Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/21 21:23:47 UTC

[tomcat] branch BZ-63681/8.5.x created (now 8a23438)

This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


      at 8a23438  Frist draft

This branch includes the following new commits:

     new 8a23438  Frist draft

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.





[tomcat] 01/01: Frist draft

Posted by mi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 8a2343878a7f9eaca5c795ead752bd213edc4de1
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

    Frist draft
    
    changelog.xml pending
---
 java/org/apache/catalina/Realm.java               | 13 +++++
 java/org/apache/catalina/realm/CombinedRealm.java | 34 ++++++++++++
 java/org/apache/catalina/realm/LockOutRealm.java  | 12 ++++
 java/org/apache/catalina/realm/RealmBase.java     | 67 +++++++++++++++++++----
 4 files changed, 116 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java
index a6360cc..412e845 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
 
 /**
  * A <b>Realm</b> is a read-only facade for an underlying security realm
@@ -135,6 +137,17 @@ public interface Realm {
 
 
     /**
+     * Try to authenticate using a {@link GSSName}
+     *
+     * @param gssName The {@link GSSName} of the principal to look up
+     * @param gssCredential The {@link GSSCredential} of the principal, may be
+     *                      {@code null}
+     * @return the associated principal, or {@code null} if there is none
+     */
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential);
+
+
+    /**
      * Try to authenticate using {@link X509Certificate}s
      *
      * @param certs Array of client certificates, with the first one in
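Review bot: Adding `authenticate(GSSName, GSSCredential)` as an abstract method to the public `Realm` interface is a source- and binary-incompatible change for every third-party `Realm` implementation on this branch, and neither the commit message nor the Javadoc mentions it; if a default implementation is not an option here, the pending changelog entry should call the new requirement out explicitly. The Javadoc also leaves the `gssName` contract open: the `RealmBase` implementation in this same commit returns `null` for a `null` name, so state that on the parameter, e.g. `@param gssName The {@link GSSName} of the principal to look up; {@code null} yields {@code null}`.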
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..5645457 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -393,6 +394,39 @@ public class CombinedRealm extends RealmBase {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredentail) {
+        Principal authenticatedUser = null;
+
+        String username = String.valueOf(gssName);
+
+        for (Realm realm : realms) {
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("combinedRealm.authStart",
+                        username, realm.getClass().getName()));
+            }
+
+            authenticatedUser = realm.authenticate(gssName, gssCredentail);
+
+            if (authenticatedUser == null) {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authFail",
+                            username, realm.getClass().getName()));
+                }
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authSuccess",
+                            username, realm.getClass().getName()));
+                }
+                break;
+            }
+        }
+        return authenticatedUser;
+    }
+
     @Override
     @Deprecated
     protected String getName() {
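Review bot: The parameter is misspelled `gssCredentail` on the signature line and again in the `realm.authenticate(gssName, gssCredentail)` call, which differs from the `gssCredential` spelling used by the `Realm` interface and by the `LockOutRealm` and `RealmBase` overrides in the same commit; rename both occurrences to `gssCredential`. With a `null` name the loop still runs every sub-realm and logs the literal `"null"` as the username via `String.valueOf(gssName)`; a leading `if (gssName == null) { return null; }` keeps the debug log honest and matches the guard `RealmBase` applies. The `{@inheritDoc}` Javadoc is adequate given the interface documents the contract.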
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java
index b2dc29e..46e6a97 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -205,6 +206,17 @@ public class LockOutRealm extends CombinedRealm {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        String username = String.valueOf(gssName);
+
+        Principal authenticatedUser = super.authenticate(gssName, gssCredential);
+        return filterLockedAccounts(username, authenticatedUser);
+    }
+
 
     /*
      * Filters authenticated principals to ensure that <code>null</code> is
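Review bot: The lockout key is `String.valueOf(gssName)`, i.e. the full GSS name including any `@REALM` suffix, while `RealmBase.getPrincipal(GSSName, GSSCredential)` in this same commit strips that suffix when `isStripRealmForGss()` is set, so failed attempts for one account can be counted under a different key than the username the realm actually resolves (and presumably than the username/password path in this class uses; that path is not visible here). Derive the lockout key the same way the principal name is derived, or document why the unstripped name is intended. A `null` `gssName` also reaches `filterLockedAccounts` as the literal string `"null"` and is recorded as a failed attempt for a user with that name; guard with `if (gssName == null) { return null; }` before the `super.authenticate` call.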
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index dd1761c..26f94d2 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -499,16 +499,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
                     }
                 }
 
-                String name = gssName.toString();
-
-                if (isStripRealmForGss()) {
-                    int i = name.indexOf('@');
-                    if (i > 0) {
-                        // Zero so we don't leave a zero length name
-                        name = name.substring(0, i);
-                    }
-                }
-                return getPrincipal(name, gssCredential);
+                return getPrincipal(gssName, gssCredential);
             }
         } else {
             log.error(sm.getString("realmBase.gssContextNotEstablished"));
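Review bot: The removed line called `getPrincipal(name, gssCredential)`, the `String`-based overload, whereas the new call goes through `getPrincipal(GSSName, GSSCredential)`, which per the third hunk of this file ends in the one-argument `getPrincipal(name)`; any subclass that overrides `getPrincipal(String, GSSCredential)` is therefore silently bypassed on the GSSContext path after this change. The smallest fix belongs in the new overload rather than here: have `getPrincipal(GSSName, GSSCredential)` end with `return getPrincipal(name, gssCredential);` so the existing overload stays the single place that attaches the credential. The enclosing method (the GSSContext-based `authenticate`, judging by the log key below) starts and ends outside this hunk.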
@@ -520,6 +511,19 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 
 
     /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        if (gssName == null) {
+            return null;
+        }
+
+        return getPrincipal(gssName, gssCredential);
+    }
+
+
+    /**
      * Execute a periodic task, such as reloading, etc. This method will be
      * invoked inside the classloading context of this container. Unexpected
      * throwables will be caught and logged.
@@ -1253,6 +1257,49 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
         return p;
     }
 
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * This is a convenience method you can override to obtain a GSS credential
+     * via S4U2self.
+     *
+     * @param gssName The GSS name
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName) {
+        return getPrincipal(gssName, null);
+    }
+
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * @param gssName The GSS name
+     * @param gssCredential the GSS credential of the principal
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
+        String name = String.valueOf(gssName);
+
+        if (isStripRealmForGss()) {
+            int i = name.indexOf('@');
+            if (i > 0) {
+                // Zero so we don't leave a zero length name
+                name = name.substring(0, i);
+            }
+        }
+
+        Principal p = getPrincipal(name);
+
+        if (p instanceof GenericPrincipal) {
+            ((GenericPrincipal) p).setGssCredential(gssCredential);
+        }
+
+        return p;
+    }
+
+
     /**
      * Return the Server object that is the ultimate parent for the container
      * with which this Realm is associated. If the server cannot be found (eg
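Review bot: `String.valueOf(gssName)` in `getPrincipal(GSSName, GSSCredential)` turns a `null` name into the literal string `"null"`, so this protected overload and the `getPrincipal(GSSName)` convenience method, both callable and overridable by subclasses without the `null` guard that `authenticate(GSSName, GSSCredential)` adds, end up querying the backing store for a user literally named `null`; add `if (gssName == null) { return null; }` at the top, or use `gssName.toString()` so a bad caller fails loudly instead. In the Javadoc, `@return the principal associated with the given user name` on both methods should read `given GSS name`, and `getPrincipal(GSSName)` should state that it passes a `null` credential through, which is what makes it the S4U2self hook the comment describes. The `// Zero so we don't leave a zero length name` comment was carried over from the removed code and still explains the `i > 0` check correctly.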

