[jboss-cvs] JBossAS SVN: r89022 - trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules.

Mon May 18 22:06:44 EDT 2009


Author: anil.saldhana at jboss.com
Date: 2009-05-18 22:06:43 -0400 (Mon, 18 May 2009)
New Revision: 89022

Added:
   trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java
Log:
JBAS-6066: JASPI server auth module for CLIENT-CERT

Added: trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java	                        (rev 0)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/jaspi/modules/HTTPClientCertServerAuthModule.java	2009-05-19 02:06:43 UTC (rev 89022)
@@ -0,0 +1,136 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.web.tomcat.security.jaspi.modules;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.Subject;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.StringManager;
+import org.apache.coyote.ActionCode;
+import org.jboss.logging.Logger;
+
+/**
+ * @author Anil.Saldhana at redhat.com
+ * @since May 18, 2009
+ */
+public class HTTPClientCertServerAuthModule extends TomcatServerAuthModule
+{
+   private static Logger log = Logger.getLogger(HTTPClientCertServerAuthModule.class);
+
+   protected Context context; 
+
+   protected boolean cache = false;
+
+   private String delgatingLoginContextName;
+
+   public static final String CERTIFICATES_ATTR =
+      "javax.servlet.request.X509Certificate";
+
+   protected static final StringManager sm =
+      StringManager.getManager(Constants.Package);
+
+
+   public HTTPClientCertServerAuthModule()
+   {
+      super(); 
+   }
+
+   public HTTPClientCertServerAuthModule(String delgatingLoginContextName)
+   {
+      super();
+      this.delgatingLoginContextName = delgatingLoginContextName;
+   }
+
+   @Override
+   public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException
+   {
+      throw new RuntimeException("Not Applicable");
+   }
+
+   @Override
+   public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
+   throws AuthException
+   {
+      Request request = (Request) messageInfo.getRequestMessage();
+      Response response = (Response) messageInfo.getResponseMessage();
+
+      Principal principal;
+      context = request.getContext(); 
+
+      X509Certificate certs[] = (X509Certificate[])
+      request.getAttribute(CERTIFICATES_ATTR);
+      if ((certs == null) || (certs.length < 1)) {
+         request.getCoyoteRequest().action
+         (ActionCode.ACTION_REQ_SSL_CERTIFICATE, null);
+         certs = (X509Certificate[])
+         request.getAttribute(CERTIFICATES_ATTR);
+      }
+      if ((certs == null) || (certs.length < 1)) {
+         log.debug("  No certificates included with this request");
+         try
+         {
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+                  sm.getString("authenticator.certificates"));
+         }
+         catch (IOException e)
+         {
+            log.error(e.getLocalizedMessage(),e);
+         }
+         return (AuthStatus.FAILURE);
+      }
+
+      // Authenticate the specified certificate chain
+      principal = context.getRealm().authenticate(certs);
+      if (principal == null) {
+         log.debug("  Realm.authenticate() returned false");
+         try
+         {
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+                  sm.getString("authenticator.unauthorized"));
+         }
+         catch (IOException e)
+         {
+            log.error(e.getLocalizedMessage(),e);
+         }
+         return (AuthStatus.FAILURE);
+      }
+
+      registerWithCallbackHandler(principal, 
+            principal.getName(), 
+            null);
+      // Cache the principal (if requested) and record this authentication
+      /*register(request, response, principal, Constants.CERT_METHOD,
+            null, null);*/
+      return (AuthStatus.SUCCESS); 
+   }  
+}
\ No newline at end of file
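Review bot: validateRequest stores per-request state in the instance field `context` (`context = request.getContext();`) and reads it back several statements later via `context.getRealm().authenticate(certs)`; if one module instance serves concurrent requests, a request can end up authenticating its certificate chain against another web application's Realm, so this should be a local, `Context ctx = request.getContext();` and `principal = ctx.getRealm().authenticate(certs);`. Both failure paths return `AuthStatus.FAILURE` after `sendError`, but the JSR-196 ServerAuth contract defines SEND_FAILURE for validateRequest when the module has already written the failure response (FAILURE belongs to the client-side validateResponse), so the return should presumably be `AuthStatus.SEND_FAILURE`. secureResponse throwing `RuntimeException("Not Applicable")` will surface as an error on an otherwise successful request if the container calls it after dispatch; returning `AuthStatus.SEND_SUCCESS` is the conventional no-op. The `cache` and misspelled `delgatingLoginContextName` fields are never read, and with `register(...)` commented out the authentication is not recorded in the session, which should be noted in a comment or finished rather than left as dead code.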



