1 /*
2 * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.net.www.protocol.http;
27
28 import sun.net.www.*;
29 import java.util.Iterator;
30 import java.util.HashMap;
31
32 /**
33 * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate:
34 * headers. It searches among multiple header lines and within each header line
35 * for the best currently supported scheme. It can also return a HeaderParser
36 * containing the challenge data for that particular scheme.
37 *
38 * Some examples:
39 *
40 * WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM
41 * Note the realm parameter must be associated with the particular scheme.
42 *
43 * or
44 *
45 * WWW-Authenticate: Basic realm="foo"
46 * WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
47 * WWW-Authenticate: NTLM
48 *
49 * or
50 *
51 * WWW-Authenticate: Basic realm="foo"
52 * WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN
53 *
54 * The last example shows how NTLM breaks the rules of rfc2617 for the structure of
55 * the authentication header. This is the reason why the raw header field is used for ntlm.
56 *
57 * At present, the class chooses schemes in following order :
58 * 1. Negotiate (if supported)
59 * 2. Kerberos (if supported)
60 * 3. Digest
61 * 4. NTLM (if supported)
62 * 5. Basic
63 *
64 * This choice can be modified by setting a system property:
65 *
66 * -Dhttp.auth.preference="scheme"
67 *
68 * which in this case, specifies that "scheme" should be used as the auth scheme when offered
69 * disregarding the default prioritisation. If scheme is not offered then the default priority
70 * is used.
71 *
72 * Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate
73 * with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate
74 * scheme with GSS/SPNEGO or GSS/Kerberos mechanism.
75 *
76 * This also means that the real "Kerberos" scheme can never be set as a preference.
77 */
78
79 public class AuthenticationHeader {
80
81 MessageHeader rsp; // the response to be parsed
82 HeaderParser preferred;
83 String preferred_r; // raw Strings
84 private final HttpCallerInfo hci; // un-schemed, need check
85
86 static String authPref=null;
87
88 public String toString() {
89 return "AuthenticationHeader: prefer " + preferred_r;
90 }
93 authPref = java.security.AccessController.doPrivileged(
94 new sun.security.action.GetPropertyAction("http.auth.preference"));
95
96 // http.auth.preference can be set to SPNEGO or Kerberos.
97 // In fact they means "Negotiate with SPNEGO" and "Negotiate with
98 // Kerberos" separately, so here they are all translated into
99 // Negotiate. Read NegotiateAuthentication.java to see how they
100 // were used later.
101
102 if (authPref != null) {
103 authPref = authPref.toLowerCase();
104 if(authPref.equals("spnego") || authPref.equals("kerberos")) {
105 authPref = "negotiate";
106 }
107 }
108 }
109
110 String hdrname; // Name of the header to look for
111
112 /**
113 * parse a set of authentication headers and choose the preferred scheme
114 * that we support for a given host
115 */
116 public AuthenticationHeader (String hdrname, MessageHeader response, HttpCallerInfo hci) {
117 this.hci = hci;
118 rsp = response;
119 this.hdrname = hdrname;
120 schemes = new HashMap();
121 parse();
122 }
123
124 public HttpCallerInfo getHttpCallerInfo() {
125 return hci;
126 }
127 /* we build up a map of scheme names mapped to SchemeMapValue objects */
128 static class SchemeMapValue {
129 SchemeMapValue (HeaderParser h, String r) {raw=r; parser=h;}
130 String raw;
131 HeaderParser parser;
132 }
133
134 HashMap schemes;
135
136 /* Iterate through each header line, and then within each line.
137 * If multiple entries exist for a particular scheme (unlikely)
138 * then the last one will be used. The
139 * preferred scheme that we support will be used.
140 */
141 private void parse () {
142 Iterator iter = rsp.multiValueIterator (hdrname);
143 while (iter.hasNext()) {
144 String raw = (String)iter.next();
145 HeaderParser hp = new HeaderParser (raw);
146 Iterator keys = hp.keys();
147 int i, lastSchemeIndex;
148 for (i=0, lastSchemeIndex = -1; keys.hasNext(); i++) {
149 keys.next();
150 if (hp.findValue(i) == null) { /* found a scheme name */
151 if (lastSchemeIndex != -1) {
152 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
153 String scheme = hpn.findKey(0);
154 schemes.put (scheme, new SchemeMapValue (hpn, raw));
155 }
156 lastSchemeIndex = i;
157 }
158 }
159 if (i > lastSchemeIndex) {
160 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
161 String scheme = hpn.findKey(0);
162 schemes.put (scheme, new SchemeMapValue (hpn, raw));
163 }
164 }
165
166 /* choose the best of them, the order is
167 * negotiate -> kerberos -> digest -> ntlm -> basic
168 */
169 SchemeMapValue v = null;
170 if (authPref == null || (v=(SchemeMapValue)schemes.get (authPref)) == null) {
171
172 if(v == null) {
173 SchemeMapValue tmp = (SchemeMapValue)schemes.get("negotiate");
174 if(tmp != null) {
175 if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Negotiate"))) {
176 tmp = null;
177 }
178 v = tmp;
179 }
180 }
181
182 if(v == null) {
183 SchemeMapValue tmp = (SchemeMapValue)schemes.get("kerberos");
184 if(tmp != null) {
185 // the Kerberos scheme is only observed in MS ISA Server. In
186 // fact i think it's a Kerberos-mechnism-only Negotiate.
