org.ametys.plugins.core.impl.authentication

Class KerberosCredentialProvider

java.lang.Object

org.ametys.runtime.plugin.component.AbstractLogEnabled

org.ametys.core.authentication.AbstractCredentialProvider

org.ametys.plugins.core.impl.authentication.KerberosCredentialProvider

All Implemented Interfaces:

CredentialProvider, NonBlockingCredentialProvider, LogEnabled, Component, Contextualizable

public class KerberosCredentialProvider
extends AbstractCredentialProvider
implements NonBlockingCredentialProvider, Contextualizable

Kerberos http authentication.

Field Summary

Fields

Modifier and Type	Field and Description
protected static String	__LOGIN_CONF_FILE Name of the login config file
protected static String	__PARAM_IPRESTRICTION Name of the parameter holding the regexp to match ip adresses
protected static String	__PARAM_KDC Name of the parameter holding the authentication server kdc adress
protected static String	__PARAM_LOGIN Name of the parameter holding the ametys login
protected static String	__PARAM_PASSWORD Name of the parameter holding the ametys password
protected static String	__PARAM_REALM Name of the parameter holding the authentication server realm
protected static String	__SESSION_ATTRIBUTE_GSSCONTEXT Kerberos context
protected static String	__SKIP_KERBEROS_URL The url to redirect to skip kerberos current authentication
private Context	_context
private GSSCredential	_gssCredential
private Pattern	_ipRestriction

Constructor Summary

Constructors

Constructor and Description
KerberosCredentialProvider()

Method Summary

Modifier and Type	Method and Description
private boolean	_isIPAuthorized(Request request)
void	contextualize(Context context)
static LoginContext	createLoginContext(String kdc, String realm, String login, String password, Context context) Create a logged in LoginContext for Kerberos
void	init(String id, String cpModelId, Map<String,Object> paramValues, String label) Initialize the credential provider with given parameters' values.
UserIdentity	nonBlockingGetUserIdentity(Redirector redirector) Method called by AuthenticateAction each time a request need authentication.
boolean	nonBlockingGrantAnonymousRequest() Method called by AuthenticateAction before asking for credentials.
boolean	nonBlockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) Validates that the user specify is still connected
void	nonBlockingUserAllowed(UserIdentity userIdentity) Method called by AuthenticateAction after authentication process succeeded
void	nonBlockingUserNotAllowed(Redirector redirector) Method called by AuthenticateAction each a user could not get authenticated.

Methods inherited from class org.ametys.core.authentication.AbstractCredentialProvider

equals, getCredentialProviderModelId, getId, getLabel, getParameterValues, hashCode

Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled

getLogger, setLogger

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.ametys.core.authentication.CredentialProvider

getCredentialProviderModelId, getId, getLabel, getParameterValues, getUserIdentity, grantAnonymousRequest, isStillConnected, userAllowed, userNotAllowed

Field Detail

__PARAM_KDC

protected static final String __PARAM_KDC

Name of the parameter holding the authentication server kdc adress

See Also:

Constant Field Values

__PARAM_REALM

protected static final String __PARAM_REALM

Name of the parameter holding the authentication server realm

See Also:

Constant Field Values

__PARAM_LOGIN

protected static final String __PARAM_LOGIN

Name of the parameter holding the ametys login

See Also:

Constant Field Values

__PARAM_PASSWORD

protected static final String __PARAM_PASSWORD

Name of the parameter holding the ametys password

See Also:

Constant Field Values

__PARAM_IPRESTRICTION

protected static final String __PARAM_IPRESTRICTION

Name of the parameter holding the regexp to match ip adresses

See Also:

Constant Field Values

__LOGIN_CONF_FILE

protected static final String __LOGIN_CONF_FILE

Name of the login config file

See Also:

Constant Field Values

__SKIP_KERBEROS_URL

protected static final String __SKIP_KERBEROS_URL

The url to redirect to skip kerberos current authentication

See Also:

