geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From djen...@apache.org
Subject svn commit: r291192 - in /geronimo/trunk/modules: security/src/java/org/apache/geronimo/security/realm/providers/ tomcat/src/java/org/apache/geronimo/tomcat/ tomcat/src/java/org/apache/geronimo/tomcat/realm/ tomcat/src/test/org/apache/geronimo/tomcat/
Date Fri, 23 Sep 2005 19:10:39 GMT
Author: djencks
Date: Fri Sep 23 12:10:26 2005
New Revision: 291192

URL: http://svn.apache.org/viewcvs?rev=291192&view=rev
Log:
GERONIMO-1021 Implement a Realm suitable for ejb ws, modify TomcatGeronimoRealm to work with
cert chains, make the CertChainCallbackHandler a little more flexible.  THIS DISABLES A TEST
IN ContainerTest

Added:
    geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatEJBWSGeronimoRealm.java
Modified:
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
    geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatEJBWebServiceContext.java
    geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
    geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/ContainerTest.java

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java?rev=291192&r1=291191&r2=291192&view=diff
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/CertificateChainCallbackHandler.java
Fri Sep 23 12:10:26 2005
@@ -28,6 +28,7 @@
  */
 public class CertificateChainCallbackHandler implements CallbackHandler {
     Certificate[] certificateChain;
+
     public CertificateChainCallbackHandler(Certificate[] certificateChain) {
         this.certificateChain = certificateChain;
     }
@@ -38,6 +39,12 @@
             if (callback instanceof CertificateChainCallback) {
                 CertificateChainCallback cc = (CertificateChainCallback) callback;
                 cc.setCertificateChain(certificateChain);
+            } else if (callback instanceof CertificateCallback
+                    && certificateChain != null
+                    && certificateChain.length > 0
+                    && certificateChain[0] instanceof X509Certificate) {
+                CertificateCallback cc = (CertificateCallback) callback;
+                cc.setCertificate((X509Certificate) certificateChain[0]);
             } else {
                 throw new UnsupportedCallbackException(callback);
             }

Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatEJBWebServiceContext.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatEJBWebServiceContext.java?rev=291192&r1=291191&r2=291192&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatEJBWebServiceContext.java
(original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatEJBWebServiceContext.java
Fri Sep 23 12:10:26 2005
@@ -39,6 +39,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.geronimo.tomcat.realm.TomcatJAASRealm;
+import org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm;
+import org.apache.geronimo.tomcat.realm.TomcatEJBWSGeronimoRealm;
 import org.apache.geronimo.webservices.WebServiceContainer;
 
 public class TomcatEJBWebServiceContext extends StandardContext{
@@ -53,57 +55,57 @@
     public TomcatEJBWebServiceContext(String contextPath, WebServiceContainer webServiceContainer,
String securityRealmName, String realmName, String transportGuarantee, String authMethod,
ClassLoader classLoader) {
 
         super();
-        
+
         this.contextPath = contextPath;
         this.webServiceContainer = webServiceContainer;
         this.setPath(contextPath);
         this.setDocBase("");
         this.setParentClassLoader(classLoader);
         this.setDelegate(true);
-        
-        log.info("EJB Webservice Context = " + contextPath);        
+
+        log.info("EJB Webservice Context = " + contextPath);
         if (securityRealmName != null) {
-            
-            TomcatJAASRealm realm = new TomcatJAASRealm();
+
+            TomcatEJBWSGeronimoRealm realm = new TomcatEJBWSGeronimoRealm();
             realm.setAppName(securityRealmName);
             realm.setUserClassNames("org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal");
             realm.setRoleClassNames("org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal");
             setRealm(realm);
             this.realm = realm;
-            
+
             if ("NONE".equals(transportGuarantee)) {
                 isSecureTransportGuarantee = false;
-            } else if ("INTEGRAL".equals(transportGuarantee) || 
+            } else if ("INTEGRAL".equals(transportGuarantee) ||
                        "CONFIDENTIAL".equals(transportGuarantee)) {
                 isSecureTransportGuarantee = true;
             } else {
                 throw new IllegalArgumentException("Invalid transport-guarantee: " + transportGuarantee);
             }
-                        
-            if ("BASIC".equals(authMethod) || 
-                "DIGEST".equals(authMethod) || 
+
+            if ("BASIC".equals(authMethod) ||
+                "DIGEST".equals(authMethod) ||
                 "CLIENT-CERT".equals(authMethod)) {
 
