org.jasig.cas.authentication.principal.SimplePrincipal Java Examples

/** {@inheritDoc} */
@Override
protected final HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
        throws GeneralSecurityException, PreventedException {

    final String username = credential.getUsername();
    final String encyptedPassword = getPasswordEncoder().encode(credential.getPassword());
    final int count;
    try {
        count = getJdbcTemplate().queryForObject(this.sql, Integer.class, username, encyptedPassword);
    } catch (final DataAccessException e) {
        throw new PreventedException("SQL exception while executing query for " + username, e);
    }
    if (count == 0) {
        throw new FailedLoginException(username + " not found with SQL query.");
    }
    return createHandlerResult(credential, new SimplePrincipal(username), null);
}
 

/**
 * Creates a new named mock authentication handler that either successfully validates all credentials or fails to
 * validate all credentials.
 *
 * @param name Authentication handler name.
 * @param success True to authenticate all credentials, false to fail all credentials.
 *
 * @return New mock authentication handler instance.
 *
 * @throws Exception On errors.
 */
private static AuthenticationHandler newMockHandler(final String name, final boolean success) throws Exception {
    final AuthenticationHandler mock = mock(AuthenticationHandler.class);
    when(mock.getName()).thenReturn(name);
    when(mock.supports(any(Credential.class))).thenReturn(true);
    if (success) {
        final HandlerResult result = new HandlerResult(
                mock,
                mock(CredentialMetaData.class),
                new SimplePrincipal("nobody"));
        when(mock.authenticate(any(Credential.class))).thenReturn(result);
    } else {
        when(mock.authenticate(any(Credential.class))).thenThrow(new FailedLoginException());
    }
    return mock;
}
 

/** {@inheritDoc} */
@Override
protected final HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
        throws GeneralSecurityException, PreventedException {
    try {
        
        final String username = credential.getUsername();
        final String passwordOnRecord = getPasswordOnRecord(username);
        if (passwordOnRecord == null) {
            throw new AccountNotFoundException(username + " not found in backing file.");
        }
        if (credential.getPassword() != null
                && this.getPasswordEncoder().encode(credential.getPassword()).equals(passwordOnRecord)) {
            return createHandlerResult(credential, new SimplePrincipal(username), null);
        }
    } catch (final IOException e) {
        throw new PreventedException("IO error reading backing file", e);
    }
    throw new FailedLoginException();
}
 

@Override
protected final HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
        throws GeneralSecurityException, PreventedException {

    final String username = credential.getUsername();
    for (final RadiusServer radiusServer : this.servers) {
        logger.debug("Attempting to authenticate {} at {}", username, radiusServer);
        try {
            if (radiusServer.authenticate(username, credential.getPassword())) {
                return createHandlerResult(credential, new SimplePrincipal(username), null);
            } 
            
            if (!this.failoverOnAuthenticationFailure) {
                throw new FailedLoginException();
            }
            logger.debug("failoverOnAuthenticationFailure enabled -- trying next server");
        } catch (final PreventedException e) {
            if (!this.failoverOnException) {
                throw e;
            }
            logger.warn("failoverOnException enabled -- trying next server.", e);
        }
    }
    throw new FailedLoginException();
}
 

@Override
protected Credential constructCredentialsFromRequest(
        final RequestContext context) {
    final HttpServletRequest request = WebUtils
            .getHttpServletRequest(context);
    final Principal principal = request.getUserPrincipal();

    if (principal != null) {

        logger.debug("UserPrincipal [{}] found in HttpServletRequest", principal.getName());
        return new PrincipalBearingCredential(new SimplePrincipal(
                principal.getName()));
    }

    logger.debug("UserPrincipal not found in HttpServletRequest.");
    return null;
}
 

@Override
protected Credential constructCredentialsFromRequest(
        final RequestContext context) {
    final HttpServletRequest request = WebUtils
            .getHttpServletRequest(context);
    final String remoteUser = request.getRemoteUser();

    if (StringUtils.hasText(remoteUser)) {
        logger.debug("Remote  User [{}] found in HttpServletRequest", remoteUser);
        return new PrincipalBearingCredential(new SimplePrincipal(remoteUser));
    }

    logger.debug("Remote User not found in HttpServletRequest.");

    return null;
}
 

@Test
public void testGetSimpleCredentials() {
    String myNtlmUser = "DOMAIN\\Username";
    String myNtlmUserWithNoDomain = "Username";
    String myKerberosUser = "[email protected]";

