NtlmProcessingFilter (Spring Security 2.0.6.RELEASE API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

Spring Security Framework

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.ui.ntlm
Class NtlmProcessingFilter

java.lang.Object
  org.springframework.security.ui.SpringSecurityFilter
      org.springframework.security.ui.ntlm.NtlmProcessingFilter

All Implemented Interfaces:: Filter, InitializingBean, Ordered

public class NtlmProcessingFilter
extends SpringSecurityFilter
implements InitializingBean
extends SpringSecurityFilter
implements InitializingBean

A clean-room implementation for Spring Security of an NTLM HTTP filter leveraging the JCIFS library.

NTLM is a Microsoft-developed protocol providing single sign-on capabilities to web applications and other integrated applications. It allows a web server to automatically discover the username of a browser client when that client is logged into a Windows domain and is using an NTLM-aware browser. A web application can then reuse the user's Windows credentials without having to ask for them again.

Because NTLM only provides the username of the Windows client, a Spring Security NTLM deployment must have a UserDetailsService that provides a UserDetails object with the empty string as the password and whatever GrantedAuthority values necessary to pass the FilterSecurityInterceptor.

The Spring Security bean configuration file must also place the ExceptionTranslationFilter before this filter in the FilterChainProxy definition.

Version:: $Id$
Author:: Davide Baroncelli, Edward Smith

Field Summary

Fields inherited from interface org.springframework.core.Ordered
`HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE`

Constructor Summary
`NtlmProcessingFilter()`

Method Summary
`void`	`afterPropertiesSet()` Ensures an `AuthenticationManager` and authentication failure URL have been provided in the bean configuration file.
`protected void`	`doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)`
`int`	`getOrder()`
`boolean`	`isForceIdentification()` Returns `true` if NTLM authentication is forced.
`void`	`setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)`
`void`	`setAuthenticationManager(AuthenticationManager authenticationManager)` Sets the `AuthenticationManager` to use.
`void`	`setCachePolicy(String numSeconds)` Sets the `jcifs.netbios.cachePolicy` property to the number of seconds a NetBIOS address is cached by JCIFS.
`void`	`setDefaultDomain(String defaultDomain)` The NT domain against which clients should be authenticated.
`void`	`setDomainController(String domainController)` The IP address of any SMB server that should be used to authenticate HTTP clients.
`void`	`setForceIdentification(boolean forceIdentification)` Sets a flag denoting whether NTLM authentication should be forced.
`void`	`setJcifsProperties(Properties props)` Loads properties starting with "jcifs" into the JCIFS configuration.
`void`	`setLoadBalance(boolean loadBalance)` If the default domain is specified and the domain controller is not specified, then query for domain controllers by name.
`void`	`setNetbiosWINS(String netbiosWINS)` Configures JCIFS to use a WINS server.
`void`	`setRetryOnAuthFailure(boolean retryOnFailure)` Sets a flag denoting whether NTLM should retry whenever authentication fails.
`void`	`setSmbClientPassword(String smbClientPassword)` Sets the SMB client password.
`void`	`setSmbClientSSNLimit(String smbClientSSNLimit)` Sets the SMB client SSN limit.
`void`	`setSmbClientUsername(String smbClientUsername)` Sets the SMB client username.
`void`	`setSoTimeout(String timeout)` Sets the `jcifs.smb.client.soTimeout` property to the timeout value specified in milliseconds.
`void`	`setStripDomain(boolean stripDomain)` Configures `NtlmProcessingFilter` to strip the Windows domain name from the username when set to `true`, which is the default value.

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
`destroy, doFilter, init, toString`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait`

Constructor Detail

NtlmProcessingFilter

public NtlmProcessingFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Ensures an AuthenticationManager and authentication failure URL have been provided in the bean configuration file.

Specified by:: afterPropertiesSet in interface InitializingBean

Throws:: Exception

setAuthenticationManager

public void setAuthenticationManager(AuthenticationManager authenticationManager)

Sets the AuthenticationManager to use.

