org.apache.commons.httpclient.auth.AuthenticationException Java Examples

/**
 * Authenticating requests with SPNEGO means that a request will execute before the client is sure that the
 * server is mutually authenticated. This means that, at best, if mutual auth is requested, the client cannot
 * trust that the server is giving accurate information, or in the case that the client has already sent data,
 * further communication with the server should not happen.
 * @param returnChallenge The Negotiate challenge from the response headers of a successful executed request
 * @throws AuthenticationException If the response header does not allow for mutual authentication to be established.
 */
public void ensureMutualAuth(String returnChallenge) throws AuthenticationException {
    try {
        processChallenge(returnChallenge);
    } catch (MalformedChallengeException mce) {
        throw new AuthenticationException("Received invalid response header for mutual authentication", mce);
    }
    try {
        String token = getNegotiateToken();
        if (!spnegoNegotiator.established() || token != null) {
            throw new AuthenticationException("Could not complete SPNEGO Authentication, Mutual Authentication Failed");
        }
    } catch (GSSException gsse) {
        throw new AuthenticationException("Could not complete SPNEGO Authentication", gsse);
    }
}
 

/** Constructor to use when message contents are known */
NTLMMessage(String messageBody, int expectedType) throws AuthenticationException {
    messageContents = Base64.decodeBase64(EncodingUtils.getBytes(messageBody,
            DEFAULT_CHARSET));
    // Look for NTLM message
    if (messageContents.length < SIGNATURE.length) {
        throw new AuthenticationException("NTLM message decoding error - packet too short");
    }
    int i = 0;
    while (i < SIGNATURE.length) {
        if (messageContents[i] != SIGNATURE[i]) {
            throw new AuthenticationException(
                    "NTLM message expected - instead got unrecognized bytes");
        }
        i++;
    }

    // Check to be sure there's a type 2 message indicator next
    int type = readULong(SIGNATURE.length);
    if (type != expectedType) {
        throw new AuthenticationException("NTLM type " + Integer.toString(expectedType)
                + " message expected - instead got type " + Integer.toString(type));
    }

    currentOutputPosition = messageContents.length;
}
 

/**
 * Creates the negotiator if it is not yet created, or does nothing if the negotiator is already initialized.
 * @param requestURI request being authenticated
 * @param spnegoCredentials The user and service principals
 * @throws UnknownHostException If the service principal is host based, and if the request URI cannot be resolved to a FQDN
 * @throws AuthenticationException If the service principal is malformed
 * @throws GSSException If the negotiator cannot be created.
 */
private void initializeNegotiator(URI requestURI, SpnegoCredentials spnegoCredentials) throws UnknownHostException, AuthenticationException, GSSException {
    // Initialize negotiator
    if (spnegoNegotiator == null) {
        // Determine host principal
        String servicePrincipal = spnegoCredentials.getServicePrincipalName();
        if (spnegoCredentials.getServicePrincipalName().contains(HOSTNAME_PATTERN)) {
            String fqdn = getFQDN(requestURI);
            String[] components = spnegoCredentials.getServicePrincipalName().split("[/@]");
            if (components.length != 3 || !components[1].equals(HOSTNAME_PATTERN)) {
                throw new AuthenticationException("Malformed service principal name [" + spnegoCredentials.getServicePrincipalName()
                        + "]. To use host substitution, the principal must be of the format [serviceName/[email protected]].");
            }
            servicePrincipal = components[0] + "/" + fqdn.toLowerCase() + "@" + components[2];
        }
        User userInfo = spnegoCredentials.getUserProvider().getUser();
        KerberosPrincipal principal = userInfo.getKerberosPrincipal();
        if (principal == null) {
            throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on currently logged in user.");
        }
        spnegoNegotiator = new SpnegoNegotiator(principal.getName(), servicePrincipal);
    }
}
 

/**
 * Implementation method for authentication
 */
private String authenticate(Credentials credentials) throws AuthenticationException {
    if (!(credentials instanceof EsApiKeyCredentials)) {
        throw new AuthenticationException("Incorrect credentials type provided. Expected [" + EsApiKeyCredentials.class.getName()
                + "] but got [" + credentials.getClass().getName() + "]");
    }