    this.authenticationHandler.setPrincipalWithDomainName(true);
    assertEquals(new SimplePrincipal(myNtlmUser), this.authenticationHandler
            .getSimplePrincipal(myNtlmUser, true));
    assertEquals(new SimplePrincipal(myNtlmUserWithNoDomain), this.authenticationHandler
            .getSimplePrincipal(myNtlmUserWithNoDomain, false));
    assertEquals(new SimplePrincipal(myKerberosUser), this.authenticationHandler
            .getSimplePrincipal(myKerberosUser, false));

    this.authenticationHandler.setPrincipalWithDomainName(false);
    assertEquals(new SimplePrincipal("Username"), this.authenticationHandler
            .getSimplePrincipal(myNtlmUser, true));
    assertEquals(new SimplePrincipal("Username"), this.authenticationHandler
            .getSimplePrincipal(myNtlmUserWithNoDomain, true));
    assertEquals(new SimplePrincipal("Username"), this.authenticationHandler
            .getSimplePrincipal(myKerberosUser, false));
}
 

/** {@inheritDoc} */
@Override
protected final HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
        throws GeneralSecurityException, PreventedException {

    final String username = credential.getUsername();
    final String cachedPassword = this.users.get(username);

    if (cachedPassword == null) {
       logger.debug("{} was not found in the map.", username);
       throw new AccountNotFoundException(username + " not found in backing map.");
    }

    final String encodedPassword = this.getPasswordEncoder().encode(credential.getPassword());
    if (!cachedPassword.equals(encodedPassword)) {
        throw new FailedLoginException();
    }
    return createHandlerResult(credential, new SimplePrincipal(username), null);
}
 

public MockTicketGrantingTicket(final String id, final Credential credential) {
    this.id = id;
    final CredentialMetaData credentialMetaData = new BasicCredentialMetaData(credential);
    final AuthenticationBuilder builder = new AuthenticationBuilder();
    final Map<String, Object> attributes = new HashMap<String, Object>();
    attributes.put("nickname", "bob");
    builder.setPrincipal(new SimplePrincipal("handymanbob", attributes));
    builder.setAuthenticationDate(new Date());
    builder.addCredential(credentialMetaData);
    final AuthenticationHandler handler = new MockAuthenticationHandler();
    try {
        builder.addSuccess(handler.getName(), handler.authenticate(credential));
    } catch (final Exception e) {
        throw new RuntimeException(e);
    }
    builder.addFailure(handler.getName(), FailedLoginException.class);
    this.authentication = builder.build();
}
 

@Test
public void testResponseWithoutAuthMethod() throws Exception {
    final Map<String, Object> model = new HashMap<String, Object>();

    final Map<String, Object> attributes = new HashMap<String, Object>();
    attributes.put("testAttribute", "testValue");
    final SimplePrincipal principal = new SimplePrincipal("testPrincipal", attributes);

    final Authentication primary = TestUtils.getAuthentication(principal);

    final Assertion assertion = new ImmutableAssertion(
            primary, Collections.singletonList(primary), TestUtils.getService(), true);
    model.put("assertion", assertion);

    final MockHttpServletResponse servletResponse = new MockHttpServletResponse();

    this.response.renderMergedOutputModel(model, new MockHttpServletRequest(), servletResponse);
    final String written = servletResponse.getContentAsString();

    assertTrue(written.contains("testPrincipal"));
    assertTrue(written.contains("testAttribute"));
    assertTrue(written.contains("testValue"));
    assertTrue(written.contains("urn:oasis:names:tc:SAML:1.0:am:unspecified"));
}
 

@Test
public void testToStringWithPrincipal() {
    final SpnegoCredential credentials = new SpnegoCredential(new byte[] {});
    final Principal principal = new SimplePrincipal("test");
    credentials.setPrincipal(principal);
    assertEquals("test", credentials.toString());
}
 

protected SimplePrincipal getSimplePrincipal(final String name, final boolean isNtlm) {
    if (this.principalWithDomainName) {
        return new SimplePrincipal(name);
    }
    if (isNtlm) {
        return Pattern.matches("\\S+\\\\\\S+", name)
                ? new SimplePrincipal(name.split("\\\\")[1])
                : new SimplePrincipal(name);
    }
    return new SimplePrincipal(name.split("@")[0]);
}
 

/** {@inheritDoc} */
@Override
protected final HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {

    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] certificates = x509Credential.getCertificates();

