Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/12/02 11:55:02 UTC
[tomcat] branch 7.0.x updated: BZ 63681: Introduce
RealmBase#authenticate(GSSName, GSSCredential) and friends
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 09ea8ce BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
09ea8ce is described below
commit 09ea8ce8f7e94cb9c15e925925c3377a3c88e769
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200
BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
---
java/org/apache/catalina/GSSRealm.java | 45 ++++++++++++++++
java/org/apache/catalina/realm/CombinedRealm.java | 43 ++++++++++++++++
java/org/apache/catalina/realm/LockOutRealm.java | 13 +++++
java/org/apache/catalina/realm/RealmBase.java | 62 ++++++++++++++++++-----
webapps/docs/changelog.xml | 4 ++
5 files changed, 155 insertions(+), 12 deletions(-)
diff --git a/java/org/apache/catalina/GSSRealm.java b/java/org/apache/catalina/GSSRealm.java
new file mode 100644
index 0000000..2f4b16f
--- /dev/null
+++ b/java/org/apache/catalina/GSSRealm.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina;
+
+import java.security.Principal;
+
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
+
+/**
+ * A <b>GSSRealm</b> is a specialized realm for GSS-based principals.
+ *
+ * @deprecated This will be removed in Tomcat 9 and integrated into {@link Realm}.
+ */
+@Deprecated
+public interface GSSRealm extends Realm {
+
+
+ // --------------------------------------------------------- Public Methods
+
+ /**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ * {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+ public Principal authenticate(GSSName gssName, GSSCredential gssCredential);
+
+}
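Review bot: The Javadoc for `authenticate(GSSName, GSSCredential)` does not say that no credential verification happens in this call — the name is mapped straight to a Principal, so it must come from an already established GSS context, and a caller passing an unverified name would get a Principal for it. Add to the method comment: `The gssName must originate from an established GSS context (the existing GSSContext-based authenticate); this method only resolves the already-authenticated name to a Principal and performs no verification of its own.` The null contract for gssName should also be stated, since RealmBase's implementation in this commit returns {@code null} for a null name while the CombinedRealm and LockOutRealm overrides do not guard it. The `public` modifier on an interface method is redundant and can be dropped.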
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index b203a29..6390dde 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -26,12 +26,14 @@ import java.util.List;
import javax.management.ObjectName;
import org.apache.catalina.Container;
+import org.apache.catalina.GSSRealm;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
@@ -374,6 +376,47 @@ public class CombinedRealm extends RealmBase {
return null;
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+ Principal authenticatedUser = null;
+ String username = gssName.toString();
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart",
+ username, realm.getClass().getName()));
+ }
+
+ if (!(realm instanceof GSSRealm)) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail",
+ username, realm.getClass().getName()));
+ }
+
+ continue;
+ }
+
+ authenticatedUser = ((GSSRealm) realm).authenticate(gssName, gssCredential);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail",
+ username, realm.getClass().getName()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSuccess",
+ username, realm.getClass().getName()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
@Override
protected String getName() {
return name;
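Review bot: `gssName.toString()` on the second line of the new authenticate runs before any null check, so a null gssName throws a NullPointerException here, whereas RealmBase.authenticate(GSSName, GSSCredential) in this same commit returns null for a null name; the LockOutRealm override has the same issue. Add `if (gssName == null) { return null; }` ahead of the toString() call, and the same guard in LockOutRealm. Separately, a realm that is not a GSSRealm is logged with combinedRealm.authFail, which reads as a failed credential check rather than a skipped realm; since RealmBase now implements GSSRealm this only affects third-party Realm implementations, but a distinct skip message would make the debug log less misleading.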
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java
index 6ec2f79..a771142 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
@@ -205,6 +206,18 @@ public class LockOutRealm extends CombinedRealm {
return null;
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+ String username = gssName.toString();
+
+ Principal authenticatedUser = super.authenticate(gssName, gssCredential);
+
+ return filterLockedAccounts(username, authenticatedUser);
+ }
+
/*
* Filters authenticated principals to ensure that <code>null</code> is
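Review bot: The lock-out bookkeeping in the new method is keyed on `gssName.toString()`, i.e. the full `user@REALM` form, while the principal lookup in RealmBase.getPrincipal(GSSName, GSSCredential) strips the realm when stripRealmForGss is set; the same account can therefore carry one failure counter for the GSS path and another for the username/password path, so a lock-out reached on one does not apply to the other. This appears to mirror the existing GSSContext-based override rather than being introduced here, so it may be intentional, but it is worth stating in a comment, e.g. `// Lock-out state is tracked by the full GSS name, including any realm suffix.` filterLockedAccounts is defined outside the hunk.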
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 80027fd..41eef83 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -34,10 +34,10 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Engine;
+import org.apache.catalina.GSSRealm;
import org.apache.catalina.Host;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
-import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.Wrapper;
@@ -67,7 +67,7 @@ import org.ietf.jgss.GSSName;
*
* @author Craig R. McClanahan
*/
-public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
+public abstract class RealmBase extends LifecycleMBeanBase implements GSSRealm {
private static final Log log = LogFactory.getLog(RealmBase.class);
@@ -574,16 +574,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
}
}
- String name = gssName.toString();
-
- if (isStripRealmForGss()) {
- int i = name.indexOf('@');
- if (i > 0) {
- // Zero so we don't leave a zero length name
- name = name.substring(0, i);
- }
- }
- return getPrincipal(name, gssCredential);
+ return getPrincipal(gssName, gssCredential);
}
} else {
log.error(sm.getString("realmBase.gssContextNotEstablished"));
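Review bot: The replaced call now routes the established-context path through getPrincipal(GSSName, GSSCredential), whose default implementation further down calls the single-argument getPrincipal(String); a subclass that overrides the String/GSSCredential overload (deprecated by this commit but still present) is presumably no longer reached from here, which would be a silent behaviour change for such realms. The least disruptive fix is in the new getPrincipal(GSSName, GSSCredential): replace `Principal p = getPrincipal(name);` and the GenericPrincipal block after it with `return getPrincipal(name, gssCredential);`, which keeps existing overrides on the call path and, judging by the deprecated overload's visible lines, already attaches the credential. The enclosing authenticate(GSSContext, boolean) begins before this hunk.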
@@ -661,6 +652,19 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
/**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+ if (gssName == null) {
+ return null;
+ }
+
+ return getPrincipal(gssName, gssCredential);
+ }
+
+
+ /**
* Execute a periodic task, such as reloading, etc. This method will be
* invoked inside the classloading context of this container. Unexpected
* throwables will be caught and logged.
@@ -1374,6 +1378,11 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
protected abstract Principal getPrincipal(String username);
+ /**
+ * @deprecated This will be removed in Tomcat 10. Use
+ * {@link #getPrincipal(GSSName, GSSCredential)} instead.
+ */
+ @Deprecated
protected Principal getPrincipal(String username,
GSSCredential gssCredential) {
Principal p = getPrincipal(username);
@@ -1385,6 +1394,35 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
return p;
}
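Review bot: The deprecation note on getPrincipal(String, GSSCredential) names Tomcat 10 as the removal target, while the GSSRealm interface added in this same commit names Tomcat 9; if both are meant to go in one release the two notes should agree, and if not, saying why here avoids the question. The `@deprecated` text should also tell implementers what the migration means in practice — that the GSSContext-based authenticate no longer calls this overload, so an override of it must move to getPrincipal(GSSName, GSSCredential) to stay effective — since that is what makes the migration necessary rather than optional.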
+
+ /**
+ * Get the principal associated with the specified {@link GSSName}.
+ *
+ * @param gssName The GSS name
+ * @param gssCredential the GSS credential of the principal
+ * @return the principal associated with the given user name.
+ */
+ protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
+ String name = gssName.toString();
+
+ if (isStripRealmForGss()) {
+ int i = name.indexOf('@');
+ if (i > 0) {
+ // Zero so we don't leave a zero length name
+ name = name.substring(0, i);
+ }
+ }
+
+ Principal p = getPrincipal(name);
+
+ if (p instanceof GenericPrincipal) {
+ ((GenericPrincipal) p).setGssCredential(gssCredential);
+ }
+
+ return p;
+ }
+
+
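Review bot: The Javadoc of the new getPrincipal(GSSName, GSSCredential) is incomplete on two points a subclass author needs: the `@return` should read `the principal associated with the given name, or {@code null} if there is none`, and gssName must be documented as non-null, because `gssName.toString()` on the first line dereferences it without a guard (unlike authenticate(GSSName, GSSCredential) in this commit, which returns null for a null name). A short note on why the realm suffix is stripped, e.g. `// With stripRealmForGss the user store is keyed by the bare user name, so drop the @REALM suffix before the lookup`, would explain the moved block better than the existing "Zero so we don't leave a zero length name" line.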
/**
* Return the Server object that is the ultimate parent for the container
* with which this Realm is associated. If the server cannot be found (eg
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c8e8116..b3201a7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -62,6 +62,10 @@
<section name="Tomcat 7.0.99 (violetagg)">
<subsection name="Catalina">
<changelog>
+ <add>
+ <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential)
+ and friends. (michaelo)
+ </add>
<fix>
<bug>63950</bug>: Fix timing issue in
<code>TestAsyncContextStateChanges</code> test that caused it