[jboss-svn-commits] JBL Code SVN: r36999 - labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/http.

Fri May 13 11:38:46 EDT 2011


Author: dward
Date: 2011-05-13 11:38:46 -0400 (Fri, 13 May 2011)
New Revision: 36999

Modified:
   labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/http/HttpServletSecUtil.java
Log:
Fix for JBESB-2871

Modified: labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/http/HttpServletSecUtil.java
===================================================================
--- labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/http/HttpServletSecUtil.java	2011-05-13 09:46:40 UTC (rev 36998)
+++ labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/http/HttpServletSecUtil.java	2011-05-13 15:38:46 UTC (rev 36999)
@@ -21,20 +21,22 @@
  */
 package org.jboss.soa.esb.http;
 
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.log4j.Logger;
+import org.jboss.soa.esb.listeners.message.MessageDeliverException;
+import org.jboss.soa.esb.message.Message;
+import org.jboss.soa.esb.services.security.PublicCryptoUtil;
 import org.jboss.soa.esb.services.security.auth.AuthenticationRequest;
 import org.jboss.soa.esb.services.security.auth.AuthenticationRequestImpl;
-import org.jboss.soa.esb.services.security.PublicCryptoUtil;
-import org.jboss.soa.esb.message.Message;
-import org.jboss.soa.esb.listeners.message.MessageDeliverException;
 import org.jboss.util.Base64;
-import org.apache.log4j.Logger;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.ServletException;
-import java.util.Set;
-import java.util.HashSet;
-import java.security.Principal;
-
 /**
  * Http Servlet security utilities.
  * 
@@ -45,56 +47,95 @@
     private static final Logger logger = Logger.getLogger(HttpServletSecUtil.class);
 
     public static boolean addAuthDetailsToMessage(HttpServletRequest request, Message message) throws ServletException {
-        Principal userPrincipal = request.getUserPrincipal();
 
-        if(userPrincipal != null) {
-            // It's a logged in user.  Need to get the login details from the Authorization header
-            // and pass it along in the ESB Message sent to the Service...
+            // Need to get the login details from the request
+    		// and pass it along in the ESB Message sent to the Service...
             AuthenticationRequest authRequest = buildAuthenticationRequest(request);
 
-            // Set the AuthenticationRequest on the inbound message...
-            try {
-                return PublicCryptoUtil.INSTANCE.addAuthRequestToMessage(authRequest, message);
-            } catch (MessageDeliverException e) {
-                throw new ServletException("Failed to attach AuthenticationRequest to ESB Message.", e);
+            if (authRequest != null) {
+            	// It's a logged in user. Set the AuthenticationRequest on the inbound message...
+	            try {
+	                return PublicCryptoUtil.INSTANCE.addAuthRequestToMessage(authRequest, message);
+	            } catch (MessageDeliverException e) {
+	                throw new ServletException("Failed to attach AuthenticationRequest to ESB Message.", e);
+	            }
             }
-        }
 
         return false;
     }
 
-    public static AuthenticationRequest buildAuthenticationRequest(HttpServletRequest req) {
-        String authHeader = req.getHeader("Authorization");
+    public static AuthenticationRequest buildAuthenticationRequest(HttpServletRequest req) throws ServletException {
+    	String authType = req.getAuthType();
 
-        if(authHeader == null) {
-            authHeader = req.getHeader("authorization");
-        }
+    	// Handle BASIC auth...
+    	if (HttpServletRequest.BASIC_AUTH.equals(authType)) {
+    		if (req.getUserPrincipal() != null) {
+    			String authHeader = req.getHeader("Authorization");
+    			if(authHeader == null) {
+    				authHeader = req.getHeader("authorization");
+    			}
+    			if(authHeader != null) {
+    				String bas64Data = authHeader.substring(authHeader.indexOf(' ')).trim();
+    				String decodedData = new String(Base64.decode(bas64Data));
+    				String[] authTokens = decodedData.split(":");
+    				Set<Object> credentials = new HashSet<Object>();
 
-        if(authHeader != null) {
-            // Handle BASIC auth...
-            if("BASIC".equals(req.getAuthType())) {
-                String bas64Data = authHeader.substring(authHeader.indexOf(' ')).trim();
-                String decodedData = new String(Base64.decode(bas64Data));
-                String[] authTokens = decodedData.split(":");
-                Set<Object> credentials = new HashSet<Object>();
+    				// The auth tokens are "username:password", so the second token is the
+    				// password, which is the credential in this case...
+    				credentials.add(authTokens[1].toCharArray());
 
-                // The auth tokens are "username:password", so the second token is the
-                // password, which is the credential in this case...
-                credentials.add(authTokens[1].toCharArray());
+    				if(logger.isDebugEnabled()) {
+    					logger.debug("User '" + authTokens[0] + "' authenticated by container using '" + HttpServletRequest.BASIC_AUTH + "' auth.  Forwarding to ESB Service.");
+    				}
+    				return new AuthenticationRequestImpl.Builder(req.getUserPrincipal(), credentials).build();
+    			}
+    		}
+    	}
+    	// Handle CLIENT_CERT auth...
+    	else if (HttpServletRequest.CLIENT_CERT_AUTH.equals(authType)) {
+    		Principal principal = null;
+    		Set<Object> credentials = null;
+    		
+    		Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
+    		if (attr != null) {
+    			X509Certificate[] chain;
+    			if (attr.getClass().isArray()) {
+    				chain = (X509Certificate[])attr;
+    			} else {
+    				chain = new X509Certificate[]{(X509Certificate)attr};
+    			}
+    			for (X509Certificate cert : chain) {
+    				if (cert != null) {
+    					principal = cert.getSubjectX500Principal();
+    					credentials = new HashSet<Object>();
+    					credentials.add(cert);
+    					break;
+    				}
+    			}
+    		}
+    		
+    		if (principal == null) {
+    			if(logger.isDebugEnabled()) {
+    				logger.debug(HttpServletRequest.CLIENT_CERT_AUTH + " specified but principal not available.");
+    			}
+    			return null;
+    		} else if (credentials == null) {
+    			if(logger.isDebugEnabled()) {
+    				logger.debug(HttpServletRequest.CLIENT_CERT_AUTH + " specified but credentials not available.");
+    			}
+    			return null;
+    		}
 
-                if(logger.isDebugEnabled()) {
-                    logger.debug("User '" + authTokens[0] + "' authenticated by container using 'BASIC' auth.  Forwarding to ESB Service.");
-                }
+    		if(logger.isDebugEnabled()) {
+    			logger.debug("User '" + principal.getName() + "' authenticated by container using '" + HttpServletRequest.CLIENT_CERT_AUTH + "' auth.  Forwarding to ESB Service.");
+    		}
+    		return new AuthenticationRequestImpl.Builder(principal, credentials).build();
+    		
+    	} else if (authType != null && logger.isDebugEnabled()) {
+    		logger.debug("Authentication  method '" + authType + "' not supported for passing Authorization token to ESB Security.");
+    	}
+    	// TODO: Add support for Digest auth?
 
-                return new AuthenticationRequestImpl.Builder(req.getUserPrincipal(), credentials).build();
-            } else {
-                if(logger.isDebugEnabled()) {
-                    logger.debug("Authentication  method '" + req.getAuthType() + "' not supported for passing Authorization token to ESB Security.");
-                }
-            }
-            // TODO: Add support for Client-cert and Digest auth?
-        }
-
-        return null;
+    	return null;
     }
 }
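Review bot: The BASIC branch still parses the decoded header with `decodedData.split(":")` and then reads `authTokens[1]` unguarded, so a password that contains a colon is silently truncated (the downstream ESB service will re-authenticate against the wrong credential), and an empty password or a credential with no colon at all ends in an ArrayIndexOutOfBoundsException — `String.split` drops trailing empty strings, so `"user:".split(":")` has length 1. Likewise `authHeader.indexOf(' ')` returns -1 for a header with no scheme/space separator and `substring(-1)` throws. Since this is data the container has already accepted, these surface as 500s rather than a clean "not forwarded" result; splitting with a limit of 2 and returning null on malformed input matches how the CLIENT_CERT branch already bails out. Separately, `new String(Base64.decode(...))` uses the platform default charset rather than a fixed one, so non-ASCII passwords may decode differently on different hosts — worth pinning to UTF-8 (or whatever the container uses) in a follow-up.
```java
// … unchanged: authType check, principal check, Authorization header lookup …
int sep = authHeader.indexOf(' ');
if (sep < 0) {
    return null; // no "<scheme> <data>" separator; nothing usable to forward
}
String decodedData = new String(Base64.decode(authHeader.substring(sep).trim()));
// Limit 2: only the user-id may not contain ':'; the password can.
String[] authTokens = decodedData.split(":", 2);
if (authTokens.length != 2) {
    return null; // no password part (empty password or malformed credential)
}
// … unchanged: credentials set, debug log, AuthenticationRequestImpl.Builder …
```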


