geronimo-scm mailing list archives

From djen...@apache.org
Subject svn commit: r191222 - /geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers
Date Fri, 17 Jun 2005 23:07:32 GMT
Author: djencks
Date: Fri Jun 17 16:07:28 2005
New Revision: 191222

URL: http://svn.apache.org/viewcvs?rev=191222&view=rev
Log:
Feeble first draft of a certificate chain login module

Added:
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallback.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainLoginModule.java

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallback.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallback.java?rev=191222&view=auto
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallback.java
(added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallback.java
Fri Jun 17 16:07:28 2005
@@ -0,0 +1,36 @@
+/**
+ *
+ * Copyright 2005 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.realm.providers;
+
+import java.security.cert.X509Certificate;
+import java.security.cert.Certificate;
+import javax.security.auth.callback.Callback;
+
+/**
+ * @version $Rev:  $ $Date:  $
+ */
+public class CertificateChainCallback implements Callback {
+    Certificate[] certificateChain;
+
+    public Certificate[] getCertificateChain() {
+        return certificateChain;
+    }
+
+    public void setCertificateChain(Certificate[] certificateChain) {
+        this.certificateChain = certificateChain;
+    }
+}
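Review bot: getCertificateChain() and setCertificateChain() pass the caller's array through by reference, so the handler that set it and the login module that reads it share one mutable array; the login module in this commit only reads index 0, so it is harmless today, but a defensive copy in both accessors, `return certificateChain == null ? null : (Certificate[]) certificateChain.clone();`, keeps it that way. The field is package-private and undocumented; `private Certificate[] certificateChain;` plus a one-line class Javadoc such as `Callback through which a LoginModule asks its handler for the client's certificate chain; the login module treats index 0 as the end-entity certificate.` would make the contract visible. The `java.security.cert.X509Certificate` import is unused here.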

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java?rev=191222&view=auto
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
(added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
Fri Jun 17 16:07:28 2005
@@ -0,0 +1,47 @@
+/**
+ *
+ * Copyright 2005 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.realm.providers;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.security.cert.Certificate;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ * @version $Rev:  $ $Date:  $
+ */
+public class CertificateChainCallbackHandler implements CallbackHandler {
+    Certificate[] certificateChain;
+    public CertificateChainCallbackHandler(Certificate[] certificateChain) {
+        this.certificateChain = certificateChain;
+    }
+
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+        for (int i = 0; i < callbacks.length; i++) {
+            Callback callback = callbacks[i];
+            if (callback instanceof CertificateChainCallback) {
+                CertificateChainCallback cc = (CertificateChainCallback) callback;
+                cc.setCertificateChain(certificateChain);
+            } else {
+                throw new UnsupportedCallbackException(callback);
+            }
+        }
+    }
+
+}
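Review bot: handle() rejects every callback that is not a CertificateChainCallback, which is correct for the single-module case but presumably means a realm that stacks this module with a password-based one fails as soon as the other module asks for a NameCallback or PasswordCallback — if that stacking is intended, the handler needs to leave foreign callbacks for another handler rather than throw; if not, say so in a class Javadoc, e.g. `Serves only CertificateChainCallback; any other callback type is rejected with UnsupportedCallbackException.`. The constructor also keeps the supplied array by reference, so a caller that reuses or mutates its array after constructing the handler changes what later logins see; `this.certificateChain = certificateChain == null ? null : (Certificate[]) certificateChain.clone();` removes that coupling. The `X509Certificate` import is unused.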

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainLoginModule.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainLoginModule.java?rev=191222&view=auto
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainLoginModule.java
(added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainLoginModule.java
Fri Jun 17 16:07:28 2005
@@ -0,0 +1,130 @@
+/**
+ *
+ * Copyright 2003-2005 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.geronimo.security.realm.providers;
+
+import java.io.IOException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.Set;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+
+/**
+ * An example LoginModule that reads a list of users and group from a file on disk.
+ * Authentication is provided by the SSL layer supplying the client certificate.
+ * All we check is that it is present.  The
+ * file should be formatted using standard Java properties syntax.  Expects
+ * to be run by a GenericSecurityRealm (doesn't work on its own).
+ *
+ * The usersURI property file should have lines of the form token=certificatename
+ * where certificate name is X509Certificate.getSubjectX500Principal().getName()
+ *
+ * The groupsURI property file should have lines of the form group=token1,token2,...
+ * where the tokens were associated to the certificate names in the usersURI properties file.
+ *
+ * @version $Rev: 169154 $ $Date: 2005-05-08 12:35:23 -0700 (Sun, 08 May 2005) $
+ */
+public class CertificateChainLoginModule implements LoginModule {
+    private static Log log = LogFactory.getLog(CertificateChainLoginModule.class);
+
+    Subject subject;
+    CallbackHandler handler;
+    X500Principal principal;
+
+    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
Map options) {
+        this.subject = subject;
+        this.handler = callbackHandler;
+//        try {
+//            Kernel kernel = KernelRegistry.getKernel((String)options.get(JaasLoginModuleUse.KERNEL_LM_OPTION));
+//            ServerInfo serverInfo = (ServerInfo) options.get(JaasLoginModuleUse.SERVERINFO_LM_OPTION);
+//            URI usersURI = new URI((String)options.get(USERS_URI));
+//            URI groupsURI = new URI((String)options.get(GROUPS_URI));
+//            loadProperties(kernel, serverInfo, usersURI, groupsURI);
+//        } catch (Exception e) {
+//            log.error(e);
+//            throw new IllegalArgumentException("Unable to configure properties file login
module: "+e);
+//        }
+    }
+
+
+
+    public boolean login() throws LoginException {
+        Callback[] callbacks = new Callback[1];
+
+        callbacks[0] = new CertificateChainCallback();
+        try {
+            handler.handle(callbacks);
+        } catch (IOException ioe) {
+            throw (LoginException) new LoginException().initCause(ioe);
+        } catch (UnsupportedCallbackException uce) {
+            throw (LoginException) new LoginException().initCause(uce);
+        }
+        assert callbacks.length == 1;
+        Certificate[] certificateChain = ((CertificateChainCallback)callbacks[0]).getCertificateChain();
+        if (certificateChain == null || certificateChain.length == 0) {
+            return false;
+        }
+        if (!(certificateChain[0] instanceof X509Certificate)) {
+            return false;
+        }
+        //TODO actually validate chain
+        principal = ((X509Certificate)certificateChain[0]).getSubjectX500Principal();
+
+        return true;
+    }
+
+    public boolean commit() throws LoginException {
+        Set principals = subject.getPrincipals();
+
+        principals.add(principal);
+        principals.add(new GeronimoUserPrincipal(principal.getName()));
+
+        return true;
+    }
+
+    public boolean abort() throws LoginException {
+        principal = null;
+
+        return true;
+    }
+
+    public boolean logout() throws LoginException {
+        principal = null;
+
+        return true;
+    }
+
+    /**
+     * Gets the names of all principal classes that may be populated into
+     * a Subject.
+     */
+    public String[] getPrincipalClassNames() {
+        return new String[]{GeronimoUserPrincipal.class.getName()};
+    }
+
+}
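Review bot: commit() near the end of the hunk adds principals unconditionally, but LoginContext calls commit() on every module even when this one's login() returned false (null or empty chain, or a non-X509 leaf), so `principal` is null there and `principal.getName()` throws NullPointerException instead of the module returning false as the JAAS contract expects. logout() has the matching gap: it clears the field but leaves both principals that commit() put into the Subject, so the identity survives logout. The fix below guards commit() on `principal == null` and removes the added principals in logout(), keeping the GeronimoUserPrincipal instance so removal does not depend on its equals() implementation, which is not visible here. Separately, the class Javadoc is carried over from a properties-file module (usersURI/groupsURI, which this class never reads) and getPrincipalClassNames() omits X500Principal although commit() adds one; both should be aligned with what the code actually does. The existing `//TODO actually validate chain` already flags that only `certificateChain[0]` is inspected, so the Javadoc's assumption that the SSL layer authenticated the chain should be stated as a precondition on whoever constructs the callback handler.
```java
    X500Principal principal;
    GeronimoUserPrincipal userPrincipal;  // instance added in commit(), removed in logout()

    // … unchanged: initialize(), login(), abort() …

    public boolean commit() throws LoginException {
        if (principal == null) {
            return false;  // login() failed or was skipped: contribute nothing to the Subject
        }
        userPrincipal = new GeronimoUserPrincipal(principal.getName());
        Set principals = subject.getPrincipals();
        principals.add(principal);
        principals.add(userPrincipal);
        return true;
    }

    public boolean logout() throws LoginException {
        if (userPrincipal != null) {
            // remove exactly the instances commit() added
            Set principals = subject.getPrincipals();
            principals.remove(principal);
            principals.remove(userPrincipal);
        }
        principal = null;
        userPrincipal = null;
        return true;
    }
```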


