[jboss-cvs] JBossAS SVN: r89024 - in branches/Branch_5_x: testsuite/src/main/org/jboss/test/web/test/ssl and 2 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon May 18 22:12:24 EDT 2009
Author: anil.saldhana at jboss.com
Date: 2009-05-18 22:12:24 -0400 (Mon, 18 May 2009)
New Revision: 89024
Added:
branches/Branch_5_x/testsuite/src/main/org/jboss/test/web/test/ssl/ClientCertJaspiWebUnitTestCase.java
branches/Branch_5_x/testsuite/src/resources/security/jaspi/jaspi-webssl-jboss-beans.xml
branches/Branch_5_x/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java
Modified:
branches/Branch_5_x/testsuite/imports/sections/web.xml
Log:
JBAS-6066: JASPI server auth module for CLIENT-CERT
Modified: branches/Branch_5_x/testsuite/imports/sections/web.xml
===================================================================
--- branches/Branch_5_x/testsuite/imports/sections/web.xml 2009-05-19 02:08:07 UTC (rev 89023)
+++ branches/Branch_5_x/testsuite/imports/sections/web.xml 2009-05-19 02:12:24 UTC (rev 89024)
@@ -347,6 +347,21 @@
<zipfileset dir="${build.resources}/web/jaspi-form-auth" includes="jboss-service.xml"/>
</zip>
+ <!-- war to test CLIENT-CERT auth using JASPI-->
+ <war warfile="${build.lib}/clientcert-jaspi.war"
+ webxml="${build.resources}/web/WEB-INF/clientcert-auth-web.xml">
+ <webinf dir="${build.resources}/security/jaspi/jaspi-web-form.war/WEB-INF">
+ <include name="jboss-web.xml"/>
+ <include name="context.xml"/>
+ </webinf>
+ <classes dir="${build.classes}">
+ <include name="org/jboss/test/web/servlets/ssl/*"/>
+ </classes>
+ <fileset dir="${build.resources}/web/html/ssl">
+ <include name="**/*.html"/>
+ </fileset>
+ </war>
+
<!-- war to test SSL and CLIENT-CERT auth -->
<war warfile="${build.lib}/clientcert-auth.war"
webxml="${build.resources}/web/WEB-INF/clientcert-auth-web.xml">
Copied: branches/Branch_5_x/testsuite/src/main/org/jboss/test/web/test/ssl/ClientCertJaspiWebUnitTestCase.java (from rev 89020, trunk/testsuite/src/main/org/jboss/test/web/test/ssl/ClientCertJaspiWebUnitTestCase.java)
===================================================================
--- branches/Branch_5_x/testsuite/src/main/org/jboss/test/web/test/ssl/ClientCertJaspiWebUnitTestCase.java (rev 0)
+++ branches/Branch_5_x/testsuite/src/main/org/jboss/test/web/test/ssl/ClientCertJaspiWebUnitTestCase.java 2009-05-19 02:12:24 UTC (rev 89024)
@@ -0,0 +1,114 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.web.test.ssl;
+
+import java.net.HttpURLConnection;
+
+import junit.extensions.TestSetup;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.jboss.test.JBossTestCase;
+import org.jboss.test.JBossTestSetup;
+
+/**
+ * Unit Test the CLIENT-CERT JASPI integration
+ * @author Anil.Saldhana at redhat.com
+ * @since May 18, 2009
+ */
+public class ClientCertJaspiWebUnitTestCase extends JBossTestCase
+{
+ private String baseHttpsNoAuth;
+
+ private static String login_config =
+ "security/jaspi/jaspi-webssl-jboss-beans.xml";
+
+
+ public ClientCertJaspiWebUnitTestCase(String name)
+ {
+ super(name);
+ }
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ baseHttpsNoAuth = "https://" + getServerHost() + ":" + Integer.getInteger("secureweb.port", 8443) + "/";
+ }
+
+ /** Test CLIENT-CERT
+ *
+ * @throws Exception
+ */
+ public void testJASPIClientCert() throws Exception
+ {
+ log.info("+++ testJASPIClientCert");
+ doHttps(baseHttpsNoAuth);
+ }
+
+ public void doHttps(String httpsNoAuth) throws Exception
+ {
+ log.info("+++ testJASPIClientCert, httpsNoAuth="+httpsNoAuth);
+ // Start by accessing the secured index.html of war1
+ HttpClient httpConn = new HttpClient();
+ String url = httpsNoAuth+"clientcert-jaspi/unrestricted/SecureServlet";
+ log.info("Accessing: "+url);
+ GetMethod get = new GetMethod(url);
+ int responseCode = httpConn.executeMethod(get);
+ String status = get.getStatusText();
+ log.debug(status);
+ assertTrue("Get OK("+responseCode+")", responseCode == HttpURLConnection.HTTP_OK);
+ }
+
+ /**
+ * Setup the test suite.
