Author: remy.maucherat(a)jboss.com
Date: 2009-07-09 12:02:35 -0400 (Thu, 09 Jul 2009)
New Revision: 1131
Modified:
trunk/java/org/apache/catalina/connector/LocalStrings.properties
trunk/java/org/apache/catalina/connector/Request.java
trunk/java/org/apache/catalina/realm/GenericPrincipal.java
trunk/java/org/apache/catalina/realm/JAASRealm.java
trunk/java/org/apache/catalina/realm/JNDIRealm.java
trunk/java/org/apache/catalina/session/LocalStrings.properties
trunk/java/org/apache/catalina/session/StandardSession.java
trunk/webapps/docs/changelog.xml
Log:
- Port: Add logout for JAAS login context.
- Port: Some JNDI realm stuff.
Modified: trunk/java/org/apache/catalina/connector/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/catalina/connector/LocalStrings.properties 2009-07-08 16:00:01
UTC (rev 1130)
+++ trunk/java/org/apache/catalina/connector/LocalStrings.properties 2009-07-09 16:02:35
UTC (rev 1131)
@@ -55,6 +55,7 @@
coyoteRequest.noAsync=The servlet or filters that are being used by this request do not
support async operation
coyoteRequest.servletStack=Current Servlet stack for thread {0}
coyoteRequest.closed=Response has been closed already
+coyoteRequest.logoutfail=Exception logging out user
#
# MapperListener
Modified: trunk/java/org/apache/catalina/connector/Request.java
===================================================================
--- trunk/java/org/apache/catalina/connector/Request.java 2009-07-08 16:00:01 UTC (rev
1130)
+++ trunk/java/org/apache/catalina/connector/Request.java 2009-07-09 16:02:35 UTC (rev
1131)
@@ -3061,6 +3061,7 @@
}
public void logout() throws ServletException {
+ Principal principal = userPrincipal;
userPrincipal = null;
authType = null;
Session session = getSessionInternal(false);
@@ -3068,6 +3069,14 @@
session.setPrincipal(null);
session.setAuthType(null);
}
+ if (principal instanceof GenericPrincipal) {
+ GenericPrincipal gp = (GenericPrincipal) principal;
+ try {
+ gp.logout();
+ } catch (Exception e) {
+ throw new
ServletException(sm.getString("coyoteRequest.logoutfail"), e);
+ }
+ }
}
public DispatcherType getDispatcherType() {
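Review bot: The new `catch (Exception e)` block after `session.setAuthType(null)` does not record that the request and session have already been de-authenticated by the time it can fire, which is what makes rethrowing from here safe. A short comment above `gp.logout()` would pin that ordering for future edits, e.g. `// Local auth state is already cleared above; a failure here only means the login context cleanup failed`. The broad `Exception` catch is forced by `GenericPrincipal.logout() throws Exception`, so narrowing that signature would let this catch be narrowed too. `logout()` begins in the previous hunk.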
Modified: trunk/java/org/apache/catalina/realm/GenericPrincipal.java
===================================================================
--- trunk/java/org/apache/catalina/realm/GenericPrincipal.java 2009-07-08 16:00:01 UTC
(rev 1130)
+++ trunk/java/org/apache/catalina/realm/GenericPrincipal.java 2009-07-09 16:02:35 UTC
(rev 1131)
@@ -22,6 +22,9 @@
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
+
+import javax.security.auth.login.LoginContext;
+
import org.apache.catalina.Realm;
@@ -65,7 +68,7 @@
* @param roles List of roles (must be Strings) possessed by this user
*/
public GenericPrincipal(Realm realm, String name, String password,
- List roles) {
+ List<String> roles) {
this(realm, name, password, roles, null);
}
@@ -82,8 +85,27 @@
* getUserPrincipal call if not null; if null, this will be returned
*/
public GenericPrincipal(Realm realm, String name, String password,
- List roles, Principal userPrincipal) {
-
+ List<String> roles, Principal userPrincipal) {
+ this(realm, name, password, roles, userPrincipal, null);
+ }
+
+ /**
+ * Construct a new Principal, associated with the specified Realm, for the
+ * specified username and password, with the specified role names
+ * (as Strings).
+ *
+ * @param realm The Realm that owns this principal
+ * @param name The username of the user represented by this Principal
+ * @param password Credentials used to authenticate this user
+ * @param roles List of roles (must be Strings) possessed by this user
+ * @param userPrincipal - the principal to be returned from the request
+ * getUserPrincipal call if not null; if null, this will be returned
+ * @param loginContext - If provided, this will be used to log out the user
+ * at the appropriate time
+ */
+ public GenericPrincipal(Realm realm, String name, String password,
+ List<String> roles, Principal userPrincipal,
+ LoginContext loginContext) {
super();
this.realm = realm;
this.name = name;
@@ -95,6 +117,7 @@
if (this.roles.length > 0)
Arrays.sort(this.roles);
}
+ this.loginContext = loginContext;
}
@@ -160,6 +183,12 @@
}
+ /**
+ * The JAAS LoginContext, if any, used to authenticate this Principal.
+ * Kept so we can call logout().
+ */
+ protected LoginContext loginContext = null;
+
// --------------------------------------------------------- Public Methods
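Review bot: The new `loginContext` field is not `transient`, and `javax.security.auth.login.LoginContext` is not serializable. If `GenericPrincipal` is serialized together with a session (its class declaration is outside this hunk, but `StandardSession` holds a principal and has a `standardSession.notSerializable` message), persisting or replicating an authenticated session could fail once a JAAS-backed principal is attached. Declaring it as `protected transient LoginContext loginContext = null;` avoids that. The field comment should then state the consequence: a restored principal has no context, so `logout()` is a no-op for it.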
@@ -180,6 +209,23 @@
/**
+ * Calls logout, if necessary, on any associated JAASLoginContext. May in
+ * the future be extended to cover other logout requirements.
+ *
+ * @throws Exception If something goes wrong with the logout. Uses Exception
+ * to allow for future expansion of this method to cover
+ * other logout mechanisms that might throw a different
+ * exception to LoginContext
+ *
+ */
+ public void logout() throws Exception {
+ if (loginContext != null) {
+ loginContext.logout();
+ }
+ }
+
+
+ /**
* Return a String representation of this object, which exposes only
* information that should be public.
*/
Modified: trunk/java/org/apache/catalina/realm/JAASRealm.java
===================================================================
--- trunk/java/org/apache/catalina/realm/JAASRealm.java 2009-07-08 16:00:01 UTC (rev
1130)
+++ trunk/java/org/apache/catalina/realm/JAASRealm.java 2009-07-09 16:02:35 UTC (rev
1131)
@@ -426,7 +426,7 @@
log.debug(sm.getString("jaasRealm.loginContextCreated",
username));
// Return the appropriate Principal for this authenticated Subject
- Principal principal = createPrincipal(username, subject);
+ Principal principal = createPrincipal(username, subject, loginContext);
if (principal == null) {
log.debug(sm.getString("jaasRealm.authenticateFailure",
username));
return (null);
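Review bot: The `if (principal == null)` branch returns `null` without logging out the `loginContext` that was just passed to `createPrincipal`. The comment above it speaks of "this authenticated Subject", so the JAAS login appears to have succeeded by this point, and the Subject and whatever its login modules hold stay live with no principal left to trigger `logout()`. Calling `loginContext.logout()` inside a `try`/`catch (LoginException e)` that logs at debug level, just before `return (null);`, would close that gap. The enclosing method starts and ends outside the hunk, so an existing handler may already cover this case.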
@@ -487,8 +487,11 @@
* roles, but only if their respective classes match one of the "role
class" classes.
* If a user Principal cannot be constructed, return <code>null</code>.
* @param subject The <code>Subject</code> representing the logged-in
user
+ * @param loginContext Associated with th Princpal so
+ * {@link LoginContext#logout()} can be called later
*/
- protected Principal createPrincipal(String username, Subject subject) {
+ protected Principal createPrincipal(String username, Subject subject,
+ LoginContext loginContext) {
// Prepare to scan the Principals for this Subject
List<String> roles = new ArrayList<String>();
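Review bot: Changing the `protected` signature to `createPrincipal(String, Subject, LoginContext)` removes the two-argument method that realm subclasses may override. A subclass that customises role or principal mapping there still compiles if it omits `@Override`, but the authentication path in the previous hunk now calls only the three-argument form, so its mapping is silently skipped and users may receive different roles. An overload alone would not restore the old dispatch, so the Javadoc and changelog should at least call this out as an incompatible change for subclasses. The added Javadoc line also contains typos (`th Princpal`).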
@@ -535,7 +538,8 @@
}
// Return the resulting Principal for our authenticated user
- return new GenericPrincipal(this, username, null, roles, userPrincipal);
+ return new GenericPrincipal(this, username, null, roles, userPrincipal,
+ loginContext);
}
/**
Modified: trunk/java/org/apache/catalina/realm/JNDIRealm.java
===================================================================
--- trunk/java/org/apache/catalina/realm/JNDIRealm.java 2009-07-08 16:00:01 UTC (rev
1130)
+++ trunk/java/org/apache/catalina/realm/JNDIRealm.java 2009-07-09 16:02:35 UTC (rev
1131)
@@ -1420,10 +1420,10 @@
boolean validated = false;
if (hasMessageDigest()) {
- // iPlanet support if the values starts with {SHA1}
+ // Some directories prefix the password with the hash type
// The string is in a format compatible with Base64.encode not
// the Hex encoding of the parent class.
- if (password.startsWith("{SHA}")) {
+ if (password.startsWith("{MD5}") ||
password.startsWith("{SHA}")) {
/* sync since super.digest() does this same thing */
synchronized (this) {
password = password.substring(5);
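Review bot: The widened test strips either `{MD5}` or `{SHA}` but never checks that the scheme named in the prefix matches the digest algorithm this realm is configured with. The comparison itself is outside the hunk; presumably a mismatch simply fails to validate, but it does so silently and is indistinguishable from a wrong password. Consider a debug log when the prefix and the configured digest disagree, and a comment noting that `substring(5)` relies on both prefixes being exactly five characters long. Unsalted MD5 and SHA-1 are weak for stored passwords, so the realm documentation should steer deployments toward a salted scheme where the directory supports one.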
Modified: trunk/java/org/apache/catalina/session/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/catalina/session/LocalStrings.properties 2009-07-08 16:00:01 UTC
(rev 1130)
+++ trunk/java/org/apache/catalina/session/LocalStrings.properties 2009-07-09 16:02:35 UTC
(rev 1131)
@@ -45,6 +45,7 @@
standardSession.getId.ise=getId: Session already invalidated
standardSession.getMaxInactiveInterval.ise=getMaxInactiveInterval: Session already
invalidated
standardSession.getValueNames.ise=getValueNames: Session already invalidated
+standardSession.logoutfail=Exception logging out user when expiring session
standardSession.notSerializable=Cannot serialize session attribute {0} for session {1}
standardSession.removeAttribute.ise=removeAttribute: Session already invalidated
standardSession.sessionEvent=Session event listener threw exception
Modified: trunk/java/org/apache/catalina/session/StandardSession.java
===================================================================
--- trunk/java/org/apache/catalina/session/StandardSession.java 2009-07-08 16:00:01 UTC
(rev 1130)
+++ trunk/java/org/apache/catalina/session/StandardSession.java 2009-07-09 16:02:35 UTC
(rev 1131)
@@ -52,6 +52,7 @@
import org.apache.catalina.Session;
import org.apache.catalina.SessionEvent;
import org.apache.catalina.SessionListener;
+import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.security.SecurityUtil;
import org.apache.catalina.util.Enumerator;
import org.apache.catalina.util.StringManager;
@@ -727,6 +728,18 @@
fireSessionEvent(Session.SESSION_DESTROYED_EVENT, null);
}
+ // Call the logout method
+ if (principal instanceof GenericPrincipal) {
+ GenericPrincipal gp = (GenericPrincipal) principal;
+ try {
+ gp.logout();
+ } catch (Exception e) {
+ manager.getContainer().getLogger().error(
+ sm.getString("standardSession.logoutfail"),
+ e);
+ }
+ }
+
// We have completed expire of this session
expiring = false;
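Review bot: The error logged in the new `catch (Exception e)` block carries no session identifier, because the `standardSession.logoutfail` message has no placeholder. A failed logout during expiry means the login context for that user may not have been cleaned up, and without an id the entry cannot be correlated with a session or account during an investigation. Consider adding `{0}` to the message and passing the session id as the argument to `sm.getString(...)`, as the neighbouring `standardSession.notSerializable` message does with its parameters. The enclosing expire logic starts and ends outside the hunk.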
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2009-07-08 16:00:01 UTC (rev 1130)
+++ trunk/webapps/docs/changelog.xml 2009-07-09 16:02:35 UTC (rev 1131)
@@ -114,6 +114,12 @@
<fix>
JDBC driver cleanup fix, using a hack to define the cleaner component in the
webapp classloader. (markt)
</fix>
+ <fix>
+ <bug>39231</bug>: Call logout on the JAAS login context whenever
possible. (markt)
+ </fix>
+ <fix>
+ <bug>37984</bug>: Strip {MD5} as well as {SHA} from digested
passwords. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">