< prev index next >

src/share/classes/sun/net/www/protocol/http/AuthenticationHeader.java

Print this page
rev 1564 : 7090158: Networking Libraries don't build with javac -Werror
7125055: ContentHandler.getContent API changed in error
Summary: Minor changes to networking java files to remove warnings
Reviewed-by: chegar, weijun, hawtin, alanb
Contributed-by: kurchi.subhra.hazra@oracle.com, sasha_bu@hotmail.com
rev 1572 : 8160838: Better HTTP service
Reviewed-by: ahgross, alanb, michaelm
   1 /*
   2  * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.net.www.protocol.http;
  27 
  28 import sun.net.www.*;

  29 import java.util.Iterator;
  30 import java.util.HashMap;

  31 
  32 /**
  33  * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate:
  34  * headers. It searches among multiple header lines and within each header line
  35  * for the best currently supported scheme. It can also return a HeaderParser
  36  * containing the challenge data for that particular scheme.
  37  *
  38  * Some examples:
  39  *
  40  * WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM
  41  *  Note the realm parameter must be associated with the particular scheme.
  42  *
  43  * or
  44  *
  45  * WWW-Authenticate: Basic realm="foo"
  46  * WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
  47  * WWW-Authenticate: NTLM
  48  *
  49  * or
  50  *
  51  * WWW-Authenticate: Basic realm="foo"
  52  * WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN
  53  *
  54  * The last example shows how NTLM breaks the rules of rfc2617 for the structure of
  55  * the authentication header. This is the reason why the raw header field is used for ntlm.
  56  *
  57  * At present, the class chooses schemes in following order :
  58  *      1. Negotiate (if supported)
  59  *      2. Kerberos (if supported)
  60  *      3. Digest
  61  *      4. NTLM (if supported)
  62  *      5. Basic
  63  *
  64  * This choice can be modified by setting a system property:
  65  *
  66  *      -Dhttp.auth.preference="scheme"
  67  *
  68  * which in this case, specifies that "scheme" should be used as the auth scheme when offered
  69  * disregarding the default prioritisation. If scheme is not offered then the default priority
  70  * is used.
  71  *
  72  * Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate
  73  * with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate
  74  * scheme with GSS/SPNEGO or GSS/Kerberos mechanism.
  75  *
  76  * This also means that the real "Kerberos" scheme can never be set as a preference.
  77  */
  78 
  79 public class AuthenticationHeader {
  80 
  81     MessageHeader rsp; // the response to be parsed
  82     HeaderParser preferred;
  83     String preferred_r; // raw Strings
  84     private final HttpCallerInfo hci;   // un-schemed, need check
  85 
  86     static String authPref=null;
  87 
  88     public String toString() {
  89         return "AuthenticationHeader: prefer " + preferred_r;
  90     }


  93         authPref = java.security.AccessController.doPrivileged(
  94             new sun.security.action.GetPropertyAction("http.auth.preference"));
  95 
  96         // http.auth.preference can be set to SPNEGO or Kerberos.
  97         // In fact they means "Negotiate with SPNEGO" and "Negotiate with
  98         // Kerberos" separately, so here they are all translated into
  99         // Negotiate. Read NegotiateAuthentication.java to see how they
 100         // were used later.
 101 
 102         if (authPref != null) {
 103             authPref = authPref.toLowerCase();
 104             if(authPref.equals("spnego") || authPref.equals("kerberos")) {
 105                 authPref = "negotiate";
 106             }
 107         }
 108     }
 109 
 110     String hdrname; // Name of the header to look for
 111 
 112     /**
 113      * parse a set of authentication headers and choose the preferred scheme
 114      * that we support for a given host
 115      */
 116     public AuthenticationHeader (String hdrname, MessageHeader response, HttpCallerInfo hci) {














