Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Message-ID: <010801bfb49c$ef355190$2901a8c0@exoffice.com>
From: "Remy Maucherat"
References: <390E5F5E.216B77FB@eng.sun.com>
Subject: [Catalina] [Patch] Basic security
Date: Tue, 2 May 2000 18:14:30 -0700

This patch enables HTTP Basic authentication in Catalina, and fixes a cosmetic issue. Here is a summary of what the patch addresses:

- Fix to the load-on-startup bug (the added function in StandardContext is no longer necessary now)
- Added parsing of the SecurityConstraint and SecurityCollection data structures in ContextConfig
- XML Mapper cannot handle object factories (like SecurityConstraint.createCollection), so SecurityCollection is now a standard JavaBean. I probably could have written a new XMLaction, though ...
- Added support for LoginConfig in the XML
- I use the brand new Xerces Base64 decoder to unencode the HTTP authorization string (original classname: org.apache.xerces.utils.Base64)
- Fixed the memory realm hasRole function (ClassCastException)
- It works :-) HttpServletRequest.getUserPrincipal works, too (tested with Slide / OpenDAV).
- I also include a web.xml patch, which uses the new XML elements Remy =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/conf/web.xml,v retrieving revision 1.5 diff -r1.5 web.xml 47a52,73 > > > tomcat > > > > tomcat > > test > OPTIONS > GET > PROPFIND > /* > > > > > BASIC > tomcat > /login.html > /error.html > =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/core/StandardContext.java,v retrieving revision 1.15 diff -r1.15 StandardContext.java 324a325,342 > * Set the login configuration descriptor for this web application. > * > * @param authMethod Authentication method to use, if any > * @param realmName Realm name to use in security challenges > * @param loginPage Context-relative URI of the login page > * @param errorPage Context-relative URI of the error page > */ > public void setLoginConfig(String authMethod, String realmName, > String loginPage, String errorPage) { > > LoginConfig newLoginConfig = > new LoginConfig(authMethod, realmName, loginPage, errorPage); > setLoginConfig(newLoginConfig); > > } > > > /** =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/core/StandardWrapper.java,v retrieving revision 1.8 diff -r1.8 StandardWrapper.java 278,295d277 < < /** < * This should not be necessary, but XmlMapper does not seem to find < * the version of setLoadOnStartup with an "int" argument. 
< * < * @param value New load-on-startup value < */ < public void setLoadOnStartup(String value) { < < try { < setLoadOnStartup(Integer.parseInt(value)); < } catch (NumberFormatException e) { < setLoadOnStartup(0); < } < < } < < =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/deploy/SecurityCollection.java,v retrieving revision 1.1 diff -r1.1 SecurityCollection.java 107a108,117 > /** > * Construct a new security collection instance without default values. > */ > public SecurityCollection() { > > super(); > > } > > 149a160,189 > * Return the security constraint we are attached to. > */ > public void setConstraint(SecurityConstraint constraint) { > > if (constraint != null) { > > Enumeration patternsList = this.patterns.keys(); > while (patternsList.hasMoreElements()) { > String currentPattern = (String) patternsList.nextElement(); > constraint.removePattern(currentPattern); > } > > } > > this.constraint = constraint; > > if (constraint != null) { > > Enumeration patternsList = this.patterns.keys(); > while (patternsList.hasMoreElements()) { > String currentPattern = (String) patternsList.nextElement(); > constraint.addPattern(currentPattern, this); > } > > } > > } > > > /** 158a199,208 > /** > * Return the name of this web resource collection. 
> */ > public void setName(String name) { > > this.name = name; > > } > > 189c239,241 < constraint.addPattern(pattern, this); --- > if (constraint != null) { > constraint.addPattern(pattern, this); > } 287c339,341 < constraint.removePattern(pattern); --- > if (constraint != null) { > constraint.removePattern(pattern); > } =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/deploy/SecurityConstraint.java,v retrieving revision 1.1 diff -r1.1 SecurityConstraint.java 286c286,288 < // Check all defined patterns --- > System.out.println("Checking " + uri + " with method " + method); > > // Check all defined patterns 357c359 < patterns.put(pattern, collection); --- > patterns.put(pattern, collection); =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/realm/MemoryRealm.java,v retrieving revision 1.3 diff -r1.3 MemoryRealm.java 303a304 > 310a312 > 313,315c315,318 < MemoryRealmPrincipal item = < (MemoryRealmPrincipal) items.nextElement(); < if (name.equals(item.getName())) { --- > String item = > (String) items.nextElement(); > > if (name.equals(item)) { =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/security/HttpBasicAuth.java,v retrieving revision 1.6 diff -r1.6 HttpBasicAuth.java 75a76 > import org.apache.tomcat.util.Base64; 93a95,100 > // -------------------------------------------------------------- Constants > > > private static final Base64 base64Helper = new Base64(); > > 116c123 < // Validate any credentials already included with this request --- > // Validate any credentials already included with this request 120a128,129 > System.out.println("Authorization : " + authorization); > 133a143,144 > System.out.println("Realm name : " + realmName); > 
161c172,173 < String unencoded = authorization; // FIXME - Base64 Decoder needed! --- > String unencoded = new String(base64Helper.decode(authorization.getBytes())); > 166c178,179 < String password = unencoded.substring(colon + 1); --- > // Remove spaces appended at the end of the password (is it a bug ?) > String password = unencoded.substring(colon + 1).trim(); =================================================================== RCS file: /home/cvspublic/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomca t/startup/ContextConfig.java,v retrieving revision 1.6 diff -r1.6 ContextConfig.java 231c231,233 < mapper.addRule("web-app/context-param", --- > mapper.setDebug(999); > > mapper.addRule("web-app/context-param", 269c271,280 < ; // FIXME - web-app/login-config --- > mapper.addRule("web-app/login-config", > mapper.methodSetter("setLoginConfig", 4)); > mapper.addRule("web-app/login-config/auth-method", > mapper.methodParam(0)); > mapper.addRule("web-app/login-config/realm-name", > mapper.methodParam(1)); > mapper.addRule("web-app/login-config/login-page", > mapper.methodParam(2)); > mapper.addRule("web-app/login-config/error-page", > mapper.methodParam(3)); 289c300,321 < ; // FIXME - web-app/security-constraint --- > mapper.addRule("web-app/security-constraint", > mapper.objectCreate("org.apache.tomcat.deploy.SecurityConstraint")); > mapper.addRule("web-app/security-constraint", > mapper.addChild("addConstraint", > "org.apache.tomcat.deploy.SecurityConstraint")); > mapper.addRule("web-app/security-constraint/user-constraint", > mapper.methodSetter("setUserConstraint", 0)); > mapper.addRule("web-app/security-constraint/auth-role", > mapper.methodSetter("addAuthRole", 0)); > mapper.addRule("web-app/security-constraint/security-collection", > mapper.objectCreate("org.apache.tomcat.deploy.SecurityCollection")); > mapper.addRule("web-app/security-constraint/security-collection", > mapper.addChild("addCollection", > "org.apache.tomcat.deploy.SecurityCollection")); 
> mapper.addRule("web-app/security-constraint/security-collection", > mapper.setParent("setConstraint")); > mapper.addRule("web-app/security-constraint/security-collection/name", > mapper.methodSetter("setName", 0)); > mapper.addRule("web-app/security-constraint/security-collection/method", > mapper.methodSetter("addMethod", 0)); > mapper.addRule("web-app/security-constraint/security-collection/pattern", > mapper.methodSetter("addPattern", 0)); 308a341 > String[] argTypes = { "int" }; 310c343 < mapper.methodSetter("setLoadOnStartup", 0)); --- > mapper.methodSetter("setLoadOnStartup", 0, argTypes)); ------=_NextPart_000_0105_01BFB462.42BF9630--
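Review bot: In the web.xml hunk (47a52,73) the collection that appears to be named test lists only OPTIONS, GET and PROPFIND for the pattern /*; if a collection matches only the methods it lists, then POST, PUT, DELETE and the remaining WebDAV methods under /* are not covered and reach the application without the tomcat role. Either drop the method list so every method is constrained, or enumerate every method the application accepts. The entry also reads like a test fixture going into conf/web.xml; consider shipping it commented out.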
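Review bot: In setConstraint (SecurityCollection.java, 149a160,189) the first loop calls constraint.removePattern(currentPattern) on the incoming argument rather than on this.constraint, so the patterns stay registered with the constraint the collection was previously attached to. Guard the first block on this.constraint != null and call this.constraint.removePattern(currentPattern) before the assignment. The Javadoc on this setter and on setName (158a199,208) still begins with "Return"; both should say "Set".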
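Review bot: The System.out.println("Checking " + uri + " with method " + method) added at 286c286,288 of SecurityConstraint.java writes to stdout on every call of this check with no way to switch it off; route it through the component's debug logging or drop it before commit. The 357c359 change in the same file is whitespace only and can be left out of the patch.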
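Review bot: The System.out.println("Authorization : " + authorization) added at 120a128,129 of HttpBasicAuth.java writes the client's Authorization header to stdout, and for Basic authentication that value is the Base64 form of username:password, so anyone who can read the console or its captured log recovers the credentials. Remove the line, or log only that a header was present. The realm name println at 133a143,144 carries no secret but should go through debug logging as well.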
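Review bot: At 161c172,173 of HttpBasicAuth.java both authorization.getBytes() and new String(...) use the platform default charset, so the decoded user name and password can differ between hosts for non-ASCII credentials; pass an explicit charset name to both calls. The result of base64Helper.decode(...) is also used without any check in this hunk, so a header that is not valid Base64 should be treated as a failed login at this point rather than left to whatever the decoder returns or throws.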
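Review bot: trim() at 166c178,179 of HttpBasicAuth.java removes leading as well as trailing whitespace, which is more than the comment describes, and a password that legitimately begins or ends with a space can no longer match. The comment itself asks whether the trailing spaces are a bug; if they come from padding handling in the Base64 decoder, fix it there and compare the password unmodified.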
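Review bot: mapper.setDebug(999) at 231c231,233 of ContextConfig.java looks like leftover debugging and hard-codes a very high debug level for every context that gets configured; remove it before commit or make the level configurable.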