1 |
|
/*
|
|
1 |
|
/*
|
|
1 |
|
/*
|
2 |
|
* License
d to the A
pache Soft
ware Found
ation (ASF
) under on
e or more
|
|
2 |
|
* License
d to the A
pache Soft
ware Found
ation (ASF
) under on
e or more
|
|
2 |
|
* License
d to the A
pache Soft
ware Found
ation (ASF
) under on
e or more
|
3 |
|
* contrib
utor licen
se agreeme
nts. See
the NOTICE
file dist
ributed wi
th
|
|
3 |
|
* contrib
utor licen
se agreeme
nts. See
the NOTICE
file dist
ributed wi
th
|
|
3 |
|
* contrib
utor licen
se agreeme
nts. See
the NOTICE
file dist
ributed wi
th
|
4 |
|
* this wo
rk for add
itional in
formation
regarding
copyright
ownership.
|
|
4 |
|
* this wo
rk for add
itional in
formation
regarding
copyright
ownership.
|
|
4 |
|
* this wo
rk for add
itional in
formation
regarding
copyright
ownership.
|
5 |
|
* The ASF
licenses
this file
to You und
er the Apa
che Licens
e, Version
2.0
|
|
5 |
|
* The ASF
licenses
this file
to You und
er the Apa
che Licens
e, Version
2.0
|
|
5 |
|
* The ASF
licenses
this file
to You und
er the Apa
che Licens
e, Version
2.0
|
6 |
|
* (the "L
icense");
you may no
t use this
file exce
pt in comp
liance wit
h
|
|
6 |
|
* (the "L
icense");
you may no
t use this
file exce
pt in comp
liance wit
h
|
|
6 |
|
* (the "L
icense");
you may no
t use this
file exce
pt in comp
liance wit
h
|
7 |
|
* the Lic
ense. You
may obtai
n a copy o
f the Lice
nse at
|
|
7 |
|
* the Lic
ense. You
may obtai
n a copy o
f the Lice
nse at
|
|
7 |
|
* the Lic
ense. You
may obtai
n a copy o
f the Lice
nse at
|
8 |
|
*
|
|
8 |
|
*
|
|
8 |
|
*
|
9 |
|
* ht
tp://www.a
pache.org/
licenses/L
ICENSE-2.0
|
|
9 |
|
* ht
tp://www.a
pache.org/
licenses/L
ICENSE-2.0
|
|
9 |
|
* ht
tp://www.a
pache.org/
licenses/L
ICENSE-2.0
|
10 |
|
*
|
|
10 |
|
*
|
|
10 |
|
*
|
11 |
|
* Unless
required b
y applicab
le law or
agreed to
in writing
, software
|
|
11 |
|
* Unless
required b
y applicab
le law or
agreed to
in writing
, software
|
|
11 |
|
* Unless
required b
y applicab
le law or
agreed to
in writing
, software
|
12 |
|
* distrib
uted under
the Licen
se is dist
ributed on
an "AS IS
" BASIS,
|
|
12 |
|
* distrib
uted under
the Licen
se is dist
ributed on
an "AS IS
" BASIS,
|
|
12 |
|
* distrib
uted under
the Licen
se is dist
ributed on
an "AS IS
" BASIS,
|
13 |
|
* WITHOUT
WARRANTIE
S OR CONDI
TIONS OF A
NY KIND, e
ither expr
ess or imp
lied.
|
|
13 |
|
* WITHOUT
WARRANTIE
S OR CONDI
TIONS OF A
NY KIND, e
ither expr
ess or imp
lied.
|
|
13 |
|
* WITHOUT
WARRANTIE
S OR CONDI
TIONS OF A
NY KIND, e
ither expr
ess or imp
lied.
|
14 |
|
* See the
License f
or the spe
cific lang
uage gover
ning permi
ssions and
|
|
14 |
|
* See the
License f
or the spe
cific lang
uage gover
ning permi
ssions and
|
|
14 |
|
* See the
License f
or the spe
cific lang
uage gover
ning permi
ssions and
|
15 |
|
* limitat
ions under
the Licen
se.
|
|
15 |
|
* limitat
ions under
the Licen
se.
|
|
15 |
|
* limitat
ions under
the Licen
se.
|
16 |
|
*/
|
|
16 |
|
*/
|
|
16 |
|
*/
|
17 |
|
package or
g.apache.c
atalina.au
thenticato
r;
|
|
17 |
|
package or
g.apache.c
atalina.au
thenticato
r;
|
|
17 |
|
package or
g.apache.c
atalina.au
thenticato
r;
|
18 |
|
|
|
18 |
|
|
|
18 |
|
|
19 |
|
import jav
a.io.IOExc
eption;
|
|
19 |
|
import jav
a.io.IOExc
eption;
|
|
19 |
|
import jav
a.io.IOExc
eption;
|
20 |
|
import jav
a.security
.Principal
;
|
|
20 |
|
import jav
a.security
.Principal
;
|
|
20 |
|
import jav
a.security
.Principal
;
|
21 |
|
import jav
a.security
.cert.X509
Certificat
e;
|
|
21 |
|
import jav
a.security
.cert.X509
Certificat
e;
|
|
21 |
|
import jav
a.security
.cert.X509
Certificat
e;
|
22 |
|
|
|
22 |
|
|
|
22 |
|
|
23 |
|
import jav
ax.servlet
.http.Http
ServletReq
uest;
|
|
23 |
|
import jav
ax.servlet
.http.Http
ServletReq
uest;
|
|
23 |
|
import jav
ax.servlet
.http.Http
ServletReq
uest;
|
24 |
|
import jav
ax.servlet
.http.Http
ServletRes
ponse;
|
|
24 |
|
import jav
ax.servlet
.http.Http
ServletRes
ponse;
|
|
24 |
|
import jav
ax.servlet
.http.Http
ServletRes
ponse;
|
25 |
|
|
|
25 |
|
|
|
25 |
|
|
26 |
|
import org
.apache.ca
talina.con
nector.Req
uest;
|
|
26 |
|
import org
.apache.ca
talina.con
nector.Req
uest;
|
|
26 |
|
import org
.apache.ca
talina.con
nector.Req
uest;
|
27 |
|
|
|
27 |
|
|
|
27 |
|
|
28 |
|
/**
|
|
28 |
|
/**
|
|
28 |
|
/**
|
29 |
|
* An <b>A
uthenticat
or</b> and
<b>Valve<
/b> implem
entation o
f authenti
cation
|
|
29 |
|
* An <b>A
uthenticat
or</b> and
<b>Valve<
/b> implem
entation o
f authenti
cation
|
|
29 |
|
* An <b>A
uthenticat
or</b> and
<b>Valve<
/b> implem
entation o
f authenti
cation
|
30 |
|
* that ut
ilizes SSL
certifica
tes to ide
ntify clie
nt users.
|
|
30 |
|
* that ut
ilizes SSL
certifica
tes to ide
ntify clie
nt users.
|
|
30 |
|
* that ut
ilizes SSL
certifica
tes to ide
ntify clie
nt users.
|
31 |
|
*
|
|
31 |
|
*
|
|
31 |
|
*
|
32 |
|
* @author
Craig R.
McClanahan
|
|
32 |
|
* @author
Craig R.
McClanahan
|
|
32 |
|
* @author
Craig R.
McClanahan
|
33 |
|
*/
|
|
33 |
|
*/
|
|
33 |
|
*/
|
34 |
|
public cla
ss SSLAuth
enticator
extends Au
thenticato
rBase {
|
|
34 |
|
public cla
ss SSLAuth
enticator
extends Au
thenticato
rBase {
|
|
34 |
|
public cla
ss SSLAuth
enticator
extends Au
thenticato
rBase {
|
35 |
|
|
|
35 |
|
|
|
35 |
|
|
36 |
|
// ---
----------
----------
----------
----------
----------
---- Publi
c Methods
|
|
36 |
|
// ---
----------
----------
----------
----------
----------
---- Publi
c Methods
|
|
36 |
|
// ---
----------
----------
----------
----------
----------
---- Publi
c Methods
|
37 |
|
|
|
37 |
|
|
|
37 |
|
|
38 |
|
/**
|
|
38 |
|
/**
|
|
38 |
|
/**
|
39 |
|
* Aut
henticate
the user b
y checking
for the e
xistence o
f a certif
icate
|
|
39 |
|
* Aut
henticate
the user b
y checking
for the e
xistence o
f a certif
icate
|
|
39 |
|
* Aut
henticate
the user b
y checking
for the e
xistence o
f a certif
icate
|
40 |
|
* cha
in, valida
ting it ag
ainst the
trust mana
ger for th
e connecto
r and then
|
|
40 |
|
* cha
in, valida
ting it ag
ainst the
trust mana
ger for th
e connecto
r and then
|
|
40 |
|
* cha
in, valida
ting it ag
ainst the
trust mana
ger for th
e connecto
r and then
|
41 |
|
* val
idating th
e user's i
dentity ag
ainst the
configured
Realm.
|
|
41 |
|
* val
idating th
e user's i
dentity ag
ainst the
configured
Realm.
|
|
41 |
|
* val
idating th
e user's i
dentity ag
ainst the
configured
Realm.
|
42 |
|
*
|
|
42 |
|
*
|
|
42 |
|
*
|
43 |
|
* @pa
ram reques
t Request
we are pro
cessing
|
|
43 |
|
* @pa
ram reques
t Request
we are pro
cessing
|
|
43 |
|
* @pa
ram reques
t Request
we are pro
cessing
|
44 |
|
* @pa
ram respon
se Respons
e we are c
reating
|
|
44 |
|
* @pa
ram respon
se Respons
e we are c
reating
|
|
44 |
|
* @pa
ram respon
se Respons
e we are c
reating
|
45 |
|
*
|
|
45 |
|
*
|
|
45 |
|
*
|
46 |
|
* @ex
ception IO
Exception
if an inpu
t/output e
rror occur
s
|
|
46 |
|
* @ex
ception IO
Exception
if an inpu
t/output e
rror occur
s
|
|
46 |
|
* @ex
ception IO
Exception
if an inpu
t/output e
rror occur
s
|
47 |
|
*/
|
|
47 |
|
*/
|
|
47 |
|
*/
|
48 |
|
@Overr
ide
|
|
48 |
|
@Overr
ide
|
|
48 |
|
@Overr
ide
|
49 |
|
p
ubli
c
boolean
a
uthenticat
e(Request
request, H
ttpServlet
Response r
esponse)
|
|
49 |
|
p
rote
c
ted
boolean
doA
uthenticat
e(Request
request, H
ttpServlet
Response r
esponse)
|
|
49 |
|
protec
ted boolea
n doAuthen
ticate(Req
uest reque
st, HttpSe
rvletRespo
nse respon
se)
|
50 |
|
throws I
OException
{
|
|
50 |
|
throws I
OException
{
|
|
50 |
|
throws I
OException
{
|
51 |
|
|
|
51 |
|
|
|
51 |
|
|
52 |
|
//
NOTE: We
don't try
to reauthe
nticate us
ing any ex
isting SSO
session,
|
|
52 |
|
//
NOTE: We
don't try
to reauthe
nticate us
ing any ex
isting SSO
session,
|
|
52 |
|
//
NOTE: We
don't try
to reauthe
nticate us
ing any ex
isting SSO
session,
|
53 |
|
//
because t
hat will o
nly work i
f the orig
inal authe
ntication
was
|
|
53 |
|
//
because t
hat will o
nly work i
f the orig
inal authe
ntication
was
|
|
53 |
|
//
because t
hat will o
nly work i
f the orig
inal authe
ntication
was
|
54 |
|
//
BASIC or
FORM, whic
h are less
secure th
an the CLI
ENT-CERT a
uth-type
|
|
54 |
|
//
BASIC or
FORM, whic
h are less
secure th
an the CLI
ENT-CERT a
uth-type
|
|
54 |
|
//
BASIC or
FORM, whic
h are less
secure th
an the CLI
ENT-CERT a
uth-type
|
55 |
|
//
specified
for this
webapp
|
|
55 |
|
//
specified
for this
webapp
|
|
55 |
|
//
specified
for this
webapp
|
56 |
|
//
|
|
56 |
|
//
|
|
56 |
|
//
|
57 |
|
//
Change to
true belo
w to allow
previous
FORM or BA
SIC authen
tications
|
|
57 |
|
//
Change to
true belo
w to allow
previous
FORM or BA
SIC authen
tications
|
|
57 |
|
//
Change to
true belo
w to allow
previous
FORM or BA
SIC authen
tications
|
58 |
|
//
to authen
ticate use
rs for thi
s webapp
|
|
58 |
|
//
to authen
ticate use
rs for thi
s webapp
|
|
58 |
|
//
to authen
ticate use
rs for thi
s webapp
|
59 |
|
//
TODO make
this a co
nfigurable
attribute
(in Singl
eSignOn??)
|
|
59 |
|
//
TODO make
this a co
nfigurable
attribute
(in Singl
eSignOn??)
|
|
59 |
|
//
TODO make
this a co
nfigurable
attribute
(in Singl
eSignOn??)
|
60 |
|
if
(checkFor
CachedAuth
entication
(request,
response,
false)) {
|
|
60 |
|
if
(checkFor
CachedAuth
entication
(request,
response,
false)) {
|
|
60 |
|
if
(checkFor
CachedAuth
entication
(request,
response,
false)) {
|
61 |
|
return t
rue;
|
|
61 |
|
return t
rue;
|
|
61 |
|
return t
rue;
|
62 |
|
}
|
|
62 |
|
}
|
|
62 |
|
}
|
63 |
|
|
|
63 |
|
|
|
63 |
|
|
64 |
|
//
Retrieve
the certif
icate chai
n for this
client
|
|
64 |
|
//
Retrieve
the certif
icate chai
n for this
client
|
|
64 |
|
//
Retrieve
the certif
icate chai
n for this
client
|
65 |
|
if
(containe
rLog.isDeb
ugEnabled(
)) {
|
|
65 |
|
if
(containe
rLog.isDeb
ugEnabled(
)) {
|
|
65 |
|
if
(containe
rLog.isDeb
ugEnabled(
)) {
|
66 |
|
containe
rLog.debug
(" Looking
up certif
icates");
|
|
66 |
|
containe
rLog.debug
(" Looking
up certif
icates");
|
|
66 |
|
containe
rLog.debug
(" Looking
up certif
icates");
|
67 |
|
}
|
|
67 |
|
}
|
|
67 |
|
}
|
68 |
|
|
|
68 |
|
|
|
68 |
|
|
69 |
|
X5
09Certific
ate certs[
] = getReq
uestCertif
icates(req
uest);
|
|
69 |
|
X5
09Certific
ate certs[
] = getReq
uestCertif
icates(req
uest);
|
|
69 |
|
X5
09Certific
ate certs[
] = getReq
uestCertif
icates(req
uest);
|
70 |
|
|
|
70 |
|
|
|
70 |
|
|
71 |
|
if
((certs =
= null) ||
(certs.le
ngth < 1))
{
|
|
71 |
|
if
((certs =
= null) ||
(certs.le
ngth < 1))
{
|
|
71 |
|
if
((certs =
= null) ||
(certs.le
ngth < 1))
{
|
72 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
|
72 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
|
72 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
73 |
|
cont
ainerLog.d
ebug(" No
certifica
tes includ
ed with th
is request
");
|
|
73 |
|
cont
ainerLog.d
ebug(" No
certifica
tes includ
ed with th
is request
");
|
|
73 |
|
cont
ainerLog.d
ebug(" No
certifica
tes includ
ed with th
is request
");
|
74 |
|
}
|
|
74 |
|
}
|
|
74 |
|
}
|
75 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
|
75 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
|
75 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
76 |
|
sm.getStri
ng("authen
ticator.ce
rtificates
"));
|
|
76 |
|
sm.getStri
ng("authen
ticator.ce
rtificates
"));
|
|
76 |
|
sm.getStri
ng("authen
ticator.ce
rtificates
"));
|
77 |
|
return f
alse;
|
|
77 |
|
return f
alse;
|
|
77 |
|
return f
alse;
|
78 |
|
}
|
|
78 |
|
}
|
|
78 |
|
}
|
79 |
|
|
|
79 |
|
|
|
79 |
|
|
80 |
|
//
Authentic
ate the sp
ecified ce
rtificate
chain
|
|
80 |
|
//
Authentic
ate the sp
ecified ce
rtificate
chain
|
|
80 |
|
//
Authentic
ate the sp
ecified ce
rtificate
chain
|
81 |
|
Pr
incipal pr
incipal =
context.ge
tRealm().a
uthenticat
e(certs);
|
|
81 |
|
Pr
incipal pr
incipal =
context.ge
tRealm().a
uthenticat
e(certs);
|
|
81 |
|
Pr
incipal pr
incipal =
context.ge
tRealm().a
uthenticat
e(certs);
|
82 |
|
if
(principa
l == null)
{
|
|
82 |
|
if
(principa
l == null)
{
|
|
82 |
|
if
(principa
l == null)
{
|
83 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
|
83 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
|
83 |
|
if (cont
ainerLog.i
sDebugEnab
led()) {
|
84 |
|
cont
ainerLog.d
ebug(" Re
alm.authen
ticate() r
eturned fa
lse");
|
|
84 |
|
cont
ainerLog.d
ebug(" Re
alm.authen
ticate() r
eturned fa
lse");
|
|
84 |
|
cont
ainerLog.d
ebug(" Re
alm.authen
ticate() r
eturned fa
lse");
|
85 |
|
}
|
|
85 |
|
}
|
|
85 |
|
}
|
86 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
|
86 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
|
86 |
|
response
.sendError
(HttpServl
etResponse
.SC_UNAUTH
ORIZED,
|
87 |
|
sm.getStr
ing("authe
nticator.u
nauthorize
d"));
|
|
87 |
|
sm.getStr
ing("authe
nticator.u
nauthorize
d"));
|
|
87 |
|
sm.getStr
ing("authe
nticator.u
nauthorize
d"));
|
88 |
|
return
(
false
)
;
|
|
88 |
|
return
false
;
|
|
88 |
|
return f
alse;
|
89 |
|
}
|
|
89 |
|
}
|
|
89 |
|
}
|
90 |
|
|
|
90 |
|
|
|
90 |
|
|
91 |
|
//
Cache the
principal
(if reque
sted) and
record thi
s authenti
cation
|
|
91 |
|
//
Cache the
principal
(if reque
sted) and
record thi
s authenti
cation
|
|
91 |
|
//
Cache the
principal
(if reque
sted) and
record thi
s authenti
cation
|
92 |
|
re
gister(req
uest, resp
onse, prin
cipal,
|
|
92 |
|
re
gister(req
uest, resp
onse, prin
cipal,
|
|
92 |
|
re
gister(req
uest, resp
onse, prin
cipal,
|
93 |
|
Http
ServletReq
uest.CLIEN
T_CERT_AUT
H, null, n
ull);
|
|
93 |
|
Http
ServletReq
uest.CLIEN
T_CERT_AUT
H, null, n
ull);
|
|
93 |
|
Http
ServletReq
uest.CLIEN
T_CERT_AUT
H, null, n
ull);
|
94 |
|
return
(
true
)
;
|
|
94 |
|
return
true
;
|
|
94 |
|
re
turn true;
|
95 |
|
|
|
95 |
|
|
|
95 |
|
|
96 |
|
}
|
|
96 |
|
}
|
|
96 |
|
}
|
97 |
|
|
|
97 |
|
|
|
97 |
|
|
98 |
|
|
|
98 |
|
|
|
98 |
|
|
99 |
|
@Overr
ide
|
|
99 |
|
@Overr
ide
|
|
99 |
|
@Overr
ide
|
100 |
|
protec
ted String
getAuthMe
thod() {
|
|
100 |
|
protec
ted String
getAuthMe
thod() {
|
|
100 |
|
protec
ted String
getAuthMe
thod() {
|
101 |
|
re
turn HttpS
ervletRequ
est.CLIENT
_CERT_AUTH
;
|
|
101 |
|
re
turn HttpS
ervletRequ
est.CLIENT
_CERT_AUTH
;
|
|
101 |
|
re
turn HttpS
ervletRequ
est.CLIENT
_CERT_AUTH
;
|
102 |
|
}
|
|
102 |
|
}
|
|
102 |
|
}
|
103 |
|
}
|
|
103 |
|
}
|
|
103 |
|
}
|
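Review bot: The Javadoc above `doAuthenticate` (lines 38–47) was not updated when the method became a protected hook, and it still carries no `@return` tag for the boolean contract the body shows: `true` after `register(...)` or a cached-auth hit, `false` after `response.sendError(HttpServletResponse.SC_UNAUTHORIZED, ...)` in both failure branches. Suggest adding `@return <code>true</code> if the client was authenticated from its certificate chain, <code>false</code> if a 401 response has already been sent`. Separately, the debug message on line 84, `" Realm.authenticate() returned false"`, does not match the check on line 82, which tests `principal == null`; `" Realm.authenticate() returned null"` would describe what actually happened. The page shows three copies of each line with no side markers, so which column is the new side is inferred from the `doAuthenticate` signature rather than from an explicit signal.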