Class CASServer::Authenticators::NTLM
In: lib/casserver/authenticators/ntlm.rb
Parent: Object

Methods

Public Instance methods

This will have to be called somehow from the top of the 'get' method in the Login controller (maybe via a hook?). If this code fails, the controller should fall back to some other method of authentication (probably AD/LDAP).

[Source]

    # File lib/casserver/authenticators/ntlm.rb, line 23
    # (the file must require 'base64', 'net/ntlm' and 'securerandom' above this point)
    def filter_for_top_of_login_get_controller_method
      $LOG.debug @env.inspect
      if @env['HTTP_AUTHORIZATION'] =~ /NTLM ([^\s]+)/
        # if we're here, then the client has sent back a Type1 or Type3 message
        # in reply to our NTLM challenge or our Type2 message
        data_raw = Base64.decode64($~[1])
        $LOG.debug "NTLM RAW: #{data_raw.inspect}"
        # the message type is a 32-bit little-endian integer at offset 8, right
        # after the "NTLMSSP\0" signature; parse with the matching rubyntlm class
        t1 = t3 = nil
        case data_raw[8, 4].to_s.unpack('V').first
        when 1 then t1 = Net::NTLM::Message::Type1.parse(data_raw)
        when 3 then t3 = Net::NTLM::Message::Type3.parse(data_raw)
        else raise "Invalid NTLM reply from client."
        end

        if t1
          $LOG.debug "T1: #{t1.inspect}"

          # now put together a Type2 message asking for the client to send
          # back NTLM credentials (LM hash and such)
          t2 = Net::NTLM::Message::Type2.new
          t2.set_flag :UNICODE
          t2.set_flag :NTLM
          t2.context = 0x0000000000000000 # this can probably just be left unassigned
          # the challenge must be 8 random bytes, and the server has to remember it
          # (per connection) to check the Type3 response that comes back
          t2.challenge = SecureRandom.random_number(2**64)

          $LOG.debug "T2: #{t2.inspect}"
          $LOG.debug "T2: #{t2.serialize}"
          headers["WWW-Authenticate"] = "NTLM #{t2.encode64}"

          # the client should respond to this with a Type3 message...
          r('401', '', headers)
          return
        else
          # NOTE: for some reason the server never receives the T3 response, even though monitoring
          # the HTTP traffic I can see that the client does send it back... there's probably
          # another bug hiding somewhere here

          lm_response = t3.lm_response
          ntlm_response = t3.ntlm_response
          username = t3.user
          # this is where we run up against a wall... we need some way to check the lm and/or ntlm
          # response (together with the challenge we issued in the Type2 message) against the
          # authentication server (probably Active Directory)... maybe a samba call would do it?
          $LOG.debug "T3 LM: #{lm_response.inspect}"
          $LOG.debug "T3 NTLM: #{ntlm_response.inspect}"

          # assuming the authentication was successful, we'll now need to do something in the
          # controller acting as if we'd received correct login credentials (i.e. proceed as if
          # CAS authentication was successful).... if authentication failed, then we should
          # just fall back to old-school web-based authentication, asking the user to enter
          # their username and password the normal CAS way
        end
      else
        # this sends the initial NTLM challenge, asking the browser
        # to send back a Type1 message
        headers['WWW-Authenticate'] = "NTLM"
        headers['Connection'] = "Close"
        r('401', '', headers)
        return
      end
    end
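The check the Type3 branch above leaves open ("we need some way to check the lm and/or ntlm response") can be seen end to end with the following added example. It is not RubyCAS-server or rubyntlm code: it builds the NTLMv2 response a client would place in a Type3 message and then verifies it on the server side against a locally held NT hash, using a pure-Ruby MD4 (OpenSSL 3 only ships MD4 in its legacy provider). The function names (`md4`, `nt_hash`, `ntlmv2_key`, `ntlmv2_response`, `verify_ntlmv2`, `demo`) and the sample user, domain and password are hypothetical; the challenge and timestamp values are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

MASK32 = 0xffffffff

# Pure-Ruby MD4 (RFC 1320); NTLM needs it for the NT hash.
def md4(msg)
  rotl = ->(x, s) { ((x << s) | (x >> (32 - s))) & MASK32 }
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  bit_len = msg.bytesize * 8
  data = msg.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  data << [bit_len & MASK32, bit_len >> 32].pack('V2')
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  rounds = [
    [f, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [g, 0x5a827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [h, 0x6ed9eba1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
  ]
  data.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, shifts, order|
      order.each_with_index do |i, step|
        a = rotl.call((a + fn.call(b, c, d) + x[i] + k) & MASK32, shifts[step % 4])
        a, b, c, d = d, a, b, c
      end
    end
    a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

# NT hash (NTOWFv1): MD4 over the UTF-16LE encoded password
def nt_hash(password)
  md4(password.encode('UTF-16LE').b)
end

# NTLMv2 key (NTOWFv2): HMAC-MD5 keyed by the NT hash over UPPER(user) + domain
def ntlmv2_key(nt_hash_bytes, user, domain)
  OpenSSL::HMAC.digest('MD5', nt_hash_bytes, (user.upcase + domain).encode('UTF-16LE').b)
end

# Message type of a raw NTLMSSP message: 32-bit LE integer at offset 8
def ntlm_message_type(raw)
  raise ArgumentError, 'not an NTLMSSP message' unless raw.byteslice(0, 8) == "NTLMSSP\0".b
  raw.byteslice(8, 4).unpack1('V')
end

# Client side: the NtChallengeResponse field of a Type3 message.
# timestamp is an 8-byte FILETIME, client_challenge 8 random bytes.
def ntlmv2_response(user, domain, password, server_challenge, client_challenge, timestamp, target_info = ''.b)
  blob = "\x01\x01\x00\x00".b + "\x00".b * 4 + timestamp + client_challenge +
         "\x00".b * 4 + target_info + "\x00".b * 4
  key = ntlmv2_key(nt_hash(password), user, domain)
  proof = OpenSSL::HMAC.digest('MD5', key, server_challenge + blob)
  proof + blob
end

# Server side: recompute the proof from the blob the client echoed back and compare
# in constant time. Assumption: the server holds the user's NT hash itself; against
# a domain the same check would be delegated to a domain controller instead.
def verify_ntlmv2(nt_hash_bytes, user, domain, server_challenge, ntlm_response)
  return false if ntlm_response.bytesize < 16 + 32 # proof + minimal blob
  proof = ntlm_response.byteslice(0, 16)
  blob = ntlm_response.byteslice(16, ntlm_response.bytesize - 16)
  expected = OpenSSL::HMAC.digest('MD5', ntlmv2_key(nt_hash_bytes, user, domain), server_challenge + blob)
  diff = 0
  expected.bytes.zip(proof.bytes) { |e, p| diff |= e ^ p }
  diff.zero?
end

# One round trip: a fresh 8-byte server challenge (the Type2 challenge field, which
# the server must keep across the 401 round trip), then the client's Type3 response.
def demo(password = 'Password', attempt = 'Password')
  server_challenge = SecureRandom.random_bytes(8)
  response = ntlmv2_response('User', 'Domain', attempt, server_challenge,
                             SecureRandom.random_bytes(8), "\x00".b * 8)
  verify_ntlmv2(nt_hash(password), 'User', 'Domain', server_challenge, response)
end

if __FILE__ == $0
  puts "NT hash of 'password': #{nt_hash('password').unpack1('H*')}"
  puts "correct password verifies: #{demo}"
  puts "wrong password verifies:   #{demo('Password', 'wrong')}"
end
```

Two points carry over to the authenticator: the server can only verify a Type3 if it still has the exact challenge it put in the Type2, so that value has to be stored per connection rather than regenerated, and the verification input is the whole blob the client echoes back, so any byte the client alters changes the expected proof and the comparison fails.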