+ */
+ public static Test suite() throws Exception
+ {
+ TestSuite suite = new TestSuite();
+ suite.addTest(new TestSuite(ClientCertJaspiWebUnitTestCase.class));
+
+ // Create an initializer for the test suite
+ TestSetup wrapper = new JBossTestSetup(suite)
+ {
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ redeploy("clientcert-jaspi.war");
+ redeploy(getResourceURL(login_config));
+ flushAuthCache();
+ }
+
+ @Override
+ protected void tearDown() throws Exception
+ {
+ undeploy(getResourceURL(login_config));
+ undeploy("clientcert-jaspi.war");
+ super.tearDown();
+ }
+ };
+ return wrapper;
+ }
+}
\ No newline at end of file
Copied: branches/Branch_5_x/testsuite/src/resources/security/jaspi/jaspi-webssl-jboss-beans.xml (from rev 89020, trunk/testsuite/src/resources/security/jaspi/jaspi-webssl-jboss-beans.xml)
===================================================================
--- branches/Branch_5_x/testsuite/src/resources/security/jaspi/jaspi-webssl-jboss-beans.xml (rev 0)
+++ branches/Branch_5_x/testsuite/src/resources/security/jaspi/jaspi-webssl-jboss-beans.xml 2009-05-19 02:12:24 UTC (rev 89024)
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+NOTE: the securityDomain attribute in the BaseCertLoginModule refers to a JaasSecurityDomain
+mbean service in the tomcat-ssl custom configuration deploy directory.
+-->
+
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+ <application-policy xmlns="urn:jboss:security-beans:1.0" name="jaspi-test">
+ <authentication-jaspi>
+ <login-module-stack name="lm-stack">
+ <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
+ flag = "required">
+ <module-option name="password-stacking">useFirstPass</module-option>
+ <module-option name="securityDomain">java:/jaas/jbosstest-ssl</module-option>
+ </login-module>
+ <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
+ flag = "required">
+ <module-option name="password-stacking">useFirstPass</module-option>
+ <module-option name="usersProperties">ssl-users.properties</module-option>
+ <module-option name="rolesProperties">ssl-roles.properties</module-option>
+ <module-option name="roleGroupSeperator">:</module-option>
+ </login-module>
+ </login-module-stack>
+ <auth-module code="org.jboss.web.tomcat.security.jaspi.modules.HTTPClientCertServerAuthModule" login-module-stack-ref="lm-stack"/>
+ </authentication-jaspi>
+ </application-policy>
+
+</deployment>
Copied: branches/Branch_5_x/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java (from rev 89022, trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java)
===================================================================
--- branches/Branch_5_x/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java (rev 0)
+++ branches/Branch_5_x/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java 2009-05-19 02:12:24 UTC (rev 89024)
@@ -0,0 +1,137 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.web.tomcat.security.jaspi.modules;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.Subject;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.StringManager;
+import org.apache.coyote.ActionCode;
+import org.jboss.logging.Logger;
+
+/**
+ * Server Auth Module for HTTP CLIENT-CERT
+ * @author Anil.Saldhana at redhat.com
+ * @since May 18, 2009
+ */
+public class HTTPClientCertServerAuthModule extends TomcatServerAuthModule
+{
+ private static Logger log = Logger.getLogger(HTTPClientCertServerAuthModule.class);
+
+ protected Context context;
+
+ protected boolean cache = false;
+
+ private String delgatingLoginContextName;
+
+ public static final String CERTIFICATES_ATTR =
+ "javax.servlet.request.X509Certificate";
+
+ protected static final StringManager sm =
+ StringManager.getManager(Constants.Package);
+
+
+ public HTTPClientCertServerAuthModule()
+ {
+ super();
+ }
+
+ public HTTPClientCertServerAuthModule(String delgatingLoginContextName)
+ {
+ super();
+ this.delgatingLoginContextName = delgatingLoginContextName;
+ }
+
+ @Override
+ public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException
+ {
+ throw new RuntimeException("Not Applicable");
+ }
+
+ @Override
+ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
+ throws AuthException
+ {
+ Request request = (Request) messageInfo.getRequestMessage();
+ Response response = (Response) messageInfo.getResponseMessage();
+
+ Principal principal;
+ context = request.getContext();
+
+ X509Certificate certs[] = (X509Certificate[])
+ request.getAttribute(CERTIFICATES_ATTR);
+ if ((certs == null) || (certs.length < 1)) {
+ request.getCoyoteRequest().action
+ (ActionCode.ACTION_REQ_SSL_CERTIFICATE, null);
+ certs = (X509Certificate[])
+ request.getAttribute(CERTIFICATES_ATTR);
+ }
+ if ((certs == null) || (certs.length < 1)) {
+ log.debug(" No certificates included with this request");
+ try
+ {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ sm.getString("authenticator.certificates"));
+ }
+ catch (IOException e)
+ {
+ log.error(e.getLocalizedMessage(),e);
+ }
+ return (AuthStatus.FAILURE);
+ }
+
+ // Authenticate the specified certificate chain
+ principal = context.getRealm().authenticate(certs);
+ if (principal == null) {
+ log.debug(" Realm.authenticate() returned false");
+ try
+ {
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+ sm.getString("authenticator.unauthorized"));
+ }
+ catch (IOException e)
+ {
+ log.error(e.getLocalizedMessage(),e);
+ }
+ return (AuthStatus.FAILURE);
+ }
+
+ registerWithCallbackHandler(principal,
+ principal.getName(),
+ null);
+ // Cache the principal (if requested) and record this authentication
+ /*register(request, response, principal, Constants.CERT_METHOD,
+ null, null);*/
+ return (AuthStatus.SUCCESS);
+ }
+}
\ No newline at end of file
More information about the jboss-cvs-commits
mailing list