Posted to dev@tomcat.apache.org by re...@apache.org on 2015/10/22 18:26:51 UTC
svn commit: r1710058 - in
/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules:
BasicAuthModule.java DigestAuthModule.java FormAuthModule.java
LocalStrings.properties SSLAuthModule.java SpnegoAuthModule.java
TomcatAuthModule.java
Author: remm
Date: Thu Oct 22 16:26:51 2015
New Revision: 1710058
URL: http://svn.apache.org/viewvc?rev=1710058&view=rev
Log:
Pull up some shared methods into TomcatAuthModule and add a quick port of the SSL authenticator.
Added:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SSLAuthModule.java
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SpnegoAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java?rev=1710058&r1=1710057&r2=1710058&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java Thu Oct 22 16:26:51 2015
@@ -28,7 +28,6 @@ import javax.security.auth.message.AuthS
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.PasswordValidationCallback;
-import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
@@ -42,10 +41,6 @@ import org.apache.tomcat.util.buf.Messag
*/
public class BasicAuthModule extends TomcatAuthModule {
- private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class,
- HttpServletResponse.class };
-
-
public BasicAuthModule(Context context) {
super(context);
}
@@ -111,22 +106,4 @@ public class BasicAuthModule extends Tom
}
- @Override
- public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
- throws AuthException {
- return null;
- }
-
-
- @Override
- public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
-
- }
-
-
- @Override
- public Class<?>[] getSupportedMessageTypes() {
- return supportedMessageTypes;
- }
-
}
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java?rev=1710058&r1=1710057&r2=1710058&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java Thu Oct 22 16:26:51 2015
@@ -51,9 +51,6 @@ public class DigestAuthModule extends To
*/
protected static final String QOP = "auth";
- private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class,
- HttpServletResponse.class };
-
private CallbackHandler handler;
private Realm realm;
@@ -292,25 +289,6 @@ public class DigestAuthModule extends To
}
- @Override
- public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
- throws AuthException {
- return null;
- }
-
-
- @Override
- public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
-
- }
-
-
- @Override
- public Class<?>[] getSupportedMessageTypes() {
- return supportedMessageTypes;
- }
-
-
/**
* Removes the quotes on a string. RFC2617 states quotes are optional for
* all parameters except realm.
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1710058&r1=1710057&r2=1710058&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Thu Oct 22 16:26:51 2015
@@ -35,7 +35,6 @@ import javax.security.auth.message.Messa
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
@@ -61,9 +60,6 @@ import org.apache.tomcat.util.http.MimeH
public class FormAuthModule extends TomcatAuthModule {
private static final Log log = LogFactory.getLog(FormAuthModule.class);
- private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class,
- HttpServletResponse.class };
-
private String landingPage;
private String characterEncoding;
@@ -327,24 +323,6 @@ public class FormAuthModule extends Tomc
}
- @Override
- public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
- throws AuthException {
- return null;
- }
-
-
- @Override
- public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
- }
-
-
- @Override
- public Class<?>[] getSupportedMessageTypes() {
- return supportedMessageTypes;
- }
-
-
/**
* Called to forward to the login page
*
Added: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/LocalStrings.properties?rev=1710058&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/LocalStrings.properties (added)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/LocalStrings.properties Thu Oct 22 16:26:51 2015
@@ -0,0 +1,37 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+authenticator.certificates=No client certificate chain in this request
+authenticator.formlogin=Invalid direct reference to form login page
+authenticator.loginFail=Login failed
+authenticator.manager=Exception initializing trust managers
+authenticator.noAuthHeader=No authorization header sent by client
+authenticator.notContext=Configuration error: Must be attached to a Context
+authenticator.requestBodyTooBig=The request body was too large to be cached during the authentication process
+authenticator.sessionExpired=The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser
+authenticator.unauthorized=Cannot authenticate with the provided credentials
+
+digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
+
+formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method [{1}] to login page [{2}] of context [{3}] using request method GET
+formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
+formAuthenticator.noErrorPage=No error page was defined for FORM authentication in context [{0}]
+formAuthenticator.noLoginPage=No login page was defined for FORM authentication in context [{0}]
+
+spnegoAuthenticator.authHeaderNoToken=The Negotiate authorization header sent by the client did not include a token
+spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the client did not start with Negotiate
+spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
+spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
Added: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SSLAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SSLAuthModule.java?rev=1710058&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SSLAuthModule.java (added)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SSLAuthModule.java Thu Oct 22 16:26:51 2015
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.authenticator.jaspic.provider.modules;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.security.auth.message.MessagePolicy;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Globals;
+import org.apache.catalina.connector.Request;
+import org.apache.coyote.ActionCode;
+
+/**
+ * This class implements JASPIC based HTTP BASIC authentication.
+ */
+public class SSLAuthModule extends TomcatAuthModule {
+
+ public SSLAuthModule(Context context) {
+ super(context);
+ }
+
+
+ @Override
+ public void initializeModule(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
+ CallbackHandler handler, Map<String, String> options) throws AuthException {
+ }
+
+
+ @Override
+ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
+ Subject serviceSubject) throws AuthException {
+ if (!isMandatory(messageInfo)) {
+ return AuthStatus.SUCCESS;
+ }
+
+ Request request = (Request) messageInfo.getRequestMessage();
+ HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
+ try {
+ X509Certificate certs[] = getRequestCertificates(request);
+
+ if ((certs == null) || (certs.length < 1)) {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ sm.getString("authenticator.certificates"));
+ return AuthStatus.FAILURE;
+ }
+
+ // Authenticate the specified certificate chain
+ Principal principal = context.getRealm().authenticate(certs);
+ if (principal == null) {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ sm.getString("authenticator.unauthorized"));
+ return AuthStatus.FAILURE;
+ }
+ handlePrincipalCallbacks(clientSubject, principal);
+ return AuthStatus.SUCCESS;
+ } catch (Exception e) {
+ throw new AuthException(e.getMessage());
+ }
+
+ }
+
+
+ /**
+ * Look for the X509 certificate chain in the Request under the key
+ * <code>javax.servlet.request.X509Certificate</code>. If not found, trigger
+ * extracting the certificate chain from the Coyote request.
+ *
+ * @param request Request to be processed
+ *
+ * @return The X509 certificate chain if found, <code>null</code>
+ * otherwise.
+ */
+ protected X509Certificate[] getRequestCertificates(final Request request)
+ throws IllegalStateException {
+
+ X509Certificate certs[] =
+ (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
+
+ if ((certs == null) || (certs.length < 1)) {
+ try {
+ request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
+ certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
+ } catch (IllegalStateException ise) {
+ // Request body was too large for save buffer
+ // Return null which will trigger an auth failure
+ }
+ }
+
+ return certs;
+ }
+
+}
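Review bot: The catch block at the end of validateRequest rethrows as `new AuthException(e.getMessage())`, which discards the original stack trace and, for an exception without a message, yields an AuthException whose message is null; since AuthException only offers a String constructor, chain the cause explicitly: `AuthException ae = new AuthException(e.getMessage()); ae.initCause(e); throw ae;`. That catch also folds any IOException from sendError and any RuntimeException from realm.authenticate into one path, so narrowing it to IOException would keep programming errors visible rather than reported as a generic auth failure. Both error paths write a 401 and then return `AuthStatus.FAILURE`, whereas the ServerAuth.validateRequest contract lists SEND_FAILURE for the case where the module has already replaced the response with an error message; worth checking how the JASPIC bridge in this tree treats FAILURE before relying on it. The class javadoc is a copy-paste from BasicAuthModule and should read `/** This class implements JASPIC based client certificate (SSL) authentication. */`.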
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SpnegoAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SpnegoAuthModule.java?rev=1710058&r1=1710057&r2=1710058&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SpnegoAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/SpnegoAuthModule.java Thu Oct 22 16:26:51 2015
@@ -33,7 +33,6 @@ import javax.security.auth.message.AuthE
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
-import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
@@ -64,21 +63,12 @@ import org.ietf.jgss.Oid;
public class SpnegoAuthModule extends TomcatAuthModule {
private static final Log log = LogFactory.getLog(SpnegoAuthModule.class);
- private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class,
- HttpServletResponse.class };
-
private String loginConfigName = Constants.DEFAULT_LOGIN_MODULE_NAME;
private boolean storeDelegatedCredential = true;
private Pattern noKeepAliveUserAgents = null;
private boolean applyJava8u40Fix = true;
@Override
- public Class<?>[] getSupportedMessageTypes() {
- return supportedMessageTypes;
- }
-
-
- @Override
public void initializeModule(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
CallbackHandler handler, Map<String, String> options) throws AuthException {
this.loginConfigName = options.getOrDefault("loginConfigName", Constants.DEFAULT_LOGIN_MODULE_NAME);
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java?rev=1710058&r1=1710057&r2=1710058&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java Thu Oct 22 16:26:51 2015
@@ -26,15 +26,18 @@ import javax.security.auth.callback.Call
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
+import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.jaspic.MessageInfoImpl;
+import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.tomcat.util.res.StringManager;
@@ -54,6 +57,9 @@ public abstract class TomcatAuthModule i
*/
protected static final StringManager sm = StringManager.getManager(TomcatAuthModule.class);
+ private Class<?>[] supportedMessageTypes = new Class[] { Request.class,
+ HttpServletResponse.class };
+
protected String realmName = DEFAULT_REALM_NAME;
protected CallbackHandler handler;
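Review bot: The pulled-up supportedMessageTypes array is a per-instance mutable field that getSupportedMessageTypes hands back by reference, so any caller that writes into the returned array silently changes what every later call reports for this module. Declaring it `private static final Class<?>[] SUPPORTED_MESSAGE_TYPES = { Request.class, HttpServletResponse.class };` and returning `SUPPORTED_MESSAGE_TYPES.clone()` from the getter removes both the shared-mutable state and the per-instance allocation. Note that switching from HttpServletRequest to the Catalina connector Request narrows what the module accepts to Tomcat's own request type, which matches the `(Request)` cast the new SSLAuthModule relies on but ties these modules to Catalina internals; a one-line comment on the field stating that dependency would help the next reader. The enclosing class body continues outside this hunk.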
@@ -134,4 +140,20 @@ public abstract class TomcatAuthModule i
}
+ @Override
+ public Class<?>[] getSupportedMessageTypes() {
+ return supportedMessageTypes;
+ }
+
+ @Override
+ public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
+ throws AuthException {
+ return null;
+ }
+
+
+ @Override
+ public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
+ }
+
}
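Review bot: The pulled-up `secureResponse` returns `null`, but the JASPIC ServerAuth contract defines its result as an AuthStatus (SEND_SUCCESS, SEND_FAILURE or SEND_CONTINUE), and any caller that compares or switches on the result will throw a NullPointerException; as none of these modules post-process the response, `return AuthStatus.SEND_SUCCESS;` is the conventional no-op. This consolidates what the subclasses already did, so whether it bites depends on how the bridge in this tree handles a null result, which is not visible in the diff. The empty `cleanSubject` would also benefit from a one-line comment such as `// Nothing is added to the Subject beyond the caller principal callbacks, so there is nothing to remove here` if that is indeed the intent, so a later reader does not mistake it for an unfinished stub. The enclosing class starts outside this hunk.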