1
22
23 package com.liferay.portal.servlet.filters.sso.ntlm;
24
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.StringPool;
import com.liferay.portal.security.ldap.PortalLDAPUtil;
import com.liferay.portal.util.PortalInstances;
import com.liferay.portal.util.PrefsPropsUtil;
import com.liferay.portal.util.PropsKeys;
import com.liferay.portal.util.WebKeys;
import com.liferay.util.servlet.filters.DynamicFilterConfig;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import jcifs.Config;
import jcifs.UniAddress;

import jcifs.http.NtlmHttpFilter;
import jcifs.http.NtlmSsp;

import jcifs.ntlmssp.Type1Message;
import jcifs.ntlmssp.Type2Message;

import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbSession;

import jcifs.util.Base64;
59
60
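/**
 * NTLM single sign-on filter built on the jCIFS {@link NtlmHttpFilter}.
 *
 * <p>Handshake as driven by this filter: any request that carries an NTLM
 * Type 1 message is answered with a 401 and a Type 2 challenge obtained from
 * the domain controller; a request whose path ends in {@code /login} is then
 * negotiated to completion, the Type 3 response is validated against the
 * domain controller, and only then is the Windows account name published as
 * the {@link WebKeys#NTLM_REMOTE_USER} request attribute for the portal's
 * login handling to consume.</p>
 *
 * <p>Any failure inside the NTLM processing is logged and the request is
 * passed down the chain <em>without</em> an NTLM identity, i.e. the filter
 * fails open to the portal's regular login. Downstream code must therefore
 * treat a missing {@code NTLM_REMOTE_USER} attribute as "not authenticated"
 * and never as an error to be worked around.</p>
 */
public class NtlmFilter extends NtlmHttpFilter {

	public void init(FilterConfig filterConfig) throws ServletException {
		super.init(filterConfig);

		// Wrapped so the domain controller and domain can be filled in from
		// portal preferences at request time when web.xml does not set them
		_filterConfig = new DynamicFilterConfig(filterConfig);
	}

	/**
	 * Runs the NTLM handshake for the current request when NTLM is enabled
	 * for the request's company, then continues the filter chain.
	 *
	 * <p>The chain is only short-circuited when a 401 has been written to
	 * the client (challenge sent, or credentials still required/rejected).
	 * Every other outcome, including an exception, proceeds down the chain
	 * with no NTLM identity attached.</p>
	 */
	public void doFilter(
			ServletRequest servletRequest, ServletResponse servletResponse,
			FilterChain filterChain)
		throws IOException, ServletException {

		try {
			HttpServletRequest request = (HttpServletRequest)servletRequest;
			HttpServletResponse response =
				(HttpServletResponse)servletResponse;

			long companyId = PortalInstances.getCompanyId(request);

			if (PortalLDAPUtil.isNtlmEnabled(companyId)) {
				_configureDomainController(companyId);

				// A Type 1 message on any path is answered with the
				// challenge; the handshake then continues on /login
				if (_sendChallenge(request, response)) {
					return;
				}

				String path = request.getPathInfo();

				if ((path != null) && path.endsWith("/login")) {
					NtlmPasswordAuthentication ntlm = negotiate(
						request, response, false);

					if (ntlm == null) {

						// negotiate() already wrote the 401

						return;
					}

					String remoteUser = _stripDomain(ntlm.getName());

					if (_log.isDebugEnabled()) {
						_log.debug("NTLM remote user " + remoteUser);
					}

					servletRequest.setAttribute(
						WebKeys.NTLM_REMOTE_USER, remoteUser);
				}
			}
		}
		catch (Exception e) {

			// Fail open: no identity is published, so the request reaches
			// the portal as an anonymous one and the regular login applies

			_log.error(
				"NTLM negotiation failed, continuing without an NTLM " +
					"identity",
				e);

			// A 401 may already have been flushed (see _sendUnauthorized);
			// running the chain on a committed response would only fail
			if (servletResponse.isCommitted()) {
				return;
			}
		}

		filterChain.doFilter(servletRequest, servletResponse);
	}

	/**
	 * Completes the NTLM handshake for the current request.
	 *
	 * <p>With an {@code Authorization: NTLM ...} header present, the message
	 * is handed to {@link NtlmSsp#authenticate} together with the domain
	 * controller's challenge and the resulting credentials are validated with
	 * {@link SmbSession#logon} before being cached in the HTTP session.
	 * Without the header, previously validated credentials are served from
	 * the session; if there are none the client is asked to start the
	 * handshake.</p>
	 *
	 * @param  request the current request
	 * @param  response the current response; receives a 401 whenever this
	 *         method returns <code>null</code>
	 * @param  skipAuthentication kept for signature compatibility with the
	 *         jCIFS base class; it is not consulted here
	 * @return the validated credentials, or <code>null</code> when a 401 has
	 *         been written and the client has to continue the handshake
	 * @throws IOException if the domain controller cannot be resolved or
	 *         reached (a rejected logon is NOT reported this way; it yields
	 *         <code>null</code>)
	 * @throws ServletException if no domain controller is configured
	 */
	public NtlmPasswordAuthentication negotiate(
			HttpServletRequest request, HttpServletResponse response,
			boolean skipAuthentication)
		throws IOException, ServletException {

		HttpSession session = request.getSession(false);

		String authorizationHeader = request.getHeader("Authorization");

		if (_log.isDebugEnabled()) {

			// Deliberately not logging the value: a Type 3 message carries
			// the LM/NT responses, which can be cracked offline

			_log.debug(
				"Authorization header present " +
					(authorizationHeader != null));
		}

		if ((authorizationHeader == null) ||
			!authorizationHeader.startsWith("NTLM ")) {

			NtlmPasswordAuthentication cached = null;

			if (session != null) {
				cached = (NtlmPasswordAuthentication)session.getAttribute(
					"NtlmHttpAuth");
			}

			if (cached == null) {
				_sendUnauthorized(response, "NTLM");

				return null;
			}

			return cached;
		}

		// A new handshake invalidates whatever was cached before
		if (session != null) {
			session.removeAttribute("NtlmHttpAuth");
		}

		UniAddress domainController = _getDomainController();

		if (_log.isDebugEnabled()) {
			_log.debug("Address " + domainController);
		}

		byte[] challenge = SmbSession.getChallenge(domainController);

		// NOTE(review): in the jCIFS releases I know, NtlmSsp.authenticate
		// only PARSES the Type 3 message into credentials (and answers a
		// Type 1 with a 401 / Type 2); it does not check them. The jCIFS
		// NtlmHttpFilter follows it with SmbSession.logon, which this
		// filter previously omitted, so a crafted Type 3 naming any user
		// was accepted. The logon below is that missing validation.
		NtlmPasswordAuthentication ntlm = NtlmSsp.authenticate(
			request, response, challenge);

		if (ntlm == null) {

			// authenticate() already wrote the 401

			return null;
		}

		try {
			SmbSession.logon(domainController, ntlm);
		}
		catch (SmbAuthException sae) {
			if (_log.isDebugEnabled()) {
				_log.debug(
					"NTLM logon rejected by the domain controller for " +
						ntlm.getName());
			}

			_sendUnauthorized(response, "NTLM");

			return null;
		}

		// A session is created here if the client had none; the session id
		// is not rotated by this filter. NOTE(review): confirm the portal's
		// login path renews the session, otherwise this is fixation-prone.
		request.getSession(true).setAttribute("NtlmHttpAuth", ntlm);

		if (_log.isDebugEnabled()) {
			_log.debug("NTLM authenticated " + ntlm.getName());
		}

		return ntlm;
	}

	/**
	 * Fills the jCIFS domain controller / domain from the company's portal
	 * preferences when neither is set as a filter init parameter, and
	 * re-runs the jCIFS initialization so the values take effect.
	 *
	 * <p>Caveats inherited from the original design: the jCIFS settings are
	 * JVM-global, so the first company to get here wins for every portal
	 * instance; and while the preferences themselves are unset the
	 * re-initialization repeats on every request.</p>
	 */
	private void _configureDomainController(long companyId)
		throws ServletException {

		String domainController = _filterConfig.getInitParameter(
			"jcifs.http.domainController");
		String domain = _filterConfig.getInitParameter(
			"jcifs.smb.client.domain");

		if ((domainController != null) || (domain != null)) {
			return;
		}

		domainController = PrefsPropsUtil.getString(
			companyId, PropsKeys.NTLM_DOMAIN_CONTROLLER);
		domain = PrefsPropsUtil.getString(companyId, PropsKeys.NTLM_DOMAIN);

		_filterConfig.addInitParameter(
			"jcifs.http.domainController", domainController);
		_filterConfig.addInitParameter("jcifs.smb.client.domain", domain);

		super.init(_filterConfig);

		if (_log.isDebugEnabled()) {
			_log.debug("Host " + domainController);
			_log.debug("Domain " + domain);
		}
	}

	/**
	 * Resolves the configured domain controller.
	 *
	 * @throws ServletException if NTLM is enabled but no
	 *         <code>jcifs.http.domainController</code> is configured, so the
	 *         misconfiguration is reported instead of surfacing as a lookup
	 *         failure on <code>null</code>
	 */
	private UniAddress _getDomainController()
		throws IOException, ServletException {

		String domainController = Config.getProperty(
			"jcifs.http.domainController");

		if (domainController == null) {
			throw new ServletException(
				"NTLM is enabled but jcifs.http.domainController is not " +
					"configured");
		}

		return UniAddress.getByName(domainController, true);
	}

	/**
	 * Answers an NTLM Type 1 message with a 401 carrying a Type 2 challenge.
	 *
	 * @return <code>true</code> if a challenge was sent and the request must
	 *         not proceed, <code>false</code> if the request carries no NTLM
	 *         Type 1 message (absent header, other scheme, truncated blob or
	 *         another message type) and processing should continue
	 */
	private boolean _sendChallenge(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException, ServletException {

		String msg = request.getHeader("Authorization");

		// Require the scheme AND the separating space; the scheme alone
		// ("NTLM") used to blow up in substring(5)
		if ((msg == null) || !msg.startsWith("NTLM ")) {
			return false;
		}

		byte[] src = Base64.decode(msg.substring(5));

		// Byte 8 of an NTLMSSP message is its type; anything shorter is not
		// a message at all and must not be dereferenced
		if ((src.length <= 8) || (src[8] != 1)) {
			return false;
		}

		UniAddress domainController = _getDomainController();

		byte[] challenge = SmbSession.getChallenge(domainController);

		Type1Message type1 = new Type1Message(src);
		Type2Message type2 = new Type2Message(type1, challenge, null);

		_sendUnauthorized(
			response, "NTLM " + Base64.encode(type2.toByteArray()));

		return true;
	}

	/**
	 * Writes an empty 401 with the given <code>WWW-Authenticate</code> value
	 * and flushes it, committing the response.
	 */
	private void _sendUnauthorized(
			HttpServletResponse response, String wwwAuthenticate)
		throws IOException {

		response.setHeader("WWW-Authenticate", wwwAuthenticate);
		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
		response.setContentLength(0);

		response.flushBuffer();
	}

	/**
	 * Reduces <code>DOMAIN\user</code> to <code>user</code>; a name without
	 * a backslash is returned unchanged.
	 *
	 * <p>NOTE(review): dropping the domain means identically named accounts
	 * in different domains the controller trusts map to the same portal
	 * user. Confirm that is intended for this deployment.</p>
	 */
	private String _stripDomain(String remoteUser) {
		int pos = remoteUser.indexOf(StringPool.BACK_SLASH);

		if (pos == -1) {
			return remoteUser;
		}

		return remoteUser.substring(pos + 1);
	}

	private static Log _log = LogFactoryUtil.getLog(NtlmFilter.class);

	private DynamicFilterConfig _filterConfig;

}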