Return-Path: Delivered-To: apmail-geronimo-scm-archive@www.apache.org Received: (qmail 46998 invoked from network); 16 Jul 2009 17:03:12 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 16 Jul 2009 17:03:12 -0000 Received: (qmail 2913 invoked by uid 500); 16 Jul 2009 17:04:17 -0000 Delivered-To: apmail-geronimo-scm-archive@geronimo.apache.org Received: (qmail 2850 invoked by uid 500); 16 Jul 2009 17:04:17 -0000 Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list scm@geronimo.apache.org Received: (qmail 2841 invoked by uid 99); 16 Jul 2009 17:04:17 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Jul 2009 17:04:17 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Jul 2009 17:04:13 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 4B0A9238898D; Thu, 16 Jul 2009 17:03:53 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r794752 [2/3] - in /geronimo/server/trunk/plugins/tomcat: geronimo-tomcat6-builder/src/test/java/org/apache/geronimo/tomcat/deployment/ geronimo-tomcat6-builder/src/test/resources/deployables/war4/WEB-INF/ geronimo-tomcat6/src/main/java/org... Date: Thu, 16 Jul 2009 17:03:51 -0000 To: scm@geronimo.apache.org 
From: djencks@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20090716170353.4B0A9238898D@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/ServerAuthException.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/ServerAuthException.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/ServerAuthException.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public enum TomcatAuthStatus {
+
+ SUCCESS, SEND_SUCCESS, SEND_CONTINUE, SEND_FAILURE, FAILURE
+
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/TomcatAuthStatus.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java
URL: 
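Review bot: The five constants of `TomcatAuthStatus` carry no Javadoc, so a reader of this hunk cannot tell SUCCESS from SEND_SUCCESS, or SEND_CONTINUE from SEND_FAILURE, without tracing the authenticators that return them. The other files in this commit return SUCCESS together with an identity (the unauthenticated one when no credentials were sent), SEND_CONTINUE after a 401 challenge has been written to the response, and SEND_FAILURE after a 400 has been sent, which is enough to document; SEND_SUCCESS and FAILURE are not returned anywhere visible here, so their intended meaning has to come from the author. A one-line comment per constant, e.g. `/** Processing may continue; the AuthResult carries the identity to use. */ SUCCESS,` and `/** A challenge has already been written to the response; stop processing the request. */ SEND_CONTINUE,`, would do.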
http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security;
+
+import javax.security.auth.Subject;
+import java.security.Principal;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public interface UserIdentity {
+ Principal getUserPrincipal();
+ Subject getSubject();
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/UserIdentity.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
URL: 
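Review bot: `UserIdentity` is the type every authenticator in this commit hands back, yet neither method says whether it may return null. The authenticators also return a constructor-supplied "unauthenticatedIdentity" for requests that carried no credentials, and presumably authorization code downstream branches on what that identity reports, so the interface should state what `getUserPrincipal()` and `getSubject()` return in that case. Suggested Javadoc on the interface: `/** Outcome of a login: the caller's Principal and the Subject it was resolved into. Implementations used as the unauthenticated identity must document whether getUserPrincipal() returns null. */`.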
http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.Base64;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
+import org.apache.geronimo.tomcat.security.Authenticator;
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.buf.CharChunk;
+import org.apache.tomcat.util.buf.MessageBytes;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class BasicAuthenticator implements Authenticator {
+ private static final byte[] AUTHENTICATE_BYTES = {
+ (byte) 'W',
+ (byte) 'W',
+ (byte) 'W',
+ (byte) '-',
+ (byte) 'A',
+ (byte) 'u',
+ (byte) 't',
+ (byte) 'h',
+ (byte) 'e',
+ (byte) 'n',
+ (byte) 't',
+ (byte) 'i',
+ (byte) 'c',
+ (byte) 'a',
+ (byte) 't',
+ (byte) 'e'
+ };
+
+
+ private final LoginService loginService;
+ private final String realmName;
+ private final UserIdentity unauthenticatedIdentity;
+
+ public BasicAuthenticator(LoginService loginService, String realmName, UserIdentity unauthenticatedIdentity) {
+ this.loginService = loginService;
+ this.realmName = realmName;
+ this.unauthenticatedIdentity = unauthenticatedIdentity;
+ }
+
+ public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+ // Validate any credentials already included with this request
+ String username = null;
+ String password = null;
+
+ MessageBytes authorization =
+ request.getCoyoteRequest().getMimeHeaders()
+ .getValue("authorization");
+
+ if (authorization != null) {
+ authorization.toBytes();
+ ByteChunk authorizationBC = authorization.getByteChunk();
+ if (authorizationBC.startsWithIgnoreCase("basic ", 0)) {
+ authorizationBC.setOffset(authorizationBC.getOffset() + 6);
+ // FIXME: Add trimming
+ // authorizationBC.trim();
+
+ CharChunk authorizationCC = authorization.getCharChunk();
+ Base64.decode(authorizationBC, authorizationCC);
+
+ // Get username and password
+ int colon = authorizationCC.indexOf(':');
+ if (colon < 0) {
+ username = authorizationCC.toString();
+ } else {
+ char[] buf = authorizationCC.getBuffer();
+ username = new String(buf, 0, colon);
+ password = new String(buf, colon + 1,
+ authorizationCC.getEnd() - colon - 1);
+ }
+
+ authorizationBC.setOffset(authorizationBC.getOffset() - 6);
+ }
+
+ UserIdentity userIdentity = loginService.login(username, password);
+ if (userIdentity != null) {
+ return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+ }
+ }
+
+
+ // Send an "unauthorized" response and an appropriate challenge
+ if (isAuthMandatory) {
+ try {
+ MessageBytes authenticate =
+ response.getCoyoteResponse().getMimeHeaders()
+ .addValue(AUTHENTICATE_BYTES, 0, AUTHENTICATE_BYTES.length);
+ CharChunk authenticateCC = 
authenticate.getCharChunk();
+ authenticateCC.append("Basic realm=\"");
+ authenticateCC.append(realmName);
+ authenticateCC.append('\"');
+ authenticate.toChars();
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+ } catch (IOException e) {
+ throw new ServerAuthException(e);
+ }
+ }
+ return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+ }
+
+ public boolean secureResponse(Request request, Response response, AuthResult authResult) {
+ return true;
+ }
+
+ public String getAuthType() {
+ return "BASIC";
+ }
+}
\ No newline at end of file
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java?rev=794752&view=auto
==============================================================================
--- 
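Review bot: When an `authorization` header is present but does not start with `basic `, `loginService.login(username, password)` is still reached with both arguments null, because the login call sits after the scheme check instead of inside it; what `LoginService.login` does with a null username is not visible here, but an authenticator should not be asking it. Moving the call into the `startsWithIgnoreCase("basic ", 0)` branch, or guarding it with `if (username != null)`, also keeps a Bearer or Digest header from being treated as a failed Basic attempt. Separately, `realmName` is appended between the quotes of the challenge as-is, so a realm containing `"` yields a malformed `WWW-Authenticate` value; rejecting such a value in the constructor (`if (realmName.indexOf('"') >= 0) throw new IllegalArgumentException("realmName must not contain a quote");`) is cheap. The `FIXME: Add trimming` also remains open: a header with extra whitespace after the scheme is handed to `Base64.decode` untrimmed.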
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication;
+
+import java.security.cert.X509Certificate;
+import java.security.Principal;
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.geronimo.tomcat.security.Authenticator;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.Globals;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.util.StringManager;
+import org.apache.catalina.util.Base64;
+import org.apache.coyote.ActionCode;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class ClientCertAuthenticator implements Authenticator {
+
+ protected static final StringManager sm =
+ StringManager.getManager(Constants.Package);
+
+ private final LoginService loginService;
+ private final 
UserIdentity unauthenticatedIdentity;
+
+ public ClientCertAuthenticator(LoginService loginService, UserIdentity unauthenticatedIdentity) {
+ this.loginService = loginService;
+ this.unauthenticatedIdentity = unauthenticatedIdentity;
+ }
+
+ public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+ X509Certificate certs[] = (X509Certificate[])
+ request.getAttribute(Globals.CERTIFICATES_ATTR);
+ if ((certs == null) || (certs.length < 1)) {
+ request.getCoyoteRequest().action
+ (ActionCode.ACTION_REQ_SSL_CERTIFICATE, null);
+ certs = (X509Certificate[])
+ request.getAttribute(Globals.CERTIFICATES_ATTR);
+ }
+ try {
+ if ((certs == null) || (certs.length < 1)) {
+ if (isAuthMandatory) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+ sm.getString("authenticator.certificates"));
+ return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+ } else {
+ return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+ }
+ }
+
+ // Authenticate the specified certificate chain
+ //TODO almost certainly wrong
+ Principal p = certs[0].getSubjectDN();
+ byte[] sig = certs[0].getSignature();
+ String cred = new String(Base64.encode(sig));
+ UserIdentity userIdentity = loginService.login(p.getName(), cred);
+ if (userIdentity != null) {
+ return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+ }
+ if (isAuthMandatory) {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ sm.getString("authenticator.unauthorized"));
+ return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+ }
+ } catch (IOException e) {
+ throw new ServerAuthException(e);
+ }
+ return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+ }
+
+ public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
+ return true;
+ }
+
+ public String getAuthType() {
+ return "CLIENT-CERT";
+ }
+}
Propchange: 
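Review bot: The credential handed to `loginService.login(p.getName(), cred)` is the Base64 of `certs[0].getSignature()`, a public field of the certificate, so it is not a proof of key possession; the `//TODO almost certainly wrong` above it should say that explicitly, because a `LoginService` implementer who reads only this call may treat `cred` as a secret. Whatever proof exists comes from the TLS handshake that populated `Globals.CERTIFICATES_ATTR` (the `ACTION_REQ_SSL_CERTIFICATE` action asks the connector for it), and a certificate-aware login service needs the chain itself — a `LoginService` method taking `X509Certificate[]` — rather than a string derived from it. Suggested wording for the TODO: `// TODO: cred is derived from public certificate data and proves nothing by itself; replace with a LoginService call that receives the connector-verified chain.` As a point of style, `getSubjectDN()` is the denigrated accessor; `certs[0].getSubjectX500Principal().getName()` gives a name in a standard form.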
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,323 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication;
+
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.StringTokenizer;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.MD5Encoder;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
+import org.apache.geronimo.tomcat.security.Authenticator;
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class DigestAuthenticator implements Authenticator {
+
+ private static final MD5Encoder md5Encoder = new MD5Encoder();
+ /**
+ * MD5 message digest provider. 
+ */
+ private static final MessageDigest md5Helper;
+
+ static {
+ try {
+ md5Helper = MessageDigest.getInstance("MD5");
+ } catch (NoSuchAlgorithmException e) {
+ throw new IllegalStateException(e);
+ }
+
+ }
+
+ /**
+ * Private key.
+ */
+ private static final String key = "Catalina";
+
+ private final LoginService loginService;
+ private final String realmName;
+ private final UserIdentity unauthenticatedIdentity;
+
+ public DigestAuthenticator(LoginService loginService, String realmName, UserIdentity unauthenticatedIdentity) {
+ this.loginService = loginService;
+ this.realmName = realmName;
+ this.unauthenticatedIdentity = unauthenticatedIdentity;
+ }
+
+ public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+ String authorization = request.getHeader("authorization");
+ if (authorization != null) {
+ UserIdentity userIdentity = findPrincipal(request, authorization);
+ if (userIdentity != null) {
+ return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+ }
+ }
+
+
+
+ // Send an "unauthorized" response and an appropriate challenge
+
+ // Next, generate a nOnce token (that is a token which is supposed
+ // to be unique).
+ if (isAuthMandatory) {
+ String nOnce = generateNOnce(request);
+
+ setAuthenticateHeader(response, nOnce);
+ try {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ } catch (IOException e) {
+ throw new ServerAuthException(e);
+ }
+ return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+ }
+ return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+
+ }
+
+ public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
+ return true;
+ }
+
+ public String getAuthType() {
+ return "DIGEST";
+ }
+
+ /**
+ * Parse the specified authorization credentials, and return the
+ * associated Principal that these credentials authenticate (if any)
+ * from the specified Realm. 
If there is no such Principal, return
+ * null.
+ *
+ * @param request HTTP servlet request
+ * @param authorization Authorization credentials from this request
+ */
+ protected UserIdentity findPrincipal(Request request,
+ String authorization) {
+
+ //System.out.println("Authorization token : " + authorization);
+ // Validate the authorization credentials format
+ if (authorization == null)
+ return (null);
+ if (!authorization.startsWith("Digest "))
+ return (null);
+ authorization = authorization.substring(7).trim();
+
+ // Bugzilla 37132: http://issues.apache.org/bugzilla/show_bug.cgi?id=37132
+ String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)");
+
+ String userName = null;
+ String realmName = null;
+ String nOnce = null;
+ String nc = null;
+ String cnonce = null;
+ String qop = null;
+ String uri = null;
+ String response = null;
+ String method = request.getMethod();
+
+ for (int i = 0; i < tokens.length; i++) {
+ String currentToken = tokens[i];
+ if (currentToken.length() == 0)
+ continue;
+
+ int equalSign = currentToken.indexOf('=');
+ if (equalSign < 0)
+ return null;
+ String currentTokenName =
+ currentToken.substring(0, equalSign).trim();
+ String currentTokenValue =
+ currentToken.substring(equalSign + 1).trim();
+ if ("username".equals(currentTokenName))
+ userName = removeQuotes(currentTokenValue);
+ if ("realm".equals(currentTokenName))
+ realmName = removeQuotes(currentTokenValue, true);
+ if ("nonce".equals(currentTokenName))
+ nOnce = removeQuotes(currentTokenValue);
+ if ("nc".equals(currentTokenName))
+ nc = removeQuotes(currentTokenValue);
+ if ("cnonce".equals(currentTokenName))
+ cnonce = removeQuotes(currentTokenValue);
+ if ("qop".equals(currentTokenName))
+ qop = removeQuotes(currentTokenValue);
+ if ("uri".equals(currentTokenName))
+ uri = removeQuotes(currentTokenValue);
+ if ("response".equals(currentTokenName))
+ response = removeQuotes(currentTokenValue);
+ }
+
+ if ((userName == null) || (realmName == null) || 
(nOnce == null)
+ || (uri == null) || (response == null))
+ return null;
+
+ // Second MD5 digest used to calculate the digest :
+ // MD5(Method + ":" + uri)
+ String a2 = method + ":" + uri;
+ //System.out.println("A2:" + a2);
+
+ byte[] buffer = null;
+ synchronized (md5Helper) {
+ buffer = md5Helper.digest(a2.getBytes());
+ }
+ String md5a2 = md5Encoder.encode(buffer);
+
+ //TODO this is totally wrong
+ return loginService.login(userName, md5a2);
+
+ }
+
+
+ /**
+ * Parse the username from the specified authorization string. If none
+ * can be identified, return null
+ *
+ * @param authorization Authorization string to be parsed
+ */
+ protected String parseUsername(String authorization) {
+
+ //System.out.println("Authorization token : " + authorization);
+ // Validate the authorization credentials format
+ if (authorization == null)
+ return (null);
+ if (!authorization.startsWith("Digest "))
+ return (null);
+ authorization = authorization.substring(7).trim();
+
+ StringTokenizer commaTokenizer =
+ new StringTokenizer(authorization, ",");
+
+ while (commaTokenizer.hasMoreTokens()) {
+ String currentToken = commaTokenizer.nextToken();
+ int equalSign = currentToken.indexOf('=');
+ if (equalSign < 0)
+ return null;
+ String currentTokenName =
+ currentToken.substring(0, equalSign).trim();
+ String currentTokenValue =
+ currentToken.substring(equalSign + 1).trim();
+ if ("username".equals(currentTokenName))
+ return (removeQuotes(currentTokenValue));
+ }
+
+ return (null);
+
+ }
+
+
+ /**
+ * Removes the quotes on a string. RFC2617 states quotes are optional for
+ * all parameters except realm. 
+ */
+ protected static String removeQuotes(String quotedString,
+ boolean quotesRequired) {
+ //support both quoted and non-quoted
+ if (quotedString.length() > 0 && quotedString.charAt(0) != '"' &&
+ !quotesRequired) {
+ return quotedString;
+ } else if (quotedString.length() > 2) {
+ return quotedString.substring(1, quotedString.length() - 1);
+ } else {
+ return new String();
+ }
+ }
+
+ /**
+ * Removes the quotes on a string.
+ */
+ protected static String removeQuotes(String quotedString) {
+ return removeQuotes(quotedString, false);
+ }
+
+ /**
+ * Generate a unique token. The token is generated according to the
+ * following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":"
+ * time-stamp ":" private-key ) ).
+ *
+ * @param request HTTP Servlet request
+ */
+ protected String generateNOnce(Request request) {
+
+ long currentTime = System.currentTimeMillis();
+
+ String nOnceValue = request.getRemoteAddr() + ":"
+ + currentTime + ":" + key;
+
+ byte[] buffer = null;
+ synchronized (md5Helper) {
+ buffer = md5Helper.digest(nOnceValue.getBytes());
+ }
+ nOnceValue = md5Encoder.encode(buffer);
+
+ return nOnceValue;
+ }
+
+
+ /**
+ * Generates the WWW-Authenticate header.
+ *

+ * The header MUST follow this template :
+ *

+     *      WWW-Authenticate    = "WWW-Authenticate" ":" "Digest"
+     *                            digest-challenge
+     * 

+ * digest-challenge = 1#( realm | [ domain ] | nOnce |
+ * [ digest-opaque ] |[ stale ] | [ algorithm ] )
+ *

+ * realm = "realm" "=" realm-value
+ * realm-value = quoted-string
+ * domain = "domain" "=" <"> 1#URI <">
+ * nonce = "nonce" "=" nonce-value
+ * nonce-value = quoted-string
+ * opaque = "opaque" "=" quoted-string
+ * stale = "stale" "=" ( "true" | "false" )
+ * algorithm = "algorithm" "=" ( "MD5" | token )
+ *

+ *
+ * @param response HTTP Servlet response
+ * @param nOnce nonce token
+ */
+ protected void setAuthenticateHeader(
+ Response response,
+ String nOnce) {
+
+ // Get the realm name
+ byte[] buffer;
+ synchronized (md5Helper) {
+ buffer = md5Helper.digest(nOnce.getBytes());
+ }
+
+ String authenticateHeader = "Digest realm=\"" + realmName + "\", "
+ + "qop=\"auth\", nonce=\"" + nOnce + "\", " + "opaque=\""
+ + md5Encoder.encode(buffer) + "\"";
+ response.setHeader("WWW-Authenticate", authenticateHeader);
+
+ }
+
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java (added)
+++ 
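Review bot: `findPrincipal` parses `nonce`, `nc`, `cnonce`, `qop` and `response` and then uses none of them: the only value passed to `loginService.login(userName, md5a2)` is MD5 of `method:uri`, which is not a secret, so the client's `response` is never compared with MD5(HA1:nonce:nc:cnonce:qop:HA2) and nothing checks that `nOnce` was produced by `generateNOnce` on this server or is still fresh. The `//TODO this is totally wrong` line acknowledges this, but as written the outcome depends entirely on what the login service makes of an unverified username, so the TODO should name the missing steps and the class Javadoc should say that the digest is not yet verified. The proper fix needs the per-user HA1 (or clear password) from the login service plus the response comparison, which is more than a one-line change; until it lands, having `findPrincipal` return null instead of calling `login` would keep the Digest path from granting access on unverified input. Two smaller points in the same hunk: `key = "Catalina"` is a compile-time constant used as the nonce secret although the comment calls it a private key, so a per-instance `SecureRandom` value would be the usual choice, and `a2.getBytes()`, `nOnceValue.getBytes()` and `nOnce.getBytes()` use the platform default charset where an explicit one is meant.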
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,437 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + +package org.apache.geronimo.tomcat.security.authentication; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Iterator; +import java.util.Locale; +import java.util.Enumeration; + +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.Cookie; +import javax.servlet.RequestDispatcher; + +import org.apache.geronimo.tomcat.security.Authenticator; +import org.apache.geronimo.tomcat.security.AuthResult; +import org.apache.geronimo.tomcat.security.ServerAuthException; +import org.apache.geronimo.tomcat.security.LoginService; +import org.apache.geronimo.tomcat.security.UserIdentity; +import org.apache.geronimo.tomcat.security.TomcatAuthStatus; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.authenticator.Constants; +import org.apache.catalina.authenticator.SavedRequest; +import org.apache.catalina.Session; +import org.apache.catalina.util.StringManager; +import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.buf.CharChunk; +import org.apache.tomcat.util.buf.ByteChunk; +import 
org.apache.tomcat.util.http.MimeHeaders; +import org.apache.coyote.ActionCode; + +/** + * @version $Rev$ $Date$ + */ +public class FormAuthenticator implements Authenticator { + protected static final StringManager sm = + StringManager.getManager(Constants.Package); + + private final LoginService loginService; + private final UserIdentity unauthenticatedIdentity; + private final String loginPage; + private final String erroryPage; + + public FormAuthenticator(LoginService loginService, UserIdentity unauthenticatedIdentity, String loginPage, String erroryPage) { + this.loginService = loginService; + this.unauthenticatedIdentity = unauthenticatedIdentity; + this.loginPage = loginPage; + this.erroryPage = erroryPage; + } + + public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException { + try { + Session session = request.getSessionInternal(isAuthMandatory); + if (session == null) { + //default identity?? + return new AuthResult(TomcatAuthStatus.SUCCESS, null); + } + if (matchRequest(request, session)) { + // if (log.isDebugEnabled()) + // log.debug("Restore request from session '" + // + session.getIdInternal() + // + "'"); +// UserIdentity userIdentity = (UserIdentity) +// session.getNote(Constants.FORM_PRINCIPAL_NOTE); + // register(request, response, principal, Constants.FORM_METHOD, + // (String) session.getNote(Constants.SESS_USERNAME_NOTE), + // (String) session.getNote(Constants.SESS_PASSWORD_NOTE)); + // If we're caching principals we no longer need the username + // and password in the session, so remove them + // if (cache) { + // session.removeNote(Constants.SESS_USERNAME_NOTE); + // session.removeNote(Constants.SESS_PASSWORD_NOTE); + // } + if (!restoreRequest(request, session)) { +// if (log.isDebugEnabled()) +// log.debug("Proceed to restored request"); +// return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity); +// } else { +// if (log.isDebugEnabled()) +// log.debug("Restore of 
original request failed"); + response.sendError(HttpServletResponse.SC_BAD_REQUEST); + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null); + } + } + UserIdentity userIdentity = (UserIdentity) session.getNote(Constants.FORM_PRINCIPAL_NOTE); + if (userIdentity != null) { + return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity); + } + + //we have not yet completed authentication. + // Acquire references to objects we will need to evaluate + MessageBytes uriMB = MessageBytes.newInstance(); + CharChunk uriCC = uriMB.getCharChunk(); + uriCC.setLimit(-1); + String contextPath = request.getContextPath(); + String requestURI = request.getDecodedRequestURI(); + response.setContext(request.getContext()); + + // Is this the action request from the login page? + boolean loginAction = + requestURI.startsWith(contextPath) && + requestURI.endsWith(Constants.FORM_ACTION); + + // No -- Save this request and redirect to the form login page + if (!loginAction) { +// session = request.getSessionInternal(true); +// if (log.isDebugEnabled()) +// log.debug("Save request in session '" + session.getIdInternal() + "'"); + if (!isAuthMandatory) { + return new AuthResult(TomcatAuthStatus.SUCCESS, null); + } + try { + saveRequest(request, session); + } catch (IOException ioe) { +// log.debug("Request body too big to save during authentication"); + response.sendError(HttpServletResponse.SC_BAD_REQUEST, + sm.getString("authenticator.requestBodyTooBig")); + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null); + } + forwardToLoginPage(request, response); + return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, unauthenticatedIdentity); + } + + // Yes -- Validate the specified credentials and redirect + // to the error page if they are not correct +// if (characterEncoding != null) { +// request.setCharacterEncoding(characterEncoding); +// } + String username = request.getParameter(Constants.FORM_USERNAME); + String password = request.getParameter(Constants.FORM_PASSWORD); +// 
if (log.isDebugEnabled()) +// log.debug("Authenticating username '" + username + "'"); + userIdentity = loginService.login(username, password); + if (userIdentity == null) { +// if (isAuthMandatory) { + forwardToErrorPage(request, response); + //TODO right status? + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity); +// } else { +// userIdentity = unauthenticatedIdentity; +// } + } + +// if (log.isDebugEnabled()) +// log.debug("Authentication of '" + username + "' was successful"); + + if (session == null) + session = request.getSessionInternal(false); + if (session == null) { +// if (containerLog.isDebugEnabled()) +// containerLog.debug +// ("User took so long to log on the session expired"); + response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, + sm.getString("authenticator.sessionExpired")); + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity); + } + + // Save the authenticated Principal in our session + session.setNote(Constants.FORM_PRINCIPAL_NOTE, userIdentity); + + // Save the username and password as well + session.setNote(Constants.SESS_USERNAME_NOTE, username); + session.setNote(Constants.SESS_PASSWORD_NOTE, password); + + // Redirect the user to the original request URI (which will cause + // the original request to be restored) + requestURI = savedRequestURL(session); +// if (log.isDebugEnabled()) +// log.debug("Redirecting to original '" + requestURI + "'"); + if (requestURI == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, + sm.getString("authenticator.formlogin")); + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null); + } else { + response.sendRedirect(response.encodeRedirectURL(requestURI)); + return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, userIdentity); + } + } catch (IOException e) { + throw new ServerAuthException(e); + } + + } + + public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException { + 
return true; + } + + public String getAuthType() { + return "FORM"; + } + + /** + * Called to forward to the login page + * + * @param request Request we are processing + * @param response Response we are creating + */ + protected void forwardToLoginPage(Request request, Response response) { + RequestDispatcher disp = request.getRequestDispatcher(loginPage); + try { + disp.forward(request.getRequest(), response.getResponse()); + response.finishResponse(); + } catch (Throwable t) { +// log.warn("Unexpected error forwarding to login page", t); + } + } + + + /** + * Called to forward to the error page + * + * @param request Request we are processing + * @param response Response we are creating + */ + protected void forwardToErrorPage(Request request, Response response) { + RequestDispatcher disp = request.getRequestDispatcher(erroryPage); + try { + disp.forward(request.getRequest(), response.getResponse()); + response.finishResponse(); + } catch (Throwable t) { +// log.warn("Unexpected error forwarding to error page", t); + } + } + + + /** + * Does this request match the saved one (so that it must be the redirect + * we signalled after successful authentication? + * + * @param request The request to be verified + * @param session + */ + protected boolean matchRequest(Request request, Session session) { + + // Is there a saved request? + SavedRequest sreq = (SavedRequest) + session.getNote(Constants.FORM_REQUEST_NOTE); + if (sreq == null) + return (false); + + // Is there a saved principal? + if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) + return (false); + + // Does the request URI match? + String requestURI = request.getRequestURI(); + if (requestURI == null) + return (false); + return (requestURI.equals(sreq.getRequestURI())); + + } + + + /** + * Restore the original request from information stored in our session. + * If the original request is no longer present (because the session + * timed out), return false; otherwise, return + * true. 
+ * + * @param request The request to be restored + * @param session The session containing the saved information + */ + protected boolean restoreRequest(Request request, Session session) + throws IOException { + + // Retrieve and remove the SavedRequest object from our session + SavedRequest saved = (SavedRequest) + session.getNote(Constants.FORM_REQUEST_NOTE); + session.removeNote(Constants.FORM_REQUEST_NOTE); +// session.removeNote(Constants.FORM_PRINCIPAL_NOTE); + if (saved == null) + return (false); + + // Modify our current request to reflect the original one + request.clearCookies(); + Iterator cookies = saved.getCookies(); + while (cookies.hasNext()) { + request.addCookie((Cookie) cookies.next()); + } + + MimeHeaders rmh = request.getCoyoteRequest().getMimeHeaders(); + rmh.recycle(); + boolean cachable = "GET".equalsIgnoreCase(saved.getMethod()) || + "HEAD".equalsIgnoreCase(saved.getMethod()); + Iterator names = saved.getHeaderNames(); + while (names.hasNext()) { + String name = (String) names.next(); + // The browser isn't expecting this conditional response now. + // Assuming that it can quietly recover from an unexpected 412. 
+ // BZ 43687 + if (!("If-Modified-Since".equalsIgnoreCase(name) || + (cachable && "If-None-Match".equalsIgnoreCase(name)))) { + Iterator values = saved.getHeaderValues(name); + while (values.hasNext()) { + rmh.addValue(name).setString((String) values.next()); + } + } + } + + request.clearLocales(); + Iterator locales = saved.getLocales(); + while (locales.hasNext()) { + request.addLocale((Locale) locales.next()); + } + + request.getCoyoteRequest().getParameters().recycle(); + + if ("POST".equalsIgnoreCase(saved.getMethod())) { + ByteChunk body = saved.getBody(); + + if (body != null) { + request.getCoyoteRequest().action + (ActionCode.ACTION_REQ_SET_BODY_REPLAY, body); + + // Set content type + MessageBytes contentType = MessageBytes.newInstance(); + + //If no content type specified, use default for POST + String savedContentType = saved.getContentType(); + if (savedContentType == null) { + savedContentType = "application/x-www-form-urlencoded"; + } + + contentType.setString(savedContentType); + request.getCoyoteRequest().setContentType(contentType); + } + } + request.getCoyoteRequest().method().setString(saved.getMethod()); + + request.getCoyoteRequest().queryString().setString + (saved.getQueryString()); + + request.getCoyoteRequest().requestURI().setString + (saved.getRequestURI()); + return (true); + + } + + + /** + * Save the original request information into our session. 
+ * + * @param request The request to be saved + * @param session The session to contain the saved information + * @throws IOException + */ + protected void saveRequest(Request request, Session session) + throws IOException { + + // Create and populate a SavedRequest object for this request + SavedRequest saved = new SavedRequest(); + Cookie cookies[] = request.getCookies(); + if (cookies != null) { + for (int i = 0; i < cookies.length; i++) + saved.addCookie(cookies[i]); + } + Enumeration names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + Enumeration values = request.getHeaders(name); + while (values.hasMoreElements()) { + String value = (String) values.nextElement(); + saved.addHeader(name, value); + } + } + Enumeration locales = request.getLocales(); + while (locales.hasMoreElements()) { + Locale locale = (Locale) locales.nextElement(); + saved.addLocale(locale); + } + + if ("POST".equalsIgnoreCase(request.getMethod())) { + ByteChunk body = new ByteChunk(); + body.setLimit(request.getConnector().getMaxSavePostSize()); + + byte[] buffer = new byte[4096]; + int bytesRead; + InputStream is = request.getInputStream(); + + while ((bytesRead = is.read(buffer)) >= 0) { + body.append(buffer, 0, bytesRead); + } + saved.setContentType(request.getContentType()); + saved.setBody(body); + } + + saved.setMethod(request.getMethod()); + saved.setQueryString(request.getQueryString()); + saved.setRequestURI(request.getRequestURI()); + + // Stash the SavedRequest in our session for later use + session.setNote(Constants.FORM_REQUEST_NOTE, saved); + + } + + + /** + * Return the request URI (with the corresponding query string, if any) + * from the saved request so that we can redirect to it. 
+ * + * @param session Our current session + */ + protected String savedRequestURL(Session session) { + + SavedRequest saved = + (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); + if (saved == null) + return (null); + StringBuffer sb = new StringBuffer(saved.getRequestURI()); + if (saved.getQueryString() != null) { + sb.append('?'); + sb.append(saved.getQueryString()); + } + return (sb.toString()); + + } + +} Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java ------------------------------------------------------------------------------ svn:keywords = Date Revision Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java?rev=794752&view=auto ============================================================================== --- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java (added) +++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java Thu Jul 16 17:03:50 2009 
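Review bot: `session.setNote(Constants.SESS_PASSWORD_NOTE, password)` in validateRequest keeps the cleartext password in the session, but nothing in this class reads it back — the re-authentication path that consumed it in Tomcat's own FormAuthenticator is the block commented out above `restoreRequest`. Holding the secret for the whole session lifetime (and in any session store or replication) buys nothing here; drop that line, and keep `SESS_USERNAME_NOTE` only if the name is wanted elsewhere. Related: the session created to hold the SavedRequest before login is reused unchanged after `loginService.login` succeeds, so whatever session id the client presented survives authentication; if the Tomcat version in use exposes a session-id change hook, this is the place to call it. Lastly, forwardToLoginPage and forwardToErrorPage catch `Throwable` and discard it with the log call commented out, so a failed forward silently yields an empty response — at minimum rethrow `Error` and log the rest.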
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication;
+
+import org.apache.geronimo.tomcat.security.Authenticator;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class NoneAuthenticator implements Authenticator {
+
+ private final AuthResult unauthenticated;
+
+ public NoneAuthenticator(UserIdentity unauthenticatedIdentity) {
+ unauthenticated = new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+ }
+
+ public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+ return unauthenticated;
+ }
+
+ public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
+ return true;
+ }
+
+ public String getAuthType() {
+ return "NONE";
+ }
+}
Propchange: 
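Review bot: validateRequest returns `SUCCESS` carrying the unauthenticated identity whatever `isAuthMandatory` is, and the class has no Javadoc saying that this is deliberate. A reader comparing it with the other authenticators in this commit, which answer a mandatory request without credentials with a failure or a redirect, could read it as a bug. Suggest a class comment such as `Authenticator for the NONE auth-method: every request is accepted as the unauthenticated identity, even when isAuthMandatory is true, and no credentials are ever requested.`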
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java ------------------------------------------------------------------------------ svn:keywords = Date Revision Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java?rev=794752&view=auto ============================================================================== --- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java (added) +++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,140 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + +package org.apache.geronimo.tomcat.security.authentication.jaspic; + +import java.util.Map; +import java.util.Set; +import java.util.Arrays; +import java.security.Principal; + +import javax.security.auth.message.config.ServerAuthContext; +import javax.security.auth.message.config.ServerAuthConfig; +import javax.security.auth.message.MessageInfo; +import javax.security.auth.message.AuthStatus; +import javax.security.auth.message.AuthException; +import javax.security.auth.message.callback.CallerPrincipalCallback; +import javax.security.auth.message.callback.GroupPrincipalCallback; +import javax.security.auth.Subject; + +import org.apache.geronimo.tomcat.security.Authenticator; +import org.apache.geronimo.tomcat.security.AuthResult; +import org.apache.geronimo.tomcat.security.ServerAuthException; +import org.apache.geronimo.tomcat.security.TomcatAuthStatus; +import org.apache.geronimo.tomcat.security.UserIdentity; +import org.apache.geronimo.tomcat.security.IdentityService; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; + +/** + * @version $Rev$ $Date$ + */ +public class JaspicAuthenticator 
implements Authenticator { + private static final String MESSAGE_INFO_KEY = "org.apache.geronimo.tomcat.jaspic.message.info"; + + private final ServerAuthConfig serverAuthConfig; + private final Map authProperties; + private final Subject serviceSubject; + private final JaspicCallbackHandler callbackHandler; + private final IdentityService identityService; + + public JaspicAuthenticator(ServerAuthConfig serverAuthConfig, Map authProperties, Subject serviceSubject, JaspicCallbackHandler callbackHandler, IdentityService identityService) { + this.serverAuthConfig = serverAuthConfig; + this.authProperties = authProperties; + this.serviceSubject = serviceSubject; + this.callbackHandler = callbackHandler; + this.identityService = identityService; + } + + public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException { + try { + MessageInfo messageInfo = new JaspicMessageInfo(request, response, isAuthMandatory); + request.setNote(MESSAGE_INFO_KEY, messageInfo); + String authContextId = serverAuthConfig.getAuthContextID(messageInfo); + ServerAuthContext authContext = serverAuthConfig.getAuthContext(authContextId, serviceSubject, authProperties); + Subject clientSubject = new Subject(); + + AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, serviceSubject); + if (authStatus == AuthStatus.SEND_CONTINUE) + return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null); + if (authStatus == AuthStatus.SEND_FAILURE) + return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null); + + if (authStatus == AuthStatus.SUCCESS) { + Set ids = clientSubject.getPrivateCredentials(UserIdentity.class); + UserIdentity userIdentity; + if (ids.size() > 0) { + userIdentity = ids.iterator().next(); + } else { + CallerPrincipalCallback principalCallback = callbackHandler.getThreadCallerPrincipalCallback(); + if (principalCallback == null) throw new NullPointerException("No CallerPrincipalCallback"); + Principal 
principal = principalCallback.getPrincipal(); + if (principal == null) { + String principalName = principalCallback.getName(); + Set principals = principalCallback.getSubject().getPrincipals(); + for (Principal p : principals) { + if (p.getName().equals(principalName)) { + principal = p; + break; + } + } + if (principal == null) { + //TODO not clear what to do here. + return new AuthResult(TomcatAuthStatus.SUCCESS, null); + } + } + GroupPrincipalCallback groupPrincipalCallback = callbackHandler.getThreadGroupPrincipalCallback(); + String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups(); + userIdentity = identityService.newUserIdentity(clientSubject, principal, Arrays.asList(groups)); + } + return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity); + } + if (authStatus == AuthStatus.SEND_SUCCESS) { + //we are processing a message in a secureResponse dialog. + return new AuthResult(TomcatAuthStatus.SEND_SUCCESS, null); + } + //should not happen + throw new NullPointerException("No AuthStatus returned"); + } catch (AuthException e) { + throw new ServerAuthException(e); + } + } + + public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException { + JaspicMessageInfo messageInfo = (JaspicMessageInfo)request.getNote(MESSAGE_INFO_KEY); + if (messageInfo==null) throw new NullPointerException("MeesageInfo from request missing: " + request); + try + { + String authContextId = serverAuthConfig.getAuthContextID(messageInfo); + ServerAuthContext authContext = serverAuthConfig.getAuthContext(authContextId,serviceSubject,authProperties); + // TODO authContext.cleanSubject(messageInfo,validatedUser.getUserIdentity().getSubject()); + AuthStatus status = authContext.secureResponse(messageInfo,serviceSubject); + return (AuthStatus.SEND_SUCCESS.equals(status)); + } + catch (AuthException e) + { + throw new ServerAuthException(e); + } + } + + public String getAuthType() { + return "JASPIC"; + } 
+} Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java ------------------------------------------------------------------------------ svn:keywords = Date Revision Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java?rev=794752&view=auto ============================================================================== --- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java (added) +++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java Thu Jul 16 17:03:50 2009 
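Review bot: In the SUCCESS branch of validateRequest, `Arrays.asList(groups)` is reached with `groups == null` whenever no GroupPrincipalCallback was issued, and `Arrays.asList((String[]) null)` throws NullPointerException, so a module that supplies only a caller principal fails with an NPE instead of yielding an identity with no groups. Replace the two lines with `List<String> groups = groupPrincipalCallback == null || groupPrincipalCallback.getGroups() == null ? Collections.<String>emptyList() : Arrays.asList(groupPrincipalCallback.getGroups());` and `userIdentity = identityService.newUserIdentity(clientSubject, principal, groups);` (needs `java.util.List` and `java.util.Collections` imports). The `//TODO not clear what to do here` path returns `SUCCESS` with a null identity when the CallerPrincipalCallback names a principal that is not in the Subject; on a mandatory request `SEND_FAILURE` is the safer answer, hedged because how the caller treats a null identity is outside this hunk. In secureResponse the message `"MeesageInfo from request missing: "` has a typo and concatenates the whole `request` object into the exception text; `"MessageInfo note missing from request"` says enough.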
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication.jaspic;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
+import javax.security.auth.message.callback.CertStoreCallback;
+import javax.security.auth.message.callback.PrivateKeyCallback;
+import javax.security.auth.message.callback.SecretKeyCallback;
+import javax.security.auth.message.callback.TrustStoreCallback;
+import javax.security.auth.Subject;
+
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class JaspicCallbackHandler implements CallbackHandler {
+ private final LoginService loginService;
+
+ private final ThreadLocal callerPrincipals = new ThreadLocal();
+ private final ThreadLocal groupPrincipals = new ThreadLocal();
+
+ public JaspicCallbackHandler(LoginService loginService) {
+ this.loginService = loginService;
+ }
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ // jaspi to server communication
+ if (callback instanceof CallerPrincipalCallback) {
+ callerPrincipals.set((CallerPrincipalCallback) callback);
+ } else if (callback instanceof GroupPrincipalCallback) {
+ groupPrincipals.set((GroupPrincipalCallback) callback);
+ } else if (callback instanceof PasswordValidationCallback) {
+ PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback) callback;
+ Subject subject = passwordValidationCallback.getSubject();
+
+ UserIdentity user = loginService.login(passwordValidationCallback.getUsername(), new String(passwordValidationCallback.getPassword()));
+
+ if (user != null) {
+ passwordValidationCallback.setResult(true);
+ passwordValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
+ passwordValidationCallback.getSubject().getPrivateCredentials().add(user);
+ }
+ }
+ // server to jaspi communication
+ // TODO implement these
+ else if (callback instanceof CertStoreCallback) {
+ } else if (callback instanceof PrivateKeyCallback) {
+ } else if (callback instanceof SecretKeyCallback) {
+ } else if (callback instanceof TrustStoreCallback) {
+ } else {
+ throw new UnsupportedCallbackException(callback);
+ }
+ }
+ }
+
+ public CallerPrincipalCallback getThreadCallerPrincipalCallback() {
+ CallerPrincipalCallback callerPrincipalCallback = callerPrincipals.get();
+ callerPrincipals.remove();
+ return callerPrincipalCallback;
+ }
+
+ public GroupPrincipalCallback getThreadGroupPrincipalCallback() {
+ GroupPrincipalCallback groupPrincipalCallback = groupPrincipals.get();
+ groupPrincipals.remove();
+ return groupPrincipalCallback;
+ }
+}
Propchange: 
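Review bot: The two ThreadLocals are cleared only inside the getThread*Callback getters, and JaspicAuthenticator.validateRequest calls those getters only on the SUCCESS path when no UserIdentity credential was found in the Subject; on every other path (SEND_CONTINUE, SEND_FAILURE, an AuthException, or a module that issued a CallerPrincipalCallback and also added a UserIdentity credential) the callback stays attached to the pooled worker thread. The next request serviced by that thread can then pick up a stale CallerPrincipalCallback belonging to a different user, which is an identity-confusion bug rather than a mere leak. Add `public void clearThreadCallbacks() { callerPrincipals.remove(); groupPrincipals.remove(); }` here and have validateRequest call it before `authContext.validateRequest` or in a `finally`. The empty `CertStoreCallback`/`PrivateKeyCallback`/`SecretKeyCallback`/`TrustStoreCallback` branches return without throwing, so a module asking for key material gets an unpopulated callback and no signal; until they are implemented, letting them fall through to the `UnsupportedCallbackException` branch is the honest behaviour. The local `Subject subject` in the PasswordValidationCallback branch is unused and can go.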
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java ------------------------------------------------------------------------------ svn:keywords = Date Revision Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java?rev=794752&view=auto ============================================================================== --- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java (added) +++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.authentication.jaspic;
+
+import java.util.Map;
+import java.util.HashMap;
+
+import javax.security.auth.message.MessageInfo;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class JaspicMessageInfo implements MessageInfo {
+ private static final String MANDATORY_KEY = "javax.security.auth.message.MessagePolicy.isMandatory";
+
+ private final Map map = new HashMap();
+ private HttpServletRequest request;
+ private HttpServletResponse response;
+
+ public JaspicMessageInfo() {
+ }
+
+ public JaspicMessageInfo(Request request, Response response, boolean authMandatory) {
+ this.request = request;
+ this.response = response;
+ map.put(MANDATORY_KEY, authMandatory);
+ }
+
+ public Map getMap() {
+ return map;
+ }
+
+ public Object getRequestMessage() {
+ return request;
+ }
+
+ public Object getResponseMessage() {
+ return response;
+ }
+
+ public void setRequestMessage(Object request) {
+ if (!(request instanceof
HttpServletRequest)) throw new IllegalArgumentException("Request in not a servlet request but " + request.getClass().getName());
+ this.request = (HttpServletRequest) request;
+ }
+
+ public void setResponseMessage(Object response) {
+ if (!(response instanceof HttpServletResponse)) throw new IllegalArgumentException("response in not a servlet response but " + response.getClass().getName());
+ this.response = (HttpServletResponse) response;
+ }
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java Thu Jul 16 17:03:50 2009
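Review bot: The three-argument constructor stores `authMandatory` under MANDATORY_KEY as an autoboxed `Boolean`, whereas the JASPIC Servlet Container Profile, as I read it, defines that property's value as the String form of the boolean; an auth module that tests `"true".equals(messageInfo.getMap().get(key))` would then see every request as non-mandatory, which fails open. Writing `map.put(MANDATORY_KEY, Boolean.toString(authMandatory));` matches the profile and the other containers. Separately, `setRequestMessage` and `setResponseMessage` dereference their argument inside the exception message, so a null argument surfaces as a NullPointerException instead of the intended IllegalArgumentException, and both messages read "in not" where "is not" was meant.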
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.impl;
+
+import java.security.Principal;
+import java.security.AccessControlContext;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+import org.apache.geronimo.tomcat.security.IdentityService;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.geronimo.tomcat.security.jacc.JACCUserIdentity;
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class GeronimoIdentityService implements IdentityService {
+ public Object associate(UserIdentity userIdentity) {
+ Subject subject = userIdentity == null?
ContextManager.EMPTY: userIdentity.getSubject();
+ ContextManager.setCallers(subject, subject);
+ return null;
+ }
+
+ public void dissociate(Object previous) {
+ ContextManager.clearCallers();
+ }
+
+ public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, List groups) {
+ AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal, groups);
+ return new JACCUserIdentity(subject, userPrincipal, groups, acc);
+ }
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java (added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java Thu Jul 16 17:03:50 2009
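Review bot: `associate` returns null and `dissociate` ignores its `previous` argument and unconditionally calls `ContextManager.clearCallers()`, so whatever caller context was in place before `associate` ran is dropped rather than restored; if an associate/dissociate pair ever nests inside an existing caller context, the outer identity is lost after the inner dissociate. If ContextManager exposes the current callers, `associate` should capture and return them and `dissociate` should reinstate `previous` instead of clearing. The null branch also deserves a comment, e.g. `// null identity => install the unauthenticated (EMPTY) subject rather than keep the previous callers`, since that choice is what makes an anonymous request safe here.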
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.impl;
+
+import java.security.Principal;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.Subject;
+
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.geronimo.tomcat.security.IdentityService;
+import org.apache.geronimo.security.jaas.ConfigurationFactory;
+import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class GeronimoLoginService implements LoginService {
+
+ private final ConfigurationFactory configurationFactory;
+ private final IdentityService identityService;
+
+ public GeronimoLoginService(ConfigurationFactory configurationFactory, IdentityService identityService) {
+ this.configurationFactory = configurationFactory;
+ this.identityService = identityService;
+ }
+
+ public UserIdentity login(String userName, String password) {
+ CallbackHandler
callbackHandler = new PasswordCallbackHandler(userName, password.toCharArray());
+ try {
+ LoginContext loginContext = ContextManager.login(configurationFactory.getConfigurationName(), callbackHandler, configurationFactory.getConfiguration());
+ Subject establishedSubject = loginContext.getSubject();
+ Principal userPrincipal = ContextManager.getCurrentPrincipal(establishedSubject);
+ return identityService.newUserIdentity(establishedSubject, userPrincipal, null);
+ } catch (LoginException e) {
+ return null;
+ }
+ }
+
+ public void logout(UserIdentity userIdentity) {
+ }
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java (added)
+++
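Review bot: `login` swallows `LoginException` and returns null without recording anything, so a failed authentication is indistinguishable from a broken JAAS configuration and leaves no trace for audit or for detecting credential guessing; the file has no logger yet, but the catch should at least log the failure at debug level with `userName` and the exception (never the password) before returning null. `logout` is a no-op even though the identity handed back by `login` was registered with `ContextManager` through `identityService.newUserIdentity`, so whatever that registration holds is presumably never released; if ContextManager offers a matching unregister operation it belongs in `logout`. The `password.toCharArray()` copy passed to the callback handler is also never cleared once the LoginContext has consumed it, and a null `password` fails with a NullPointerException rather than a clean null return.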
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.jacc;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.Realm;
+import org.apache.geronimo.tomcat.security.Authorizer;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+
+import javax.security.jacc.WebUserDataPermission;
+import javax.security.jacc.WebResourcePermission;
+import java.security.AccessControlContext;
+import java.security.AccessControlException;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class JACCAuthorizer implements Authorizer {
+
+ private final AccessControlContext defaultACC;
+
+ public JACCAuthorizer(AccessControlContext defaultACC) {
+ this.defaultACC = defaultACC;
+ }
+
+ public Object getConstraints(Request request) {
+ return null;
+ }
+
+ public boolean hasUserDataPermissions(Request request, Object constraints) {
+ try {
+ defaultACC.checkPermission(new WebUserDataPermission(request));
+ return true;
+ } catch (AccessControlException e) {
+ return false;
+ }
+ }
+
+ public boolean isAuthMandatory(Request request, Object constraints) {
+ try {
+ defaultACC.checkPermission(new
WebResourcePermission(request));
+ return false;
+ } catch (AccessControlException e) {
+ return true;
+ }
+ }
+
+ public boolean hasResourcePermissions(Request request, AuthResult authResult, Object constraints, UserIdentity userIdentity) {
+ if (!(userIdentity instanceof JACCUserIdentity)) {
+ return false;
+ }
+
+ AccessControlContext acc = ((JACCUserIdentity)userIdentity).getAccessControlContext();
+ try {
+ acc.checkPermission(new WebResourcePermission(request));
+ return true;
+ } catch (AccessControlException e) {
+ return false;
+ }
+ }
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCAuthorizer.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java?rev=794752&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java (added)
+++
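Review bot: `isAuthMandatory` inverts the outcome of a permission check against `defaultACC` (granted means not mandatory), `getConstraints` always returns null and every other method ignores its `constraints` argument, and none of this is explained beyond the version tag; a reader coming from Tomcat's constraint-based realm will read `return false` after a successful check as a bug. I would add a class Javadoc stating that security constraints are resolved by the JACC policy bound to the AccessControlContexts, so no per-request constraint object is needed, and on the check in `isAuthMandatory` a comment like `// the default (unauthenticated) context may reach the resource => authentication is not required`. `hasResourcePermissions` ignoring `authResult` deserves a one-line note too, since the authenticated state is assumed to be carried entirely by the identity's AccessControlContext. The import of `org.apache.catalina.Realm` is unused.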
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java Thu Jul 16 17:03:50 2009 
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.tomcat.security.jacc;
+
+import java.security.AccessControlContext;
+
+import org.apache.catalina.connector.Request;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class JACCEJBWebServiceAuthorizer extends JACCAuthorizer {
+
+ public JACCEJBWebServiceAuthorizer(AccessControlContext defaultACC) {
+ super(defaultACC);
+ }
+
+ @Override
+ public boolean hasResourcePermissions(Request request, AuthResult authResult, Object constraints, UserIdentity userIdentity) {
+ return true;
+ }
+
+}
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
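Review bot: The overriding `hasResourcePermissions` grants every resource unconditionally, which reads as a bypass of the inherited JACC check and carries no comment explaining why; presumably the EJB container applies its own method permissions to the web service invocation after dispatch, but the file does not say so. A class Javadoc such as "Resource permissions are not checked at the web layer for EJB web services because the EJB container enforces its own method permissions on the invocation; only the inherited user-data and auth-mandatory checks apply here" would stop a future reader from either 'fixing' this override or copying the always-true pattern into an authorizer where nothing downstream enforces access.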
Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCEJBWebServiceAuthorizer.java ------------------------------------------------------------------------------ svn:mime-type = text/plain