Redesign of the CIFS authentication code to support NTLMv1/NTLMv2, SPNEGO and NTLMSSP

authentication methods via the session setup. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@2760 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-24 17:32:48 +00:00 · 2006-05-04 15:29:26 +00:00
parent fe5257a3a2
commit d021b46d07
29 changed files with 4719 additions and 2124 deletions
--- a/source/java/org/alfresco/filesys/server/auth/kerberos/KerberosDetails.java
+++ b/source/java/org/alfresco/filesys/server/auth/kerberos/KerberosDetails.java
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2005-2006 Alfresco, Inc.
+ *
+ * Licensed under the Mozilla Public License version 1.1 
+ * with a permitted attribution clause. You may obtain a
+ * copy of the License at
+ *
+ *   http://www.alfresco.org/legal/license.txt
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package org.alfresco.filesys.server.auth.kerberos;
+
+import org.ietf.jgss.GSSName;
+
+/**
+ * Kerberos Details Class
+ * 
+ * <p>Holds the Kerberos response token and session details about the user.
+ * 
+ * @author gkspencer
+ */
+public class KerberosDetails
+{
+    // Source and target details
+    
+    private String m_krbSource;
+    private String m_krbTarget;
+    
+    // Kerberos response token
+    
+    private byte[] m_krbResponse;
+    
+    /**
+     * Class constructor
+     * 
+     * @param source GSSName
+     * @param target GSSName
+     * @param response byte[]
+     */
+    public KerberosDetails(GSSName source, GSSName target, byte[] response)
+    {
+        m_krbSource = source.toString();
+        m_krbTarget = target.toString();
+        
+        m_krbResponse = response;
+    }
+    
+    /**
+     * Return the context initiator for the Kerberos authentication
+     * 
+     * @return String
+     */
+    public final String getSourceName()
+    {
+        return m_krbSource;
+    }
+    
+    /**
+     * Return the context acceptor for the Kerberos authentication
+     * 
+     * @return String
+     */
+    public final String getTargetName()
+    {
+        return m_krbTarget;
+    }
+    
+    /**
+     * Return the Kerberos response token
+     * 
+     * @return byte[]
+     */
+    public final byte[] getResponseToken()
+    {
+        return m_krbResponse;
+    }
+    
+    /**
+     * Parse the source name to return the user name part only
+     * 
+     * @return String
+     */
+    public final String getUserName()
+    {
+        String userName = m_krbSource;
+        
+        if ( m_krbSource != null)
+        {
+            int pos = m_krbSource.indexOf( '@');
+            if ( pos != -1)
+            {
+                userName = m_krbSource.substring(0, pos);
+            }
+        }
+        
+        return userName;
+    }
+    
+    /**
+     * Return the response token length
+     * 
+     * @return int
+     */
+    public final int getResponseLength()
+    {
+        return m_krbResponse != null ? m_krbResponse.length : 0; 
+    }
+    
+    /**
+     * Return the Kerberos authentication details as a string
+     * 
+     * @return String
+     */
+    public String toString()
+    {
+        StringBuilder str = new StringBuilder();
+        
+        str.append("[Source=");
+        str.append(getSourceName());
+        str.append(",Target=");
+        str.append(getTargetName());
+        str.append(":Response=");
+        str.append(getResponseLength());
+        str.append(" bytes]");
+        
+        return str.toString();
+    }
+}
--- a/source/java/org/alfresco/filesys/server/auth/kerberos/SessionSetupPrivilegedAction.java
+++ b/source/java/org/alfresco/filesys/server/auth/kerberos/SessionSetupPrivilegedAction.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2005-2006 Alfresco, Inc.
+ *
+ * Licensed under the Mozilla Public License version 1.1 
+ * with a permitted attribution clause. You may obtain a
+ * copy of the License at
+ *
+ *   http://www.alfresco.org/legal/license.txt
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package org.alfresco.filesys.server.auth.kerberos;
+
+import java.security.PrivilegedAction;
+
+import org.alfresco.filesys.server.auth.spnego.OID;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+
+/**
+ * Session Setup Privileged Action Class
+ *
+ * <p>Handle the processing of a received SPNEGO packet in the context of the CIFS server.
+ * 
+ * @author gkspencer
+ */
+public class SessionSetupPrivilegedAction implements PrivilegedAction
+{
+    //  Received security blob details
+    
+    private byte[] m_secBlob;
+    private int m_secOffset;
+    private int m_secLen;
+
+    // CIFS server account name
+    
+    private String m_accountName;
+    
+    /**
+     * Class constructor
+     * 
+     * @param accountName String
+     * @param secBlob byte[]
+     */
+    public SessionSetupPrivilegedAction ( String accountName, byte[] secBlob)
+    {
+        m_accountName = accountName;
+        
+        m_secBlob   = secBlob;
+        m_secOffset = 0;
+        m_secLen    = secBlob.length;
+    }
+    
+    /**
+     * Class constructor
+     * 
+     * @param accountName String
+     * @param secBlob byte[]
+     * @param secOffset int
+     * @param secLen int
+     */
+    public SessionSetupPrivilegedAction ( String accountName, byte[] secBlob, int secOffset, int secLen)
+    {
+        m_accountName = accountName;
+        
+        m_secBlob   = secBlob;
+        m_secOffset = secOffset;
+        m_secLen    = secLen;
+    }
+    
+    /**
+     * Run the privileged action
+     */
+    public Object run()
+    {
+        KerberosDetails krbDetails = null;
+        
+        try
+        {
+            GSSManager gssManager = GSSManager.getInstance();
+            GSSName serverGSSName = gssManager.createName(m_accountName, GSSName.NT_USER_NAME);
+            GSSCredential serverGSSCreds = gssManager.createCredential( serverGSSName, GSSCredential.INDEFINITE_LIFETIME,
+                    OID.KERBEROS5, GSSCredential.ACCEPT_ONLY);
+            
+            GSSContext serverGSSContext = gssManager.createContext( serverGSSCreds);
+            
+            // Accept the incoming security blob and generate the response blob
+            
+            byte[] respBlob = serverGSSContext.acceptSecContext( m_secBlob, m_secOffset, m_secLen);
+
+            // Create the Kerberos response details
+
+            krbDetails = new KerberosDetails( serverGSSContext.getSrcName(), serverGSSContext.getTargName(), respBlob);
+        }
+        catch (GSSException ex)
+        {
+            System.out.println("GSSException: " + ex.getMajorString());
+            System.out.println("  " + ex.getMessage());
+        }
+        
+        // Return the Kerberos response
+        
+        return krbDetails;
+    }
+}