    EsApiKeyCredentials esApiKeyCredentials = ((EsApiKeyCredentials) credentials);
    String authString = null;

    if (esApiKeyCredentials.getToken() != null && StringUtils.hasText(esApiKeyCredentials.getToken().getName())) {
        EsToken token = esApiKeyCredentials.getToken();
        String keyComponents = token.getId() + ":" + token.getApiKey();
        byte[] base64Encoded = Base64.encodeBase64(keyComponents.getBytes(StringUtils.UTF_8));
        String tokenText = new String(base64Encoded, StringUtils.UTF_8);
        authString = EsHadoopAuthPolicies.APIKEY + " " + tokenText;
    }

    return authString;
}
 

public String generateType3Msg(
        final String username,
        final String password,
        final String domain,
        final String workstation,
        final String challenge) throws AuthenticationException {
    Type2Message t2m = new Type2Message(challenge);
    return getType3Message(
            username,
            password,
            workstation,
            domain,
            t2m.getChallenge(),
            t2m.getFlags(),
            t2m.getTarget(),
            t2m.getTargetInfo());
}
 

/** Calculate the NTLMv2Blob */
public byte[] getNTLMv2Blob()
        throws AuthenticationException {
    if (ntlmv2Blob == null) {
        ntlmv2Blob = createBlob(getClientChallenge(), targetInformation, getTimestamp());
    }
    return ntlmv2Blob;
}
 

/** Calculate and return the NTLMHash */
public byte[] getNTLMHash()
        throws AuthenticationException {
    if (ntlmHash == null) {
        ntlmHash = ntlmHash(password);
    }
    return ntlmHash;
}
 

/** Calculate the NTLMv2Response */
public byte[] getNTLMv2Response()
        throws AuthenticationException {
    if (ntlmv2Response == null) {
        ntlmv2Response = lmv2Response(getNTLMv2Hash(), challenge, getNTLMv2Blob());
    }
    return ntlmv2Response;
}
 

/** Calculate the LMv2Response */
public byte[] getLMv2Response()
        throws AuthenticationException {
    if (lmv2Response == null) {
        lmv2Response = lmv2Response(getNTLMv2Hash(), challenge, getClientChallenge());
    }
    return lmv2Response;
}
 

/** Get NTLM2SessionResponse */
public byte[] getNTLM2SessionResponse()
        throws AuthenticationException {
    if (ntlm2SessionResponse == null) {
        ntlm2SessionResponse = ntlm2SessionResponse(getNTLMHash(), challenge, getClientChallenge());
    }
    return ntlm2SessionResponse;
}
 

/** Calculate and return LM2 session response */
public byte[] getLM2SessionResponse()
        throws AuthenticationException {
    if (lm2SessionResponse == null) {
        byte[] clientChallenge = getClientChallenge();
        lm2SessionResponse = new byte[24];
        System.arraycopy(clientChallenge, 0, lm2SessionResponse, 0, clientChallenge.length);
        Arrays.fill(lm2SessionResponse, clientChallenge.length, lm2SessionResponse.length, (byte) 0x00);
    }
    return lm2SessionResponse;
}
 

/** Get LMUserSessionKey */
public byte[] getLMUserSessionKey()
        throws AuthenticationException {
    if (lmUserSessionKey == null) {
        byte[] lmHash = getLMHash();
        lmUserSessionKey = new byte[16];
        System.arraycopy(lmHash, 0, lmUserSessionKey, 0, 8);
        Arrays.fill(lmUserSessionKey, 8, 16, (byte) 0x00);
    }
    return lmUserSessionKey;
}
 

/** Get NTLMUserSessionKey */
public byte[] getNTLMUserSessionKey()
        throws AuthenticationException {
    if (ntlmUserSessionKey == null) {
        byte[] ntlmHash = getNTLMHash();
        MD4 md4 = new MD4();
        md4.update(ntlmHash);
        ntlmUserSessionKey = md4.getOutput();
    }
    return ntlmUserSessionKey;
}
 

