Google Git
Sign in
apache / httpcomponents-client / fde3fca687e0e5aab5d67242f2523c112e623451 / . / httpclient5-win / src / main / java / org / apache / hc / client5 / http / impl / win / WindowsNegotiateScheme.java
blob: 0daed7e7ec32264f2cb16b2230476615fb8249ef [file] [log] [blame]
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.hc.client5.http.impl.win;
import java.security.Principal;
import org.apache.commons.codec.binary.Base64;
import org.apache.hc.client5.http.RouteInfo;
import org.apache.hc.client5.http.auth.AuthChallenge;
import org.apache.hc.client5.http.auth.AuthScheme;
import org.apache.hc.client5.http.auth.AuthenticationException;
import org.apache.hc.client5.http.auth.BasicUserPrincipal;
import org.apache.hc.client5.http.auth.ChallengeType;
import org.apache.hc.client5.http.auth.CredentialsProvider;
import org.apache.hc.client5.http.auth.MalformedChallengeException;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.core5.annotation.Experimental;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.net.URIAuthority;
import org.apache.hc.core5.util.Args;
import org.apache.hc.core5.util.TextUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.sun.jna.platform.win32.Secur32;
import com.sun.jna.platform.win32.Secur32Util;
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.CredHandle;
import com.sun.jna.platform.win32.Sspi.CtxtHandle;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import com.sun.jna.platform.win32.Sspi.TimeStamp;
import com.sun.jna.platform.win32.SspiUtil.ManagedSecBufferDesc;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.ptr.IntByReference;
/**
* Auth scheme that makes use of JNA to implement Negotiate and NTLM on Windows Platforms.
* <p>
* This will delegate negotiation to the windows machine.
* </p>
*
* @since 4.4
*/
@Experimental
public class WindowsNegotiateScheme implements AuthScheme {
private static final Logger LOG = LoggerFactory.getLogger(WindowsNegotiateScheme.class);
// NTLM or Negotiate
private final String schemeName;
private final String servicePrincipalName;
private ChallengeType challengeType;
private String challenge;
private CredHandle clientCred;
private CtxtHandle sspiContext;
private boolean continueNeeded;
WindowsNegotiateScheme(final String schemeName, final String servicePrincipalName) {
super();
this.schemeName = (schemeName == null) ? StandardAuthScheme.SPNEGO : schemeName;
this.continueNeeded = true;
this.servicePrincipalName = servicePrincipalName;
if (LOG.isDebugEnabled()) {
LOG.debug("Created WindowsNegotiateScheme using {}", this.schemeName);
}
}
public void dispose() {
if (clientCred != null && !clientCred.isNull()) {
final int rc = Secur32.INSTANCE.FreeCredentialsHandle(clientCred);
if (WinError.SEC_E_OK != rc) {
throw new Win32Exception(rc);
}
}
if (sspiContext != null && !sspiContext.isNull()) {
final int rc = Secur32.INSTANCE.DeleteSecurityContext(sspiContext);
if (WinError.SEC_E_OK != rc) {
throw new Win32Exception(rc);
}
}
continueNeeded = true; // waiting
clientCred = null;
sspiContext = null;
}
@Override
public String getName() {
return schemeName;
}
@Override
public boolean isConnectionBased() {
return true;
}
@Override
public String getRealm() {
return null;
}
@Override
public void processChallenge(
final AuthChallenge authChallenge,
final HttpContext context) throws MalformedChallengeException {
Args.notNull(authChallenge, "AuthChallenge");
challengeType = authChallenge.getChallengeType();
challenge = authChallenge.getValue();
if (TextUtils.isBlank(challenge)) {
if (clientCred != null) {
dispose(); // run cleanup first before throwing an exception otherwise can leak OS resources
if (continueNeeded) {
throw new IllegalStateException("Unexpected token");
}
}
}
}
@Override
public boolean isResponseReady(
final HttpHost host,
final CredentialsProvider credentialsProvider,
final HttpContext context) throws AuthenticationException {
return true;
}
/**
* Get the SAM-compatible username of the currently logged-on user.
*
* @return String.