    X509Certificate clientCert = null;
    boolean hasTrustedIssuer = false;
    for (int i = certificates.length - 1; i >= 0; i--) {
        final X509Certificate certificate = certificates[i];
        logger.debug("Evaluating {}", CertUtils.toString(certificate));

        validate(certificate);

        if (!hasTrustedIssuer) {
            hasTrustedIssuer = isCertificateFromTrustedIssuer(certificate);
        }

        // getBasicConstraints returns pathLenContraint which is generally
        // >=0 when this is a CA cert and -1 when it's not
        int pathLength = certificate.getBasicConstraints();
        if (pathLength < 0) {
            logger.debug("Found valid client certificate");
            clientCert = certificate;
        } else {
            logger.debug("Found valid CA certificate");
        }
    }
    if (hasTrustedIssuer && clientCert != null) {
        x509Credential.setCertificate(clientCert);
        return new HandlerResult(this, x509Credential, new SimplePrincipal(x509Credential.getId()));
    }
    throw new FailedLoginException();
}
 

/**
 * @deprecated As of 4.1. Use {@link #getPrincipal(String, boolean)}
 * Gets the simple principal from the given name.
 *
 * @param name the name
 * @param isNtlm the is ntlm
 * @return the simple principal
 */
@Deprecated
protected SimplePrincipal getSimplePrincipal(final String name, final boolean isNtlm) {
    logger.warn("getSimplePrincipal() is deprecated and will be removed. Consider getPrincipal() instead.");

    if (this.principalWithDomainName) {
        return (SimplePrincipal) new DefaultPrincipalFactory().createPrincipal(name);
    }
    if (isNtlm) {
        return Pattern.matches("\\S+\\\\\\S+", name)
                ? (SimplePrincipal) new DefaultPrincipalFactory().createPrincipal(name.split("\\\\")[1])
                : (SimplePrincipal) new DefaultPrincipalFactory().createPrincipal(name);
    }
    return (SimplePrincipal) new DefaultPrincipalFactory().createPrincipal(name.split("@")[0]);
}
 

/**
 * {@InheritDoc}
 */
@Override
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
	final ClientCredential clientCredentials = (ClientCredential) credential;
	final OpenIdCredentials openIdCredentials = clientCredentials.getOpenIdCredentials();
	logger.debug("Client credentials : '{}'", clientCredentials);

	final String clientName = openIdCredentials.getClientName();
	logger.debug("Client name : '{}'", clientName);

	// Web context
	final ServletExternalContext servletExternalContext = (ServletExternalContext) ExternalContextHolder.getExternalContext();
	final HttpServletRequest request = (HttpServletRequest) servletExternalContext.getNativeRequest();
	final HttpServletResponse response = (HttpServletResponse) servletExternalContext.getNativeResponse();
	final WebContext webContext = new J2EContext(request, response);

	// Get user profile
	final UserProfile userProfile = this.client.getUserProfile(openIdCredentials, webContext);
	logger.debug("userProfile : {}", userProfile);

	if (userProfile != null) {
		final String id = userProfile.getId();
		if (StringHelper.isNotEmpty(id)) {
			openIdCredentials.setUserProfile(userProfile);

			return new HandlerResult(this, clientCredentials, new SimplePrincipal(id, userProfile.getAttributes()));
		}
	}

	throw new FailedLoginException("Provider did not produce profile for " + clientCredentials);
}
 

protected final HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
        throws GeneralSecurityException, PreventedException {

    final String username = credential.getUsername();
    if (this.users.contains(username)) {
        throw new FailedLoginException();
    }

    return createHandlerResult(credential, new SimplePrincipal(username), null);
}
 

@Override
public HandlerResult authenticate(final Credential credential) throws GeneralSecurityException {
    final RemoteAddressCredential c = (RemoteAddressCredential) credential;
    try {
        final InetAddress inetAddress = InetAddress.getByName(c.getRemoteAddress().trim());
        if (containsAddress(this.inetNetwork, this.inetNetmask, inetAddress)) {
            return new HandlerResult(this, c, new SimplePrincipal(c.getId()));
        }
    } catch (final UnknownHostException e) {
        logger.debug("Unknown host {}", c.getRemoteAddress());
    }
    throw new FailedLoginException(c.getRemoteAddress() + " not in allowed range.");
}
 