 117         this.hci = hci;
 118         rsp = response;
 119         this.hdrname = hdrname;
 120         schemes = new HashMap();
 121         parse();
 122     }
 123 
 124     public HttpCallerInfo getHttpCallerInfo() {
 125         return hci;
 126     }
 127     /* we build up a map of scheme names mapped to SchemeMapValue objects */
 128     static class SchemeMapValue {
 129         SchemeMapValue (HeaderParser h, String r) {raw=r; parser=h;}
 130         String raw;
 131         HeaderParser parser;
 132     }
 133 
 134     HashMap schemes;
 135 
 136     /* Iterate through each header line, and then within each line.
 137      * If multiple entries exist for a particular scheme (unlikely)
 138      * then the last one will be used. The
 139      * preferred scheme that we support will be used.
 140      */
 141     private void parse () {
 142         Iterator iter = rsp.multiValueIterator (hdrname);
 143         while (iter.hasNext()) {
 144             String raw = (String)iter.next();
 145             HeaderParser hp = new HeaderParser (raw);
 146             Iterator keys = hp.keys();

 147             int i, lastSchemeIndex;
 148             for (i=0, lastSchemeIndex = -1; keys.hasNext(); i++) {
 149                 keys.next();
 150                 if (hp.findValue(i) == null) { /* found a scheme name */
 151                     if (lastSchemeIndex != -1) {
 152                         HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 153                         String scheme = hpn.findKey(0);

 154                         schemes.put (scheme, new SchemeMapValue (hpn, raw));
 155                     }
 156                     lastSchemeIndex = i;
 157                 }
 158             }
 159             if (i > lastSchemeIndex) {
 160                 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 161                 String scheme = hpn.findKey(0);
 162                 schemes.put (scheme, new SchemeMapValue (hpn, raw));

 163             }
 164         }
 165 
 166         /* choose the best of them, the order is
 167          * negotiate -> kerberos -> digest -> ntlm -> basic
 168          */
 169         SchemeMapValue v = null;
 170         if (authPref == null || (v=(SchemeMapValue)schemes.get (authPref)) == null) {
 171 
 172             if(v == null) {
 173                 SchemeMapValue tmp = (SchemeMapValue)schemes.get("negotiate");
 174                 if(tmp != null) {
 175                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Negotiate"))) {
 176                         tmp = null;
 177                     }
 178                     v = tmp;
 179                 }
 180             }
 181 
 182             if(v == null) {
 183                 SchemeMapValue tmp = (SchemeMapValue)schemes.get("kerberos");
 184                 if(tmp != null) {
 185                     // the Kerberos scheme is only observed in MS ISA Server. In
 186                     // fact i think it's a Kerberos-mechnism-only Negotiate.
 187                     // Since the Kerberos scheme is always accompanied with the
 188                     // Negotiate scheme, so it seems impossible to reach this
 189                     // line. Even if the user explicitly set http.auth.preference
 190                     // as Kerberos, it means Negotiate with Kerberos, and the code
 191                     // will still tried to use Negotiate at first.
 192                     //
 193                     // The only chance this line get executed is that the server
 194                     // only suggest the Kerberos scheme.
 195                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Kerberos"))) {
 196                         tmp = null;
 197                     }
 198                     v = tmp;
 199                 }
 200             }
 201 
 202             if(v == null) {
 203                 if ((v=(SchemeMapValue)schemes.get ("digest")) == null) {
 204                     if (((v=(SchemeMapValue)schemes.get("ntlm"))==null)) {
 205                         v = (SchemeMapValue)schemes.get ("basic");
 206                     }
 207                 }
 208             }
 209         }
 210         if (v != null) {
 211             preferred = v.parser;
 212             preferred_r = v.raw;;
 213         }
 214     }
 215 
 216     /**
 217      * return a header parser containing the preferred authentication scheme (only).
 218      * The preferred scheme is the strongest of the schemes proposed by the server.
 219      * The returned HeaderParser will contain the relevant parameters for that scheme
 220      */
 221     public HeaderParser headerParser() {
 222         return preferred;
 223     }
 224 
 225     /**


