Posted to dev@tomcat.apache.org by am...@apache.org on 2002/08/07 22:51:44 UTC
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm Constants.java JAASMemoryLoginModule.java LocalStrings.properties LocalStrings_es.properties LocalStrings_ja.properties RealmBase.java
amyroh 2002/08/07 13:51:44
Modified: catalina/src/conf tomcat-users.xml
catalina/src/share/org/apache/catalina Realm.java
catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
catalina/src/share/org/apache/catalina/realm Constants.java
JAASMemoryLoginModule.java LocalStrings.properties
LocalStrings_es.properties
LocalStrings_ja.properties RealmBase.java
Log:
Refactor o.a.c.authenticator.AuthenticatorBase and o.a.c.RealmBase.
Patch submitted by Jean-francois Arcand.
Revision Changes Path
1.2 +1 -1 jakarta-tomcat-catalina/catalina/src/conf/tomcat-users.xml
Index: tomcat-users.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/conf/tomcat-users.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- tomcat-users.xml 18 Jul 2002 16:48:14 -0000 1.1
+++ tomcat-users.xml 7 Aug 2002 20:51:44 -0000 1.2
@@ -4,7 +4,7 @@
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
- <user name="tomcat" password="tomcat" roles="tomcat" />
+ <user name="tomcat" password="tomcat,admin" roles="tomcat,admin" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
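Review bot: The password attribute on L31 changes from `tomcat` to `tomcat,admin`, which reads like the new roles value pasted into the wrong attribute; if the intent was only to grant the admin role, the line should be `<user name="tomcat" password="tomcat" roles="tomcat,admin" />`. Either way this is the shipped default user database, so a well-known account now carries the admin role. If that is intended, a comment in the file saying the entry is a sample to be replaced before deployment would make the expectation explicit.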
1.2 +27 -7 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Realm.java
Index: Realm.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Realm.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- Realm.java 18 Jul 2002 16:47:38 -0000 1.1
+++ Realm.java 7 Aug 2002 20:51:44 -0000 1.2
@@ -66,10 +66,11 @@
import java.beans.PropertyChangeListener;
+import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
-
+import org.apache.catalina.deploy.SecurityConstraint;
/**
* A <b>Realm</b> is a read-only facade for an underlying security realm
* used to authenticate individual users, and identify the security roles
@@ -111,7 +112,7 @@
// --------------------------------------------------------- Public Methods
-
+
/**
* Add a property change listener to this component.
*
@@ -169,8 +170,27 @@
* the array being the certificate of the client itself.
*/
public Principal authenticate(X509Certificate certs[]);
+
-
+ /**
+ * Perform access control based on the specified authorization constraint.
+ * Return <code>true</code> if this constraint is satisfied and processing
+ * should continue, or <code>false</code> otherwise.
+ *
+ * @param request Request we are processing
+ * @param response Response we are creating
+ * @param constraint Security constraint we are enforcing
+ * @param The Context to which client of this class is attached.
+ *
+ * @exception IOException if an input/output error occurs
+ */
+ public boolean hasResourceAccess(HttpRequest request,
+ HttpResponse response,
+ SecurityConstraint constraint,
+ Context context)
+ throws IOException;
+
+
/**
* Return <code>true</code> if the specified Principal has the specified
* security role, within the context of this Realm; otherwise return
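Review bot: The Javadoc tag on L75 is malformed — `@param The Context ...` names no parameter; it should read `@param context The Context to which the client of this class is attached.` The same line is repeated in the JAASMemoryLoginModule (L268) and RealmBase (L455) copies. The interface comment should also state the contract the caller depends on: when the method returns `false`, the implementation has already committed an error status on `response` (AuthenticatorBase's ASSERT at L106 relies on this), so a second implementation that merely returns false would leave the request unanswered. Suggested addition to the Javadoc: `Implementations that return false must already have sent an error response (for example 403) on the supplied response.`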
1.2 +5 -87 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Index: AuthenticatorBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- AuthenticatorBase.java 18 Jul 2002 16:48:02 -0000 1.1
+++ AuthenticatorBase.java 7 Aug 2002 20:51:44 -0000 1.2
@@ -512,7 +512,7 @@
if (constraint.getAuthConstraint()) {
if (debug >= 1)
log(" Calling accessControl()");
- if (!accessControl(hrequest, hresponse, constraint)) {
+ if (!this.context.getRealm().hasResourceAccess(hrequest, hresponse, constraint, this.context)) {
if (debug >= 1)
log(" Failed accessControl() test");
// ASSERT: AccessControl method has already set the appropriate
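Review bot: The debug messages on L101 and L105 still name `accessControl()`, which no longer exists after this commit; they should read `log(" Calling hasResourceAccess()")` and `log(" Failed hasResourceAccess() test")` so a log reader can find the code path. Separately, `this.context.getRealm()` on L103 is now dereferenced for every request carrying an auth-constraint, whereas the removed method only consulted the realm after the form-page and principal checks (L166, L180); a Context with no Realm configured would therefore fail earlier, with a NullPointerException, unless something outside the hunk already guarantees a realm. If no such guarantee exists, a guard that denies the request rather than throwing would be safer. The enclosing method starts and ends outside the hunk.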
@@ -532,88 +532,6 @@
// ------------------------------------------------------ Protected Methods
- /**
- * Perform access control based on the specified authorization constraint.
- * Return <code>true</code> if this constraint is satisfied and processing
- * should continue, or <code>false</code> otherwise.
- *
- * @param request Request we are processing
- * @param response Response we are creating
- * @param constraint Security constraint we are enforcing
- *
- * @exception IOException if an input/output error occurs
- */
- protected boolean accessControl(HttpRequest request,
- HttpResponse response,
- SecurityConstraint constraint)
- throws IOException {
-
- if (constraint == null)
- return (true);
-
- // Specifically allow access to the form login and form error pages
- // and the "j_security_check" action
- LoginConfig config = context.getLoginConfig();
- if ((config != null) &&
- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
- String requestURI = request.getDecodedRequestURI();
- String loginPage = context.getPath() + config.getLoginPage();
- if (loginPage.equals(requestURI)) {
- if (debug >= 1)
- log(" Allow access to login page " + loginPage);
- return (true);
- }
- String errorPage = context.getPath() + config.getErrorPage();
- if (errorPage.equals(requestURI)) {
- if (debug >= 1)
- log(" Allow access to error page " + errorPage);
- return (true);
- }
- if (requestURI.endsWith(Constants.FORM_ACTION)) {
- if (debug >= 1)
- log(" Allow access to username/password submission");
- return (true);
- }
- }
-
- // Which user principal have we already authenticated?
- Principal principal =
- ((HttpServletRequest) request.getRequest()).getUserPrincipal();
- if (principal == null) {
- if (debug >= 2)
- log(" No user authenticated, cannot grant access");
- ((HttpServletResponse) response.getResponse()).sendError
- (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- sm.getString("authenticator.notAuthenticated"));
- return (false);
- }
-
- // Check each role included in this constraint
- Realm realm = context.getRealm();
- String roles[] = constraint.findAuthRoles();
- if (roles == null)
- roles = new String[0];
-
- if (constraint.getAllRoles())
- return (true);
- if ((roles.length == 0) && (constraint.getAuthConstraint())) {
- ((HttpServletResponse) response.getResponse()).sendError
- (HttpServletResponse.SC_FORBIDDEN,
- sm.getString("authenticator.forbidden"));
- return (false); // No listed roles means no access at all
- }
- for (int i = 0; i < roles.length; i++) {
- if (realm.hasRole(principal, roles[i]))
- return (true);
- }
-
- // Return a "Forbidden" message denying access to this resource
- ((HttpServletResponse) response.getResponse()).sendError
- (HttpServletResponse.SC_FORBIDDEN,
- sm.getString("authenticator.forbidden"));
- return (false);
-
- }
/**
1.2 +11 -4 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/Constants.java
Index: Constants.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/Constants.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- Constants.java 18 Jul 2002 16:47:54 -0000 1.1
+++ Constants.java 7 Aug 2002 20:51:44 -0000 1.2
@@ -76,5 +76,12 @@
public final class Constants {
public static final String Package = "org.apache.catalina.realm";
+
+ // Authentication methods for login configuration
+ public static final String FORM_METHOD = "FORM";
+
+ // Form based authentication constants
+ public static final String FORM_ACTION = "/j_security_check";
+
}
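Review bot: `FORM_METHOD` and `FORM_ACTION` on L206 and L209 duplicate values the removed AuthenticatorBase.accessControl read from its own `Constants` (L132, L146), so the same protocol strings are now defined in two packages and can drift. If the authenticator package's constants are still present (they are outside this diff, so this is inferred from the old code's references), consider having one side reference the other, or at least a comment here such as `// Must match org.apache.catalina.authenticator.Constants` so the coupling is visible.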
1.2 +104 -4 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JAASMemoryLoginModule.java
Index: JAASMemoryLoginModule.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JAASMemoryLoginModule.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- JAASMemoryLoginModule.java 18 Jul 2002 16:47:54 -0000 1.1
+++ JAASMemoryLoginModule.java 7 Aug 2002 20:51:44 -0000 1.2
@@ -70,6 +70,7 @@
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
+
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
@@ -81,8 +82,18 @@
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.HttpRequest;
+import org.apache.catalina.HttpResponse;
import org.apache.catalina.Realm;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.util.StringManager;
import org.apache.commons.digester.Digester;
@@ -163,6 +174,11 @@
*/
protected HashMap principals = new HashMap();
+ /**
+ * The string manager for this package.
+ */
+ protected static StringManager sm =
+ StringManager.getManager(Constants.Package);
/**
* The state information that is shared with other configured
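Review bot: The new `sm` on L252 is a static field declared in this class; if JAASMemoryLoginModule extends MemoryRealm/RealmBase (the class header is outside the hunk), the superclass already holds an `sm` for the same `Constants.Package` — the RealmBase hunk uses `sm` at L500 without declaring it — so this declaration hides the inherited one without changing behaviour. Either drop it or add a one-line comment explaining why a separate manager is needed here.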
@@ -561,6 +577,90 @@
exception.printStackTrace(System.out);
}
+
+ /**
+ * Perform access control based on the specified authorization constraint.
+ * Return <code>true</code> if this constraint is satisfied and processing
+ * should continue, or <code>false</code> otherwise.
+ *
+ * @param request Request we are processing
+ * @param response Response we are creating
+ * @param constraint Security constraint we are enforcing
+ * @param The Context to which client of this class is attached.
+ *
+ * @exception IOException if an input/output error occurs
+ */
+ public boolean hasResourceAccess(HttpRequest request,
+ HttpResponse response,
+ SecurityConstraint constraint,
+ Context context)
+ throws IOException {
+
+ if (constraint == null)
+ return (true);
+
+ // Specifically allow access to the form login and form error pages
+ // and the "j_security_check" action
+ LoginConfig config = context.getLoginConfig();
+ if ((config != null) &&
+ (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
+ String requestURI = request.getDecodedRequestURI();
+ String loginPage = context.getPath() + config.getLoginPage();
+ if (loginPage.equals(requestURI)) {
+ if (debug)
+ log(" Allow access to login page " + loginPage);
+ return (true);
+ }
+ String errorPage = context.getPath() + config.getErrorPage();
+ if (errorPage.equals(requestURI)) {
+ if (debug)
+ log(" Allow access to error page " + errorPage);
+ return (true);
+ }
+ if (requestURI.endsWith(Constants.FORM_ACTION)) {
+ if (debug)
+ log(" Allow access to username/password submission");
+ return (true);
+ }
+ }
+
+ // Which user principal have we already authenticated?
+ Principal principal =
+ ((HttpServletRequest) request.getRequest()).getUserPrincipal();
+ if (principal == null) {
+ if (debug)
+ log(" No user authenticated, cannot grant access");
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+ sm.getString("realmBase.notAuthenticated"));
+ return (false);
+ }
+
+ String roles[] = constraint.findAuthRoles();
+ if (roles == null)
+ roles = new String[0];
+
+ if (constraint.getAllRoles())
+ return (true);
+ if ((roles.length == 0) && (constraint.getAuthConstraint())) {
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_FORBIDDEN,
+ sm.getString("realmBase.forbidden"));
+ return (false); // No listed roles means no access at all
+ }
+ for (int i = 0; i < roles.length; i++) {
+ if (hasRole(principal, roles[i]))
+ return (true);
+ }
+
+ // Return a "Forbidden" message denying access to this resource
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_FORBIDDEN,
+ sm.getString("realmBase.forbidden"));
+ return (false);
+
+ }
+
}
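Review bot: `hasResourceAccess` on L272–L341 is a line-for-line copy of RealmBase.hasResourceAccess (L459–L527), differing only in the debug guards (`if (debug)` here versus `debug >= 1` / `debug >= 2` there), so the two copies of the authorization decision already disagree on what is logged and will drift further as either is maintained. If this class inherits from RealmBase (the class header is outside the hunk), the override is redundant and should be removed; if it does not, a comment should say why a separate copy of the access-control policy is needed. Separately, the method declares `throws IOException` but the import hunks (L221–L245) add no `java.io.IOException`; unless it is already imported above L222 this will not compile.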
1.2 +4 -1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings.properties
Index: LocalStrings.properties
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- LocalStrings.properties 18 Jul 2002 16:47:54 -0000 1.1
+++ LocalStrings.properties 7 Aug 2002 20:51:44 -0000 1.2
@@ -27,8 +27,10 @@
realmBase.algorithm=Invalid message digest algorithm {0} specified
realmBase.alreadyStarted=This Realm has already been started
realmBase.digest=Error digesting user credentials
+realmBase.forbidden=Access to the requested resource has been denied
realmBase.hasRoleFailure=Username {0} does NOT have role {1}
realmBase.hasRoleSuccess=Username {0} has role {1}
+realmBase.notAuthenticated=Configuration error: Cannot perform access control without an authenticated principal
realmBase.notStarted=This Realm has not yet been started
userDatabaseRealm.authenticateError=Login configuration error authenticating username {0}
userDatabaseRealm.authenticateFailure=Username {0} NOT successfully authenticated
@@ -37,3 +39,4 @@
userDatabaseRealm.noDatabase=No UserDatabase component found under key {0}
userDatabaseRealm.noEngine=No Engine component found in container hierarchy
userDatabaseRealm.noGlobal=No global JNDI resources context found
+
1.2 +3 -1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings_es.properties
Index: LocalStrings_es.properties
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings_es.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- LocalStrings_es.properties 18 Jul 2002 16:47:54 -0000 1.1
+++ LocalStrings_es.properties 7 Aug 2002 20:51:44 -0000 1.2
@@ -28,7 +28,9 @@
realmBase.algorithm=El algoritmo digest {0} es invalido
realmBase.alreadyStarted=Este dominio ya ha sido inicializado
realmBase.digest=Error procesando las credenciales del usuario
+realmBase.forbidden=El acceso al recurso pedido ha sido denegado
realmBase.hasRoleFailure=El usuario {0} NO tiene el rol {1}
realmBase.hasRoleSuccess=El usuario {0} tiene el rol {1}
+realmBase.notAuthenticated=Error de Configuracion: No se puede realizar funciones de control de acceso sin un principal autentificado
realmBase.notStarted=Este dominio a�n no ha sido inicializado
1.2 +3 -1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings_ja.properties
Index: LocalStrings_ja.properties
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/LocalStrings_ja.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- LocalStrings_ja.properties 18 Jul 2002 16:47:54 -0000 1.1
+++ LocalStrings_ja.properties 7 Aug 2002 20:51:44 -0000 1.2
@@ -22,6 +22,8 @@
realmBase.algorithm=\u7121\u52b9\u306a\u30e1\u30c3\u30bb\u30fc\u30b8\u30c0\u30a4\u30b8\u30a7\u30b9\u30c8\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0 {0} \u304c\u6307\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059
realmBase.alreadyStarted=\u3053\u306e\u30ec\u30eb\u30e0\u306f\u3059\u3067\u306b\u8d77\u52d5\u3055\u308c\u3066\u3044\u307e\u3059
realmBase.digest=\u30e6\u30fc\u30b6\u306e\u8a3c\u660e\u66f8\u306e\u8981\u7d04\u30a8\u30e9\u30fc
+realmBase.forbidden=\u30ea\u30af\u30a8\u30b9\u30c8\u3055\u308c\u305f\u30ea\u30bd\u30fc\u30b9\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u307e\u3057\u305f
realmBase.hasRoleFailure=\u30e6\u30fc\u30b6\u540d {0} \u306f\u3001\u30ed\u30fc\u30eb {1} \u3092\u6301\u3063\u3066\u3044\u307e\u305b\u3093
realmBase.hasRoleSuccess=\u30e6\u30fc\u30b6\u540d {0} \u306f\u3001\u30ed\u30fc\u30eb {1} \u3092\u6301\u3063\u3066\u3044\u307e\u3059
+realmBase.notAuthenticated=\u8a2d\u5b9a\u30a8\u30e9\u30fc: \u8a3c\u660e\u3055\u308c\u305f\u4e3b\u4f53\u306a\u3057\u306b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3092\u5b9f\u884c\u3067\u304d\u307e\u305b\u3093
realmBase.notStarted=\u3053\u306e\u30ec\u30eb\u30e0\u306f\u307e\u3060\u8d77\u52d5\u3055\u308c\u3066\u3044\u307e\u305b\u3093
1.2 +99 -5 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
Index: RealmBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- RealmBase.java 18 Jul 2002 16:47:55 -0000 1.1
+++ RealmBase.java 7 Aug 2002 20:51:44 -0000 1.2
@@ -72,13 +72,23 @@
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.io.File;
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.HttpRequest;
+import org.apache.catalina.HttpResponse;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Logger;
import org.apache.catalina.Realm;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.util.HexUtils;
import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.util.StringManager;
@@ -285,6 +295,7 @@
// --------------------------------------------------------- Public Methods
+
/**
* Add a property change listener to this component.
*
@@ -418,7 +429,91 @@
}
+
+ /**
+ * Perform access control based on the specified authorization constraint.
+ * Return <code>true</code> if this constraint is satisfied and processing
+ * should continue, or <code>false</code> otherwise.
+ *
+ * @param request Request we are processing
+ * @param response Response we are creating
+ * @param constraint Security constraint we are enforcing
+ * @param The Context to which client of this class is attached.
+ *
+ * @exception IOException if an input/output error occurs
+ */
+ public boolean hasResourceAccess(HttpRequest request,
+ HttpResponse response,
+ SecurityConstraint constraint,
+ Context context)
+ throws IOException {
+
+ if (constraint == null)
+ return (true);
+
+ // Specifically allow access to the form login and form error pages
+ // and the "j_security_check" action
+ LoginConfig config = context.getLoginConfig();
+ if ((config != null) &&
+ (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
+ String requestURI = request.getDecodedRequestURI();
+ String loginPage = context.getPath() + config.getLoginPage();
+ if (loginPage.equals(requestURI)) {
+ if (debug >= 1)
+ log(" Allow access to login page " + loginPage);
+ return (true);
+ }
+ String errorPage = context.getPath() + config.getErrorPage();
+ if (errorPage.equals(requestURI)) {
+ if (debug >= 1)
+ log(" Allow access to error page " + errorPage);
+ return (true);
+ }
+ if (requestURI.endsWith(Constants.FORM_ACTION)) {
+ if (debug >= 1)
+ log(" Allow access to username/password submission");
+ return (true);
+ }
+ }
+ // Which user principal have we already authenticated?
+ Principal principal =
+ ((HttpServletRequest) request.getRequest()).getUserPrincipal();
+ if (principal == null) {
+ if (debug >= 2)
+ log(" No user authenticated, cannot grant access");
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+ sm.getString("realmBase.notAuthenticated"));
+ return (false);
+ }
+
+ String roles[] = constraint.findAuthRoles();
+ if (roles == null)
+ roles = new String[0];
+
+ if (constraint.getAllRoles())
+ return (true);
+ if ((roles.length == 0) && (constraint.getAuthConstraint())) {
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_FORBIDDEN,
+ sm.getString("realmBase.forbidden"));
+ return (false); // No listed roles means no access at all
+ }
+ for (int i = 0; i < roles.length; i++) {
+ if (hasRole(principal, roles[i]))
+ return (true);
+ }
+
+ // Return a "Forbidden" message denying access to this resource
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_FORBIDDEN,
+ sm.getString("realmBase.forbidden"));
+ return (false);
+
+ }
+
+
/**
* Return <code>true</code> if the specified Principal has the specified
* security role, within the context of this Realm; otherwise return
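Review bot: L486 grants access to any request in the context whose decoded URI ends with `Constants.FORM_ACTION`, before any principal or role check. This mirrors the removed authenticator code, but now that the decision lives in a public Realm method other callers inherit it, so the Javadoc should state that the FORM login page, error page and the `j_security_check` action are exempt from the constraint and that the form authenticator is expected to handle that action itself. `context` (L470, L474) is also dereferenced without a null check while the Javadoc does not say it is required; AuthenticatorBase passes `this.context` (L103), so a `@param context ... must not be null` note or an explicit guard would make the contract clear to other implementors.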
@@ -730,6 +825,5 @@
}
}
-
}