/** GetNTLMv2UserSessionKey */
public byte[] getNTLMv2UserSessionKey()
        throws AuthenticationException {
    if (ntlmv2UserSessionKey == null) {
        byte[] ntlmv2Hash = getNTLMv2Hash();
        byte[] ntlmv2Blob = getNTLMv2Blob();
        byte[] temp = new byte[ntlmv2Blob.length + challenge.length];
        // "The challenge is concatenated with the blob" - check this (MHL)
        System.arraycopy(challenge, 0, temp, 0, challenge.length);
        System.arraycopy(ntlmv2Blob, 0, temp, challenge.length, ntlmv2Blob.length);
        byte[] partial = hmacMD5(temp, ntlmv2Hash);
        ntlmv2UserSessionKey = hmacMD5(partial, ntlmv2Hash);
    }
    return ntlmv2UserSessionKey;
}
 

/** Get NTLM2SessionResponseUserSessionKey */
public byte[] getNTLM2SessionResponseUserSessionKey()
        throws AuthenticationException {
    if (ntlm2SessionResponseUserSessionKey == null) {
        byte[] ntlmUserSessionKey = getNTLMUserSessionKey();
        byte[] ntlm2SessionResponseNonce = getLM2SessionResponse();
        byte[] sessionNonce = new byte[challenge.length + ntlm2SessionResponseNonce.length];
        System.arraycopy(challenge, 0, sessionNonce, 0, challenge.length);
        System.arraycopy(ntlm2SessionResponseNonce, 0, sessionNonce, challenge.length,
                ntlm2SessionResponseNonce.length);
        ntlm2SessionResponseUserSessionKey = hmacMD5(sessionNonce, ntlmUserSessionKey);
    }
    return ntlm2SessionResponseUserSessionKey;
}
 

/** Get LAN Manager session key */
public byte[] getLanManagerSessionKey()
        throws AuthenticationException {
    if (lanManagerSessionKey == null) {
        byte[] lmHash = getLMHash();
        byte[] lmResponse = getLMResponse();
        try {
            byte[] keyBytes = new byte[14];
            System.arraycopy(lmHash, 0, keyBytes, 0, 8);
            Arrays.fill(keyBytes, 8, keyBytes.length, (byte) 0xbd);
            Key lowKey = createDESKey(keyBytes, 0);
            Key highKey = createDESKey(keyBytes, 7);
            byte[] truncatedResponse = new byte[8];
            System.arraycopy(lmResponse, 0, truncatedResponse, 0, truncatedResponse.length);
            Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
            des.init(Cipher.ENCRYPT_MODE, lowKey);
            byte[] lowPart = des.doFinal(truncatedResponse);
            des = Cipher.getInstance("DES/ECB/NoPadding");
            des.init(Cipher.ENCRYPT_MODE, highKey);
            byte[] highPart = des.doFinal(truncatedResponse);
            lanManagerSessionKey = new byte[16];
            System.arraycopy(lowPart, 0, lanManagerSessionKey, 0, lowPart.length);
            System.arraycopy(highPart, 0, lanManagerSessionKey, lowPart.length, highPart.length);
        } catch (Exception e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }
    return lanManagerSessionKey;
}
 

/** Calculates RC4 */
static byte[] RC4(byte[] value, byte[] key)
        throws AuthenticationException {
    try {
        Cipher rc4 = Cipher.getInstance("RC4");
        rc4.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "RC4"));
        return rc4.doFinal(value);
    } catch (Exception e) {
        throw new AuthenticationException(e.getMessage(), e);
    }
}
 

/**
 * Calculates the NTLM2 Session Response for the given challenge, using the
 * specified password and client challenge.
 *
 * @param ntlmHash
 *            The user's password.
 * @param challenge
 *            The Type 2 challenge from the server.
 * @param clientChallenge
 *            The random 8-byte client challenge.
 *
 * @return The NTLM2 Session Response. This is placed in the NTLM response
 *         field of the Type 3 message; the LM response field contains the
 *         client challenge, null-padded to 24 bytes.
 */
static byte[] ntlm2SessionResponse(byte[] ntlmHash, byte[] challenge,
                                   byte[] clientChallenge) throws AuthenticationException {
    try {
        // Look up MD5 algorithm (was necessary on jdk 1.4.2)
        // This used to be needed, but java 1.5.0_07 includes the MD5
        // algorithm (finally)
        // Class x = Class.forName("gnu.crypto.hash.MD5");
        // Method updateMethod = x.getMethod("update",new
        // Class[]{byte[].class});
        // Method digestMethod = x.getMethod("digest",new Class[0]);
        // Object mdInstance = x.newInstance();
        // updateMethod.invoke(mdInstance,new Object[]{challenge});
        // updateMethod.invoke(mdInstance,new Object[]{clientChallenge});
        // byte[] digest = (byte[])digestMethod.invoke(mdInstance,new
        // Object[0]);