Constant Field Values

__SESSION_ATTRIBUTE_GSSCONTEXT

protected static final String __SESSION_ATTRIBUTE_GSSCONTEXT

Kerberos context

See Also:

Constant Field Values

_context

private Context _context

_gssCredential

private GSSCredential _gssCredential

_ipRestriction

private Pattern _ipRestriction

Constructor Detail

KerberosCredentialProvider

public KerberosCredentialProvider()

Method Detail

contextualize

public void contextualize(Context context)
                   throws ContextException

Specified by:

contextualize in interface Contextualizable

Throws:

ContextException

createLoginContext

public static LoginContext createLoginContext(String kdc,
                                              String realm,
                                              String login,
                                              String password,
                                              Context context)
                                       throws IOException,
                                              LoginException,
                                              ContextException

Create a logged in LoginContext for Kerberos

Parameters:

kdc - The key distribution center

realm - The realm

login - The identifier of a user to the kdc

password - The associated password

context - The avalong context

Returns:

A non null LoginContext (to be logged out)

Throws:

IOException - If an error occurred while creating a temporary configuration file on the disk

LoginException - If the login process failed

ContextException - If an error occurred while getting cocoon environment from context

init

public void init(String id,
                 String cpModelId,
                 Map<String,Object> paramValues,
                 String label)

Description copied from interface: CredentialProvider

Initialize the credential provider with given parameters' values.

Specified by:

init in interface CredentialProvider

Overrides:

init in class AbstractCredentialProvider

Parameters:

id - The unique identifier

cpModelId - The id of credential provider extension point

paramValues - The parameters' values

label - The specific label of this instance. Can be null

nonBlockingIsStillConnected

public boolean nonBlockingIsStillConnected(UserIdentity userIdentity,
                                           Redirector redirector)
                                    throws Exception

Description copied from interface: NonBlockingCredentialProvider

Validates that the user specify is still connected

Specified by:

nonBlockingIsStillConnected in interface NonBlockingCredentialProvider

Parameters:

userIdentity - the user previously correctly identified with this credential provider

redirector - The cocoon redirector

Returns:

true if this CredentialProvider was in a valid state, false to restart authentication process

Throws:

Exception - If an error occurred

nonBlockingGrantAnonymousRequest

public boolean nonBlockingGrantAnonymousRequest()

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction before asking for credentials. This method is used to bypass authentication. If this method returns true, no authentication will be require. Use it with care, as it may lead to obvious security issues.

Specified by:

nonBlockingGrantAnonymousRequest in interface NonBlockingCredentialProvider

Returns:

true if the Request is not authenticated

nonBlockingGetUserIdentity

public UserIdentity nonBlockingGetUserIdentity(Redirector redirector)
                                        throws Exception

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction each time a request need authentication.

Specified by:

nonBlockingGetUserIdentity in interface NonBlockingCredentialProvider

Parameters:

redirector - the cocoon redirector.

Returns:

the UserIdentity corresponding to the user (with or without population specified), or null if user could not get authenticated.

Throws:

Exception - if something wrong occurs

_isIPAuthorized

private boolean _isIPAuthorized(Request request)

nonBlockingUserNotAllowed

public void nonBlockingUserNotAllowed(Redirector redirector)
                               throws Exception

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction each a user could not get authenticated. This method implementation is responsible of redirecting response to appropriate url.

Specified by:

nonBlockingUserNotAllowed in interface NonBlockingCredentialProvider

Parameters:

redirector - the cocoon Redirector that can be used for redirecting response.

Throws:

Exception - if something wrong occurs

nonBlockingUserAllowed

public void nonBlockingUserAllowed(UserIdentity userIdentity)

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction after authentication process succeeded

Specified by:

nonBlockingUserAllowed in interface NonBlockingCredentialProvider

Parameters:

userIdentity - The user correctly connected