1 /*
   2  * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.net.www.protocol.http;
  27 
  28 import sun.net.www.*;
  29 import java.util.Iterator;
  30 import java.util.HashMap;
  31 
  32 /**
  33  * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate:
  34  * headers. It searches among multiple header lines and within each header line
  35  * for the best currently supported scheme. It can also return a HeaderParser
  36  * containing the challenge data for that particular scheme.
  37  *
  38  * Some examples:
  39  *
  40  * WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM
  41  *  Note the realm parameter must be associated with the particular scheme.
  42  *
  43  * or
  44  *
  45  * WWW-Authenticate: Basic realm="foo"
  46  * WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
  47  * WWW-Authenticate: NTLM
  48  *
  49  * or
  50  *
  51  * WWW-Authenticate: Basic realm="foo"
  52  * WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN
  53  *
  54  * The last example shows how NTLM breaks the rules of rfc2617 for the structure of
  55  * the authentication header. This is the reason why the raw header field is used for ntlm.
  56  *
  57  * At present, the class chooses schemes in following order :
  58  *      1. Negotiate (if supported)
  59  *      2. Kerberos (if supported)
  60  *      3. Digest
  61  *      4. NTLM (if supported)
  62  *      5. Basic
  63  *
  64  * This choice can be modified by setting a system property:
  65  *
  66  *      -Dhttp.auth.preference="scheme"
  67  *
  68  * which in this case, specifies that "scheme" should be used as the auth scheme when offered
  69  * disregarding the default prioritisation. If scheme is not offered then the default priority
  70  * is used.
  71  *
  72  * Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate
  73  * with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate
  74  * scheme with GSS/SPNEGO or GSS/Kerberos mechanism.
  75  *
  76  * This also means that the real "Kerberos" scheme can never be set as a preference.
  77  */
  78 
  79 public class AuthenticationHeader {
  80 
  81     MessageHeader rsp; // the response to be parsed
  82     HeaderParser preferred;
  83     String preferred_r; // raw Strings
  84     private final HttpCallerInfo hci;   // un-schemed, need check
  85 
  86     // When set true, do not use Negotiate even if the response
  87     // headers suggest so.
  88     boolean dontUseNegotiate = false;
  89     static String authPref=null;
  90 
  91     public String toString() {
  92         return "AuthenticationHeader: prefer " + preferred_r;
  93     }
  94 
  95     static {
  96         authPref = java.security.AccessController.doPrivileged(
  97             new sun.security.action.GetPropertyAction("http.auth.preference"));
  98 
  99         // http.auth.preference can be set to SPNEGO or Kerberos.
 100         // In fact they means "Negotiate with SPNEGO" and "Negotiate with
 101         // Kerberos" separately, so here they are all translated into
 102         // Negotiate. Read NegotiateAuthentication.java to see how they
 103         // were used later.
 104 
 105         if (authPref != null) {
 106             authPref = authPref.toLowerCase();
 107             if(authPref.equals("spnego") || authPref.equals("kerberos")) {
 108                 authPref = "negotiate";
 109             }
 110         }
 111     }
 112 
 113     String hdrname; // Name of the header to look for
 114 
 115     /**
 116      * parse a set of authentication headers and choose the preferred scheme
 117      * that we support for a given host
 118      */
 119     public AuthenticationHeader (String hdrname, MessageHeader response,
 120             HttpCallerInfo hci, boolean dontUseNegotiate) {
 121         this.hci = hci;
 122         this.dontUseNegotiate = dontUseNegotiate;
 123         rsp = response;
 124         this.hdrname = hdrname;
 125         schemes = new HashMap<>();
 126         parse();
 127     }
 128 
 129     public HttpCallerInfo getHttpCallerInfo() {
 130         return hci;
 131     }
 132     /* we build up a map of scheme names mapped to SchemeMapValue objects */
 133     static class SchemeMapValue {
 134         SchemeMapValue (HeaderParser h, String r) {raw=r; parser=h;}
 135         String raw;
 136         HeaderParser parser;
 137     }
 138 
 139     HashMap<String, SchemeMapValue> schemes;
 140 
 141     /* Iterate through each header line, and then within each line.
 142      * If multiple entries exist for a particular scheme (unlikely)
 143      * then the last one will be used. The
 144      * preferred scheme that we support will be used.