@Test
public void testResponse() throws Exception {
    final Map<String, Object> model = new HashMap<String, Object>();

    final Map<String, Object> attributes = new HashMap<String, Object>();
    attributes.put("testAttribute", "testValue");
    attributes.put("testEmptyCollection", Collections.emptyList());
    attributes.put("testAttributeCollection", Arrays.asList(new String[] {"tac1", "tac2"}));
    final SimplePrincipal principal = new SimplePrincipal("testPrincipal", attributes);

    final Map<String, Object> authAttributes = new HashMap<String, Object>();
    authAttributes.put(
            SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD,
            SamlAuthenticationMetaDataPopulator.AUTHN_METHOD_SSL_TLS_CLIENT);
    authAttributes.put("testSamlAttribute", "value");

    final Authentication primary = TestUtils.getAuthentication(principal, authAttributes);
    final Assertion assertion = new ImmutableAssertion(
            primary, Collections.singletonList(primary), TestUtils.getService(), true);
    model.put("assertion", assertion);

    final MockHttpServletResponse servletResponse = new MockHttpServletResponse();

    this.response.renderMergedOutputModel(model, new MockHttpServletRequest(), servletResponse);
    final String written = servletResponse.getContentAsString();

    assertTrue(written.contains("testPrincipal"));
    assertTrue(written.contains("testAttribute"));
    assertTrue(written.contains("testValue"));
    assertFalse(written.contains("testEmptyCollection"));
    assertTrue(written.contains("testAttributeCollection"));
    assertTrue(written.contains("tac1"));
    assertTrue(written.contains("tac2"));
    assertTrue(written.contains(SamlAuthenticationMetaDataPopulator.AUTHN_METHOD_SSL_TLS_CLIENT));
    assertTrue(written.contains("AuthenticationMethod"));
    assertTrue(written.contains("AssertionID"));
}
 

@Test
public void testResponseWithNoAttributes() throws Exception {
    final Map<String, Object> model = new HashMap<String, Object>();

    final SimplePrincipal principal = new SimplePrincipal("testPrincipal");

    final Map<String, Object> authAttributes = new HashMap<String, Object>();
    authAttributes.put(
            SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD,
            SamlAuthenticationMetaDataPopulator.AUTHN_METHOD_SSL_TLS_CLIENT);
    authAttributes.put("testSamlAttribute", "value");

    final Authentication primary = TestUtils.getAuthentication(principal, authAttributes);

    final Assertion assertion = new ImmutableAssertion(
            primary, Collections.singletonList(primary), TestUtils.getService(), true);
    model.put("assertion", assertion);

    final MockHttpServletResponse servletResponse = new MockHttpServletResponse();

    this.response.renderMergedOutputModel(model, new MockHttpServletRequest(), servletResponse);
    final String written = servletResponse.getContentAsString();

    assertTrue(written.contains("testPrincipal"));
    assertTrue(written.contains(SamlAuthenticationMetaDataPopulator.AUTHN_METHOD_SSL_TLS_CLIENT));
    assertTrue(written.contains("AuthenticationMethod"));
}
 

@Override
public HandlerResult authenticate(final Credential credential)
        throws GeneralSecurityException, PreventedException {
    final OneTimePasswordCredential otp = (OneTimePasswordCredential) credential;
    final String valueOnRecord = credentialMap.get(otp.getId());
    if (otp.getPassword().equals(credentialMap.get(otp.getId()))) {
        return new HandlerResult(this, new BasicCredentialMetaData(otp), new SimplePrincipal(otp.getId()));
    }
    throw new FailedLoginException();
}
 

@Override
public Principal resolve(Credential credential) {
    logger.debug("Attempting to resolve a principal...");

    if (credential instanceof ClientCredential){
        // do nothing
    } else {
        throw new RuntimeException("用户数据转换异常!");
    }

    ClientCredential oauthCredential = (ClientCredential) credential;
    UserProfile userProfile = oauthCredential.getUserProfile();
    logger.info("userProfile = {}", userProfile);


    //String principalId = oauthCredential.getUserProfile().getId();
    String principalId = oauthCredential.getId();
    if (principalId == null) {
        logger.debug("Got null for extracted principal ID; returning null.");
        return null;
    }

    logger.debug("Creating SimplePrincipal for [{}]", principalId);
    //UserProfile userProfile = oauthCredential.getUserProfile();
    final Map<String, Object> attributes = userProfile.getAttributes();

    if (attributes == null & !this.returnNullIfNoAttributes) {
        return new SimplePrincipal(principalId);
    }

    if (attributes == null) {
        return null;
    }

    return new SimplePrincipal(principalId, attributes);
}
 

static TicketGrantingTicket newTGT() {
    final Principal principal = new SimplePrincipal(
            "bob", Collections.singletonMap("displayName", (Object) "Bob"));
    return new TicketGrantingTicketImpl(
            ID_GENERATOR.getNewTicketId("TGT"),
            TestUtils.getAuthentication(principal),
            EXP_POLICY_TGT);
}
 