   1 /*
   2  * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.net.www.protocol.http;
  27 
  28 import sun.net.www.*;
  29 import java.util.Collections;
  30 import java.util.Iterator;
  31 import java.util.HashMap;
  32 import java.util.Set;
  33 
  34 /**
  35  * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate:
  36  * headers. It searches among multiple header lines and within each header line
  37  * for the best currently supported scheme. It can also return a HeaderParser
  38  * containing the challenge data for that particular scheme.
  39  *
  40  * Some examples:
  41  *
  42  * WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM
  43  *  Note the realm parameter must be associated with the particular scheme.
  44  *
  45  * or
  46  *
  47  * WWW-Authenticate: Basic realm="foo"
  48  * WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
  49  * WWW-Authenticate: NTLM
  50  *
  51  * or
  52  *
  53  * WWW-Authenticate: Basic realm="foo"
  54  * WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN
  55  *
  56  * The last example shows how NTLM breaks the rules of rfc2617 for the structure of
  57  * the authentication header. This is the reason why the raw header field is used for ntlm.
  58  *
  59  * At present, the class chooses schemes in following order :
  60  *      1. Negotiate (if supported)
  61  *      2. Kerberos (if supported)
  62  *      3. Digest
  63  *      4. NTLM (if supported)
  64  *      5. Basic
  65  *
  66  * This choice can be modified by setting a system property:
  67  *
  68  *      -Dhttp.auth.preference="scheme"
  69  *
  70  * which in this case, specifies that "scheme" should be used as the auth scheme when offered
  71  * disregarding the default prioritisation. If scheme is not offered, or explicitly
  72  * disabled, by {@code disabledSchemes}, then the default priority is used.
  73  *
  74  * Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate
  75  * with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate
  76  * scheme with GSS/SPNEGO or GSS/Kerberos mechanism.
  77  *
  78  * This also means that the real "Kerberos" scheme can never be set as a preference.
  79  */
  80 
  81 public class AuthenticationHeader {
  82 
  83     MessageHeader rsp; // the response to be parsed
  84     HeaderParser preferred;
  85     String preferred_r; // raw Strings
  86     private final HttpCallerInfo hci;   // un-schemed, need check
  87 
  88     static String authPref=null;
  89 
  90     public String toString() {
  91         return "AuthenticationHeader: prefer " + preferred_r;
  92     }


