().getBytes();
}
}
// Get the flags from the client request and mask out unsupported features
int flags = type1Msg.getFlags() & ntlmFlags;
// Build a type2 message to send back to the client, containing the challenge
List<TargetInfo> tList = new ArrayList<TargetInfo>();
String srvName = getServerName();
tList.add(new TargetInfo(NTLM.TargetServer, srvName));
Type2NTLMMessage type2Msg = new Type2NTLMMessage();
type2Msg.buildType2(flags, srvName, challenge, null, tList);
// Store the NTLM logon details, cache the type2 message, and token if using passthru
ntlmDetails.setType2Message(type2Msg);
ntlmDetails.setAuthenticationToken(authToken);
putNtlmLogonDetailsToSession(request, ntlmDetails);
// Send back a request for NTLM authentication
byte[] type2Bytes = type2Msg.getBytes();
String ntlmBlob = "NTLM " + new String(Base64.encodeBase64(type2Bytes));
response.setHeader(HEADER_WWW_AUTHENTICATE, ntlmBlob);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();
response.getOutputStream().close();
}
private SessionUser processType3(Type3NTLMMessage type3Msg, SiteMemberMapper callback, HttpServletRequest request,
HttpServletResponse response, HttpSession session, String alfrescoContext) throws IOException,
ServletException
{
// Get the existing NTLM details
NTLMLogonDetails ntlmDetails = null;
SessionUser user = null;
if (session != null)
{
ntlmDetails = getNtlmLogonDetailsFromSession(request);
user = (SessionUser) session.getAttribute(USER_SESSION_ATTRIBUTE);
}
// Get the NTLM logon details
String userName = type3Msg.getUserName();
String workstation = type3Msg.getWorkstation();
String domain = type3Msg.getDomain();
boolean authenticated = false;
if (authenticationComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
// Get the stored MD4 hashed password for the user, or null if the user does not exist
String md4hash = getMD4Hash(userName);
if (md4hash != null)
{
authenticated = validateLocalHashedPassword(type3Msg, ntlmDetails, authenticated, md4hash);
}
else
{
authenticated = false;
}
}
else
{
// Determine if the client sent us NTLMv1 or NTLMv2
if (type3Msg.hasFlag(NTLM.Flag128Bit) && type3Msg.hasFlag(NTLM.FlagNTLM2Key) ||
(type3Msg.getNTLMHash() != null && type3Msg.getNTLMHash().length > 24))
{
// Cannot accept NTLMv2 if we are using passthru auth
if (logger.isErrorEnabled())
logger.error("Client " + workstation + " using NTLMv2 logon, not valid with passthru authentication");
}
else
{
// Passthru mode, send the hashed password details to the passthru authentication server
NTLMPassthruToken authToken = (NTLMPassthruToken) ntlmDetails.getAuthenticationToken();
authToken.setUserAndPassword(type3Msg.getUserName(), type3Msg.getNTLMHash(), PasswordEncryptor.NTLM1);
try
{
// Run the second stage of the passthru authentication
authenticationComponent.authenticate(authToken);
authenticated = true;
// Set the authentication context
authenticationComponent.setCurrentUser(userName);
}
catch (BadCredentialsException ex)
{
if (logger.isDebugEnabled())
logger.debug("Authentication failed, " + ex.getMessage());
}
catch (AuthenticationException ex)
{
if (logger.isDebugEnabled())
logger.debug("Authentication failed, " + ex.getMessage());
}
finally
{
// Clear the authentication token from the NTLM details
ntlmDetails.setAuthenticationToken(null);
}
}
}
// Check if the user has been authenticated, if so then setup the user environment
if (authenticated == true && callback.isSiteMember(request, alfrescoContext, userName))
{
String uri = request.getRequestURI();
if (request.getMethod().equals("POST") && !uri.endsWith(".asmx"))
{
response.setHeader("Connection", "Close");
response.setContentType("application/x-vermeer-rpc");
}
if (user == null)
{
user = createUserEnvironment(session, userName);
session.setAttribute(USER_SESSION_ATTRIBUTE, user);
}
else
{
// user already exists - revalidate ticket to authenticate the current user thread
try
{
authenticationService.validate(user.getTicket());
}
catch (AuthenticationException ex)
{
session.removeAttribute(USER_SESSION_ATTRIBUTE);
removeNtlmLogonDetailsFromSession(request);
return null;
}
}
// Update the NTLM logon details in the session
String srvName = getServerName();
if (ntlmDetails == null)
{
// No cached NTLM details
ntlmDetails = new NTLMLogonDetails(userName, workstation, domain, false, srvName);
putNtlmLogonDetailsToSession(request, ntlmDetails);
}
else
{
// Update the cached NTLM details
ntlmDetails.setDetails(userName, workstation, domain, false, srvName);
putNtlmLogonDetailsToSession(request, ntlmDetails);
}
}
else
{
removeNtlmLogonDetailsFromSession(request);
session.removeAttribute(USER_SESSION_ATTRIBUTE);
return null;
}
return user;
}
/*
* returns server name
*/
private String getServerName()
{
return "Alfresco Server";
}
/*
* Create the SessionUser object that represent currently authenticated user.
