tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp WarpConnector.java
Date Wed, 09 May 2001 23:42:19 GMT
craigmcc    01/05/09 16:42:19

  Modified:    catalina/src/conf server.xml
               catalina/src/share/org/apache/catalina Connector.java
               catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
               catalina/src/share/org/apache/catalina/connector/http
                        HttpConnector.java
               catalina/src/share/org/apache/catalina/connector/http10
                        HttpConnector.java
               catalina/src/share/org/apache/catalina/connector/warp
                        WarpConnector.java
  Log:
  [Servlet 2.3 PFD2, Section 12.8]
  
  If a request is being processed on a non-SSL connection, and is subject to
  a <security-constraint> that includes a transport guarantee requiring SSL,
  automatically redirect the request to a configurable port number (attached
  to the same Tomcat instance) that is listening on SSL.
  
  PR: BugTRAQ #4410795
  
  Revision  Changes    Path
  1.25      +2 -2      jakarta-tomcat-4.0/catalina/src/conf/server.xml
  
  Index: server.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/server.xml,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- server.xml	2001/05/08 05:58:43	1.24
  +++ server.xml	2001/05/09 23:42:04	1.25
  @@ -51,7 +51,7 @@
       <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
       <Connector className="org.apache.catalina.connector.http.HttpConnector"
                  port="8080" minProcessors="5" maxProcessors="75"
  -               enableLookups="true"
  +               enableLookups="true" redirectPort="8443"
                  acceptCount="10" debug="0" connectionTimeout="60000"/>
       <!-- Note : To disable connection timeouts, set connectionTimeout value 
        to -1 -->
  @@ -81,7 +81,7 @@
       <!--
       <Connector className="org.apache.catalina.connector.http10.HttpConnector"
                  port="8082" minProcessors="5" maxProcessors="75"
  -               enableLookups="true"
  +               enableLookups="true" redirectPort="8443"
                  acceptCount="10" debug="0"/>
       -->
   
  
  
  
  1.5       +20 -4     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java
  
  Index: Connector.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Connector.java	2001/05/08 05:58:43	1.4
  +++ Connector.java	2001/05/09 23:42:07	1.5
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v
1.4 2001/05/08 05:58:43 craigmcc Exp $
  - * $Revision: 1.4 $
  - * $Date: 2001/05/08 05:58:43 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v
1.5 2001/05/09 23:42:07 craigmcc Exp $
  + * $Revision: 1.5 $
  + * $Date: 2001/05/09 23:42:07 $
    *
    * ====================================================================
    *
  @@ -117,7 +117,7 @@
    * normative.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.4 $ $Date: 2001/05/08 05:58:43 $
  + * @version $Revision: 1.5 $ $Date: 2001/05/09 23:42:07 $
    */
   
   public interface Connector {
  @@ -174,6 +174,22 @@
        * Return descriptive information about this Connector implementation.
        */
       public String getInfo();
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort();
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort);
   
   
       /**
  
  
  
  1.11      +98 -32    jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- AuthenticatorBase.java	2001/03/30 21:38:47	1.10
  +++ AuthenticatorBase.java	2001/05/09 23:42:10	1.11
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
1.10 2001/03/30 21:38:47 craigmcc Exp $
  - * $Revision: 1.10 $
  - * $Date: 2001/03/30 21:38:47 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
1.11 2001/05/09 23:42:10 craigmcc Exp $
  + * $Revision: 1.11 $
  + * $Date: 2001/05/09 23:42:10 $
    *
    * ====================================================================
    *
  @@ -66,6 +66,8 @@
   
   
   import java.io.IOException;
  +import java.net.MalformedURLException;
  +import java.net.URL;
   import java.security.MessageDigest;
   import java.security.NoSuchAlgorithmException;
   import java.security.Principal;
  @@ -118,7 +120,7 @@
    * requests.  Requests of any other type will simply be passed through.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.10 $ $Date: 2001/03/30 21:38:47 $
  + * @version $Revision: 1.11 $ $Date: 2001/05/09 23:42:10 $
    */
   
   
  @@ -168,7 +170,7 @@
       /**
        * The debugging detail level for this component.
        */
  -    protected int debug = 0;
  +    protected int debug = 99;
   
   
       /**
  @@ -473,32 +475,41 @@
   	    log(" Subject to constraint " + constraint);
   