Parameters:: authenticationManager - the AuthenticationManager to use.

setDefaultDomain

public void setDefaultDomain(String defaultDomain)

The NT domain against which clients should be authenticated. If the SMB client username and password are also set, then preauthentication will be used which is necessary to initialize the SMB signing digest. SMB signatures are required by default on Windows 2003 domain controllers.

Parameters:: defaultDomain - The name of the default domain.

setSmbClientUsername

public void setSmbClientUsername(String smbClientUsername)

Sets the SMB client username.

Parameters:: smbClientUsername - The SMB client username.

setSmbClientPassword

public void setSmbClientPassword(String smbClientPassword)

Sets the SMB client password.

Parameters:: smbClientPassword - The SMB client password.

setSmbClientSSNLimit

public void setSmbClientSSNLimit(String smbClientSSNLimit)

Sets the SMB client SSN limit. When set to 1, every authentication is forced to use a separate transport. This effectively ignores SMB signing requirements, however at the expense of reducing scalability. Preauthentication with a domain, username, and password is the preferred method for working with servers that require signatures.

Parameters:: smbClientSSNLimit - The SMB client SSN limit.

setNetbiosWINS

public void setNetbiosWINS(String netbiosWINS)

Configures JCIFS to use a WINS server. It is preferred to use a WINS server over a specific domain controller. Set this property instead of domainController if there is a WINS server available.

Parameters:: netbiosWINS - The WINS server JCIFS will use.

setDomainController

public void setDomainController(String domainController)

The IP address of any SMB server that should be used to authenticate HTTP clients.

Parameters:: domainController - The IP address of the domain controller.

setLoadBalance

public void setLoadBalance(boolean loadBalance)

If the default domain is specified and the domain controller is not specified, then query for domain controllers by name. When load balance is true, rotate through the list of domain controllers when authenticating users.

Parameters:: loadBalance - The load balance flag value.

setStripDomain

public void setStripDomain(boolean stripDomain)

Configures NtlmProcessingFilter to strip the Windows domain name from the username when set to true, which is the default value.

Parameters:: stripDomain - The strip domain flag value.

setSoTimeout

public void setSoTimeout(String timeout)

Sets the jcifs.smb.client.soTimeout property to the timeout value specified in milliseconds. Defaults to 5 minutes if not specified.

Parameters:: timeout - The milliseconds timeout value.

setCachePolicy

public void setCachePolicy(String numSeconds)

Sets the jcifs.netbios.cachePolicy property to the number of seconds a NetBIOS address is cached by JCIFS. Defaults to 20 minutes if not specified.

Parameters:: numSeconds - The number of seconds a NetBIOS address is cached.

setJcifsProperties

public void setJcifsProperties(Properties props)

Loads properties starting with "jcifs" into the JCIFS configuration. Any other properties are ignored.

Parameters:: props - The JCIFS properties to set.

isForceIdentification

public boolean isForceIdentification()

Returns true if NTLM authentication is forced.

Returns:: true if NTLM authentication is forced.

setForceIdentification

public void setForceIdentification(boolean forceIdentification)

Sets a flag denoting whether NTLM authentication should be forced.

Parameters:: forceIdentification - the force identification flag value to set.

setRetryOnAuthFailure

public void setRetryOnAuthFailure(boolean retryOnFailure)

Sets a flag denoting whether NTLM should retry whenever authentication fails. Retry will occur if the credentials are rejected by the domain controller or if an an AuthenticationCredentialsNotFoundException or InsufficientAuthenticationException is thrown.

Parameters:: retryOnFailure - the retry on failure flag value to set.

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

doFilterHttp

protected void doFilterHttp(HttpServletRequest request,
                            HttpServletResponse response,
                            FilterChain chain)
                     throws IOException,
                            ServletException

Specified by:: doFilterHttp in class SpringSecurityFilter

Throws:: IOException; ServletException

getOrder

public int getOrder()

Specified by:: getOrder in interface Ordered