geronimo-scm mailing list archives

From xiam...@apache.org
Subject svn commit: r1147719 - in /geronimo/server/trunk: framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/ plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/ plugins/tomcat/geronimo-tomcat7/...
Date Sun, 17 Jul 2011 23:05:18 GMT
Author: xiaming
Date: Sun Jul 17 23:05:17 2011
New Revision: 1147719

URL: http://svn.apache.org/viewvc?rev=1147719&view=rev
Log:
GERONIMO-5651 Enable SPNEGO support, provided by ShengHao Fang

Added:
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
  (with props)
Modified:
    geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SpnegoLoginModule.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java

Modified: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SpnegoLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SpnegoLoginModule.java?rev=1147719&r1=1147718&r2=1147719&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SpnegoLoginModule.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SpnegoLoginModule.java
Sun Jul 17 23:05:17 2011
@@ -168,6 +168,7 @@ public class SpnegoLoginModule implement
                 }
             }
         } catch (GSSException e) {
+            log.error(e.getMessage());
             throw (LoginException) new LoginException().initCause(e);
         }
         return loginSucceeded;
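Review bot: The added `log.error(e.getMessage())` records only the GSSException's text, dropping its major/minor status codes and stack trace, and it does so at ERROR level for every failed negotiation even though the same exception is rethrown on the next line as the LoginException cause, so the caller will report it a second time. Prefer passing the exception object at a lower level, e.g. `log.debug("SPNEGO GSS-API negotiation failed", e);`, or drop the log and let the LoginException carry the detail. The enclosing method starts outside the hunk.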

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java?rev=1147719&r1=1147718&r2=1147719&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
(original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
Sun Jul 17 23:05:17 2011
@@ -51,6 +51,7 @@ import org.apache.geronimo.tomcat.securi
 import org.apache.geronimo.tomcat.security.authentication.FormAuthenticator;
 import org.apache.geronimo.tomcat.security.authentication.GenericHeaderAuthenticator;
 import org.apache.geronimo.tomcat.security.authentication.NoneAuthenticator;
+import org.apache.geronimo.tomcat.security.authentication.SpnegoAuthenticator;
 import org.apache.geronimo.tomcat.security.authentication.jaspic.JaspicAuthenticator;
 import org.apache.geronimo.tomcat.security.authentication.jaspic.JaspicCallbackHandler;
 import org.apache.geronimo.tomcat.security.impl.GeronimoIdentityService;
@@ -176,6 +177,8 @@ public abstract class BaseGeronimoContex
             authenticator = new FormAuthenticator(loginService, unauthenticatedIdentity,
loginPage, errorPage);
         } else if ("GENERIC".equalsIgnoreCase(authMethod)) {
             authenticator = new GenericHeaderAuthenticator(loginService, unauthenticatedIdentity);
+        } else if ("SPNEGO".equalsIgnoreCase(authMethod)) {
+            authenticator = new SpnegoAuthenticator(loginService, realmName, unauthenticatedIdentity);
 
         } else {
             authenticator = new NoneAuthenticator(unauthenticatedIdentity);
         }
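Review bot: The new SPNEGO arm leaves a blank line between `authenticator = new SpnegoAuthenticator(loginService, realmName, unauthenticatedIdentity);` and `} else {`, which breaks the rhythm of the else-if chain; remove it so the branch reads like the GENERIC and FORM arms above. Note that `realmName` is only consumed by the new authenticator when it falls back to a Basic challenge, where a null value makes it advertise host:port as the realm, so deployments enabling SPNEGO should still configure it. The enclosing method starts and ends outside the hunk.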

Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java?rev=1147719&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
(added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
Sun Jul 17 23:05:17 2011
@@ -0,0 +1,163 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.geronimo.tomcat.security.authentication;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.Base64;
+import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.Authenticator;
+import org.apache.geronimo.tomcat.security.LoginService;
+import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
+import org.apache.geronimo.tomcat.security.UserIdentity;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.buf.CharChunk;
+import org.apache.tomcat.util.buf.MessageBytes;
+
+/**
+ * A custom authenticator which provides Spnego Login capabilities in Geronimo. In web.xml
use the
+ * <auth-method>SPNEGO</auth-method> to invoke this authenticator.
+ * 
+ */
+public class SpnegoAuthenticator implements Authenticator {
+
+    private static final String SPNEGO_AUTH = "SPNEGO";
+
+    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
+
+    private final LoginService loginService;
+
+    private final String realmName;
+
+    private final UserIdentity unauthenticatedIdentity;
+
+    public SpnegoAuthenticator(LoginService loginService, String realmName, UserIdentity
unauthenticatedIdentity) {
+        this.loginService = loginService;
+        this.realmName = realmName;
+        this.unauthenticatedIdentity = unauthenticatedIdentity;
+    }
+
+    @Override
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean
isAuthMandatory,
+            UserIdentity cachedIdentity) throws ServerAuthException {
+        // FIXME: Is the logics of basic authorization necessary?
+
+        MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
+
+        // Send an "unauthorized" response and an appropriate challenge (SPNEGO)
+        if (authorization == null) {
+            if (isAuthMandatory) {
+                response.addHeader(WWW_AUTHENTICATE, "Negotiate");
+                try {
+                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+                } catch (IOException e) {
+                    throw new ServerAuthException(e);
+                }
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
+            }
+            return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
+        }
+
+        // Validate any credentials already included with this request
+        String username = null;
+        String password = null;
+
+        authorization.toBytes();
+        ByteChunk authorizationBC = authorization.getByteChunk();
+        if (authorizationBC.startsWithIgnoreCase("basic ", 0)) { // Basic authorization
+            authorizationBC.setOffset(authorizationBC.getOffset() + 6);
+            // FIXME: Add trimming
+            // authorizationBC.trim();
+
+            CharChunk authorizationCC = authorization.getCharChunk();
+            Base64.decode(authorizationBC, authorizationCC);
+
+            // Get username and password
+            int colon = authorizationCC.indexOf(':');
+            if (colon < 0) {
+                username = authorizationCC.toString();
+            } else {
+                char[] buf = authorizationCC.getBuffer();
+                username = new String(buf, 0, colon);
+                password = new String(buf, colon + 1, authorizationCC.getEnd() - colon -
1);
+            }
+
+            authorizationBC.setOffset(authorizationBC.getOffset() - 6);
+        } else if (authorizationBC.startsWithIgnoreCase("negotiate ", 0)) { // Spnego authorization
+            authorizationBC.setOffset(authorizationBC.getOffset() + 10);
+            username = authorizationBC.toString();
+            authorizationBC.setOffset(authorizationBC.getOffset() - 10);
+        }
+
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
+        }
+
+        // Send an "unauthorized" response and an appropriate challenge (BASIC)
+        if (isAuthMandatory) {
+            try {
+                StringBuilder authenticateCC = new StringBuilder();
+                authenticateCC.append("Basic realm=\"");
+                if (realmName == null) {
+                    authenticateCC.append(request.getServerName());
+                    authenticateCC.append(':');
+                    authenticateCC.append(Integer.toString(request.getServerPort()));
+                } else {
+                    authenticateCC.append(realmName);
+                }
+                authenticateCC.append('\"');
+                response.addHeader(WWW_AUTHENTICATE, authenticateCC.toString());
+                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
+            } catch (IOException e) {
+                throw new ServerAuthException(e);
+            }
+        }
+
+        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
+    }
+
+    @Override
+    public boolean secureResponse(Request request, Response response, AuthResult authResult)
throws ServerAuthException {
+        return true;
+    }
+
+    @Override
+    public String getAuthType() {
+        return SPNEGO_AUTH;
+    }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException
{
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
+        }
+        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+    }
+
+    @Override
+    public void logout(Request request) throws ServletException {
+    }
+
+}
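Review bot: When a Negotiate token is rejected by `loginService.login`, the mandatory-auth branch at the end of validateRequest answers with `WWW-Authenticate: Basic realm="..."` instead of `Negotiate`, so a client whose Kerberos ticket fails (or an attacker who can make it fail) is steered into sending a base64-encoded password, and nothing checks `request.isSecure()` before asking for it. Since this authenticator is selected by `<auth-method>SPNEGO</auth-method>`, the re-challenge should be `Negotiate`, with Basic offered only behind an explicit configuration switch (e.g. a new `allowBasicFallback` constructor argument) and only on a TLS connection, moving the realm-building into a private `basicChallenge` helper; that would also resolve the open `// FIXME: Is the logics of basic authorization necessary?`. Separately, an Authorization header with any other scheme leaves `username` null yet still calls `loginService.login(null, null)`; guard that so unrecognised schemes go straight to the challenge. The Negotiate branch hands the raw token to the login service as the username, which presumably relies on SpnegoLoginModule to run the GSS-API exchange; if so, a comment stating that contract would help the next reader.
```java
        // … unchanged: Authorization header parsing into username/password …

        // Do not hit the login service with an empty principal for an unknown scheme.
        UserIdentity userIdentity = username == null ? null : loginService.login(username, password);
        if (userIdentity != null) {
            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
        }

        if (isAuthMandatory) {
            try {
                // Re-challenge with Negotiate; Basic would carry the password on the wire,
                // so only offer it when explicitly enabled and the connection is TLS.
                response.addHeader(WWW_AUTHENTICATE, "Negotiate");
                if (allowBasicFallback && request.isSecure()) {
                    response.addHeader(WWW_AUTHENTICATE, basicChallenge(request));
                }
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
            } catch (IOException e) {
                throw new ServerAuthException(e);
            }
        }
        // … unchanged: non-mandatory fall-through returning unauthenticatedIdentity …
```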

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/SpnegoAuthenticator.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain


