Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org Received: (qmail 35722 invoked by uid 500); 9 May 2001 23:42:24 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Reply-To: tomcat-dev@jakarta.apache.org Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 35712 invoked by uid 500); 9 May 2001 23:42:21 -0000 Delivered-To: apmail-jakarta-tomcat-4.0-cvs@apache.org Date: 9 May 2001 23:42:19 -0000 Message-ID: <20010509234219.35702.qmail@apache.org> From: craigmcc@apache.org To: jakarta-tomcat-4.0-cvs@apache.org Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp WarpConnector.java craigmcc 01/05/09 16:42:19 Modified: catalina/src/conf server.xml catalina/src/share/org/apache/catalina Connector.java catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java catalina/src/share/org/apache/catalina/connector/http HttpConnector.java catalina/src/share/org/apache/catalina/connector/http10 HttpConnector.java catalina/src/share/org/apache/catalina/connector/warp WarpConnector.java Log: [Servlet 2.3 PFD2, Section 12.8] If a request is being processed on a non-SSL connection, and is subject to a that includes a transport guarantee requiring SSL, automatically redirect the request to a configurable port number (attached to the same Tomcat instance) that is listening on SSL. PR: BugTRAQ #4410795 Revision Changes Path 1.25 +2 -2 jakarta-tomcat-4.0/catalina/src/conf/server.xml Index: server.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/server.xml,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- server.xml 2001/05/08 05:58:43 1.24 +++ server.xml 2001/05/09 23:42:04 1.25 @@ -51,7 +51,7 @@ 
@@ -81,7 +81,7 @@ 1.5 +20 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java Index: Connector.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- Connector.java 2001/05/08 05:58:43 1.4 +++ Connector.java 2001/05/09 23:42:07 1.5 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v 1.4 2001/05/08 05:58:43 craigmcc Exp $ - * $Revision: 1.4 $ - * $Date: 2001/05/08 05:58:43 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v 1.5 2001/05/09 23:42:07 craigmcc Exp $ + * $Revision: 1.5 $ + * $Date: 2001/05/09 23:42:07 $ * * ==================================================================== * @@ -117,7 +117,7 @@ * normative. * * @author Craig R. McClanahan - * @version $Revision: 1.4 $ $Date: 2001/05/08 05:58:43 $ + * @version $Revision: 1.5 $ $Date: 2001/05/09 23:42:07 $ */ public interface Connector { 
@@ -174,6 +174,22 @@ * Return descriptive information about this Connector implementation. */ public String getInfo(); + + + /** + * Return the port number to which a request should be redirected if + * it comes in on a non-SSL port and is subject to a security constraint + * with a transport guarantee that requires SSL. + */ + public int getRedirectPort(); + + + /** + * Set the redirect port number. + * + * @param redirectPort The redirect port number (non-SSL to SSL) + */ + public void setRedirectPort(int redirectPort); /** 1.11 +98 -32 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Index: AuthenticatorBase.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- AuthenticatorBase.java 2001/03/30 21:38:47 1.10 +++ AuthenticatorBase.java 2001/05/09 23:42:10 1.11 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v 1.10 2001/03/30 21:38:47 craigmcc Exp $ - * $Revision: 1.10 $ - * $Date: 2001/03/30 21:38:47 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v 1.11 2001/05/09 23:42:10 craigmcc Exp $ + * $Revision: 1.11 $ + * $Date: 2001/05/09 23:42:10 $ * * ==================================================================== * @@ -66,6 +66,8 @@ import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.Principal; 
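Review bot: The Javadoc added for getRedirectPort() on the Connector interface does not say what a non-positive value means, while the checkUserData() hunk in AuthenticatorBase treats `redirectPort <= 0` as "redirect disabled" and answers with a 403 instead, and all three connector implementations in this commit default the field to 443. Anyone implementing or configuring a Connector needs that contract on the interface, not buried in the authenticator; add to the getter's Javadoc `* A value of zero or less disables the redirect (a 403 is sent instead); implementations default to 443.` and repeat the sentence in the `@param` of setRedirectPort().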
@@ -118,7 +120,7 @@ * requests. Requests of any other type will simply be passed through. * * @author Craig R. McClanahan - * @version $Revision: 1.10 $ $Date: 2001/03/30 21:38:47 $ + * @version $Revision: 1.11 $ $Date: 2001/05/09 23:42:10 $ */ @@ -168,7 +170,7 @@ /** * The debugging detail level for this component. */ - protected int debug = 0; + protected int debug = 99; /** 
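Review bot: The default debugging level in the second hunk goes from 0 to 99, which looks like a leftover from developing this change rather than an intended default. With that value every request that matches a security constraint emits the new `debug >= 1` and `debug >= 2` log lines added later in this commit, including the " Redirecting to " line that prints the full redirect URL and any `;jsessionid=` it carries. Restore `protected int debug = 0;` and leave the level to per-deployment configuration.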
@@ -473,32 +475,41 @@ log(" Subject to constraint " + constraint); // Enforce any user data constraint for this security constraint + if (debug >= 1) + log(" Calling checkUserData()"); if (!checkUserData(hrequest, hresponse, constraint)) { if (debug >= 1) log(" Failed checkUserData() test"); - ((HttpServletResponse) hresponse.getResponse()).sendError - (HttpServletResponse.SC_FORBIDDEN, - ((HttpServletRequest) hrequest.getRequest()).getRequestURI()); - return; - } - - // Authenticate based upon the specified login configuration - if (!authenticate(hrequest, hresponse, config)) { - if (debug >= 1) - log(" Failed authenticate() test"); // ASSERT: Authenticator already set the appropriate // HTTP status code, so we do not have to do anything special return; } + // Authenticate based upon the specified login configuration + if (constraint.getAuthConstraint()) { + if (debug >= 1) + log(" Calling authenticate()"); + if (!authenticate(hrequest, hresponse, config)) { + if (debug >= 1) + log(" Failed authenticate() test"); + // ASSERT: Authenticator already set the appropriate + // HTTP status code, so we do not have to do anything special + return; + } + } + // Perform access control based on the specified role(s) - if (!accessControl(hrequest, hresponse, constraint)) { - if (debug >= 1) - log(" Failed accessControl() test"); - // ASSERT: Access control method has already set the appropriate - // HTTP status code, so we do not have to do anything special - return; - } + if (constraint.getAuthConstraint()) { + if (debug >= 1) + log(" Calling accessControl()"); + if (!accessControl(hrequest, hresponse, constraint)) { + if (debug >= 1) + log(" Failed accessControl() test"); + // ASSERT: AccessControl method has already set the appropriate + // HTTP status code, so we do not have to do anything special + return; + } + } // Any and all specified constraints have been satisfied if (debug >= 1) 
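Review bot: The comment kept after the checkUserData() failure branch still reads `// ASSERT: Authenticator already set the appropriate`, but after this change that branch is about checkUserData(), which now sends either the 403 or the SSL redirect itself; reword it to `// ASSERT: checkUserData() already sent the error or the SSL redirect`. Separately, authenticate() and accessControl() are wrapped in two consecutive identical `if (constraint.getAuthConstraint())` blocks; a single block holding both calls reads more clearly and makes it obvious that authentication and role checking are skipped together only when no auth-constraint is present. The enclosing method starts and ends outside the hunk.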
@@ -630,22 +641,77 @@ throws IOException { // Is there a relevant user data constraint? - if (constraint == null) + if (constraint == null) { + if (debug >= 2) + log(" No applicable security constraint defined"); return (true); + } String userConstraint = constraint.getUserConstraint(); - if (userConstraint == null) + if (userConstraint == null) { + if (debug >= 2) + log(" No applicable user data constraint defined"); return (true); - if (userConstraint.equals(Constants.NONE_TRANSPORT)) + } + if (userConstraint.equals(Constants.NONE_TRANSPORT)) { + if (debug >= 2) + log(" User data constraint has no restrictions"); return (true); + } // Validate the request against the user data constraint - if (!request.getRequest().isSecure()) { - ((HttpServletResponse) response.getResponse()).sendError - (HttpServletResponse.SC_BAD_REQUEST, - sm.getString("authenticator.userDataConstraint")); - return (false); - } - return (true); + if (request.getRequest().isSecure()) { + if (debug >= 2) + log(" User data constraint already satisfied"); + return (true); + } + + // Initialize variables we need to determine the appropriate action + HttpServletRequest hrequest = + (HttpServletRequest) request.getRequest(); + HttpServletResponse hresponse = + (HttpServletResponse) response.getResponse(); + int redirectPort = request.getConnector().getRedirectPort(); + + // Is redirecting disabled? 
+ if (redirectPort <= 0) { + if (debug >= 2) + log(" SSL redirect is disabled"); + hresponse.sendError + (HttpServletResponse.SC_FORBIDDEN, + hrequest.getRequestURI()); + return (false); + } + + // Redirect to the corresponding SSL port + String protocol = "https"; + String host = hrequest.getServerName(); + StringBuffer file = new StringBuffer(hrequest.getRequestURI()); + String requestedSessionId = hrequest.getRequestedSessionId(); + if ((requestedSessionId != null) && + hrequest.isRequestedSessionIdFromURL()) { + file.append(";jsessionid="); + file.append(requestedSessionId); + } + String queryString = hrequest.getQueryString(); + if (queryString != null) { + file.append('?'); + file.append(queryString); + } + URL url = null; + try { + url = new URL(protocol, host, redirectPort, file.toString()); + if (debug >= 2) + log(" Redirecting to " + url.toString()); + hresponse.sendRedirect(url.toString()); + return (false); + } catch (MalformedURLException e) { + if (debug >= 2) + log(" Cannot create new URL", e); + hresponse.sendError + (HttpServletResponse.SC_INTERNAL_SERVER_ERROR, + hrequest.getRequestURI()); + return (false); + } } 1.15 +34 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java Index: HttpConnector.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- HttpConnector.java 2001/05/08 05:58:44 1.14 +++ HttpConnector.java 2001/05/09 23:42:12 1.15 
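Review bot: The redirect host in the new checkUserData() body comes from `hrequest.getServerName()`, which presumably reflects the request's Host header rather than a configured name, so a request carrying an unexpected Host value is redirected to that host instead of to "the same Tomcat instance" the commit message describes. Before building the URL the host should be compared with the connector's configured server or proxy name (or the URL built from that name directly), with a mismatch handled the same way as the `redirectPort <= 0` case. Two smaller points: `sendRedirect()` turns a POST into a GET and drops the body, which nothing here documents, so a comment noting that SSL-required POST requests are not replayed would help; and the `debug >= 2` log of `url.toString()` writes any URL-carried `;jsessionid=` value into the log, so log the request URI rather than the full URL. The hunk begins in the previous source line and the method signature is outside it.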
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v 1.14 2001/05/08 05:58:44 craigmcc Exp $ - * $Revision: 1.14 $ - * $Date: 2001/05/08 05:58:44 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v 1.15 2001/05/09 23:42:12 craigmcc Exp $ + * $Revision: 1.15 $ + * $Date: 2001/05/09 23:42:12 $ * * ==================================================================== * @@ -95,7 +95,7 @@ * * @author Craig R. McClanahan * @author Remy Maucherat - * @version $Revision: 1.14 $ $Date: 2001/05/08 05:58:44 $ + * @version $Revision: 1.15 $ $Date: 2001/05/09 23:42:12 $ */ @@ -225,6 +225,12 @@ /** + * The redirect port for non-SSL to SSL redirects. + */ + private int redirectPort = 443; + + + /** * The request scheme that will be set on all requests received * through this connector. */ @@ -631,6 +637,30 @@ public void setProxyPort(int proxyPort) { this.proxyPort = proxyPort; + + } + + + /** + * Return the port number to which a request should be redirected if + * it comes in on a non-SSL port and is subject to a security constraint + * with a transport guarantee that requires SSL. + */ + public int getRedirectPort() { + + return (this.redirectPort); + + } + + + /** + * Set the redirect port number. + * + * @param redirectPort The redirect port number (non-SSL to SSL) + */ + public void setRedirectPort(int redirectPort) { + + this.redirectPort = redirectPort; } 1.6 +34 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java Index: HttpConnector.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- HttpConnector.java 2001/05/08 05:58:44 1.5 +++ HttpConnector.java 2001/05/09 23:42:14 1.6 
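Review bot: setRedirectPort() in the last hunk stores any int without a range check, and checkUserData() later passes the value straight into `new URL(protocol, host, redirectPort, file)`, which does not reject out-of-range ports, so a mistyped value such as 44300 (presumably set from server.xml through this setter) would silently produce redirects to a port nothing listens on. Since checkUserData() treats non-positive values as "redirect disabled", only the upper bound needs rejecting: `if (redirectPort > 65535) throw new IllegalArgumentException("redirectPort: " + redirectPort);`. The identical setters added to http10/HttpConnector.java and warp/WarpConnector.java below need the same check.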
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v 1.5 2001/05/08 05:58:44 craigmcc Exp $ - * $Revision: 1.5 $ - * $Date: 2001/05/08 05:58:44 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v 1.6 2001/05/09 23:42:14 craigmcc Exp $ + * $Revision: 1.6 $ + * $Date: 2001/05/09 23:42:14 $ * * ==================================================================== * @@ -94,7 +94,7 @@ * purposes. Not intended to be the final solution. * * @author Craig R. McClanahan - * @version $Revision: 1.5 $ $Date: 2001/05/08 05:58:44 $ + * @version $Revision: 1.6 $ $Date: 2001/05/09 23:42:14 $ */ @@ -224,6 +224,12 @@ /** + * The redirect port for non-SSL to SSL redirects. + */ + private int redirectPort = 443; + + + /** * The request scheme that will be set on all requests received * through this connector. */ 
@@ -602,6 +608,30 @@ public void setProxyPort(int proxyPort) { this.proxyPort = proxyPort; + + } + + + /** + * Return the port number to which a request should be redirected if + * it comes in on a non-SSL port and is subject to a security constraint + * with a transport guarantee that requires SSL. + */ + public int getRedirectPort() { + + return (this.redirectPort); + + } + + + /** + * Set the redirect port number. + * + * @param redirectPort The redirect port number (non-SSL to SSL) + */ + public void setRedirectPort(int redirectPort) { + + this.redirectPort = redirectPort; } 1.11 +21 -1 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java Index: WarpConnector.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- WarpConnector.java 2001/05/08 05:58:44 1.10 +++ WarpConnector.java 2001/05/09 23:42:17 1.11 @@ -78,7 +78,7 @@ * @author Pier Fumagalli * @author Copyright © 1999, 2000 The * Apache Software Foundation. - * @version CVS $Id: WarpConnector.java,v 1.10 2001/05/08 05:58:44 craigmcc Exp $ + * @version CVS $Id: WarpConnector.java,v 1.11 2001/05/09 23:42:17 craigmcc Exp $ */ public class WarpConnector implements Connector, Lifecycle, Runnable { @@ -104,6 +104,8 @@ // -------------------------------------------------------- BEAN PROPERTIES + /** The port to which non-SSL requests should be redirected for SSL */ + private int redirectPort = 443; /** Wether requests received through this connector are secure. */ private boolean secure=false; /** The scheme to be set on requests received through this connector. */ 
@@ -241,6 +243,24 @@ } // ----------------------------------------------------------- BEAN METHODS + + /** + * Return the port number to which a request should be redirected if + * it comes in on a non-SSL port and is subject to a security constraint + * with a transport guarantee that requires SSL. + */ + public int getRedirectPort() { + return (this.redirectPort); + } + + /** + * Set the redirect port number. + * + * @param redirectPort The redirect port number (non-SSL to SSL) + */ + public void setRedirectPort(int redirectPort) { + this.redirectPort = redirectPort; + } /** * Return the secure connection flag that will be assigned to requests