*/
public static String getCurrentUsername() {
return Secur32Util.getUserNameEx(Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible);
}
@Override
public Principal getPrincipal() {
return new BasicUserPrincipal(getCurrentUsername());
}
@Override
public String generateAuthResponse(
final HttpHost host,
final HttpRequest request,
final HttpContext context) throws AuthenticationException {
final HttpClientContext clientContext = HttpClientContext.adapt(context);
final String response;
if (clientCred == null) {
// client credentials handle
try {
final String username = getCurrentUsername();
final TimeStamp lifetime = new TimeStamp();
clientCred = new CredHandle();
final int rc = Secur32.INSTANCE.AcquireCredentialsHandle(username,
schemeName, Sspi.SECPKG_CRED_OUTBOUND, null, null, null, null,
clientCred, lifetime);
if (WinError.SEC_E_OK != rc) {
throw new Win32Exception(rc);
}
final String targetName = getServicePrincipalName(request, clientContext);
response = getToken(null, null, targetName);
} catch (final RuntimeException ex) {
failAuthCleanup();
if (ex instanceof Win32Exception) {
throw new AuthenticationException("Authentication Failed", ex);
}
throw ex;
}
} else if (challenge == null || challenge.isEmpty()) {
failAuthCleanup();
throw new AuthenticationException("Authentication Failed");
} else {
try {
final byte[] continueTokenBytes = Base64.decodeBase64(challenge);
final SecBufferDesc continueTokenBuffer = new ManagedSecBufferDesc(
Sspi.SECBUFFER_TOKEN, continueTokenBytes);
final String targetName = getServicePrincipalName(request, clientContext);
response = getToken(this.sspiContext, continueTokenBuffer, targetName);
} catch (final RuntimeException ex) {
failAuthCleanup();
if (ex instanceof Win32Exception) {
throw new AuthenticationException("Authentication Failed", ex);
}
throw ex;
}
}
return schemeName + " " + response;
}
private void failAuthCleanup() {
dispose();
this.continueNeeded = false;
}
// Per RFC4559, the Service Principal Name should HTTP/<hostname>. However, <hostname>
// can just be the host or the fully qualified name (e.g., see "Kerberos SPN generation"
// at http://www.chromium.org/developers/design-documents/http-authentication). Here,
// I've chosen to use the host that has been provided in HttpHost so that I don't incur
// any additional DNS lookup cost.
private String getServicePrincipalName(final HttpRequest request, final HttpClientContext clientContext) {
String spn = null;
if (this.servicePrincipalName != null) {
spn = this.servicePrincipalName;
} else if (challengeType == ChallengeType.PROXY) {
final RouteInfo route = clientContext.getHttpRoute();
if (route != null) {
spn = "HTTP/" + route.getProxyHost().getHostName();
}
} else {
final URIAuthority authority = request.getAuthority();
if (authority != null) {
spn = "HTTP/" + authority.getHostName();
} else {
final RouteInfo route = clientContext.getHttpRoute();
if (route != null) {
spn = "HTTP/" + route.getTargetHost().getHostName();
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("Using SPN: {}", spn);
}
return spn;
}
// See http://msdn.microsoft.com/en-us/library/windows/desktop/aa375506(v=vs.85).aspx
String getToken(
final CtxtHandle continueCtx,
final SecBufferDesc continueToken,
final String targetName) {
final IntByReference attr = new IntByReference();
final ManagedSecBufferDesc token = new ManagedSecBufferDesc(
Sspi.SECBUFFER_TOKEN, Sspi.MAX_TOKEN_SIZE);
sspiContext = new CtxtHandle();
final int rc = Secur32.INSTANCE.InitializeSecurityContext(clientCred,
continueCtx, targetName, Sspi.ISC_REQ_DELEGATE | Sspi.ISC_REQ_MUTUAL_AUTH, 0,
Sspi.SECURITY_NATIVE_DREP, continueToken, 0, sspiContext, token,
attr, null);
switch (rc) {
case WinError.SEC_I_CONTINUE_NEEDED:
continueNeeded = true;
break;
case WinError.SEC_E_OK:
dispose(); // Don't keep the context
continueNeeded = false;
break;
default:
dispose();
throw new Win32Exception(rc);
}
return Base64.encodeBase64String(token.getBuffer(0).getBytes());
}
@Override
public boolean isChallengeComplete() {
return !continueNeeded;
}
}