Author: remy.maucherat(a)jboss.com Date: 2012-04-12 10:22:08 -0400 (Thu, 12 Apr 2012) New Revision: 2019 Modified: trunk/java/org/apache/catalina/valves/LocalStrings.properties trunk/java/org/apache/catalina/valves/SSLValve.java trunk/webapps/docs/changelog.xml Log: AS7-4469: Rebase SSL valve. Modified: trunk/java/org/apache/catalina/valves/LocalStrings.properties =================================================================== --- trunk/java/org/apache/catalina/valves/LocalStrings.properties 2012-04-10 01:06:26 UTC (rev 2018) +++ trunk/java/org/apache/catalina/valves/LocalStrings.properties 2012-04-12 14:22:08 UTC (rev 2019) @@ -29,6 +29,10 @@ # Remote IP valve remoteIpValve.syntax=Invalid regular expressions [{0}] provided. +# SSL valve +sslValve.certError=Failed to process certificate string [{0}] to create a java.security.cert.X509Certificate object +sslValve.invalidProvider=The SSL provider specified on the connector associated with this request of [{0}] is invalid. The certificate data could not be processed. + # HTTP status reports http.100=The client may continue ({0}). http.101=The server is switching protocols according to the "Upgrade" header ({0}). Modified: trunk/java/org/apache/catalina/valves/SSLValve.java =================================================================== --- trunk/java/org/apache/catalina/valves/SSLValve.java 2012-04-10 01:06:26 UTC (rev 2018) +++ trunk/java/org/apache/catalina/valves/SSLValve.java 2012-04-12 14:22:08 UTC (rev 2019) @@ -14,102 +14,116 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.catalina.valves; +import java.io.ByteArrayInputStream; import java.io.IOException; -import java.io.ByteArrayInputStream; - +import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import javax.servlet.ServletException; -import org.apache.catalina.valves.ValveBase; +import org.apache.catalina.Globals; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; -import org.apache.catalina.util.StringManager; +import org.apache.tomcat.util.buf.EncodingToCharset; +import org.jboss.logging.Logger; -/* - * Valve to fill the SSL informations in the request - * mod_header is used to fill the headers and the valve - * will fill the parameters of the request. +/** + * When using mod_proxy_http, the client SSL information is not included in the + * protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL + * information available to Tomcat, some additional configuration is required. + * In httpd, mod_headers is used to add the SSL information as HTTP headers. In + * Tomcat, this valve is used to read the information from the HTTP headers and + * insert it into the request.<p> + * + * <b>Note: Ensure that the headers are always set by httpd for all requests to + * prevent a client spoofing SSL information by sending fake headers. </b><p> + * * In httpd.conf add the following: - * <IfModule ssl_module> + * <pre> + * &lt;IfModule ssl_module&gt; * RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" * RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" * RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" * RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" - * </IfModule> + * &lt;/IfModule&gt; + * </pre> * - * @author Jean-Frederic Clere - * @version $Revision$, $Date$ + * In server.xml, configure this valve under the Engine element in server.xml: + * <pre> + * &lt;Engine ...&gt; + * &lt;Valve className="org.apache.catalina.valves.SSLValve" /&gt; + * &lt;Host ... /&gt; + * &lt;/Engine&gt; + * </pre> */ +public class SSLValve extends ValveBase { -public class SSLValve - extends ValveBase { -/* - private static final String info = - "SSLValve/1.0"; - protected static StringManager sm = - StringManager.getManager(Constants.Package); - public String getInfo() { - return (info); + private static Logger log = Logger.getLogger(SSLValve.class); + + //------------------------------------------------------ Constructor + public SSLValve() { } - public String toString() { - StringBuffer sb = new StringBuffer("SSLValve["); - if (container != null) - sb.append(container.getName()); - sb.append("]"); - return (sb.toString()); - } - */ + public String mygetHeader(Request request, String header) { String strcert0 = request.getHeader(header); - if (strcert0 == null) + if (strcert0 == null) { return null; + } /* mod_header writes "(null)" when the ssl variable is no filled */ - if ("(null)".equals(strcert0)) + if ("(null)".equals(strcert0)) { return null; + } return strcert0; - } + } + + @Override public void invoke(Request request, Response response) throws IOException, ServletException { - /* mod_header converts the '\n' into ' ' so we have to rebuild the client certificate */ String strcert0 = mygetHeader(request, "ssl_client_cert"); if (strcert0 != null && strcert0.length()>28) { String strcert1 = strcert0.replace(' ', '\n'); String strcert2 = strcert1.substring(28, strcert1.length()-26); - String strcert3 = new String("-----BEGIN CERTIFICATE-----\n"); + String strcert3 = "-----BEGIN CERTIFICATE-----\n"; String strcert4 = strcert3.concat(strcert2); String strcerts = strcert4.concat("\n-----END CERTIFICATE-----\n"); - // ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes("UTF-8")); - ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes()); + ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes(EncodingToCharset.ISO_8859_1)); X509Certificate jsseCerts[] = null; + String providerName = (String) request.getConnector().getProperty( + "clientCertProvider"); try { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + CertificateFactory cf; + if (providerName == null) { + cf = CertificateFactory.getInstance("X.509"); + } else { + cf = CertificateFactory.getInstance("X.509", providerName); + } X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); jsseCerts = new X509Certificate[1]; jsseCerts[0] = cert; } catch (java.security.cert.CertificateException e) { - System.out.println("SSLValve failed " + strcerts); - System.out.println("SSLValve failed " + e); + log.warn(sm.getString("sslValve.certError", strcerts), e); + } catch (NoSuchProviderException e) { + log.error(sm.getString("sslValve.invalidProvider", providerName), e); } - request.setAttribute("javax.servlet.request.X509Certificate", jsseCerts); + request.setAttribute(Globals.CERTIFICATES_ATTR, jsseCerts); } strcert0 = mygetHeader(request, "ssl_cipher"); if (strcert0 != null) { - request.setAttribute("javax.servlet.request.cipher_suite", strcert0); + request.setAttribute(Globals.CIPHER_SUITE_ATTR, strcert0); } strcert0 = mygetHeader(request, "ssl_session_id"); if (strcert0 != null) { - request.setAttribute("javax.servlet.request.ssl_session", strcert0); + request.setAttribute(Globals.SSL_SESSION_ID_ATTR, strcert0); } strcert0 = mygetHeader(request, "ssl_cipher_usekeysize"); if (strcert0 != null) { - request.setAttribute("javax.servlet.request.key_size", strcert0); + request.setAttribute(Globals.KEY_SIZE_ATTR, Integer.valueOf(strcert0)); } getNext().invoke(request, response); } + } Modified: trunk/webapps/docs/changelog.xml =================================================================== --- trunk/webapps/docs/changelog.xml 2012-04-10 01:06:26 UTC (rev 2018) +++ trunk/webapps/docs/changelog.xml 2012-04-12 14:22:08 UTC (rev 2019) @@ -31,6 +31,9 @@ <add> Protocol upgrade API. (remm) </add> + <fix> + <jboss-jira>AS7-4469</jboss-jira>: Rebase SSL valve used by mod_headers. (remm) + </fix> </changelog> </subsection> <subsection name="Jasper">