Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/03 21:30:15 UTC
svn commit: r1622328 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/authenticator/ java/org/apache/coyote/http11/
test/org/apache/tomcat/util/net/
Author: markt
Date: Wed Sep 3 19:30:15 2014
New Revision: 1622328
URL: http://svn.apache.org/r1622328
Log:
Don't trigger re-authentication for webapps that don't need it.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1617461
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Sep 3 19:30:15 2014
@@ -562,7 +562,7 @@ public abstract class AuthenticatorBase
}
if (!authRequired && context.getPreemptiveAuthentication()) {
- X509Certificate[] certs = getRequestCertificates(request);
+ X509Certificate[] certs = getRequestCertificates(request, false);
authRequired = certs != null && certs.length > 0;
}
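Review bot: The switch to `getRequestCertificates(request, false)` changes what pre-emptive authentication can observe — only a chain the client already presented in the initial handshake — and nothing at the call site records that, so a later reader will wonder why SSLAuthenticator passes `true` for the same helper. Suggest a comment above the call: `// Pre-emptive auth must not force a renegotiation: use only certificates the client already sent (connector needs clientAuth="want" for them to exist)`. The `want` requirement is inferred from the TestClientCert change in this commit rather than from this file, so confirm the wording against the connector configuration before committing it. The enclosing method starts and ends outside the hunk.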
@@ -620,11 +620,13 @@ public abstract class AuthenticatorBase
* extracting the certificate chain from the Coyote request.
*
* @param request Request to be processed
+ * @param force Should a renegotiation be forced to request certificates
+ * from the user agent if none have been provided
*
* @return The X509 certificate chain if found, <code>null</code>
* otherwise.
*/
- protected X509Certificate[] getRequestCertificates(final Request request)
+ protected X509Certificate[] getRequestCertificates(final Request request, boolean force)
throws IllegalStateException {
X509Certificate certs[] =
@@ -632,7 +634,7 @@ public abstract class AuthenticatorBase
if ((certs == null) || (certs.length < 1)) {
try {
- request.getCoyoteRequest().action (ActionCode.REQ_SSL_CERTIFICATE, null);
+ request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, Boolean.valueOf(force));
certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
} catch (IllegalStateException ise) {
// Request body was too large for save buffer
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java Wed Sep 3 19:30:15 2014
@@ -127,7 +127,7 @@ public class SSLAuthenticator
if (containerLog.isDebugEnabled())
containerLog.debug(" Looking up certificates");
- X509Certificate certs[] = getRequestCertificates(request);
+ X509Certificate certs[] = getRequestCertificates(request, true);
if ((certs == null) || (certs.length < 1)) {
if (containerLog.isDebugEnabled())
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Wed Sep 3 19:30:15 2014
@@ -402,18 +402,26 @@ public class Http11AprProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (endpoint.isSSLEnabled() && (socketRef != 0)) {
- // Consume and buffer the request body, so that it does not
- // interfere with the client's handshake messages
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
try {
- // Configure connection to require a certificate
- SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)endpoint).getSSLVerifyDepth());
- // Renegotiate certificates
- if (SSLSocket.renegotiate(socketRef) == 0) {
- // Don't look for certs unless we know renegotiation worked.
+ if (force) {
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
+ ((AprEndpoint)endpoint).getSSLVerifyDepth());
+ }
+ if (!force || SSLSocket.renegotiate(socketRef) == 0) {
+ // Only look for certs if not forcing a renegotiation or
+ // if we know renegotiation worked.
// Get client certificate and the certificate chain if present
// certLength == -1 indicates an error
int certLength = SSLSocket.getInfoI(socketRef,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
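Review bot: `boolean force = ((Boolean) param).booleanValue();` on the added line dereferences `param` without a null check, while the previous contract of REQ_SSL_CERTIFICATE accepted `null` (the removed AuthenticatorBase call passed exactly that), so any caller not updated in this commit now gets a NullPointerException inside the action switch instead of the old always-renegotiate behaviour. Mapping `null` onto the old behaviour keeps such callers working: `boolean force = param == null || ((Boolean) param).booleanValue();`. The same unguarded cast is added in Http11NioProcessor and Http11Processor. The enclosing `action` method and this `case` body both continue outside the hunk.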
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Wed Sep 3 19:30:15 2014
@@ -408,18 +408,20 @@ public class Http11NioProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
SecureNioChannel sslChannel = (SecureNioChannel) socketWrapper.getSocket();
SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
+ if (!engine.getNeedClientAuth() && force) {
// Need to re-negotiate SSL connection
engine.setNeedClientAuth(true);
try {
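Review bot: The `if (force) { … setLimit(maxSavePostSize) … addActiveFilter(…) }` block added here is the same sequence added verbatim in Http11AprProcessor and Http11Processor, so the size limit applied before a renegotiation is now maintained in three places that can drift independently. Since the hunk headers show all three processors extend a common parent (presumably AbstractHttp11Processor — confirm), a single `protected void bufferRequestBodyForRenegotiation()` on that parent holding these lines would leave one place to review. The `action` method continues outside the hunk.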
@@ -436,9 +438,8 @@ public class Http11NioProcessor extends
// use force=false since re-negotiation is handled above
// (and it is a NO-OP for NIO anyway)
Object sslO = sslSupport.getPeerCertificateChain(false);
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
+ if (sslO != null) {
+ request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Wed Sep 3 19:30:15 2014
@@ -331,17 +331,19 @@ public class Http11Processor extends Abs
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
try {
- Object sslO = sslSupport.getPeerCertificateChain(true);
+ Object sslO = sslSupport.getPeerCertificateChain(force);
if( sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
Modified: tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java (original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java Wed Sep 3 19:30:15 2014
@@ -45,16 +45,24 @@ public class TestClientCert extends Tomc
doTestClientCertGet(true);
}
- public void doTestClientCertGet(boolean preemtive) throws Exception {
+ private void doTestClientCertGet(boolean preemtive) throws Exception {
Assume.assumeTrue("SSL renegotiation has to be supported for this test",
TesterSupport.isRenegotiationSupported(getTomcatInstance()));
if (preemtive) {
+ Tomcat tomcat = getTomcatInstance();
// Only one context deployed
- Context c = (Context) getTomcatInstance().getHost().findChildren()[0];
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ // Enable pre-emptive auth
c.setPreemptiveAuthentication(true);
+
+ // Connector needs to advertise is accepts client certs for
+ // pre-emptive to work
+ tomcat.getConnector().setAttribute("clientAuth", "want");
}
+ getTomcatInstance().start();
+
// Unprotected resource
ByteChunk res =
getUrl("https://localhost:" + getPort() + "/unprotected");
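Review bot: The comment added above `tomcat.getConnector().setAttribute("clientAuth", "want")` reads `advertise is accepts`; it should read `advertises it accepts`. The new `Tomcat tomcat = getTomcatInstance();` local is declared inside the `if (preemtive)` block while the new `getTomcatInstance().start();` below re-fetches the instance; hoisting the declaration above the `if` lets both use it, so the start line becomes `tomcat.start();`. The parameter name `preemtive` is carried over onto the new signature line and could be corrected to `preemptive` while the line is being touched. The method continues past the hunk.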
@@ -95,6 +103,8 @@ public class TestClientCert extends Tomc
Assume.assumeTrue("SSL renegotiation has to be supported for this test",
TesterSupport.isRenegotiationSupported(getTomcatInstance()));
+ getTomcatInstance().start();
+
byte[] body = new byte[bodySize];
Arrays.fill(body, TesterSupport.DATA);
@@ -127,9 +137,6 @@ public class TestClientCert extends Tomc
TesterSupport.configureClientCertContext(tomcat);
- // Start Tomcat
- tomcat.start();
-
TesterSupport.configureClientSsl();
}
}