Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/04 15:18:39 UTC
svn commit: r1622473 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/authenticator/ java/org/apache/coyote/http11/
test/org/apache/tomcat/util/net/
Author: markt
Date: Thu Sep 4 13:18:39 2014
New Revision: 1622473
URL: http://svn.apache.org/r1622473
Log:
Correct the previous fix for bug 56825 that enabled pre-emptive authentication to work with the SSL authenticator.
An SSL handshake is now triggered if:
- pre-emptive authentication is enabled;
- CLIENT-CERT is being used; and
- the previous handshake did not include a client cert
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1622470
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Sep 4 13:18:39 2014
@@ -28,6 +28,7 @@ import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Authenticator;
@@ -561,8 +562,9 @@ public abstract class AuthenticatorBase
"authorization") != null;
}
- if (!authRequired && context.getPreemptiveAuthentication()) {
- X509Certificate[] certs = getRequestCertificates(request, false);
+ if (!authRequired && context.getPreemptiveAuthentication() &&
+ HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) {
+ X509Certificate[] certs = getRequestCertificates(request);
authRequired = certs != null && certs.length > 0;
}
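Review bot: The call on the `getRequestCertificates(request)` line is now the forcing variant, so with pre-emptive authentication on, every unauthenticated request to a CLIENT-CERT context has its body buffered and a TLS renegotiation triggered before `authRequired` is decided. That is the intended fix, but the cost is not visible at this call site; a comment such as `// Forces a renegotiation (and buffers the body up to maxSavePostSize) when no client cert was presented` would make it explicit. The enclosing method starts and ends outside the hunk.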
@@ -620,13 +622,11 @@ public abstract class AuthenticatorBase
* extracting the certificate chain from the Coyote request.
*
* @param request Request to be processed
- * @param force Should a renegotiation be forced to request certificates
- * from the user agent if none have been provided
*
* @return The X509 certificate chain if found, <code>null</code>
* otherwise.
*/
- protected X509Certificate[] getRequestCertificates(final Request request, boolean force)
+ protected X509Certificate[] getRequestCertificates(final Request request)
throws IllegalStateException {
X509Certificate certs[] =
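Review bot: The Javadoc drops the `@param force` text but does not say that the method now always requests a renegotiation when the request carries no certificates, which is exactly the behaviour change callers of the old `force=false` form need to know about; add `* If no certificates are present on the request, a renegotiation is triggered to request them from the user agent; the request body may be buffered up to maxSavePostSize.`. Since the signature declares `throws IllegalStateException` and the next hunk catches one from the Coyote action, an `@throws IllegalStateException` entry stating when it propagates (if it does) belongs here too. The method body continues in the following hunk.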
@@ -634,7 +634,7 @@ public abstract class AuthenticatorBase
if ((certs == null) || (certs.length < 1)) {
try {
- request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, Boolean.valueOf(force));
+ request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
} catch (IllegalStateException ise) {
// Request body was too large for save buffer
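Review bot: Passing `null` as the `REQ_SSL_CERTIFICATE` parameter is safe for the three HTTP/1.1 processors updated in this commit, which no longer read `param`, but any other processor whose `REQ_SSL_CERTIFICATE` case still does `((Boolean) param).booleanValue()` would now throw a NullPointerException; worth confirming none remains, as the AJP processors are not in this diff. A short comment on the call, `// param unused: the processor always buffers the body and renegotiates if no cert is present`, would record the new contract. The surrounding method continues outside the hunk.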
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java Thu Sep 4 13:18:39 2014
@@ -127,7 +127,7 @@ public class SSLAuthenticator
if (containerLog.isDebugEnabled())
containerLog.debug(" Looking up certificates");
- X509Certificate certs[] = getRequestCertificates(request, true);
+ X509Certificate certs[] = getRequestCertificates(request);
if ((certs == null) || (certs.length < 1)) {
if (containerLog.isDebugEnabled())
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Thu Sep 4 13:18:39 2014
@@ -402,26 +402,18 @@ public class Http11AprProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (endpoint.isSSLEnabled() && (socketRef != 0)) {
- boolean force = ((Boolean) param).booleanValue();
- if (force) {
- /* Forced triggers a handshake so consume and buffer the
- * request body, so that it does not interfere with the
- * client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
- }
+ // Consume and buffer the request body, so that it does not
+ // interfere with the client's handshake messages
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
try {
- if (force) {
- // Configure connection to require a certificate
- SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)endpoint).getSSLVerifyDepth());
- }
- if (!force || SSLSocket.renegotiate(socketRef) == 0) {
- // Only look for certs if not forcing a renegotiation or
- // if we know renegotiation worked.
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
+ ((AprEndpoint)endpoint).getSSLVerifyDepth());
+ // Renegotiate certificates
+ if (SSLSocket.renegotiate(socketRef) == 0) {
+ // Don't look for certs unless we know renegotiation worked.
// Get client certificate and the certificate chain if present
// certLength == -1 indicates an error
int certLength = SSLSocket.getInfoI(socketRef,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
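Review bot: `SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE, ...)` and the renegotiation now run unconditionally whenever no certificate attribute is present, whereas the NIO hunk in this commit first checks `engine.getNeedClientAuth()` and skips the renegotiation when client auth was already required, so the two connectors no longer behave the same on a connection that already demanded a certificate. If tomcat-native exposes the current verify mode, mirroring the NIO guard would keep them consistent; if it does not, a comment above `setVerify` saying why APR cannot check would save the next reader the search. Note also that the verify mode is left at REQUIRE when `renegotiate` returns non-zero, as was already true of the old `force` path. The try block and the case continue outside the hunk.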
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Thu Sep 4 13:18:39 2014
@@ -408,20 +408,18 @@ public class Http11NioProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- boolean force = ((Boolean) param).booleanValue();
- if (force) {
- /* Forced triggers a handshake so consume and buffer the
- * request body, so that it does not interfere with the
- * client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
- }
+ /*
+ * Consume and buffer the request body, so that it does not
+ * interfere with the client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter
+ (inputFilters[Constants.BUFFERED_FILTER]);
SecureNioChannel sslChannel = (SecureNioChannel) socketWrapper.getSocket();
SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth() && force) {
+ if (!engine.getNeedClientAuth()) {
// Need to re-negotiate SSL connection
engine.setNeedClientAuth(true);
try {
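Review bot: The request body is now diverted into the BUFFERED_FILTER on every `REQ_SSL_CERTIFICATE` action, but the renegotiation below only happens when `!engine.getNeedClientAuth()`; on a connection that already required client auth the body is still buffered against `maxSavePostSize` for no reason, and a body above that limit would presumably fail where it previously passed through untouched. Consider moving the three filter lines inside the `if (!engine.getNeedClientAuth())` block, or add a comment explaining why buffering is needed in both cases. The `try` and the enclosing case continue outside the hunk.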
@@ -438,8 +436,9 @@ public class Http11NioProcessor extends
// use force=false since re-negotiation is handled above
// (and it is a NO-OP for NIO anyway)
Object sslO = sslSupport.getPeerCertificateChain(false);
- if (sslO != null) {
- request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);
+ if( sslO != null) {
+ request.setAttribute
+ (SSLSupport.CERTIFICATE_KEY, sslO);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
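Review bot: `if( sslO != null)` and the `request.setAttribute` call split before its argument list are a formatting regression of the removed lines, which were already in the file's style; restore `if (sslO != null) {` and `request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);` on one line. The `inputBuffer.addActiveFilter` call in the previous hunk, and the same call in the Http11Processor hunk, carry the same split before the parenthesis. The enclosing case continues outside the hunk.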
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Thu Sep 4 13:18:39 2014
@@ -331,19 +331,17 @@ public class Http11Processor extends Abs
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- boolean force = ((Boolean) param).booleanValue();
- if (force) {
- /* Forced triggers a handshake so consume and buffer the
- * request body, so that it does not interfere with the
- * client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
- }
+ /*
+ * Consume and buffer the request body, so that it does not
+ * interfere with the client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter
+ (inputFilters[Constants.BUFFERED_FILTER]);
try {
- Object sslO = sslSupport.getPeerCertificateChain(force);
+ Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
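Review bot: `sslSupport.getPeerCertificateChain(true)` now forces the handshake on every `REQ_SSL_CERTIFICATE` action, and unlike the NIO hunk there is no check that client auth is not already required, so presumably the SSLSupport implementation handles a redundant request internally; a comment on the argument would make that assumption visible: `// true: force a handshake requesting a client cert; the body is buffered above so it cannot collide with handshake data`. The `try` and the case continue outside the hunk.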
Modified: tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java?rev=1622473&r1=1622472&r2=1622473&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java (original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java Thu Sep 4 13:18:39 2014
@@ -55,10 +55,6 @@ public class TestClientCert extends Tomc
Context c = (Context) tomcat.getHost().findChildren()[0];
// Enable pre-emptive auth
c.setPreemptiveAuthentication(true);
-
- // Connector needs to advertise is accepts client certs for
- // pre-emptive to work
- tomcat.getConnector().setAttribute("clientAuth", "want");
}
getTomcatInstance().start();
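Review bot: Removing the `clientAuth=want` setting also removes the only explanation of how the connector is configured for this test; the remaining `// Enable pre-emptive auth` comment should say that the connector is deliberately left without `clientAuth` so the test exercises the renegotiation path this commit introduces, e.g. `// Enable pre-emptive auth; clientAuth is intentionally not set so the authenticator must trigger the renegotiation itself`. The enclosing setup method starts and ends outside the hunk.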