@Test
public void testTicketExpirationWithRememberMe() {
    final Authentication authentication = TestUtils.getAuthentication(
            new SimplePrincipal("test"),
            Collections.<String, Object>singletonMap(
                    RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME, true));
    final TicketGrantingTicketImpl t = new TicketGrantingTicketImpl("111", authentication, this.p);
    assertFalse(t.isExpired());
    t.grantServiceTicket("55", TestUtils.getService(), this.p, false);
    assertTrue(t.isExpired());

}
 

@Override
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final ClientCredential clientCredentials = (ClientCredential) credential;
    logger.debug("clientCredentials : {}", clientCredentials);

    final String clientName = clientCredentials.getCredentials().getClientName();
    logger.debug("clientName : {}", clientName);

    // get client
    final Client<org.pac4j.core.credentials.Credentials, UserProfile> client = this.clients.findClient(clientName);
    logger.debug("client : {}", client);

    // web context
    final ServletExternalContext servletExternalContext = (ServletExternalContext) ExternalContextHolder.getExternalContext();
    final HttpServletRequest request = (HttpServletRequest) servletExternalContext.getNativeRequest();
    final HttpServletResponse response = (HttpServletResponse) servletExternalContext.getNativeResponse();
    final WebContext webContext = new J2EContext(request, response);

    // get user profile
    final UserProfile userProfile = client.getUserProfile(clientCredentials.getCredentials(), webContext);
    logger.debug("userProfile : {}", userProfile);

    if (userProfile != null && StringUtils.isNotBlank(userProfile.getTypedId())) {
        clientCredentials.setUserProfile(userProfile);
        return new HandlerResult(
                this,
                new BasicCredentialMetaData(credential),
                new SimplePrincipal(userProfile.getTypedId(), userProfile.getAttributes()));
    }

    throw new FailedLoginException("Provider did not produce profile for " + clientCredentials);
}
 

public HandlerResult authenticate(final Credential credential) throws GeneralSecurityException {
    final HttpBasedServiceCredential httpCredential = (HttpBasedServiceCredential) credential;
    if (this.requireSecure && !httpCredential.getCallbackUrl().getProtocol().equals(PROTOCOL_HTTPS)) {
        logger.debug("Authentication failed because url was not secure.");
        throw new FailedLoginException(httpCredential.getCallbackUrl() + " is not an HTTPS endpoint as required.");
    }
    logger.debug("Attempting to authenticate {}", httpCredential);
    if (!this.httpClient.isValidEndPoint(httpCredential.getCallbackUrl())) {
        throw new FailedLoginException(
                httpCredential.getCallbackUrl() + " sent an unacceptable response status code");
    }
    return new HandlerResult(this, httpCredential, new SimplePrincipal(httpCredential.getId()));
}
 

/**
 * Creates a CAS principal with attributes if the LDAP entry contains principal attributes.
 *
 * @param username Username that was successfully authenticated which is used for principal ID when
 *                 {@link #setPrincipalIdAttribute(String)} is not specified.
 * @param ldapEntry LDAP entry that may contain principal attributes.
 *
 * @return Principal if the LDAP entry contains at least a principal ID attribute value, null otherwise.
 *
 * @throws LoginException On security policy errors related to principal creation.
 */
protected Principal createPrincipal(final String username, final LdapEntry ldapEntry) throws LoginException {
    final String id;
    if (this.principalIdAttribute != null) {
        final LdapAttribute principalAttr = ldapEntry.getAttribute(this.principalIdAttribute);
        if (principalAttr == null || principalAttr.size() == 0) {
            throw new LoginException(this.principalIdAttribute + " attribute not found for " + username);
        }
        if (principalAttr.size() > 1) {
            if (this.allowMultiplePrincipalAttributeValues) {
                logger.warn(
                        "Found multiple values for principal ID attribute: {}. Using first value={}.",
                        principalAttr,
                        principalAttr.getStringValue());
            } else {
                throw new LoginException("Multiple principal values not allowed: " + principalAttr);
            }
        }
        id = principalAttr.getStringValue();
    } else {
        id = username;
    }
    final Map<String, Object> attributeMap = new LinkedHashMap<String, Object>(this.principalAttributeMap.size());
    for (String ldapAttrName : this.principalAttributeMap.keySet()) {
        final LdapAttribute attr = ldapEntry.getAttribute(ldapAttrName);
        if (attr != null) {
            logger.debug("Found principal attribute: {}", attr);
            final String principalAttrName = this.principalAttributeMap.get(ldapAttrName);
            if (attr.size() > 1) {
                attributeMap.put(principalAttrName, attr.getStringValues());
            } else {
                attributeMap.put(principalAttrName, attr.getStringValue());
            }
        }
    }
    return new SimplePrincipal(id, attributeMap);
}
 