   	// Enforce any user data constraint for this security constraint
  +        if (debug >= 1)
  +            log(" Calling checkUserData()");
   	if (!checkUserData(hrequest, hresponse, constraint)) {
   	    if (debug >= 1)
   	        log(" Failed checkUserData() test");
  -            ((HttpServletResponse) hresponse.getResponse()).sendError
  -                (HttpServletResponse.SC_FORBIDDEN,
  -                 ((HttpServletRequest) hrequest.getRequest()).getRequestURI());
  -	    return;
  -	}
  -
  -	// Authenticate based upon the specified login configuration
  -	if (!authenticate(hrequest, hresponse, config)) {
  -	    if (debug >= 1)
  -	        log(" Failed authenticate() test");
               // ASSERT: Authenticator already set the appropriate
               // HTTP status code, so we do not have to do anything special
   	    return;
   	}
   
  +	// Authenticate based upon the specified login configuration
  +        if (constraint.getAuthConstraint()) {
  +            if (debug >= 1)
  +                log(" Calling authenticate()");
  +            if (!authenticate(hrequest, hresponse, config)) {
  +                if (debug >= 1)
  +                    log(" Failed authenticate() test");
  +                // ASSERT: Authenticator already set the appropriate
  +                // HTTP status code, so we do not have to do anything special
  +                return;
  +            }
  +        }
  +
   	// Perform access control based on the specified role(s)
  -	if (!accessControl(hrequest, hresponse, constraint)) {
  -	    if (debug >= 1)
  -	        log(" Failed accessControl() test");
  -            // ASSERT: Access control method has already set the appropriate
  -            // HTTP status code, so we do not have to do anything special
  -	    return;
  -	}
  +        if (constraint.getAuthConstraint()) {
  +            if (debug >= 1)
  +                log(" Calling accessControl()");
  +            if (!accessControl(hrequest, hresponse, constraint)) {
  +                if (debug >= 1)
  +                    log(" Failed accessControl() test");
  +                // ASSERT: AccessControl method has already set the appropriate
  +                // HTTP status code, so we do not have to do anything special
  +                return;
  +            }
  +        }
   
   	// Any and all specified constraints have been satisfied
   	if (debug >= 1)
  @@ -630,22 +641,77 @@
   	throws IOException {
   
   	// Is there a relevant user data constraint?
  -	if (constraint == null)
  +	if (constraint == null) {
  +            if (debug >= 2)
  +		log("  No applicable security constraint defined");
   	    return (true);
  +        }
   	String userConstraint = constraint.getUserConstraint();
  -	if (userConstraint == null)
  +	if (userConstraint == null) {
  +            if (debug >= 2)
  +		log("  No applicable user data constraint defined");
   	    return (true);
  -	if (userConstraint.equals(Constants.NONE_TRANSPORT))
  +        }
  +	if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
  +            if (debug >= 2)
  +                log("  User data constraint has no restrictions");
   	    return (true);
  +        }
   
   	// Validate the request against the user data constraint
  -	if (!request.getRequest().isSecure()) {
  -	    ((HttpServletResponse) response.getResponse()).sendError
  -		(HttpServletResponse.SC_BAD_REQUEST,
  -		 sm.getString("authenticator.userDataConstraint"));
  -	    return (false);
  -	}
  -	return (true);
  +	if (request.getRequest().isSecure()) {
  +            if (debug >= 2)
  +                log("  User data constraint already satisfied");
  +            return (true);
  +        }
  +
  +        // Initialize variables we need to determine the appropriate action
  +        HttpServletRequest hrequest =
  +            (HttpServletRequest) request.getRequest();
  +        HttpServletResponse hresponse =
  +            (HttpServletResponse) response.getResponse();
  +        int redirectPort = request.getConnector().getRedirectPort();
  +
  +        // Is redirecting disabled?
  +        if (redirectPort <= 0) {
  +            if (debug >= 2)
  +                log("  SSL redirect is disabled");
  +            hresponse.sendError
  +                (HttpServletResponse.SC_FORBIDDEN,
  +                 hrequest.getRequestURI());
  +            return (false);
  +        }
  +
  +        // Redirect to the corresponding SSL port
  +        String protocol = "https";
  +        String host = hrequest.getServerName();
  +        StringBuffer file = new StringBuffer(hrequest.getRequestURI());
  +        String requestedSessionId = hrequest.getRequestedSessionId();
  +        if ((requestedSessionId != null) &&
  +            hrequest.isRequestedSessionIdFromURL()) {
  +            file.append(";jsessionid=");
  +            file.append(requestedSessionId);
  +        }
  +        String queryString = hrequest.getQueryString();
  +        if (queryString != null) {
  +            file.append('?');
  +            file.append(queryString);
  +        }
  +        URL url = null;
  +        try {
  +            url = new URL(protocol, host, redirectPort, file.toString());
  +            if (debug >= 2)
  +                log("  Redirecting to " + url.toString());
  +            hresponse.sendRedirect(url.toString());
  +            return (false);
  +        } catch (MalformedURLException e) {
  +            if (debug >= 2)
  +                log("  Cannot create new URL", e);
  +            hresponse.sendError
  +                (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  +                 hrequest.getRequestURI());
  +            return (false);
  +        }
   
