Class: CASServer::Authenticators::NTLM
In: lib/casserver/authenticators/ntlm.rb
Parent: Object
This will have to be called somehow from the top of the `get` method in the Login controller (maybe via a hook?). If this code fails, the controller should fall back to some other method of authentication (probably AD/LDAP or something).
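# File lib/casserver/authenticators/ntlm.rb, line 23

# Runs one leg of the browser NTLM handshake for the Login controller's
# `get` action.
#
# The request's Authorization header decides what happens:
# * no `NTLM <token>` header -> reply 401 with a bare `WWW-Authenticate: NTLM`
#   so the browser sends a Type1 message;
# * a Type1 message          -> reply 401 with a freshly generated Type2
#   challenge;
# * a Type3 message          -> pull out the LM/NTLM responses. Checking them
#   against the directory is still unimplemented, so this branch must NOT be
#   treated as a successful login yet.
#
# Reads @env (the request environment) and the `headers` hash of the enclosing
# controller context, and answers through `r(status, body, headers)`.
#
# @raise [RuntimeError] if the header carries something other than a Type1 or
#   Type3 message.
def filter_for_top_of_login_get_controller_method
  # NOTE(security): this writes the whole request environment -- including the
  # Authorization header with the client's NTLM blobs -- to the debug log.
  $LOG.debug @env.inspect

  token = /NTLM ([^\s]+)/.match(@env['HTTP_AUTHORIZATION'])
  unless token
    # No NTLM token yet: send the initial challenge, asking the browser
    # to send back a Type1 message.
    # NOTE(review): NTLM binds the handshake to the TCP connection; closing it
    # here may be related to the missing Type3 reply noted below -- confirm.
    headers['WWW-Authenticate'] = "NTLM"
    headers['Connection'] = "Close"
    r('401', '', headers)
    return
  end

  # If we're here, the client has sent back a Type1 or Type3 message in reply
  # to our NTLM challenge or our Type2 message.
  data_raw = Base64.decode64(token[1])
  $LOG.debug "T1 RAW: #{data_raw}"
  message = Net::NTLM::Message::Message.parse(data_raw)

  case message
  when Net::NTLM::Type1
    $LOG.debug "T1: #{message.inspect}"

    # Now put together a Type2 message asking the client to send back NTLM
    # credentials (LM hash and such).
    t2 = Net::NTLM::Message::Type2.new
    t2.set_flag :UNICODE
    t2.set_flag :NTLM
    t2.context = 0x0000000000000000 # this can probably just be left unassigned
    # The challenge has to be fresh and unpredictable on every request: a
    # constant value would let a captured Type3 response be replayed here and
    # makes the responses precomputable. Eight random bytes read as an
    # unsigned 64-bit integer match the field's width; securerandom (stdlib)
    # is loaded on demand.
    require 'securerandom'
    t2.challenge = SecureRandom.random_bytes(8).unpack('Q').first

    $LOG.debug "T2: #{t2.inspect}"
    $LOG.debug "T2: #{t2.serialize}"
    headers["WWW-Authenticate"] = "NTLM #{t2.encode64}"

    # the client should respond to this with a Type3 message...
    r('401', '', headers)
    return
  when Net::NTLM::Type3
    # NOTE: for some reason the server never receives the T3 response, even
    # though monitoring the HTTP traffic I can see that the client does send
    # it back... there's probably another bug hiding somewhere here
    lm_response = message.lm_response
    ntlm_response = message.ntlm_response
    # This is where we run up against a wall... we need some way to check the
    # LM and/or NTLM response (for the account named by message.user) against
    # the authentication server (probably Active Directory)... maybe a samba
    # call would do it?
    $LOG.debug "T3 LM: #{lm_response.inspect}"
    $LOG.debug "T3 NTLM: #{ntlm_response.inspect}"

    # Only once that check succeeds should the controller proceed as if it had
    # received correct login credentials (i.e. as if CAS authentication was
    # successful)... if it fails, fall back to old-school web-based
    # authentication, asking the user for username and password the normal
    # CAS way.
  else
    raise "Invalid NTLM reply from client."
  end
end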