                 //Setup a login configuration
                 LoginConfig loginConfig = new LoginConfig();
                 loginConfig.setAuthMethod(authMethod);
                 loginConfig.setRealmName(realmName);
-                this.setLoginConfig(loginConfig);                
-                
+                this.setLoginConfig(loginConfig);
+
                 //Setup a default Security Constraint
                 SecurityCollection collection = new SecurityCollection();
                 collection.addMethod("GET");
                 collection.addMethod("POST");
                 collection.addPattern("/*");
-                collection.setName("default");  
+                collection.setName("default");
                 SecurityConstraint sc = new SecurityConstraint();
                 sc.addAuthRole("*");
                 sc.addCollection(collection);
                 sc.setAuthConstraint(true);
                 sc.setUserConstraint(transportGuarantee);
                 this.addConstraint(sc);
-                this.addSecurityRole("default");               
-                
+                this.addSecurityRole("default");
+
                 //Set the proper authenticator
                 if ("BASIC".equals(authMethod) ){
                     this.addValve(new BasicAuthenticator());
@@ -112,7 +114,7 @@
                 } else if ("CLIENT-CERT".equals(authMethod) ){
                     this.addValve(new SSLAuthenticator());
                 }
-               
+
             } else {
                 throw new IllegalArgumentException("Invalid authMethod: " + authMethod);
             }
@@ -123,7 +125,7 @@
         this.addValve(new EJBWebServiceValve());
 
     }
-    
+
     public class EJBWebServiceValve extends ValveBase{
 
         public void invoke(Request req, Response res) throws IOException, ServletException
{
@@ -164,11 +166,11 @@
                 } finally {
                     currentThread.setContextClassLoader(oldClassLoader);
                 }
-            }            
+            }
         }
-        
+
     }
-    
+
     public static class RequestAdapter implements WebServiceContainer.Request {
         private final Request request;
         private URI uri;
@@ -282,5 +284,5 @@
             response.setStatus(response.getStatus(), responseString);
         }
     }
-    
+
 }

Added: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatEJBWSGeronimoRealm.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatEJBWSGeronimoRealm.java?rev=291192&view=auto
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatEJBWSGeronimoRealm.java
(added)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatEJBWSGeronimoRealm.java
Fri Sep 23 12:10:26 2005
@@ -0,0 +1,53 @@
+/**
+ *
+ * Copyright 2005 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.tomcat.realm;
+
+import java.io.IOException;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.Context;
+
+/**
+ * TomcatEJBWSGeronimoRealm is intended only for use with ejb web services in tomcat.
+ * Tomcat appears to conflate the separate concepts of logging in and checking permissions
+ * into one class.  This is wholly inappropriate for ejb web services, where logging in
+ * is handled by the web container but authorization is handled by the ejb container.
+ * This class "separates" the concerns by always authorizing everything.
+ * 
+ * @version $Rev:  $ $Date:  $
+ */
+public class TomcatEJBWSGeronimoRealm extends TomcatGeronimoRealm {
+
+    public boolean hasResourcePermission(Request request,
+                                         Response response,
+                                         SecurityConstraint[] constraints,
+                                         Context context)
+            throws IOException {
+        return true;
+
+    }
+
+    public boolean hasUserDataPermission(Request request,
+                                         Response response,
+                                         SecurityConstraint[] constraints)
+            throws IOException {
+        return true;
+    }
+
+}

Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java?rev=291192&r1=291191&r2=291192&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
(original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
Fri Sep 23 12:10:26 2005
@@ -20,8 +20,10 @@
 import java.security.AccessControlContext;
 import java.security.AccessControlException;
 import java.security.Principal;
+import java.security.cert.X509Certificate;
 
 import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.AccountExpiredException;
 import javax.security.auth.login.CredentialExpiredException;
 import javax.security.auth.login.FailedLoginException;
@@ -45,6 +47,9 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
+import org.apache.geronimo.security.realm.providers.CertificateCallbackHandler;
+import org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler;
 import org.apache.geronimo.security.jacc.PolicyContextHandlerContainerSubject;
 import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
 
@@ -55,7 +60,7 @@
 
 //    private Context context = null;
     private static ThreadLocal currentRequest = new ThreadLocal();
-    
+
     private boolean enabled = false;
 
     /**
@@ -87,7 +92,7 @@
                                          Response response,
                                          SecurityConstraint[] constraints)
             throws IOException {
-        
+
         //Get an authenticated subject, if there is one
         Subject subject = null;
         try {
@@ -179,12 +184,12 @@
 
         // Which user principal have we already authenticated?
         Principal principal = request.getUserPrincipal();
- 
+
         //If we have no principal, then we should use the default.
         if (principal == null) {
             if (request.isSecure())
                 return true;
-            
+
             return false;
         } else {
             ContextManager.setCurrentCaller(((JAASTomcatPrincipal) principal).getSubject());
@@ -196,7 +201,7 @@
 
 
             /**
-             * JACC v1.0 secion 4.1.2
+             * JACC v1.0 section 4.1.2
              */
             acc.checkPermission(new WebResourcePermission(request));
 
@@ -320,6 +325,21 @@
      */
     public Principal authenticate(String username, String credentials) {
 