187 // Since the Kerberos scheme is always accompanied with the
188 // Negotiate scheme, so it seems impossible to reach this
189 // line. Even if the user explicitly set http.auth.preference
190 // as Kerberos, it means Negotiate with Kerberos, and the code
191 // will still tried to use Negotiate at first.
192 //
193 // The only chance this line get executed is that the server
194 // only suggest the Kerberos scheme.
195 if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Kerberos"))) {
196 tmp = null;
197 }
198 v = tmp;
199 }
200 }
201
202 if(v == null) {
203 if ((v=(SchemeMapValue)schemes.get ("digest")) == null) {
204 if (((v=(SchemeMapValue)schemes.get("ntlm"))==null)) {
205 v = (SchemeMapValue)schemes.get ("basic");
206 }
207 }
208 }
209 }
210 if (v != null) {
211 preferred = v.parser;
212 preferred_r = v.raw;;
213 }
214 }
215
216 /**
217 * return a header parser containing the preferred authentication scheme (only).
218 * The preferred scheme is the strongest of the schemes proposed by the server.
219 * The returned HeaderParser will contain the relevant parameters for that scheme
220 */
221 public HeaderParser headerParser() {
222 return preferred;
223 }
224
225 /**
|
1 /*
2 * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.net.www.protocol.http;
27
28 import sun.net.www.*;
29 import java.util.Collections;
30 import java.util.Iterator;
31 import java.util.HashMap;
32 import java.util.Set;
33
34 /**
35 * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate:
36 * headers. It searches among multiple header lines and within each header line
37 * for the best currently supported scheme. It can also return a HeaderParser
38 * containing the challenge data for that particular scheme.
39 *
40 * Some examples:
41 *
42 * WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM
43 * Note the realm parameter must be associated with the particular scheme.
44 *
45 * or
46 *
47 * WWW-Authenticate: Basic realm="foo"
48 * WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
49 * WWW-Authenticate: NTLM
50 *
51 * or
52 *
53 * WWW-Authenticate: Basic realm="foo"
54 * WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN
55 *
56 * The last example shows how NTLM breaks the rules of rfc2617 for the structure of
57 * the authentication header. This is the reason why the raw header field is used for ntlm.
58 *
59 * At present, the class chooses schemes in following order :
60 * 1. Negotiate (if supported)
61 * 2. Kerberos (if supported)
62 * 3. Digest
63 * 4. NTLM (if supported)
64 * 5. Basic
65 *
66 * This choice can be modified by setting a system property:
67 *
68 * -Dhttp.auth.preference="scheme"
69 *
70 * which in this case, specifies that "scheme" should be used as the auth scheme when offered
71 * disregarding the default prioritisation. If scheme is not offered, or explicitly
72 * disabled, by {@code disabledSchemes}, then the default priority is used.
73 *
74 * Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate
75 * with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate
76 * scheme with GSS/SPNEGO or GSS/Kerberos mechanism.
77 *
78 * This also means that the real "Kerberos" scheme can never be set as a preference.
79 */
80
81 public class AuthenticationHeader {
82
83 MessageHeader rsp; // the response to be parsed
84 HeaderParser preferred;
85 String preferred_r; // raw Strings
86 private final HttpCallerInfo hci; // un-schemed, need check
87
88 static String authPref=null;
89
90 public String toString() {
91 return "AuthenticationHeader: prefer " + preferred_r;
92 }
95 authPref = java.security.AccessController.doPrivileged(
96 new sun.security.action.GetPropertyAction("http.auth.preference"));
97
98 // http.auth.preference can be set to SPNEGO or Kerberos.
99 // In fact they means "Negotiate with SPNEGO" and "Negotiate with
100 // Kerberos" separately, so here they are all translated into
101 // Negotiate. Read NegotiateAuthentication.java to see how they
102 // were used later.