@Test
public void testSupports() {
    assertTrue(this.resolver.supports(new PrincipalBearingCredential(new SimplePrincipal("test"))));
    assertFalse(this.resolver.supports(new UsernamePasswordCredential()));
    assertFalse(this.resolver.supports(null));
}
 

@Test
public void testValidCredentials() {
    this.spnegoCredentials.setPrincipal(new SimplePrincipal("test"));
    assertEquals("test", this.resolver.resolve(this.spnegoCredentials)
            .getId());
}
 

/**
 * @throws IllegalArgumentException if the ServiceTicketId or the Service
 * are null.
 */
@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="VALIDATE_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(service, "service cannot be null");
 
    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("ServiceTicket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());
    
    try {
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("ServiceTicket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new TicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        Map<String, Object> attributesToRelease = this.defaultAttributeFilter.filter(principal.getId(),
                principal.getAttributes(), registeredService);
        if (registeredService.getAttributeFilter() != null) {
            attributesToRelease = registeredService.getAttributeFilter().filter(principal.getId(),
                    attributesToRelease, registeredService);
        }

        final String principalId = determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket);
        final Principal modifiedPrincipal = new SimplePrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = AuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}
 

@Override
protected final HandlerResult doAuthentication(
        final Credential credential) throws GeneralSecurityException, PreventedException {

    final SpnegoCredential ntlmCredential = (SpnegoCredential) credential;
    final byte[] src = ntlmCredential.getInitToken();

    UniAddress dc = null;

    boolean success = false;
    try {
        if (this.loadBalance) {
            // find the first dc that matches the includepattern
            if(this.includePattern != null){
                NbtAddress [] dcs  = NbtAddress.getAllByName(this.domainController, 0x1C, null, null);
                for (NbtAddress dc2 : dcs) {
                    if(dc2.getHostAddress().matches(this.includePattern)){
                        dc = new UniAddress(dc2);
                        break;
                    }
                }
            } else {
                dc = new UniAddress(NbtAddress.getByName(this.domainController,
                        0x1C, null));
            }
        } else {
            dc = UniAddress.getByName(this.domainController, true);
        }
        final byte[] challenge = SmbSession.getChallenge(dc);

        switch (src[8]) {
            case 1:
                logger.debug("Type 1 received");
                final Type1Message type1 = new Type1Message(src);
                final Type2Message type2 = new Type2Message(type1,
                        challenge, null);
                logger.debug("Type 2 returned. Setting next token.");
                ntlmCredential.setNextToken(type2.toByteArray());
            case 3:
                logger.debug("Type 3 received");
                final Type3Message type3 = new Type3Message(src);
                final byte[] lmResponse = type3.getLMResponse() == null ? new byte[0] : type3.getLMResponse();
                byte[] ntResponse = type3.getNTResponse() == null ? new byte[0] : type3.getNTResponse();
                final NtlmPasswordAuthentication ntlm = new NtlmPasswordAuthentication(
                        type3.getDomain(), type3.getUser(), challenge,
                        lmResponse, ntResponse);
                logger.debug("Trying to authenticate {} with domain controller", type3.getUser());
                try {
                    SmbSession.logon(dc, ntlm);
                    ntlmCredential.setPrincipal(new SimplePrincipal(type3.getUser()));
                    success = true;
                } catch (final SmbAuthException sae) {
                    throw new FailedLoginException(sae.getMessage());
                }
            default:
                logger.debug("Unknown type: {}", src[8]);
        }
    } catch (final Exception e) {
        throw new FailedLoginException(e.getMessage());
    }

    if (!success) {
        throw new FailedLoginException();
    }
    return new HandlerResult(this, new BasicCredentialMetaData(ntlmCredential), ntlmCredential.getPrincipal());
}