*/
private SessionUser createUserEnvironment(HttpSession session, final String userName) throws IOException,
ServletException
{
SessionUser user = null;
UserTransaction tx = transactionService.getUserTransaction();
try
{
tx.begin();
RunAsWork<NodeRef> getUserNodeRefRunAsWork = new RunAsWork<NodeRef>()
{
public NodeRef doWork() throws Exception
{
return personService.getPerson(userName);
}
};
NodeRef personNodeRef = AuthenticationUtil.runAs(getUserNodeRefRunAsWork,
AuthenticationUtil.SYSTEM_USER_NAME);
// Use the system user context to do the user lookup
RunAsWork<String> getUserNameRunAsWork = new RunAsWork<String>()
{
public String doWork() throws Exception
{
final NodeRef personNodeRef = personService.getPerson(userName);
return (String) nodeService.getProperty(personNodeRef, ContentModel.PROP_USERNAME);
}
};
String username = AuthenticationUtil.runAs(getUserNameRunAsWork, AuthenticationUtil.SYSTEM_USER_NAME);
authenticationComponent.setCurrentUser(userName);
String currentTicket = authenticationService.getCurrentTicket();
// Create the user object to be stored in the session
user = new User(username, currentTicket, personNodeRef);
tx.commit();
}
catch (Throwable ex)
{
try
{
tx.rollback();
}
catch (Exception err)
{
logger.error("Failed to rollback transaction", err);
}
if (ex instanceof RuntimeException)
{
throw (RuntimeException) ex;
}
else if (ex instanceof IOException)
{
throw (IOException) ex;
}
else if (ex instanceof ServletException)
{
throw (ServletException) ex;
}
else
{
throw new RuntimeException("Authentication setup failed", ex);
}
}
// Store the user on the session
session.setAttribute(USER_SESSION_ATTRIBUTE, user);
return user;
}
/*
* returns the hash of password
*/
protected String getMD4Hash(String userName)
{
String md4hash = null;
// Wrap the auth component calls in a transaction
UserTransaction tx = transactionService.getUserTransaction();
try
{
tx.begin();
// Get the stored MD4 hashed password for the user, or null if the user does not exist
md4hash = authenticationComponent.getMD4HashedPassword(userName);
tx.commit();
}
catch (Throwable ex)
{
try
{
tx.rollback();
}
catch (Exception e)
{
}
}
return md4hash;
}
/*
* Validate local hash for user password and hash that was sent by client
*/
private boolean validateLocalHashedPassword(Type3NTLMMessage type3Msg, NTLMLogonDetails ntlmDetails,
boolean authenticated, String md4hash)
{
if (ntlmDetails == null || ntlmDetails.getType2Message() == null)
{
return false;
}
if (type3Msg.hasFlag(NTLM.FlagNTLM2Key))
{
// Determine if the client sent us an NTLMv2 blob or an NTLMv2 session key
if (type3Msg.getNTLMHashLength() > 24)
{
// Looks like an NTLMv2 blob
authenticated = checkNTLMv2(md4hash, ntlmDetails.getChallengeKey(), type3Msg);
if (logger.isDebugEnabled())
{
logger.debug((authenticated ? "Logged on" : "Logon failed") + " using NTLMSSP/NTLMv2");
}
if ( authenticated == false && type3Msg.hasFlag(NTLM.Flag56Bit) && type3Msg.getLMHashLength() == 24)
{
authenticated = checkNTLMv1(md4hash, ntlmDetails.getChallengeKey(), type3Msg, true);
if (logger.isDebugEnabled())
{
logger.debug((authenticated ? "Logged on" : "Logon failed") + " using NTLMSSP/NTLMv1 (via fallback)");
}
}
}
else
{
authenticated = checkNTLMv2SessionKey(md4hash, ntlmDetails.getChallengeKey(), type3Msg);
if (logger.isDebugEnabled())
{
logger.debug((authenticated ? "Logged on" : "Logon failed") + " using NTLMSSP/NTLMv2SessKey");
}
}
}
else
{
authenticated = checkNTLMv1(md4hash, ntlmDetails.getChallengeKey(), type3Msg, false);
if (logger.isDebugEnabled())
{
logger.debug((authenticated ? "Logged on" : "Logon failed") + " using NTLMSSP/NTLMv1");
}
}
return authenticated;
}
private final boolean checkNTLMv1(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg, boolean checkLMHash)
