From djen...@apache.org
Subject svn commit: r1000267 - in /geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina: ./ authenticator/ connector/ realm/
Date Wed, 22 Sep 2010 22:49:04 GMT
Author: djencks
Date: Wed Sep 22 22:49:03 2010
New Revision: 1000267

URL: http://svn.apache.org/viewvc?rev=1000267&view=rev
Log:
GERONIMO-5626 initial proposal for improving division of responsibilities in tomcat security

Modified:
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Authenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Realm.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/BasicAuthenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/SSLAuthenticator.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/connector/Request.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/RealmBase.java
    geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/UserDatabaseRealm.java

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Authenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Authenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Authenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Authenticator.java
Wed Sep 22 22:49:03 2010
@@ -21,6 +21,7 @@ package org.apache.catalina;
 import java.io.IOException;
 import java.security.Principal;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.catalina.connector.Request;
@@ -53,6 +54,7 @@ public interface Authenticator {
     public boolean authenticate(Request request, HttpServletResponse response,
             LoginConfig config) throws IOException;
     
+    //TODO this is called only from Authenticator instances so should be removed from the
interface
     /**
      * Register an authenticated Principal and authentication type in our
      * request, in the current session (if there is one), and with our
@@ -70,4 +72,8 @@ public interface Authenticator {
     public void register(Request request, HttpServletResponse response,
             Principal principal, String authType,
             String username, String password);
+
+    public void login(String userName, String password, Request request) throws ServletException;
+
+    public void logout(Request request) throws ServletException;
 }
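Review bot: The two methods added to the interface at `login(String userName, String password, Request request)` and `logout(Request request)` carry no Javadoc, so callers cannot tell that a rejected credential surfaces as a `ServletException` or that the password is handed on to `register` (which is what the AuthenticatorBase implementation in this commit does). I would add above `login`: `/** Authenticate username/password against the context Realm and register the result on the request; @throws ServletException if the Realm rejects the credentials or this authenticator does not support password login. */` and above `logout`: `/** Clear the Principal and auth type registered on the request and its session. */`. The parameter is spelled `userName` here but `username` in AuthenticatorBase and Request; pick one. The `//TODO` note on `register` would read better as a Javadoc `@deprecated`-style remark on the method it refers to rather than a loose line comment between declarations.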

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Realm.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Realm.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Realm.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Realm.java
Wed Sep 22 22:49:03 2010
@@ -161,8 +161,20 @@ public interface Realm {
      * @param principal Principal for whom the role is to be checked
      * @param role Security role to be checked
      */
+    @Deprecated
     public boolean hasRole(Principal principal, String role);
 
+    /**
+     * Return <code>true</code> if the specified Principal has the specified
+     * security role, within the context of this Realm; otherwise return
+     * <code>false</code>.
+     *
+     * @param wrapper wrapper context for evaluating role
+     * @param principal Principal for whom the role is to be checked
+     * @param role Security role to be checked
+     */
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role);
+
         /**
      * Enforce any user data constraint required by the security constraint
      * guarding this request URI.  Return <code>true</code> if this constraint
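Review bot: The Javadoc for the new `hasRole(Wrapper, Principal, String)` does not say what the wrapper is for, nor that it may be null, although RealmBase in this commit calls it with `null` from the deprecated overload. I would replace the `@param wrapper wrapper context for evaluating role` line with `@param wrapper Wrapper whose <security-role-ref> aliases are resolved before the check, or null to check the role name as given`. The `@Deprecated` annotation on the two-argument `hasRole` should be paired with a `@deprecated Use {@link #hasRole(Wrapper, Principal, String)}` tag in its Javadoc so the replacement is discoverable from the API docs.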

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Sep 22 22:49:03 2010
@@ -826,6 +826,27 @@ public abstract class AuthenticatorBase 
 
     }
 
+    public void login(String username, String password, Request request) throws ServletException
{
+        Principal principal = doLogin(request, username, password);
+        register(request, request.getResponse(), principal,
+                    getAuthMethod(), username, password);
+    }
+
+    protected abstract String getAuthMethod();
+
+    protected Principal doLogin(Request request, String username, String password) throws
ServletException {
+        Principal p = context.getRealm().authenticate(username, password);
+        if (p == null) {
+            throw new ServletException("could not authenticate");
+        }
+        return p;
+    }
+
+    public void logout(Request request) throws ServletException {
+        register(request, request.getResponse(), null,
+                null, null, null);
+
+    }
 
     /**
      * Start this component and implement the requirements
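Review bot: `login` at the top of the hunk authenticates by username/password against the Realm for every authenticator subclass and then registers the principal under whatever `getAuthMethod()` returns, so on a CLIENT-CERT or NONE context a password-verified user would be reported by `request.getAuthType()` as `CLIENT_CERT`/`NONE`; the guard that previously rejected password login for those methods (removed from Request.login in this same commit) is not reinstated here. The default `doLogin` should document that contract, e.g. `/** Username/password authentication against the context Realm; authenticators whose auth method is not password-based must override this to throw ServletException. */`, and SSLAuthenticator/NonLoginAuthenticator should override it. The abstract `getAuthMethod()` also needs Javadoc: `/** Auth type string (e.g. Constants.BASIC_METHOD) reported via request.getAuthType() for principals registered by this authenticator. */`. Note that the "already authenticated" check remains only in Request.login, so code that calls this public interface method directly can layer a second identity onto a request; presumably intended to stay in Request, but worth stating in the Javadoc. The `login`/`logout` pair lacks a blank line before the following `/**` comment and `logout` has a stray blank line before its closing brace.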

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/BasicAuthenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/BasicAuthenticator.java
Wed Sep 22 22:49:03 2010
@@ -22,6 +22,7 @@ package org.apache.catalina.authenticato
 import java.io.IOException;
 import java.security.Principal;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.catalina.connector.Request;
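Review bot: The added `import javax.servlet.ServletException;` is not referenced by any line this commit adds to BasicAuthenticator (the only other addition is `getAuthMethod()`, which throws nothing), so unless some part of the file outside the diff already uses it, the import is unused and should be dropped to keep the import block clean.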
@@ -176,5 +177,9 @@ public class BasicAuthenticator
 
     }
 
+    @Override
+    protected String getAuthMethod() {
+        return Constants.BASIC_METHOD;
+    }
 
 }

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Wed Sep 22 22:49:03 2010
@@ -198,6 +198,11 @@ public class DigestAuthenticator
 
     }
 
+    @Override
+    protected String getAuthMethod() {
+        return Constants.DIGEST_METHOD;
+    }
+
 
     // ------------------------------------------------------ Protected Methods
 

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
Wed Sep 22 22:49:03 2010
@@ -27,6 +27,7 @@ import java.util.Iterator;
 import java.util.Locale;
 
 import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
@@ -297,6 +298,10 @@ public class FormAuthenticator
 
     }
 
+    @Override
+    protected String getAuthMethod() {
+        return Constants.FORM_METHOD;
+    }
 
     // ------------------------------------------------------ Protected Methods
 

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
Wed Sep 22 22:49:03 2010
@@ -102,5 +102,10 @@ public final class NonLoginAuthenticator
 
     }
 
+    @Override
+    protected String getAuthMethod() {
+        return "NONE";
+    }
+
 
 }
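Review bot: Returning the bare literal `"NONE"` from `getAuthMethod()` means that, with the `login()` implementation AuthenticatorBase gains in this commit, a username/password login on a context with no login-config would succeed against the Realm and be registered with auth type `"NONE"`, which the guard removed from Request.login previously rejected. This authenticator should override `doLogin` to refuse password login, and the literal should be a named constant alongside the `Constants.*_METHOD` values used by the other subclasses (e.g. `Constants.NONE_METHOD` if one exists, otherwise a `private static final String NONE_METHOD = "NONE";` in this class). If `java.security.Principal` or `javax.servlet.ServletException` are not already imported in this file, the override below needs them.

```java
    @Override
    protected Principal doLogin(Request request, String username, String password)
            throws ServletException {
        // A context without a login-config has no password-based auth method;
        // refuse rather than registering a principal under auth type "NONE".
        throw new ServletException("password login is not supported for auth method NONE");
    }
```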

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/SSLAuthenticator.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/authenticator/SSLAuthenticator.java
Wed Sep 22 22:49:03 2010
@@ -161,4 +161,9 @@ public class SSLAuthenticator
         return (true);
 
     }
+
+    @Override
+    protected String getAuthMethod() {
+        return Constants.CERT_METHOD;
+    }
 }
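Review bot: With `getAuthMethod()` returning `Constants.CERT_METHOD` and the inherited `AuthenticatorBase.login()` from this commit calling `realm.authenticate(username, password)` for any subclass, a programmatic `request.login(user, pw)` on a CLIENT-CERT context would produce a principal that `getAuthType()` reports as `CLIENT_CERT` even though no certificate was presented; the old Request.login threw `noPasswordLogin` for this case and nothing in the new code restores that. The fix is to override `doLogin` here so the SSL authenticator only ever registers certificate-derived principals. If `java.security.Principal` or `javax.servlet.ServletException` are not already imported in this file, the override needs them.

```java
    @Override
    protected Principal doLogin(Request request, String username, String password)
            throws ServletException {
        // CLIENT-CERT authenticates by X.509 certificate only; never mint a
        // CLIENT_CERT principal from a username/password pair.
        throw new ServletException("password login is not supported for CLIENT-CERT");
    }
```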

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/connector/Request.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/connector/Request.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/connector/Request.java
Wed Sep 22 22:49:03 2010
@@ -2257,15 +2257,8 @@ public class Request
         if (realm == null)
             return false;
 
-        // Check for a role alias defined in a <security-role-ref> element
-        if (wrapper != null) {
-            String realRole = wrapper.findSecurityReference(role);
-            if ((realRole != null) && realm.hasRole(userPrincipal, realRole))
-                return true;
-        }
-
         // Check for a role defined directly as a <security-role>
-        return (realm.hasRole(userPrincipal, role));
+        return (realm.hasRole(wrapper, userPrincipal, role));
     }
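Review bot: The surviving comment `// Check for a role defined directly as a <security-role>` above the new `realm.hasRole(wrapper, userPrincipal, role)` call is now stale, since the realm call covers both the `<security-role-ref>` alias and the direct role; I would replace it with `// Delegate to the realm, which resolves any <security-role-ref> alias on the wrapper`. Note also that the removed code fell back to checking the unaliased name when the alias did not match, whereas the RealmBase implementation in this commit substitutes the alias and does not fall back; that is arguably the correct reading of `<security-role-ref>`, but it is a behaviour change that should be called out in the commit log or the Realm Javadoc. The enclosing `isUserInRole` begins outside the hunk.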
 
 
@@ -2427,40 +2420,17 @@ public class Request
             throw new ServletException(
                     sm.getString("coyoteRequest.alreadyAuthenticated"));
         }
-        
-        LoginConfig config = context.getLoginConfig();
-        if (config == null) {
-            throw new ServletException(
-                    sm.getString("coyoteRequest.noLoginConfig"));
-        }
-        
-        String authMethod = config.getAuthMethod();
-        if (BASIC_AUTH.equals(authMethod) || FORM_AUTH.equals(authMethod) ||
-                DIGEST_AUTH.equals(authMethod)) {
-            // Methods support user name and password authentication
-            Realm realm = context.getRealm();
-            
-            Principal principal = realm.authenticate(username, password);
-
-            if (principal == null) {
-                throw new ServletException(
-                        sm.getString("coyoteRequest.authFail", username));
-            }
-            // Assume if we have a non-null LoginConfig then we must have an
-            // authenticator
-            context.getAuthenticator().register(this, getResponse(), principal,
-                    authMethod, username, password);
-        } else {
-            throw new ServletException("coyoteRequest.noPasswordLogin");
+        if (context.getAuthenticator() == null) {
+            throw new ServletException("no authenticator");
         }
+        context.getAuthenticator().login(username, password, this);
     }
 
     /**
      * {@inheritDoc}
      */
     public void logout() throws ServletException {
-        context.getAuthenticator().register(this, getResponse(), null,
-                null, null, null);
+        context.getAuthenticator().logout(this);
     }
     
     /**
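Review bot: The removed branch that threw `noPasswordLogin` for auth methods other than BASIC/FORM/DIGEST has no counterpart in the new `context.getAuthenticator().login(username, password, this)` path, so unless each non-password authenticator rejects it, `login()` now accepts a password for CLIENT-CERT and NONE contexts; this is the one check worth keeping here or pinning down in the Authenticator contract. The new `throw new ServletException("no authenticator")` also abandons the `sm.getString(...)` convention used by the neighbouring `alreadyAuthenticated` message; either add a key for it or, if no key is wanted, say so in a comment. `logout()` still dereferences `context.getAuthenticator()` without the null guard `login()` just gained, which looks inconsistent; I would mirror it with `if (context.getAuthenticator() == null) return;` or document why logout can assume one. The `login` method begins outside the hunk.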

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/RealmBase.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/RealmBase.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/RealmBase.java
Wed Sep 22 22:49:03 2010
@@ -40,6 +40,7 @@ import org.apache.catalina.LifecycleStat
 import org.apache.catalina.Realm;
 import org.apache.catalina.Server;
 import org.apache.catalina.Service;
+import org.apache.catalina.Wrapper;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.core.ApplicationSessionCookieConfig;
@@ -830,7 +831,28 @@ public abstract class RealmBase extends 
      * @param principal Principal for whom the role is to be checked
      * @param role Security role to be checked
      */
+    @Deprecated
     public boolean hasRole(Principal principal, String role) {
+        return hasRole(null, principal, role);
+    }
+    /**
+     * Return <code>true</code> if the specified Principal has the specified
+     * security role, within the context of this Realm; otherwise return
+     * <code>false</code>.  This method can be overridden by Realm
+     * implementations, but the default is adequate when an instance of
+     * <code>GenericPrincipal</code> is used to represent authenticated
+     * Principals from this Realm.
+     *
+     * @param principal Principal for whom the role is to be checked
+     * @param role Security role to be checked
+     */
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+        // Check for a role alias defined in a <security-role-ref> element
+        if (wrapper != null) {
+            String realRole = wrapper.findSecurityReference(role);
+            if (realRole != null)
+                role = realRole;
+        }
 
         // Should be overridden in JAASRealm - to avoid pretty inefficient conversions
         if ((principal == null) || (role == null) ||
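Review bot: The Javadoc on the new `hasRole(Wrapper, Principal, String)` has no `@param wrapper` entry and does not state that a null wrapper (which the deprecated two-argument overload now passes) skips alias resolution, and the deprecated overload lacks a `@deprecated` tag naming its replacement; also a blank line is missing between the two methods. The alias-resolution block is duplicated verbatim in UserDatabaseRealm's override in this same commit, so I would factor it into a protected helper that subclasses call, as below. The body of `hasRole` continues past the end of the hunk.

```java
    /**
     * Resolve a <security-role-ref> alias declared on the given Wrapper.
     * Returns {@code role} unchanged when wrapper is null or no alias exists.
     */
    protected String resolveRoleReference(Wrapper wrapper, String role) {
        if (wrapper == null) {
            return role;
        }
        String realRole = wrapper.findSecurityReference(role);
        return realRole != null ? realRole : role;
    }

    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        role = resolveRoleReference(wrapper, role);
        // … unchanged: null checks and GenericPrincipal role lookup …
```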

Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/UserDatabaseRealm.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/UserDatabaseRealm.java?rev=1000267&r1=1000266&r2=1000267&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/UserDatabaseRealm.java
(original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/realm/UserDatabaseRealm.java
Wed Sep 22 22:49:03 2010
@@ -31,6 +31,7 @@ import org.apache.catalina.LifecycleExce
 import org.apache.catalina.Role;
 import org.apache.catalina.User;
 import org.apache.catalina.UserDatabase;
+import org.apache.catalina.Wrapper;
 import org.apache.catalina.core.StandardServer;
 import org.apache.catalina.util.LifecycleBase;
 
@@ -135,7 +136,13 @@ public class UserDatabaseRealm
      * @param role Security role to be checked
      */
     @Override
-    public boolean hasRole(Principal principal, String role) {
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+        // Check for a role alias defined in a <security-role-ref> element
+        if (wrapper != null) {
+            String realRole = wrapper.findSecurityReference(role);
+            if (realRole != null)
+                role = realRole;
+        }
         if( principal instanceof GenericPrincipal) {
             GenericPrincipal gp = (GenericPrincipal)principal;
             if(gp.getUserPrincipal() instanceof User) {
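Review bot: The `<security-role-ref>` lookup added at the top of this override is a verbatim copy of the block RealmBase gains in the same commit, so the two will drift; a protected helper on RealmBase (e.g. `role = resolveRoleReference(wrapper, role);`) called from both would keep the alias semantics in one place. The Javadoc above the override still documents only `principal` and `role`; add `@param wrapper Wrapper whose <security-role-ref> aliases apply, or null for none`. Dropping the two-argument override means callers of the deprecated `hasRole(Principal, String)` now go through RealmBase's bridge to this method with a null wrapper, which appears to preserve behaviour, but that is inferred since the rest of the method lies outside the hunk.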


