From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup Authenticators.properties
Date Tue, 12 Sep 2000 00:10:17 GMT
craigmcc    00/09/11 17:10:16

  Modified:    catalina/src/conf server.xml
               catalina/src/share/org/apache/catalina/authenticator
                        LocalStrings.properties
               catalina/src/share/org/apache/catalina/startup
                        Authenticators.properties
  Added:       catalina/src/share/org/apache/catalina/authenticator
                        SSLAuthenticator.java
  Log:
  Add the initial version of an authenticator for Tomcat 4.0 that implements
  the CLIENT-CERT authentication method.  The following issues remain:
  
  * The chain of certificates returned by JSSE 1.0.2 (which this was tested
    with) implement the javax.security.cert.X509Certificate interface, but
    this does NOT appear to extend java.security.cert.X509Certificate.
    Therefore, the chain of certificates exposed as a request attribute
    ("javax.servlet.request.X509Certificate") is not of the type required
    by the servlet spec.  This is under investigation with the JSSE folks.
  
  * The certificate chain is checked for validity (i.e. that today falls
    within each certificate's validity period), but it is not "verified":
    no signatures are checked and the chain is not anchored to a trusted
    CA.  Some of the JSSE documentation implies that this is done
    automatically during the SSL handshake, but this has not been
    confirmed.  Also, due to the base interface discrepancy noted above,
    you apparently cannot use a JSSE TrustManager to verify the chain
    against a key store database.
  
  * This authenticator class only concerns itself with *identifying* the
    client; not authorizing access to resources.  For that, you still need
    to configure a realm.  The username that should be defined in the Realm
    is the value returned by:
  
  	certs[0].getSubjectDN().getName()
  
    (in other words, the principal name of the subject of the first
    certificate in the chain).  It may be that some other mechanism for
    tying a client identity to a set of roles would be more useful.
  
  Revision  Changes    Path
  1.6       +1 -1      jakarta-tomcat-4.0/catalina/src/conf/server.xml
  
  Index: server.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/server.xml,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- server.xml	2000/09/08 22:29:33	1.5
  +++ server.xml	2000/09/12 00:10:06	1.6
  @@ -104,7 +104,7 @@
   <!--
         <Context path="/examples" docBase="examples" debug="0"
                  reloadable="true">
  -	<Logger className="org.apache.tomcat.logger.FileLogger"
  +	<Logger className="org.apache.catalina.logger.FileLogger"
   	        prefix="localhost_examples_log." suffix=".txt"
   		timestamp="true"/>
         </Context>
  
  
  
  1.2       +4 -0      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/LocalStrings.properties
  
  Index: LocalStrings.properties
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/LocalStrings.properties,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- LocalStrings.properties	2000/08/11 22:39:38	1.1
  +++ LocalStrings.properties	2000/09/12 00:10:09	1.2
  @@ -1,5 +1,9 @@
   authenticator.alreadyStarted=Security Interceptor has already been started
  +authenticator.certificates=No client certificate chain in this request
   authenticator.forbidden=Access to the requested resource has been denied
  +authenticator.invalid=Invalid client certificate chain in this request
  +authenticator.keystore=Exception loading key store
  +authenticator.manager=Exception initializing trust managers
   authenticator.notAuthenticated=Configuration error:  Cannot perform access control without
an authenticated principal
   authenticator.notContext=Configuration error:  Must be attached to a Context
   authenticator.notStarted=Security Interceptor has not yet been started
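Review bot: The two new keys `authenticator.keystore` and `authenticator.manager` have no consumer in this commit: SSLAuthenticator.start() only calls super.start() and loads neither a key store nor trust managers, so these are dead strings for now. If they are placeholders for the trust-store verification the log describes as still open, a comment in the file saying so, e.g. `# keystore/manager: reserved for SSLAuthenticator trust-store initialisation (not yet implemented)`, would stop a reader from assuming those error paths exist. The wrapped `authenticator.notAuthenticated` context line on the two lines above appears to be an artifact of the archive rendering rather than a change in this hunk.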
  
  
  
  1.1                  jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java
  
  Index: SSLAuthenticator.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java,v
1.1 2000/09/12 00:10:10 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/09/12 00:10:10 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:
   *       "This product includes software developed by the
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */
  
  
  package org.apache.catalina.authenticator;
  
  
  import java.io.IOException;
  import java.security.Principal;
  import javax.security.cert.X509Certificate;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import org.apache.catalina.Globals;
  import org.apache.catalina.HttpRequest;
  import org.apache.catalina.HttpResponse;
  import org.apache.catalina.Lifecycle;
  import org.apache.catalina.LifecycleException;
  import org.apache.catalina.Realm;
  import org.apache.catalina.Session;
  import org.apache.catalina.deploy.LoginConfig;
  
  
  
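  /**
   * An <b>Authenticator</b> and <b>Valve</b> implementation of authentication
   * that utilizes SSL certificates to identify client users (the
   * <code>CLIENT-CERT</code> login method).
   * <p>
   * SECURITY NOTE: this valve only <i>identifies</i> the client.  The sole
   * check it performs on the certificate chain is <code>checkValidity()</code>
   * on each certificate, i.e. that the current date lies within its validity
   * period.  Signatures are NOT verified and the chain is NOT anchored to a
   * trust store, so any chain that reaches this valve is taken at face value.
   * It must therefore be deployed only behind an SSL connector that requires
   * client authentication and verifies the client chain against a trust store
   * during the handshake; otherwise a self-signed certificate carrying an
   * arbitrary subject DN would be accepted as that identity.  Authorization
   * (mapping the subject DN to roles) is still the job of the configured
   * Realm.
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/09/12 00:10:10 $
   */

  public final class SSLAuthenticator
      extends AuthenticatorBase {


      // ------------------------------------------------------------- Properties


      /**
       * Descriptive information about this implementation.
       */
      private static final String info =
          "org.apache.catalina.authenticator.SSLAuthenticator/1.0";


      /**
       * Return descriptive information about this Valve implementation.
       *
       * @return the implementation name and version string
       */
      public String getInfo() {

          return (info);

      }


      // --------------------------------------------------------- Public Methods


      /**
       * Authenticate the user by checking for the existence of a certificate
       * chain (which should have been made visible by an instance of
       * <code>CertificatesValve</code>) under the
       * <code>Globals.CERTIFICATES_ATTR</code> request attribute.  The subject
       * of the first (leaf) certificate in the chain becomes the request's user
       * Principal, recorded with auth type <code>Constants.CERT_METHOD</code>.
       * <p>
       * Only the validity period of each certificate is checked here; see the
       * class comment for why trust verification must happen in the SSL layer.
       * <p>
       * When <code>cache</code> is enabled, a Principal already stored in the
       * session is reused only if this request presents no chain or presents a
       * chain whose leaf subject name equals the cached Principal's name.  A
       * different subject forces re-authentication, so a client that switches
       * certificates within the SSL session cannot keep its previous identity.
       *
       * @param request Request we are processing
       * @param response Response we are creating
       * @param config Login configuration describing how authentication
       *               should be performed; not consulted by this
       *               implementation (CLIENT-CERT has no realm name or login
       *               page to use)
       *
       * @return <code>true</code> if the request now carries an authenticated
       *  Principal, <code>false</code> if an error response has been sent
       *
       * @exception IOException if an input/output error occurs
       */
      public boolean authenticate(HttpRequest request,
                                  HttpResponse response,
                                  LoginConfig config)
          throws IOException {

          HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
          HttpServletResponse hres =
              (HttpServletResponse) response.getResponse();

          // Have we already authenticated someone?
          Principal principal = hreq.getUserPrincipal();
          if (principal != null)
              return (true);

          // Retrieve the certificate chain for this client.  A missing, empty
          // or wrongly-typed attribute (e.g. the java.security.cert flavour
          // required by the servlet spec, see the commit log) yields null
          // instead of escaping as a ClassCastException.
          if (debug >= 1)
              log(" Looking up certificates");
          X509Certificate[] certs = lookupCertificates(hreq);

          // Have we got a cached authenticated Principal?  Reuse it only if it
          // is consistent with the chain presented on this request.
          Session session = null;
          if (cache)
              session = getSession(request);
          if (session != null) {
              Principal cached = session.getPrincipal();
              if (cached != null) {
                  if (matchesSubject(cached, certs)) {
                      request.setAuthType(Constants.CERT_METHOD);
                      request.setUserPrincipal(cached);
                      return (true);
                  }
                  if (debug >= 1)
                      log("  Cached principal does not match presented " +
                          "certificate; re-authenticating");
              }
          }

          // No chain at all: refuse.  (A missing client certificate is really
          // an authentication failure; the 400 status is kept for
          // compatibility with the original behaviour.)
          if (certs == null) {
              if (debug >= 1)
                  log("  No certificates included with this request");
              hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                             sm.getString("authenticator.certificates"));
              return (false);
          }

          // Check the validity period of each certificate in the chain.  This
          // is NOT a trust check (see the class comment).  checkValidity()
          // declares CertificateExpiredException and
          // CertificateNotYetValidException; Exception is caught deliberately
          // so that anything unexpected from the provider fails closed with a
          // 403 rather than escaping the valve.
          for (int i = 0; i < certs.length; i++) {
              if (debug >= 1)
                  log(" Checking validity for '" + subjectName(certs[i]) + "'");
              try {
                  certs[i].checkValidity();
              } catch (Exception e) {
                  if (debug >= 1)
                      log("  Validity exception", e);
                  hres.sendError(HttpServletResponse.SC_FORBIDDEN,
                                 sm.getString("authenticator.invalid"));
                  return (false);
              }
          }

          // The identity is the subject of the leaf certificate.  A leaf with
          // no subject DN cannot be used as an identity (and would otherwise
          // NPE below), so it is rejected as an invalid chain.
          principal = certs[0].getSubjectDN();
          if (principal == null) {
              if (debug >= 1)
                  log("  Leaf certificate has no subject DN");
              hres.sendError(HttpServletResponse.SC_FORBIDDEN,
                             sm.getString("authenticator.invalid"));
              return (false);
          }

          // Cache the principal (if requested) and record this authentication
          if (debug >= 1)
              log(" Successfully identified '" + principal.getName() + "'");
          request.setAuthType(Constants.CERT_METHOD);
          request.setUserPrincipal(principal);
          if (cache && (session != null))
              session.setPrincipal(principal);
          return (true);

      }


      // ------------------------------------------------------ Lifecycle Methods


      /**
       * Prepare this component for use.  No key store or trust manager is
       * initialized here at present (see the class comment); this merely
       * delegates to the superclass.
       *
       * @exception IllegalStateException if this component has already been
       *  started
       * @exception LifecycleException if this component detects a fatal error
       *  that prevents this component from being used
       */
      public void start() throws LifecycleException {

          super.start();

      }


      /**
       * Gracefully terminate the active use of this component.  Nothing beyond
       * the superclass behaviour is released here, since nothing extra is
       * acquired in <code>start()</code>.
       *
       * @exception IllegalStateException if this component has already been
       *  stopped
       * @exception LifecycleException if this component detects a fatal error
       *  that prevents this component from being used
       */
      public void stop() throws LifecycleException {

          super.stop();

      }


      // ------------------------------------------------------- Private Methods


      /**
       * Return the certificate chain exposed on this request, or
       * <code>null</code> when there is none.  An attribute that is present
       * but not an <code>X509Certificate[]</code>, or an empty array, counts
       * as "no chain" (and is logged at debug level so the type mismatch is
       * visible).
       *
       * @param hreq Servlet request whose attributes are consulted
       */
      private X509Certificate[] lookupCertificates(HttpServletRequest hreq) {

          Object attr = hreq.getAttribute(Globals.CERTIFICATES_ATTR);
          if (attr == null)
              return (null);
          if (!(attr instanceof X509Certificate[])) {
              if (debug >= 1)
                  log("  Certificate attribute has unexpected type " +
                      attr.getClass().getName());
              return (null);
          }
          X509Certificate[] certs = (X509Certificate[]) attr;
          if (certs.length < 1)
              return (null);
          return (certs);

      }


      /**
       * Return <code>true</code> if the cached Principal may be reused for a
       * request presenting <code>certs</code>: either no chain was presented
       * (nothing to compare against, as in the original behaviour) or the
       * leaf certificate's subject name equals the cached Principal's name.
       *
       * @param cached Principal previously stored in the session
       * @param certs Chain presented on this request, or <code>null</code>
       */
      private boolean matchesSubject(Principal cached, X509Certificate[] certs) {

          if (certs == null)
              return (true);
          String presented = subjectName(certs[0]);
          return ((presented != null) && presented.equals(cached.getName()));

      }


      /**
       * Return the subject DN name of a certificate, or <code>null</code> if
       * the certificate reports no subject.
       *
       * @param cert Certificate to inspect
       */
      private static String subjectName(X509Certificate cert) {

          Principal subject = cert.getSubjectDN();
          return ((subject == null) ? null : subject.getName());

      }


  }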
  
  
  
  1.3       +1 -0      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Authenticators.properties
  
  Index: Authenticators.properties
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Authenticators.properties,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- Authenticators.properties	2000/08/21 16:05:40	1.2
  +++ Authenticators.properties	2000/09/12 00:10:12	1.3
  @@ -1,3 +1,4 @@
   BASIC=org.apache.catalina.authenticator.BasicAuthenticator
  +CLIENT-CERT=org.apache.catalina.authenticator.SSLAuthenticator
   DIGEST=org.apache.catalina.authenticator.DigestAuthenticator
   FORM=org.apache.catalina.authenticator.FormAuthenticator
  
  
  
