org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator の継承関係図

org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator 連携図

公開メンバ関数
boolean	requiresUser ()

void	action (AuthenticationFlowContext context)

void	authenticate (AuthenticationFlowContext context)

boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)

void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)

void	close ()

boolean	invalidUser (AuthenticationFlowContext context, UserModel user)

boolean	enabledUser (AuthenticationFlowContext context, UserModel user)

boolean	validateUserAndPassword (AuthenticationFlowContext context, MultivaluedMap< String, String > inputData)

boolean	validatePassword (AuthenticationFlowContext context, UserModel user, MultivaluedMap< String, String > inputData)

静的公開変数類
static final String	KERBEROS_DISABLED = "kerberos_disabled"

static boolean	bypassChallengeJavascript = false

static final String	REGISTRATION_FORM_ACTION = "registration_form"

static final String	ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

限定公開メンバ関数
Response	optionalChallengeRedirect (AuthenticationFlowContext context, String negotiateHeader)

Response	invalidUser (AuthenticationFlowContext context)

Response	disabledUser (AuthenticationFlowContext context)

Response	temporarilyDisabledUser (AuthenticationFlowContext context)

Response	invalidCredentials (AuthenticationFlowContext context)

Response	setDuplicateUserChallenge (AuthenticationFlowContext context, String eventError, String loginFormError, AuthenticationFlowError authenticatorError)

void	runDefaultDummyHash (AuthenticationFlowContext context)

void	dummyHash (AuthenticationFlowContext context)

非公開メンバ関数
Response	challengeNegotiation (AuthenticationFlowContext context, final String negotiateToken)

静的非公開変数類
static final Logger	logger = Logger.getLogger(SpnegoAuthenticator.class)

詳解

著者: Bill Burke

バージョン

Revision: 1

関数詳解

◆ action()

void org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.action ( AuthenticationFlowContext context )

inline

                                                           {
         context.attempted();
         return;
     }

◆ authenticate()

void org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate ( AuthenticationFlowContext context )

inline

                                                                 {
         HttpRequest request = context.getHttpRequest();
         String authHeader = request.getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
         if (authHeader == null) {
             Response challenge = challengeNegotiation(context, null);
             context.forceChallenge(challenge);
             return;
         }
 
         String[] tokens = authHeader.split(" ");
         if (tokens.length == 0) { // assume not supported
             logger.debug("Invalid length of tokens: " + tokens.length);
             context.attempted();
             return;
         }
         if (!KerberosConstants.NEGOTIATE.equalsIgnoreCase(tokens[0])) {
             logger.debug("Unknown scheme " + tokens[0]);
             context.attempted();
             return;
         }
         if (tokens.length != 2) {
             context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
             return;
         }
 
         String spnegoToken = tokens[1];
         UserCredentialModel spnegoCredential = UserCredentialModel.kerberos(spnegoToken);
 
         CredentialValidationOutput output = context.getSession().userCredentialManager().authenticate(context.getSession(), context.getRealm(), spnegoCredential);
 
         if (output == null) {
             logger.warn("Received kerberos token, but there is no user storage provider that handles kerberos credentials.");
             context.attempted();
             return;
         }
         if (output.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
             context.setUser(output.getAuthenticatedUser());
             if (output.getState() != null && !output.getState().isEmpty()) {
                 for (Map.Entry<String, String> entry : output.getState().entrySet()) {
                     context.getAuthenticationSession().setUserSessionNote(entry.getKey(), entry.getValue());
                 }
             }
             context.success();
         } else if (output.getAuthStatus() == CredentialValidationOutput.Status.CONTINUE) {
             String spnegoResponseToken = (String) output.getState().get(KerberosConstants.RESPONSE_TOKEN);
             Response challenge =  challengeNegotiation(context, spnegoResponseToken);
             context.challenge(challenge);
         } else {
             context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
             context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
         }
     }

◆ challengeNegotiation()