{
// Generate the local encrypted password using the challenge that was sent to the client
byte[] p21 = new byte[21];
byte[] md4byts = md4Encoder.decodeHash(md4hash);
System.arraycopy(md4byts, 0, p21, 0, 16);
// Generate the local hash of the password using the same challenge
byte[] localHash = null;
try
{
localHash = encryptor.doNTLM1Encryption(p21, challenge);
}
catch (NoSuchAlgorithmException ex)
{
}
// Validate the password
byte[] clientHash = checkLMHash ? type3Msg.getLMHash() : type3Msg.getNTLMHash();
if (clientHash != null && localHash != null && clientHash.length == localHash.length)
{
int i = 0;
while (i < clientHash.length && clientHash[i] == localHash[i])
{
i++;
}
if (i == clientHash.length)
{
// Hashed passwords match
return true;
}
}
// Hashed passwords do not match
return false;
}
private final boolean checkNTLMv2(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg)
{
boolean ntlmv2OK = false;
boolean lmv2OK = false;
try
{
byte[] v2hash = encryptor.doNTLM2Encryption(md4Encoder.decodeHash(md4hash), type3Msg.getUserName(), type3Msg.getDomain());
NTLMv2Blob v2blob = new NTLMv2Blob(type3Msg.getNTLMHash());
byte[] srvHmac = v2blob.calculateHMAC(challenge, v2hash);
byte[] clientHmac = v2blob.getHMAC();
if (clientHmac != null && srvHmac != null && clientHmac.length == srvHmac.length)
{
int i = 0;
while (i < clientHmac.length && clientHmac[i] == srvHmac[i])
{
i++;
}
if (i == clientHmac.length)
{
ntlmv2OK = true;
}
}
if ( ntlmv2OK == false)
{
byte[] lmv2 = type3Msg.getLMHash();
byte[] clChallenge = v2blob.getClientChallenge();
if ( lmv2 != null && lmv2.length == 24 && clChallenge != null && clChallenge.length == 8)
{
int i = 0;
while ( i < clChallenge.length && lmv2[ i + 16] == clChallenge[ i])
i++;
if ( i == clChallenge.length)
{
byte[] lmv2Hmac = v2blob.calculateLMv2HMAC(v2hash, challenge, clChallenge);
i = 0;
while (i < lmv2Hmac.length && lmv2[i] == lmv2Hmac[i])
i++;
if (i == lmv2Hmac.length)
{
lmv2OK = true;
}
}
}
}
}
catch (Exception ex)
{
if (logger.isDebugEnabled())
{
logger.debug(ex);
}
}
if ( ntlmv2OK || lmv2OK)
return true;
return false;
}
private final boolean checkNTLMv2SessionKey(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg)
{
// Create the value to be encrypted by appending the server challenge and client challenge
// and applying an MD5 digest
byte[] nonce = new byte[16];
System.arraycopy(challenge, 0, nonce, 0, 8);
System.arraycopy(type3Msg.getLMHash(), 0, nonce, 8, 8);
MessageDigest md5 = null;
byte[] v2challenge = new byte[8];
try
{
md5 = MessageDigest.getInstance("MD5");
// Apply the MD5 digest to the nonce
md5.update(nonce);
byte[] md5nonce = md5.digest();
// We only want the first 8 bytes
System.arraycopy(md5nonce, 0, v2challenge, 0, 8);
}
catch (NoSuchAlgorithmException ex)
{
if (logger.isDebugEnabled())
{
logger.debug(ex.getMessage());
}
}
// Generate the local encrypted password using the MD5 generated challenge
byte[] p21 = new byte[21];
byte[] md4byts = md4Encoder.decodeHash(md4hash);
System.arraycopy(md4byts, 0, p21, 0, 16);
// Generate the local hash of the password
byte[] localHash = null;
try
{
localHash = encryptor.doNTLM1Encryption(p21, v2challenge);
}
catch (NoSuchAlgorithmException ex)
{
if (logger.isDebugEnabled())
{
logger.debug(ex.getMessage());
}
}
byte[] clientHash = type3Msg.getNTLMHash();
if (clientHash != null && localHash != null && clientHash.length == localHash.length)
{
int i = 0;
while (i < clientHash.length && clientHash[i] == localHash[i])
{
i++;
}
if (i == clientHash.length)
{
return true;
}
}
return false;
}
@SuppressWarnings("unchecked")
private void putNtlmLogonDetailsToSession(HttpServletRequest request, NTLMLogonDetails details)
{
