spnegofilter.java

JAAS 例子代码

/**
 * SpnegoFilter.java
 *
 * Copyright 2009 Tidal Software. All rights reserved.
 *
 * Revision History:
 * Date             Name                Action
 * ------------------------------------------------
 * Feb 12, 2009       wayne            Created
 */
package com.tidalsoft.webconsole.sso.filter;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;

import org.apache.commons.logging.*;

import com.liferay.portal.servlet.filters.*;
import com.tidalsoft.webconsole.sso.*;

public class SpnegoFilter extends BasePortalFilter {
	final static Log logger = LogFactory.getLog(SpnegoFilter.class);

	/**
	 * SPNEGO handler name in session 
	 */
	private final static String HANDLER_ATTRIBUTE_KEY = "com.tidalsoft.webconsole.sso.filter.SpnegoHandler";

	/**
	 * Initial parameter name from kerberos enable flag
	 */
	private final static String KERBEROS_ENABLED_KEY = "KerberosEnabled";

	/**
	 * Kerberos enable flg
	 */
	private static boolean KERBEROS_ENABLED = false;

	/**
	 * @see javax.servlet.Filter#init(FilterConfig)
	 */
	@Override
	public void init(FilterConfig filterConfig) {
		super.init(filterConfig);
		String keyStr = filterConfig.getInitParameter(KERBEROS_ENABLED_KEY);
		if ("true".equalsIgnoreCase(keyStr))
			KERBEROS_ENABLED = true;
	}

	/**
	 * @see com.liferay.portal.kernel.servlet.BaseFilter#processFilter()
	 */
	@Override
	protected void processFilter(HttpServletRequest request,
			HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {

		// if user agent is not a IE core browser, do not do anything.
		boolean isIE = true;
		String userAgent = request.getHeader("User-Agent");
		if (userAgent == null || userAgent.toUpperCase().indexOf("MSIE") < 0) {
			isIE = false;
		}
		
		// the user send the request via FQDN or IP address, do not do anything.
		boolean isAccessByHostName = true;
		String host = request.getHeader("Host");
		logger.debug("Host:"+host);
		if (host == null || host.split(":")[0].indexOf('.')>=0) {
			isAccessByHostName = false;
		}
		
		//if one of following conditions meet, skip the filter and go on
		if (!KERBEROS_ENABLED || !isIE || !isAccessByHostName) {
			chain.doFilter(request, response);
			return;
		}

		SpnegoHandler handler = extractServletSpnegoHandlerFromSession(request);
		if (handler == null) {
			handler = bindNewServletSpnegoHandlerInSession(request);
		}
		
		// if it is a 
		if (request.getMethod().toLowerCase().equals("get")
				&& handler.getResult().isComplete()) {
			chain.doFilter(request, response);
			return;
		}

		if (!handler.getResult().isComplete())			
			handler.authenticate(request, response);
		else if(handler.getResult().isNTLMPass() && request.getMethod().toLowerCase().equals("post"))
			handler.authenticate(request, response);
		else {
			chain.doFilter(request, response);
			return;
		}

		if (handler.getResult().isEstablished()) {
			UserAuthResult result = handler.getResult();
			UserCredential userCred = new UserCredential();
			userCred.setKerberosAuth(true);
			userCred.setName(result.getSrcName());
			userCred.setPassword("");
			userCred.setDeleCred(result.getDeleCred());
			request.getSession().setAttribute(UserCredential.USER_CRED,
					userCred);
			chain.doFilter(request, response);
		} else if (handler.getResult().isFailed()) {
			chain.doFilter(request, response);
		} else if (handler.getResult().isNegotiating()) {
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
		} else if (handler.getResult().isNTLM()) {
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
		} else if (handler.getResult().isNTLMPass()) {
			chain.doFilter(request, response);
		}
	}

	/**
	 * get SPNEGO handler from session
	 * @param request
	 * @return
	 */
	public static SpnegoHandler extractServletSpnegoHandlerFromSession(
			HttpServletRequest request) {
		HttpSession session = request.getSession(false);
		if (session == null)
			return null;
		return (SpnegoHandler) session.getAttribute(HANDLER_ATTRIBUTE_KEY);
	}

	/**
	 * put SPNEGO Handler in session
	 * @param request
	 * @return
	 */
	public static SpnegoHandler bindNewServletSpnegoHandlerInSession(
			HttpServletRequest request) {
		HttpSession session = request.getSession();
		SpnegoHandler handler = new SpnegoHandler();
		session.setAttribute(HANDLER_ATTRIBUTE_KEY, handler);
		return handler;
	}
}