org.springframework.security.ui.ntlm

Class NtlmProcessingFilter

java.lang.Object

org.springframework.security.ui.SpringSecurityFilter

org.springframework.security.ui.ntlm.NtlmProcessingFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.InitializingBean, org.springframework.core.Ordered

public class NtlmProcessingFilter
extends SpringSecurityFilter
implements org.springframework.beans.factory.InitializingBean

A clean-room implementation for Spring Security of an NTLM HTTP filter leveraging the JCIFS library.

NTLM is a Microsoft-developed protocol providing single sign-on capabilities to web applications and other integrated applications. It allows a web server to automatically discover the username of a browser client when that client is logged into a Windows domain and is using an NTLM-aware browser. A web application can then reuse the user's Windows credentials without having to ask for them again.

Because NTLM only provides the username of the Windows client, a Spring Security NTLM deployment must have a UserDetailsService that provides a UserDetails object with the empty string as the password and whatever GrantedAuthority values necessary to pass the FilterSecurityInterceptor.

The Spring Security bean configuration file must also place the ExceptionTranslationFilter before this filter in the FilterChainProxy definition.

Version:

$Id$

Author:

Davide Baroncelli, Edward Smith

Field Summary

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description
NtlmProcessingFilter()

Method Summary

Methods

Modifier and Type	Method and Description
void	afterPropertiesSet() Ensures an AuthenticationManager and authentication failure URL have been provided in the bean configuration file.
protected void	doFilterHttp(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
int	getOrder()
boolean	isForceIdentification() Returns true if NTLM authentication is forced.
void	setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
void	setAuthenticationManager(AuthenticationManager authenticationManager) Sets the AuthenticationManager to use.
void	setCachePolicy(java.lang.String numSeconds) Sets the jcifs.netbios.cachePolicy property to the number of seconds a NetBIOS address is cached by JCIFS.
void	setDefaultDomain(java.lang.String defaultDomain) The NT domain against which clients should be authenticated.
void	setDomainController(java.lang.String domainController) The IP address of any SMB server that should be used to authenticate HTTP clients.
void	setForceIdentification(boolean forceIdentification) Sets a flag denoting whether NTLM authentication should be forced.
void	setJcifsProperties(java.util.Properties props) Loads properties starting with "jcifs" into the JCIFS configuration.
void	setLoadBalance(boolean loadBalance) If the default domain is specified and the domain controller is not specified, then query for domain controllers by name.
void	setNetbiosWINS(java.lang.String netbiosWINS) Configures JCIFS to use a WINS server.
void	setRetryOnAuthFailure(boolean retryOnFailure) Sets a flag denoting whether NTLM should retry whenever authentication fails.
void	setSmbClientPassword(java.lang.String smbClientPassword) Sets the SMB client password.
void	setSmbClientSSNLimit(java.lang.String smbClientSSNLimit) Sets the SMB client SSN limit.
void	setSmbClientUsername(java.lang.String smbClientUsername) Sets the SMB client username.
void	setSoTimeout(java.lang.String timeout) Sets the jcifs.smb.client.soTimeout property to the timeout value specified in milliseconds.
void	setStripDomain(boolean stripDomain) Configures NtlmProcessingFilter to strip the Windows domain name from the username when set to true, which is the default value.

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter

destroy, doFilter, init, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

NtlmProcessingFilter

public NtlmProcessingFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception

Ensures an AuthenticationManager and authentication failure URL have been provided in the bean configuration file.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

java.lang.Exception

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

Sets the AuthenticationManager to use.

Parameters:

authenticationManager - the AuthenticationManager to use.

setDefaultDomain

public void setDefaultDomain(java.lang.String defaultDomain)

The NT domain against which clients should be authenticated. If the SMB client username and password are also set, then preauthentication will be used which is necessary to initialize the SMB signing digest. SMB signatures are required by default on Windows 2003 domain controllers.

Parameters:

defaultDomain - The name of the default domain.

setSmbClientUsername

public void setSmbClientUsername(java.lang.String smbClientUsername)

Sets the SMB client username.

Parameters:

smbClientUsername - The SMB client username.

setSmbClientPassword

public void setSmbClientPassword(java.lang.String smbClientPassword)

Sets the SMB client password.

Parameters:

smbClientPassword - The SMB client password.

setSmbClientSSNLimit

public void setSmbClientSSNLimit(java.lang.String smbClientSSNLimit)

Sets the SMB client SSN limit. When set to 1, every authentication is forced to use a separate transport. This effectively ignores SMB signing requirements, however at the expense of reducing scalability. Preauthentication with a domain, username, and password is the preferred method for working with servers that require signatures.

Parameters:

smbClientSSNLimit - The SMB client SSN limit.

setNetbiosWINS

public void setNetbiosWINS(java.lang.String netbiosWINS)

Configures JCIFS to use a WINS server. It is preferred to use a WINS server over a specific domain controller. Set this property instead of domainController if there is a WINS server available.

Parameters:

netbiosWINS - The WINS server JCIFS will use.

setDomainController

public void setDomainController(java.lang.String domainController)

The IP address of any SMB server that should be used to authenticate HTTP clients.

Parameters:

domainController - The IP address of the domain controller.

setLoadBalance

public void setLoadBalance(boolean loadBalance)

If the default domain is specified and the domain controller is not specified, then query for domain controllers by name. When load balance is true, rotate through the list of domain controllers when authenticating users.

Parameters:

loadBalance - The load balance flag value.

setStripDomain

public void setStripDomain(boolean stripDomain)

Configures NtlmProcessingFilter to strip the Windows domain name from the username when set to true, which is the default value.

Parameters:

stripDomain - The strip domain flag value.

setSoTimeout

public void setSoTimeout(java.lang.String timeout)

Sets the jcifs.smb.client.soTimeout property to the timeout value specified in milliseconds. Defaults to 5 minutes if not specified.

Parameters:

timeout - The milliseconds timeout value.

setCachePolicy

public void setCachePolicy(java.lang.String numSeconds)

Sets the jcifs.netbios.cachePolicy property to the number of seconds a NetBIOS address is cached by JCIFS. Defaults to 20 minutes if not specified.

Parameters:

numSeconds - The number of seconds a NetBIOS address is cached.

setJcifsProperties

public void setJcifsProperties(java.util.Properties props)

Loads properties starting with "jcifs" into the JCIFS configuration. Any other properties are ignored.

Parameters:

props - The JCIFS properties to set.

isForceIdentification

public boolean isForceIdentification()

Returns true if NTLM authentication is forced.

Returns:

true if NTLM authentication is forced.

setForceIdentification

public void setForceIdentification(boolean forceIdentification)

Sets a flag denoting whether NTLM authentication should be forced.

Parameters:

forceIdentification - the force identification flag value to set.

setRetryOnAuthFailure

public void setRetryOnAuthFailure(boolean retryOnFailure)

Sets a flag denoting whether NTLM should retry whenever authentication fails. Retry will occur if the credentials are rejected by the domain controller or if an an AuthenticationCredentialsNotFoundException or InsufficientAuthenticationException is thrown.

Parameters:

retryOnFailure - the retry on failure flag value to set.

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

doFilterHttp

protected void doFilterHttp(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                javax.servlet.FilterChain chain)
                     throws java.io.IOException,
                            javax.servlet.ServletException

Specified by:

doFilterHttp in class SpringSecurityFilter

Throws:

java.io.IOException

javax.servlet.ServletException

getOrder

public int getOrder()

Specified by:

getOrder in interface org.springframework.core.Ordered