        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(challenge);
        md5.update(clientChallenge);
        byte[] digest = md5.digest();

        byte[] sessionHash = new byte[8];
        System.arraycopy(digest, 0, sessionHash, 0, 8);
        return lmResponse(ntlmHash, sessionHash);
    } catch (Exception e) {
        if (e instanceof AuthenticationException) {
            throw (AuthenticationException) e;
        }
        throw new AuthenticationException(e.getMessage(), e);
    }
}
 

/**
 * Creates the NTLM Hash of the user's password.
 *
 * @param password
 *            The password.
 *
 * @return The NTLM Hash of the given password, used in the calculation of
 *         the NTLM Response and the NTLMv2 and LMv2 Hashes.
 */
private static byte[] ntlmHash(String password) throws AuthenticationException {
    try {
        byte[] unicodePassword = password.getBytes("UnicodeLittleUnmarked");
        MD4 md4 = new MD4();
        md4.update(unicodePassword);
        return md4.getOutput();
    } catch (java.io.UnsupportedEncodingException e) {
        throw new AuthenticationException("Unicode not supported: " + e.getMessage(), e);
    }
}
 

/**
 * Creates the NTLMv2 Hash of the user's password.
 *
 * @param target
 *            The authentication target (i.e., domain).
 * @param user
 *            The username.
 * @param password
 *            The password.
 *
 * @return The NTLMv2 Hash, used in the calculation of the NTLMv2 and LMv2
 *         Responses.
 */
private static byte[] ntlmv2Hash(String target, String user, String password)
        throws AuthenticationException {
    try {
        byte[] ntlmHash = ntlmHash(password);
        HMACMD5 hmacMD5 = new HMACMD5(ntlmHash);
        // Upper case username, mixed case target!!
        hmacMD5.update(user.toUpperCase(Locale.US).getBytes("UnicodeLittleUnmarked"));
        hmacMD5.update(target.getBytes("UnicodeLittleUnmarked"));
        return hmacMD5.getOutput();
    } catch (java.io.UnsupportedEncodingException e) {
        throw new AuthenticationException("Unicode not supported! " + e.getMessage(), e);
    }
}
 

/** Read a byte from a position within the message buffer */
protected byte readByte(int position) throws AuthenticationException {
    if (messageContents.length < position + 1) {
        throw new AuthenticationException("NTLM: Message too short");
    }
    return messageContents[position];
}
 

/** Read a bunch of bytes from a position in the message buffer */
protected void readBytes(byte[] buffer, int position) throws AuthenticationException {
    if (messageContents.length < position + buffer.length) {
        throw new AuthenticationException("NTLM: Message too short");
    }
    System.arraycopy(messageContents, position, buffer, 0, buffer.length);
}
 

HMACMD5(byte[] key) throws AuthenticationException {
    try {
        md5 = MessageDigest.getInstance("MD5");
    } catch (Exception ex) {
        // Umm, the algorithm doesn't exist - throw an
        // AuthenticationException!
        throw new AuthenticationException(
                "Error getting md5 message digest implementation: " + ex.getMessage(), ex);
    }

    // Initialize the pad buffers with the key
    ipad = new byte[64];
    opad = new byte[64];

    int keyLength = key.length;
    if (keyLength > 64) {
        // Use MD5 of the key instead, as described in RFC 2104
        md5.update(key);
        key = md5.digest();
        keyLength = key.length;
    }
    int i = 0;
    while (i < keyLength) {
        ipad[i] = (byte) (key[i] ^ (byte) 0x36);
        opad[i] = (byte) (key[i] ^ (byte) 0x5c);
        i++;
    }
    while (i < 64) {
        ipad[i] = (byte) 0x36;
        opad[i] = (byte) 0x5c;
        i++;
    }

    // Very important: update the digest with the ipad buffer
    md5.reset();
    md5.update(ipad);