 145      */
 146     private void parse () {
 147         Iterator<String> iter = rsp.multiValueIterator(hdrname);
 148         while (iter.hasNext()) {
 149             String raw = iter.next();
 150             HeaderParser hp = new HeaderParser(raw);
 151             Iterator<String> keys = hp.keys();
 152             int i, lastSchemeIndex;
 153             for (i=0, lastSchemeIndex = -1; keys.hasNext(); i++) {
 154                 keys.next();
 155                 if (hp.findValue(i) == null) { /* found a scheme name */
 156                     if (lastSchemeIndex != -1) {
 157                         HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 158                         String scheme = hpn.findKey(0);
 159                         schemes.put (scheme, new SchemeMapValue (hpn, raw));
 160                     }
 161                     lastSchemeIndex = i;
 162                 }
 163             }
 164             if (i > lastSchemeIndex) {
 165                 HeaderParser hpn = hp.subsequence (lastSchemeIndex, i);
 166                 String scheme = hpn.findKey(0);
 167                 schemes.put(scheme, new SchemeMapValue (hpn, raw));
 168             }
 169         }
 170 
 171         /* choose the best of them, the order is
 172          * negotiate -> kerberos -> digest -> ntlm -> basic
 173          */
 174         SchemeMapValue v = null;
 175         if (authPref == null || (v=schemes.get (authPref)) == null) {
 176 
 177             if(v == null && !dontUseNegotiate) {
 178                 SchemeMapValue tmp = schemes.get("negotiate");
 179                 if(tmp != null) {
 180                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Negotiate"))) {
 181                         tmp = null;
 182                     }
 183                     v = tmp;
 184                 }
 185             }
 186 
 187             if(v == null && !dontUseNegotiate) {
 188                 SchemeMapValue tmp = schemes.get("kerberos");
 189                 if(tmp != null) {
 190                     // the Kerberos scheme is only observed in MS ISA Server. In
 191                     // fact i think it's a Kerberos-mechnism-only Negotiate.
 192                     // Since the Kerberos scheme is always accompanied with the
 193                     // Negotiate scheme, so it seems impossible to reach this
 194                     // line. Even if the user explicitly set http.auth.preference
 195                     // as Kerberos, it means Negotiate with Kerberos, and the code
 196                     // will still tried to use Negotiate at first.
 197                     //
 198                     // The only chance this line get executed is that the server
 199                     // only suggest the Kerberos scheme.
 200                     if(hci == null || !NegotiateAuthentication.isSupported(new HttpCallerInfo(hci, "Kerberos"))) {
 201                         tmp = null;
 202                     }
 203                     v = tmp;
 204                 }
 205             }
 206 
 207             if(v == null) {
 208                 if ((v=schemes.get ("digest")) == null) {
 209                     if (!NTLMAuthenticationProxy.supported
 210                         || ((v=schemes.get("ntlm"))==null)) {
 211                         v = schemes.get ("basic");
 212                     }
 213                 }
 214             }
 215         } else {    // authPref != null && it's found in reponses'
 216             if (dontUseNegotiate && authPref.equals("negotiate")) {
 217                 v = null;
 218             }
 219         }
 220 
 221         if (v != null) {
 222             preferred = v.parser;
 223             preferred_r = v.raw;
 224         }
 225     }
 226 
 227     /**
 228      * return a header parser containing the preferred authentication scheme (only).
 229      * The preferred scheme is the strongest of the schemes proposed by the server.
 230      * The returned HeaderParser will contain the relevant parameters for that scheme
 231      */
 232     public HeaderParser headerParser() {
 233         return preferred;
 234     }
 235 
 236     /**
 237      * return the name of the preferred scheme
 238      */
 239     public String scheme() {
 240         if (preferred != null) {
 241             return preferred.findKey(0);
 242         } else {
 243             return null;
 244         }
 245     }
 246 
 247     /* return the raw header field for the preferred/chosen scheme */
 248 
 249     public String raw () {
 250         return preferred_r;
 251     }
 252 
 253     /**
 254      * returns true is the header exists and contains a recognised scheme
 255      */
 256     public boolean isPresent () {
 257         return preferred != null;
 258     }
 259 }