Response org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation	(	AuthenticationFlowContext	context,
		final String	negotiateToken
	)

inlineprivate

                                                                                                           {
         String negotiateHeader = negotiateToken == null ? KerberosConstants.NEGOTIATE : KerberosConstants.NEGOTIATE + " " + negotiateToken;
 
         if (logger.isTraceEnabled()) {
             logger.trace("Sending back " + HttpHeaders.WWW_AUTHENTICATE + ": " + negotiateHeader);
         }
         if (context.getExecution().isRequired()) {
             return context.getSession().getProvider(LoginFormsProvider.class)
                     .setAuthenticationSession(context.getAuthenticationSession())
                     .setResponseHeader(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader)
                     .setError(Messages.KERBEROS_NOT_ENABLED).createErrorPage(Response.Status.UNAUTHORIZED);
         } else {
             return optionalChallengeRedirect(context, negotiateHeader);
         }
     }

◆ close()

void org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.close ( )

inline

                         {
 
     }

◆ configuredFor()

boolean org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.configuredFor	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inline

                                                                                             {
         return true;
     }

◆ disabledUser()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.disabledUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                        {
         return context.form()
                 .setError(Messages.ACCOUNT_DISABLED).createLogin();
     }

◆ dummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.dummyHash ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                 {
         PasswordPolicy policy = context.getRealm().getPasswordPolicy();
         if (policy == null) {
             runDefaultDummyHash(context);
             return;
         } else {
             PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
             if (hash == null) {
                 runDefaultDummyHash(context);
                 return;
 
             } else {
                 hash.encode("dummypassword", policy.getHashIterations());
             }
         }
 
     }

◆ enabledUser()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.enabledUser	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineinherited

                                                                                   {
         if (!user.isEnabled()) {
             context.getEvent().user(user);
             context.getEvent().error(Errors.USER_DISABLED);
             Response challengeResponse = disabledUser(context);
             // this is not a failure so don't call failureChallenge.
             //context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
             context.forceChallenge(challengeResponse);
             return false;
         }
         if (isTemporarilyDisabledByBruteForce(context, user)) return false;
         return true;
     }

◆ invalidCredentials()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidCredentials ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                              {
         return context.form()
                 .setError(Messages.INVALID_USER).createLogin();
     }

◆ invalidUser() [1/2]

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                       {
         return context.form()
                 .setError(Messages.INVALID_USER)
                 .createLogin();
     }

◆ invalidUser() [2/2]

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidUser	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineinherited

                                                                                   {
         if (user == null) {
             dummyHash(context);
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = invalidUser(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
             return true;
         }
         return false;
     }

◆ optionalChallengeRedirect()

Response org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect	(	AuthenticationFlowContext	context,
		String	negotiateHeader
	)

inlineprotected

401 challenge sent back that bypasses

引数

context
negotiateHeader

戻り値

                                                                                                             {
         String accessCode = context.generateAccessCode();
         URI action = context.getActionUrl(accessCode);
 
         StringBuilder builder = new StringBuilder();
 
         builder.append("<HTML>");
         builder.append("<HEAD>");
 
         builder.append("<TITLE>Kerberos Unsupported</TITLE>");
         builder.append("</HEAD>");
         if (bypassChallengeJavascript) {
             builder.append("<BODY>");
 
         } else {
             builder.append("<BODY Onload=\"document.forms[0].submit()\">");
         }
         builder.append("<FORM METHOD=\"POST\" ACTION=\"" + action.toString() + "\">");
         builder.append("<NOSCRIPT>");
         builder.append("<P>JavaScript is disabled. We strongly recommend to enable it. You were unable to login via Kerberos.  Click the button below to login via an alternative method .</P>");
         builder.append("<INPUT name=\"continue\" TYPE=\"SUBMIT\" VALUE=\"CONTINUE\" />");
         builder.append("</NOSCRIPT>");
 
         builder.append("</FORM></BODY></HTML>");
         return Response.status(Response.Status.UNAUTHORIZED)
                 .header(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader)
                 .type(MediaType.TEXT_HTML_TYPE)
                 .entity(builder.toString()).build();
     }

◆ requiresUser()

boolean org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.requiresUser ( )

inline

                                   {
         return false;
     }

◆ runDefaultDummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.runDefaultDummyHash ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                           {
         PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, PasswordPolicy.HASH_ALGORITHM_DEFAULT);
         hash.encode("dummypassword", PasswordPolicy.HASH_ITERATIONS_DEFAULT);
     }

