Commit 91edd49d authored by Misagh Moayyed's avatar Misagh Moayyed
Browse files


parent 559394b9
* Licensed to Apereo under one or more contributor license
* agreements. See the NOTICE file distributed with this work
* for additional information regarding copyright ownership.
* Apereo licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a
* copy of the License at the following location:
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
import jcifs.spnego.Authentication;
import org.jasig.cas.authentication.BasicCredentialMetaData;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.DefaultHandlerResult;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.PreventedException;
import org.jasig.cas.authentication.principal.Principal;
import java.util.regex.Pattern;
* Implementation of an AuthenticationHandler for SPNEGO supports. This Handler
* support both NTLM and Kerberos. NTLM is disabled by default.
* @author Arnaud Lesueur
* @author Marc-Antoine Garrigue
* @author Scott Battaglia
* @author Marvin S. Addison
* @since 3.1
public final class JcifsSpnegoAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
private Authentication authentication;
* Principal contains the DomainName ? (true by default).
private boolean principalWithDomainName = true;
* Allow SPNEGO/NTLM Token as valid credentials. (false by default)
private boolean isNTLMallowed;
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
final SpnegoCredential spnegoCredential = (SpnegoCredential) credential; principal;
byte[] nextToken;
if (!this.isNTLMallowed && spnegoCredential.isNtlm()) {
throw new FailedLoginException("NTLM not allowed");
try {
// proceed authentication using jcifs
synchronized (this) {
principal = this.authentication.getPrincipal();
nextToken = this.authentication.getNextToken();
} catch (final jcifs.spnego.AuthenticationException e) {
throw new FailedLoginException(e.getMessage());
// evaluate jcifs response
if (nextToken != null) {
logger.debug("Setting nextToken in credential");
} else {
logger.debug("nextToken is null");
boolean success = false;
if (principal != null) {
if (spnegoCredential.isNtlm()) {
logger.debug("NTLM Credential is valid for user [{}]", principal.getName());
} else {
logger.debug("Kerberos Credential is valid for user [{}]", principal.getName());
spnegoCredential.setPrincipal(getPrincipal(principal.getName(), spnegoCredential.isNtlm()));
success = true;
if (!success) {
throw new FailedLoginException("Principal is null, the processing of the SPNEGO Token failed");
return new DefaultHandlerResult(this, new BasicCredentialMetaData(credential), spnegoCredential.getPrincipal());
public boolean supports(final Credential credential) {
return credential instanceof SpnegoCredential;
public void setAuthentication(final Authentication authentication) {
this.authentication = authentication;
public void setPrincipalWithDomainName(final boolean principalWithDomainName) {
this.principalWithDomainName = principalWithDomainName;
public void setNTLMallowed(final boolean isNTLMallowed) {
this.isNTLMallowed = isNTLMallowed;
* Gets the principal from the given name. The principal
* is created by the factory instance.
* @param name the name
* @param isNtlm the is ntlm
* @return the simple principal
protected Principal getPrincipal(final String name, final boolean isNtlm) {
if (this.principalWithDomainName) {
return this.principalFactory.createPrincipal(name);
if (isNtlm) {
return Pattern.matches("\\S+\\\\\\S+", name)
? this.principalFactory.createPrincipal(name.split("\\\\")[1])
: this.principalFactory.createPrincipal(name);
return this.principalFactory.createPrincipal(name.split("@")[0]);
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment