You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by jl...@apache.org on 2021/04/02 18:37:36 UTC
[tomee] branch master updated: TOMEE-2992 Patch Tomcat JASPIC
Callback Handler
This is an automated email from the ASF dual-hosted git repository.
jlmonteiro pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/master by this push:
new 53778c2 TOMEE-2992 Patch Tomcat JASPIC Callback Handler
53778c2 is described below
commit 53778c2ae88c328d9bfb3f972595b5aab8902466
Author: Jean-Louis Monteiro <jl...@tomitribe.com>
AuthorDate: Fri Apr 2 20:37:22 2021 +0200
TOMEE-2992 Patch Tomcat JASPIC Callback Handler
---
tomee/apache-tomee/pom.xml | 18 +++
.../authenticator/jaspic/CallbackHandlerImpl.java | 158 +++++++++++++++++++++
2 files changed, 176 insertions(+)
diff --git a/tomee/apache-tomee/pom.xml b/tomee/apache-tomee/pom.xml
index ba3b706..f5fe890 100644
--- a/tomee/apache-tomee/pom.xml
+++ b/tomee/apache-tomee/pom.xml
@@ -506,6 +506,24 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.apache.tomee.patch</groupId>
+ <artifactId>tomee-patch-plugin</artifactId>
+ <version>0.4-SNAPSHOT</version>
+ <configuration>
+ <select>apache-tomee-(plus|plume|webprofile|microprofile).*\.zip</select>
+ <skipTransform>true</skipTransform>
+ <createTarGz>true</createTarGz>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <phase>package</phase>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java b/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
new file mode 100644
index 0000000..45d6bf7
--- /dev/null
+++ b/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.authenticator.jaspic;
+
+import org.apache.catalina.Contained;
+import org.apache.catalina.Container;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * This is a clone of Tomcat default callback handler but with a better handling of the Generic Principals when more than
+ * one callback is used.
+ * <p>
+ * For instance https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java#L96
+ * keeps adding new Generic Principals even for the same name whereas the authenticator base
+ * https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L956
+ * randomly picks the first one. So it results in random failures
+ * <p>
+ * See https://github.com/eclipse-ee4j/jakartaee-tck/issues/575
+ */
+public class CallbackHandlerImpl implements CallbackHandler, Contained {
+
+ private static final StringManager sm = StringManager.getManager(
+ org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl.class);
+ private final Log log = LogFactory.getLog(org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl.class); // must not be static
+
+ private Container container;
+
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+
+ String name = null;
+ Principal principal = null;
+ Subject subject = null;
+ String[] groups = null;
+
+ if (callbacks != null) {
+ // Need to combine data from multiple callbacks so use this to hold
+ // the data
+ // Process the callbacks
+ for (Callback callback : callbacks) {
+ if (callback instanceof CallerPrincipalCallback) {
+ CallerPrincipalCallback cpc = (CallerPrincipalCallback) callback;
+ name = cpc.getName();
+ principal = cpc.getPrincipal();
+ subject = cpc.getSubject();
+ } else if (callback instanceof GroupPrincipalCallback) {
+ GroupPrincipalCallback gpc = (GroupPrincipalCallback) callback;
+ groups = gpc.getGroups();
+ } else if (callback instanceof PasswordValidationCallback) {
+ if (container == null) {
+ log.warn(sm.getString("callbackHandlerImpl.containerMissing", callback.getClass().getName()));
+ } else if (container.getRealm() == null) {
+ log.warn(sm.getString("callbackHandlerImpl.realmMissing",
+ callback.getClass().getName(), container.getName()));
+ } else {
+ PasswordValidationCallback pvc = (PasswordValidationCallback) callback;
+ principal = container.getRealm().authenticate(pvc.getUsername(),
+ String.valueOf(pvc.getPassword()));
+ subject = pvc.getSubject();
+ }
+ } else {
+ log.error(sm.getString("callbackHandlerImpl.jaspicCallbackMissing",
+ callback.getClass().getName()));
+ }
+ }
+
+ // Create the GenericPrincipal
+ Principal gp = getPrincipal(principal, name, groups);
+ if (subject != null && gp != null) {
+
+ // merge if needed
+ String mergeName = gp.getName();
+ List<String> mergeRoles = new ArrayList<>(Arrays.asList(((GenericPrincipal) gp).getRoles()));
+ Principal mergePrincipal = ((GenericPrincipal) gp).getUserPrincipal();
+
+ for (Object oPrincipal : subject.getPrivateCredentials()) {
+ if (!(oPrincipal instanceof GenericPrincipal)) {
+ continue;
+ }
+ final GenericPrincipal privateCredential = (GenericPrincipal) oPrincipal;
+ if (mergeName != null && mergeName.equals(privateCredential.getName())) {
+ mergeRoles.addAll(Arrays.asList(privateCredential.getRoles()));
+ subject.getPrivateCredentials().remove(oPrincipal);
+ }
+ }
+
+ subject.getPrivateCredentials().add(new GenericPrincipal(mergeName, null, mergeRoles, mergePrincipal));
+ }
+ }
+ }
+
+ private Principal getPrincipal(Principal principal, String name, String[] groups) {
+ // If the Principal is cached in the session JASPIC may simply return it
+ if (principal instanceof GenericPrincipal) {
+ return principal;
+ }
+ if (name == null && principal != null) {
+ name = principal.getName();
+ }
+ if (name == null) {
+ return null;
+ }
+ List<String> roles;
+ if (groups == null || groups.length == 0) {
+ roles = Collections.emptyList();
+ } else {
+ roles = Arrays.asList(groups);
+ }
+
+ return new GenericPrincipal(name, null, roles, principal);
+ }
+
+ // Contained interface methods
+ @Override
+ public Container getContainer() {
+ return this.container;
+ }
+
+
+ @Override
+ public void setContainer(Container container) {
+ this.container = container;
+ }
+}