  95         authPref = java.security.AccessController.doPrivileged(
  96             new sun.security.action.GetPropertyAction("http.auth.preference"));
  97 
  98         // http.auth.preference can be set to SPNEGO or Kerberos.
  99         // In fact they means "Negotiate with SPNEGO" and "Negotiate with
 100         // Kerberos" separately, so here they are all translated into
 101         // Negotiate. Read NegotiateAuthentication.java to see how they
 102         // were used later.
 103 
 104         if (authPref != null) {
 105             authPref = authPref.toLowerCase();
 106             if(authPref.equals("spnego") || authPref.equals("kerberos")) {
 107                 authPref = "negotiate";
 108             }
 109         }
 110     }
 111 
 112     String hdrname; // Name of the header to look for
 113 
 114     /**
 115      * Parses a set of authentication headers and chooses the preferred scheme
 116      * that is supported for a given host.
 117      */
 118     public AuthenticationHeader (String hdrname, MessageHeader response, HttpCallerInfo hci) {
 119         this(hdrname, response, hci, Collections.<String>emptySet());
 120     }
 121 
 122     /**
 123      * Parses a set of authentication headers and chooses the preferred scheme
 124      * that is supported for a given host.
 125      *
 126      * <p> The {@code disabledSchemes} parameter is a, possibly empty, set of
 127      * authentication schemes that are disabled.
 128      */
 129     public AuthenticationHeader(String hdrname,
 130                                 MessageHeader response,
 131                                 HttpCallerInfo hci,
 132                                 Set<String> disabledSchemes) {
 133         this.hci = hci;
 134         this.rsp = response;
 135         this.hdrname = hdrname;
 136         this.schemes = new HashMap<String,SchemeMapValue>();
 137         parse(disabledSchemes);
 138     }
 139 
 140     public HttpCallerInfo getHttpCallerInfo() {
 141         return hci;
 142     }
 143     /* we build up a map of scheme names mapped to SchemeMapValue objects */
 144     static class SchemeMapValue {
 145         SchemeMapValue (HeaderParser h, String r) {raw=r; parser=h;}
 146         String raw;
 147         HeaderParser parser;
 148     }
 149 
 150     HashMap<String, SchemeMapValue> schemes;
 151 
 152     /* Iterate through each header line, and then within each line.
 153      * If multiple entries exist for a particular scheme (unlikely)
 154      * then the last one will be used. The
 155      * preferred scheme that we support will be used.
 156      */
 157     private void parse(Set<String> disabledSchemes) {
 158         Iterator<String> iter = rsp.multiValueIterator(hdrname);
 159         while (iter.hasNext()) {
 160             String raw = iter.next();
 161             // HeaderParser lower cases everything, so can be used case-insensitively
 162             HeaderParser hp = new HeaderParser(raw);
 163             Iterator<String> keys = hp.keys();
 164             int i, lastSchemeIndex;
 165             for (i=0, lastSchemeIndex = -1; keys.hasNext(); i++) {
 166                 keys.next();
 167                 if (hp.findValue(i) == null) { /* found a scheme name */
 168                     if (lastSchemeIndex != -1) {
 169                         HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 170                         String scheme = hpn.findKey(0);
 171                         if (!disabledSchemes.contains(scheme))
 172                             schemes.put (scheme, new SchemeMapValue (hpn, raw));
 173                     }
 174                     lastSchemeIndex = i;
 175                 }
 176             }
 177             if (i > lastSchemeIndex) {
 178                 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 179                 String scheme = hpn.findKey(0);
 180                 if (!disabledSchemes.contains(scheme))
 181                     schemes.put(scheme, new SchemeMapValue (hpn, raw));
 182             }
 183         }
 184 
 185         /* choose the best of them, the order is
 186          * negotiate -> kerberos -> digest -> ntlm -> basic
 187          */
 188         SchemeMapValue v = null;
 189         if (authPref == null || (v=schemes.get (authPref)) == null) {
 190 
 191             if(v == null) {
 192                 SchemeMapValue tmp = schemes.get("negotiate");
 193                 if(tmp != null) {
 194                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Negotiate"))) {
 195                         tmp = null;
 196                     }
 197                     v = tmp;
 198                 }
 199             }
 200 
 201             if(v == null) {
 202                 SchemeMapValue tmp = schemes.get("kerberos");
 203                 if(tmp != null) {
 204                     // the Kerberos scheme is only observed in MS ISA Server. In
 205                     // fact i think it's a Kerberos-mechnism-only Negotiate.
 206                     // Since the Kerberos scheme is always accompanied with the
 207                     // Negotiate scheme, so it seems impossible to reach this
 208                     // line. Even if the user explicitly set http.auth.preference
 209                     // as Kerberos, it means Negotiate with Kerberos, and the code
 210                     // will still tried to use Negotiate at first.
 211                     //
 212                     // The only chance this line get executed is that the server
 213                     // only suggest the Kerberos scheme.
 214                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Kerberos"))) {
 215                         tmp = null;
 216                     }
 217                     v = tmp;
 218                 }
 219             }
 220 
 221             if(v == null) {
 222                 if ((v=schemes.get ("digest")) == null) {
 223                     if (((v=schemes.get("ntlm"))==null)) {
 224                         v = schemes.get ("basic");
 225                     }
 226                 }
 227             }
 228         }
 229         if (v != null) {
 230             preferred = v.parser;
 231             preferred_r = v.raw;;
 232         }
 233     }
 234 
 235     /**
 236      * return a header parser containing the preferred authentication scheme (only).
 237      * The preferred scheme is the strongest of the schemes proposed by the server.
 238      * The returned HeaderParser will contain the relevant parameters for that scheme
 239      */
 240     public HeaderParser headerParser() {
 241         return preferred;
 242     }
 243 
 244     /**


< prev index next >