+        CallbackHandler callbackHandler = new PasswordCallbackHandler(username, credentials.toCharArray());
+        return authenticate(callbackHandler, username);
+    }
+
+    public Principal authenticate(X509Certificate[] certs) {
+        if (certs == null || certs.length == 0) {
+            return null;
+        }
+        CallbackHandler callbackHandler = new CertificateChainCallbackHandler(certs);
+        String principalName = certs[0].getSubjectX500Principal().getName();
+        return authenticate(callbackHandler, principalName);
+    }
+
+    public Principal authenticate(CallbackHandler callbackHandler, String principalName)
{
+
         // Establish a LoginContext to use for authentication
         try {
             LoginContext loginContext = null;
@@ -327,7 +347,7 @@
                 appName = "Tomcat";
 
             if (log.isDebugEnabled())
-                log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
+                log.debug(sm.getString("jaasRealm.beginLogin", principalName, appName));
 
             // What if the LoginModule is in the container class loader ?
             ClassLoader ocl = null;
@@ -338,7 +358,7 @@
             }
 
             try {
-                loginContext = new LoginContext(appName, new JAASCallbackHandler(this, username,
credentials));
+                loginContext = new LoginContext(appName, callbackHandler);
             } catch (Throwable e) {
                 log.error(sm.getString("jaasRealm.unexpectedError"), e);
                 return (null);
@@ -349,7 +369,7 @@
             }
 
             if (log.isDebugEnabled())
-                log.debug("Login context created " + username);
+                log.debug("Login context created " + principalName);
 
             // Negotiate a login via this LoginContext
             Subject subject = null;
@@ -358,14 +378,14 @@
                 Subject tempSubject = loginContext.getSubject();
                 if (tempSubject == null) {
                     if (log.isDebugEnabled())
-                        log.debug(sm.getString("jaasRealm.failedLogin", username));
+                        log.debug(sm.getString("jaasRealm.failedLogin", principalName));
                     return (null);
                 }
 
                 subject = ContextManager.getServerSideSubject(tempSubject);
                 if (subject == null) {
                     if (log.isDebugEnabled())
-                        log.debug(sm.getString("jaasRealm.failedLogin", username));
+                        log.debug(sm.getString("jaasRealm.failedLogin", principalName));
                     return (null);
                 }
 
@@ -373,18 +393,18 @@
 
             } catch (AccountExpiredException e) {
                 if (log.isDebugEnabled())
-                    log.debug(sm.getString("jaasRealm.accountExpired", username));
+                    log.debug(sm.getString("jaasRealm.accountExpired", principalName));
                 return (null);
             } catch (CredentialExpiredException e) {
                 if (log.isDebugEnabled())
-                    log.debug(sm.getString("jaasRealm.credentialExpired", username));
+                    log.debug(sm.getString("jaasRealm.credentialExpired", principalName));
                 return (null);
             } catch (FailedLoginException e) {
                 if (log.isDebugEnabled())
-                    log.debug(sm.getString("jaasRealm.failedLogin", username));
+                    log.debug(sm.getString("jaasRealm.failedLogin", principalName));
                 return (null);
             } catch (LoginException e) {
-                log.warn(sm.getString("jaasRealm.loginException", username), e);
+                log.warn(sm.getString("jaasRealm.loginException", principalName), e);
                 return (null);
             } catch (Throwable e) {
                 log.error(sm.getString("jaasRealm.unexpectedError"), e);
@@ -392,7 +412,7 @@
             }
 
             if (log.isDebugEnabled())
-                log.debug(sm.getString("jaasRealm.loginContextCreated", username));
+                log.debug(sm.getString("jaasRealm.loginContextCreated", principalName));
 
             // Return the appropriate Principal for this authenticated Subject
 /*            Principal principal = createPrincipal(username, subject);
@@ -404,7 +424,7 @@
                 log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
             }
 */
-            JAASTomcatPrincipal jaasPrincipal = new JAASTomcatPrincipal(username);
+            JAASTomcatPrincipal jaasPrincipal = new JAASTomcatPrincipal(principalName);
             jaasPrincipal.setSubject(subject);
 
             return (jaasPrincipal);
@@ -414,7 +434,6 @@
             return null;
         }
     }
-
     /**
      * Prepare for active use of the public methods of this <code>Component</code>.
      *

Modified: geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/ContainerTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/ContainerTest.java?rev=291192&r1=291191&r2=291192&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/ContainerTest.java (original)
+++ geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/ContainerTest.java Fri
Sep 23 12:10:26 2005
@@ -116,7 +116,7 @@
        tearDownWeb();
    }
 
-   public void testSecureWebServiceHandler() throws Exception {
+   public void XtestSecureWebServiceHandler() throws Exception {
 
        setUpWeb();
 



Mime
View raw message