103
104 if (authPref != null) {
105 authPref = authPref.toLowerCase();
106 if(authPref.equals("spnego") || authPref.equals("kerberos")) {
107 authPref = "negotiate";
108 }
109 }
110 }
111
112 String hdrname; // Name of the header to look for
113
114 /**
115 * Parses a set of authentication headers and chooses the preferred scheme
116 * that is supported for a given host.
117 */
118 public AuthenticationHeader (String hdrname, MessageHeader response, HttpCallerInfo hci) {
119 this(hdrname, response, hci, Collections.<String>emptySet());
120 }
121
122 /**
123 * Parses a set of authentication headers and chooses the preferred scheme
124 * that is supported for a given host.
125 *
126 * <p> The {@code disabledSchemes} parameter is a, possibly empty, set of
127 * authentication schemes that are disabled.
128 */
129 public AuthenticationHeader(String hdrname,
130 MessageHeader response,
131 HttpCallerInfo hci,
132 Set<String> disabledSchemes) {
133 this.hci = hci;
134 this.rsp = response;
135 this.hdrname = hdrname;
136 this.schemes = new HashMap<String,SchemeMapValue>();
137 parse(disabledSchemes);
138 }
139
140 public HttpCallerInfo getHttpCallerInfo() {
141 return hci;
142 }
143 /* we build up a map of scheme names mapped to SchemeMapValue objects */
144 static class SchemeMapValue {
145 SchemeMapValue (HeaderParser h, String r) {raw=r; parser=h;}
146 String raw;
147 HeaderParser parser;
148 }
149
150 HashMap<String, SchemeMapValue> schemes;
151
152 /* Iterate through each header line, and then within each line.
153 * If multiple entries exist for a particular scheme (unlikely)
154 * then the last one will be used. The
155 * preferred scheme that we support will be used.
156 */
157 private void parse(Set<String> disabledSchemes) {
158 Iterator<String> iter = rsp.multiValueIterator(hdrname);
159 while (iter.hasNext()) {
160 String raw = iter.next();
161 // HeaderParser lower cases everything, so can be used case-insensitively
162 HeaderParser hp = new HeaderParser(raw);
163 Iterator<String> keys = hp.keys();
164 int i, lastSchemeIndex;
165 for (i=0, lastSchemeIndex = -1; keys.hasNext(); i++) {
166 keys.next();
167 if (hp.findValue(i) == null) { /* found a scheme name */
168 if (lastSchemeIndex != -1) {
169 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
170 String scheme = hpn.findKey(0);
171 if (!disabledSchemes.contains(scheme))
172 schemes.put (scheme, new SchemeMapValue (hpn, raw));
173 }
174 lastSchemeIndex = i;
175 }
176 }
177 if (i > lastSchemeIndex) {
178 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
179 String scheme = hpn.findKey(0);
180 if (!disabledSchemes.contains(scheme))
181 schemes.put(scheme, new SchemeMapValue (hpn, raw));
182 }
183 }
184
185 /* choose the best of them, the order is
186 * negotiate -> kerberos -> digest -> ntlm -> basic
187 */
188 SchemeMapValue v = null;
189 if (authPref == null || (v=schemes.get (authPref)) == null) {
190
191 if(v == null) {
192 SchemeMapValue tmp = schemes.get("negotiate");
193 if(tmp != null) {
194 if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Negotiate"))) {
195 tmp = null;
196 }
197 v = tmp;
198 }
199 }
200
201 if(v == null) {
202 SchemeMapValue tmp = schemes.get("kerberos");
203 if(tmp != null) {
204 // the Kerberos scheme is only observed in MS ISA Server. In
205 // fact i think it's a Kerberos-mechnism-only Negotiate.
206 // Since the Kerberos scheme is always accompanied with the
207 // Negotiate scheme, so it seems impossible to reach this
208 // line. Even if the user explicitly set http.auth.preference
209 // as Kerberos, it means Negotiate with Kerberos, and the code
210 // will still tried to use Negotiate at first.
211 //
212 // The only chance this line get executed is that the server
213 // only suggest the Kerberos scheme.
214 if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Kerberos"))) {
215 tmp = null;
216 }
217 v = tmp;
218 }
219 }
220
221 if(v == null) {
222 if ((v=schemes.get ("digest")) == null) {
223 if (((v=schemes.get("ntlm"))==null)) {
224 v = schemes.get ("basic");
225 }
226 }
227 }
228 }
229 if (v != null) {
230 preferred = v.parser;
231 preferred_r = v.raw;;
232 }
233 }
234
235 /**
236 * return a header parser containing the preferred authentication scheme (only).
237 * The preferred scheme is the strongest of the schemes proposed by the server.
238 * The returned HeaderParser will contain the relevant parameters for that scheme
239 */
240 public HeaderParser headerParser() {
241 return preferred;
242 }
243
244 /**
|