◆ setDuplicateUserChallenge()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.setDuplicateUserChallenge	(	AuthenticationFlowContext	context,
		String	eventError,
		String	loginFormError,
		AuthenticationFlowError	authenticatorError
	)

inlineprotectedinherited

                                                                                                                                                                           {
         context.getEvent().error(eventError);
         Response challengeResponse = context.form()
                 .setError(loginFormError).createLogin();
         context.failureChallenge(authenticatorError, challengeResponse);
         return challengeResponse;
     }

◆ setRequiredActions()

void org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.setRequiredActions	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inline

177 {

178 }

◆ temporarilyDisabledUser()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.temporarilyDisabledUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                                   {
         return context.form()
                 .setError(Messages.INVALID_USER).createLogin();
     }

◆ validatePassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword	(	AuthenticationFlowContext	context,
		UserModel	user,
		MultivaluedMap< String, String >	inputData
	)

inlineinherited

                                                                                                                                  {
         List<CredentialInput> credentials = new LinkedList<>();
         String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
         credentials.add(UserCredentialModel.password(password));
 
         if (isTemporarilyDisabledByBruteForce(context, user)) return false;
 
         if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
             return true;
         } else {
             context.getEvent().user(user);
             context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
             Response challengeResponse = invalidCredentials(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
             context.clearUser();
             return false;
         }
     }

◆ validateUserAndPassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword	(	AuthenticationFlowContext	context,
		MultivaluedMap< String, String >	inputData
	)

inlineinherited

                                                                                                                         {
         String username = inputData.getFirst(AuthenticationManager.FORM_USERNAME);
         if (username == null) {
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = invalidUser(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
             return false;
         }
 
         // remove leading and trailing whitespace
         username = username.trim();
 
         context.getEvent().detail(Details.USERNAME, username);
         context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username);
 
         UserModel user = null;
         try {
             user = KeycloakModelUtils.findUserByNameOrEmail(context.getSession(), context.getRealm(), username);
         } catch (ModelDuplicateException mde) {
             ServicesLogger.LOGGER.modelDuplicateException(mde);
 
             // Could happen during federation import
             if (mde.getDuplicateFieldName() != null && mde.getDuplicateFieldName().equals(UserModel.EMAIL)) {
                 setDuplicateUserChallenge(context, Errors.EMAIL_IN_USE, Messages.EMAIL_EXISTS, AuthenticationFlowError.INVALID_USER);
             } else {
                 setDuplicateUserChallenge(context, Errors.USERNAME_IN_USE, Messages.USERNAME_EXISTS, AuthenticationFlowError.INVALID_USER);
             }
 
             return false;
         }
 
         if (invalidUser(context, user)) {
             return false;
         }
 
         if (!validatePassword(context, user, inputData)) {
             return false;
         }
 
         if (!enabledUser(context, user)) {
             return false;
         }
 
         String rememberMe = inputData.getFirst("rememberMe");
         boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on");
         if (remember) {
             context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
             context.getEvent().detail(Details.REMEMBER_ME, "true");
         } else {
             context.getAuthenticationSession().removeAuthNote(Details.REMEMBER_ME);
         }
         context.setUser(user);
         return true;
     }

メンバ詳解

◆ ATTEMPTED_USERNAME

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

staticinherited

◆ bypassChallengeJavascript

boolean org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.bypassChallengeJavascript = false

static

◆ KERBEROS_DISABLED

final String org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.KERBEROS_DISABLED = "kerberos_disabled"

static

◆ logger

final Logger org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.logger = Logger.getLogger(SpnegoAuthenticator.class)

staticprivate

◆ REGISTRATION_FORM_ACTION

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.REGISTRATION_FORM_ACTION = "registration_form"

staticinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

非公開メンバ関数

静的非公開変数類

詳解

関数詳解

◆ action()

◆ authenticate()

◆ challengeNegotiation()

◆ close()

◆ configuredFor()

◆ disabledUser()

◆ dummyHash()

◆ enabledUser()

◆ invalidCredentials()

◆ invalidUser() [1/2]

◆ invalidUser() [2/2]

◆ optionalChallengeRedirect()

◆ requiresUser()

◆ runDefaultDummyHash()

◆ setDuplicateUserChallenge()

◆ setRequiredActions()

◆ temporarilyDisabledUser()

◆ validatePassword()

◆ validateUserAndPassword()

メンバ詳解

◆ ATTEMPTED_USERNAME

◆ bypassChallengeJavascript

◆ KERBEROS_DISABLED

◆ logger

◆ REGISTRATION_FORM_ACTION