}
 

/** Constructor. Include the arguments the message will need */
Type1Message(String domain, String host) throws AuthenticationException {
    super();
    try {
        // Strip off domain name from the host!
        host = convertHost(host);
        // Use only the base domain name!
        domain = convertDomain(domain);

        hostBytes = host.getBytes("UnicodeLittleUnmarked");
        domainBytes = domain.toUpperCase(Locale.US).getBytes("UnicodeLittleUnmarked");
    } catch (java.io.UnsupportedEncodingException e) {
        throw new AuthenticationException("Unicode unsupported: " + e.getMessage(), e);
    }
}
 

private static int readULong(byte[] src, int index) throws AuthenticationException {
    if (src.length < index + 4) {
        throw new AuthenticationException("NTLM authentication - buffer too small for DWORD");
    }
    return (src[index] & 0xff) | ((src[index + 1] & 0xff) << 8)
            | ((src[index + 2] & 0xff) << 16) | ((src[index + 3] & 0xff) << 24);
}
 

private void authenticate(final HttpMethod method) {
    try {
        if (this.conn.isProxied() && !this.conn.isSecure()) {
            authenticateProxy(method);
        }
        authenticateHost(method);
    } catch (AuthenticationException e) {
        LOG.error(e.getMessage(), e);
    }
}
 

private void authenticateProxy(final HttpMethod method) throws AuthenticationException {
    // Clean up existing authentication headers
    if (!cleanAuthHeaders(method, PROXY_AUTH_RESP)) {
        // User defined authentication header(s) present
        return;
    }
    AuthState authstate = method.getProxyAuthState();
    AuthScheme authscheme = authstate.getAuthScheme();
    if (authscheme == null) {
        return;
    }
    if (authstate.isAuthRequested() || !authscheme.isConnectionBased()) {
        AuthScope authscope = new AuthScope(
            conn.getProxyHost(), conn.getProxyPort(), 
            authscheme.getRealm(), 
            authscheme.getSchemeName());  
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authenticating with " + authscope);
        }
        Credentials credentials = this.state.getProxyCredentials(authscope);
        if (credentials != null) {
            String authstring = authscheme.authenticate(credentials, method);
            if (authstring != null) {
                method.addRequestHeader(new Header(PROXY_AUTH_RESP, authstring, true));
            }
        } else {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Required proxy credentials not available for " + authscope);
                if (method.getProxyAuthState().isPreemptive()) {
                    LOG.warn("Preemptive authentication requested but no default " +
                        "proxy credentials available"); 
                }
            }
        }
    }
}
 

private void authenticate(final HttpMethod method) {
    try {
        if (this.conn.isProxied() && !this.conn.isSecure()) {
            authenticateProxy(method);
        }
        authenticateHost(method);
    } catch (AuthenticationException e) {
        LOG.error(e.getMessage(), e);
    }
}
 

private void authenticateProxy(final HttpMethod method) throws AuthenticationException {
    // Clean up existing authentication headers
    if (!cleanAuthHeaders(method, PROXY_AUTH_RESP)) {
        // User defined authentication header(s) present
        return;
    }
    AuthState authstate = method.getProxyAuthState();
    AuthScheme authscheme = authstate.getAuthScheme();
    if (authscheme == null) {
        return;
    }
    if (authstate.isAuthRequested() || !authscheme.isConnectionBased()) {
        AuthScope authscope = new AuthScope(
            conn.getProxyHost(), conn.getProxyPort(), 
            authscheme.getRealm(), 
            authscheme.getSchemeName());  
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authenticating with " + authscope);
        }
        Credentials credentials = this.state.getProxyCredentials(authscope);
        if (credentials != null) {
            String authstring = authscheme.authenticate(credentials, method);
            if (authstring != null) {
                method.addRequestHeader(new Header(PROXY_AUTH_RESP, authstring, true));
            }
        } else {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Required proxy credentials not available for " + authscope);
                if (method.getProxyAuthState().isPreemptive()) {
                    LOG.warn("Preemptive authentication requested but no default " +
                        "proxy credentials available"); 
                }
            }
        }
    }
}
 

/**
 * Returns the text to send via the Authenticate header on the next request.
 */
@Override
public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
    try {
        return authenticate(credentials, URI.create(method.getURI().getURI()));
    } catch (URIException e) {
        throw new AuthenticationException("Could not determine request URI", e);
    }
}