Object detailsMap = request.getSession().getAttribute(NTLM_AUTH_DETAILS);
if (detailsMap != null)
{
((Map<String, NTLMLogonDetails>) detailsMap).put(request.getRequestURI(), details);
return;
}
else
{
Map<String, NTLMLogonDetails> newMap = new HashMap<String, NTLMLogonDetails>();
newMap.put(request.getRequestURI(), details);
request.getSession().setAttribute(NTLM_AUTH_DETAILS, newMap);
}
}
@SuppressWarnings("unchecked")
private NTLMLogonDetails getNtlmLogonDetailsFromSession(HttpServletRequest request)
{
Object detailsMap = request.getSession().getAttribute(NTLM_AUTH_DETAILS);
if (detailsMap != null)
{
return ((Map<String, NTLMLogonDetails>) detailsMap).get(request.getRequestURI());
}
return null;
}
@SuppressWarnings("unchecked")
private void removeNtlmLogonDetailsFromSession(HttpServletRequest request)
{
Object detailsMap = request.getSession().getAttribute(NTLM_AUTH_DETAILS);
if (detailsMap != null)
{
((Map<String, NTLMLogonDetails>) detailsMap).remove(request.getRequestURI());
}
}
} }

2
source/web/jsp/login.jsp
View File

@@ -210,7 +210,7 @@
function validate() function validate()
{ {
return validateName(document.getElementById("loginForm:user-name"), null, false); return validateUserNameForLogin(document.getElementById("loginForm:user-name"), null, false);
} }
function updateButtonState() function updateButtonState()

2
source/web/jsp/users/new-user-wizard/new-user-properties.jsp
View File

@@ -78,7 +78,7 @@ function validate()
finishButtonPressed = false; finishButtonPressed = false;
var message = $("wizard:wizard-body:validation_invalid_character").textContent ? $("wizard:wizard-body:validation_invalid_character").textContent : $("wizard:wizard-body:validation_invalid_character").innerText; var message = $("wizard:wizard-body:validation_invalid_character").textContent ? $("wizard:wizard-body:validation_invalid_character").textContent : $("wizard:wizard-body:validation_invalid_character").innerText;
return validateName(document.getElementById("wizard:wizard-body:userName"), return validateUserNameForCreate(document.getElementById("wizard:wizard-body:userName"),
message, message,
true); true);
} }

34
source/web/scripts/validation.js
View File

@@ -157,8 +157,40 @@ function validateRegex(control, expression, requiresMatch, matchMessage, noMatch
*/ */
function validateName(control, message, showMessage) function validateName(control, message, showMessage)
{ {
var result = true;
var pattern = /([\"\*\\\>\<\?\/\:\|]+)|([ ]+$)|([\.]?[\.]+$)/; var pattern = /([\"\*\\\>\<\?\/\:\|]+)|([ ]+$)|([\.]?[\.]+$)/;
return validateValue(control, pattern, message, showMessage);
}
/**
* Ensures the user name value does not contain any illegal characters while user creating.
*
* @return true if the user name is valid
*/
function validateUserNameForCreate(control, message, showMessage)
{
var pattern = /([\"\*\\\>\<\?\:\|]+)|([ ]+$)|([\.]?[\.]+$)/;
return validateValue(control, pattern, message, showMessage);
}
/**
* Ensures the user name value does not contain any illegal characters while login.
*
* @return true if the user name is valid
*/
function validateUserNameForLogin(control, message, showMessage)
{
var pattern = /([\"\*\>\<\?\:\|]+)|([ ]+$)|([\.]?[\.]+$)/;
return validateValue(control, pattern, message, showMessage);
}
/**
* Ensures the value of the 'control' coresponds to required pattern.
*
* @return true if the file name is valid
*/
function validateValue(control, pattern, message, showMessage)
{
var result = true;
var trimed = control.value.replace(/^\s\s*/, '').replace(/\s\s*$/, ''); var trimed = control.value.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
var idx = trimed.search(pattern); var idx = trimed.search(pattern);
if (idx != -1) if (idx != -1)