       }
   
  
  
  
  1.15      +34 -4     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java
  
  Index: HttpConnector.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- HttpConnector.java	2001/05/08 05:58:44	1.14
  +++ HttpConnector.java	2001/05/09 23:42:12	1.15
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
1.14 2001/05/08 05:58:44 craigmcc Exp $
  - * $Revision: 1.14 $
  - * $Date: 2001/05/08 05:58:44 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
1.15 2001/05/09 23:42:12 craigmcc Exp $
  + * $Revision: 1.15 $
  + * $Date: 2001/05/09 23:42:12 $
    *
    * ====================================================================
    *
  @@ -95,7 +95,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.14 $ $Date: 2001/05/08 05:58:44 $
  + * @version $Revision: 1.15 $ $Date: 2001/05/09 23:42:12 $
    */
   
   
  @@ -225,6 +225,12 @@
   
   
       /**
  +     * The redirect port for non-SSL to SSL redirects.
  +     */
  +    private int redirectPort = 443;
  +
  +
  +    /**
        * The request scheme that will be set on all requests received
        * through this connector.
        */
  @@ -631,6 +637,30 @@
       public void setProxyPort(int proxyPort) {
   
           this.proxyPort = proxyPort;
  +
  +    }
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +
  +        return (this.redirectPort);
  +
  +    }
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +
  +        this.redirectPort = redirectPort;
   
       }
   
  
  
  
  1.6       +34 -4     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java
  
  Index: HttpConnector.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- HttpConnector.java	2001/05/08 05:58:44	1.5
  +++ HttpConnector.java	2001/05/09 23:42:14	1.6
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
1.5 2001/05/08 05:58:44 craigmcc Exp $
  - * $Revision: 1.5 $
  - * $Date: 2001/05/08 05:58:44 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
1.6 2001/05/09 23:42:14 craigmcc Exp $
  + * $Revision: 1.6 $
  + * $Date: 2001/05/09 23:42:14 $
    *
    * ====================================================================
    *
  @@ -94,7 +94,7 @@
    * purposes.  Not intended to be the final solution.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.5 $ $Date: 2001/05/08 05:58:44 $
  + * @version $Revision: 1.6 $ $Date: 2001/05/09 23:42:14 $
    */
   
   
  @@ -224,6 +224,12 @@
   
   
       /**
  +     * The redirect port for non-SSL to SSL redirects.
  +     */
  +    private int redirectPort = 443;
  +
  +
  +    /**
        * The request scheme that will be set on all requests received
        * through this connector.
        */
  @@ -602,6 +608,30 @@
       public void setProxyPort(int proxyPort) {
   
           this.proxyPort = proxyPort;
  +
  +    }
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +
  +        return (this.redirectPort);
  +
  +    }
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +
  +        this.redirectPort = redirectPort;
   
       }
   
  
  
  
  1.11      +21 -1     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java
  
  Index: WarpConnector.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- WarpConnector.java	2001/05/08 05:58:44	1.10
  +++ WarpConnector.java	2001/05/09 23:42:17	1.11
  @@ -78,7 +78,7 @@
    * @author <a href="mailto:pier.fumagalli@eng.sun.com">Pier Fumagalli</a>
    * @author Copyright &copy; 1999, 2000 <a href="http://www.apache.org">The
    *         Apache Software Foundation.
  - * @version CVS $Id: WarpConnector.java,v 1.10 2001/05/08 05:58:44 craigmcc Exp $
  + * @version CVS $Id: WarpConnector.java,v 1.11 2001/05/09 23:42:17 craigmcc Exp $
    */
   public class WarpConnector implements Connector, Lifecycle, Runnable {
   
  @@ -104,6 +104,8 @@
   
       // -------------------------------------------------------- BEAN PROPERTIES
   
  +    /** The port to which non-SSL requests should be redirected for SSL */
  +    private int redirectPort = 443;
       /** Wether requests received through this connector are secure. */
       private boolean secure=false;
       /** The scheme to be set on requests received through this connector. */
  @@ -241,6 +243,24 @@
       }
   
       // ----------------------------------------------------------- BEAN METHODS
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +        return (this.redirectPort);
  +    }
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +        this.redirectPort = redirectPort;
  +    }
   
       /**
        * Return the secure connection flag that will be assigned to requests
  
  
  

Mime
View raw message