From e63e922e6dd616334159c3d11fb3ac7d689bea4b Mon Sep 17 00:00:00 2001
From: markt
Date: Sat, 9 Aug 2008 14:32:47 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41407 Add support for CLIENT-CERT authentication to JAAS realm.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@684270 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/catalina/realm/JAASCallbackHandler.java | 29 ++++++++++++++--------
 .../catalina/realm/JAASMemoryLoginModule.java | 17 +++++++++----
 java/org/apache/catalina/realm/JAASRealm.java | 9 +++++--
 3 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/java/org/apache/catalina/realm/JAASCallbackHandler.java b/java/org/apache/catalina/realm/JAASCallbackHandler.java
index ad6e64328..9b8914b06 100644
--- a/java/org/apache/catalina/realm/JAASCallbackHandler.java
+++ b/java/org/apache/catalina/realm/JAASCallbackHandler.java
@@ -80,21 +80,22 @@ public class JAASCallbackHandler implements CallbackHandler { /** * Construct a callback handler for DIGEST authentication. * - * @param realm Our associated JAASRealm instance - * @param username Username to be authenticated with - * @param password Password to be authenticated with - * @param nonce Server generated nonce - * @param nc Nonce count - * @param cnonce Client generated nonce - * @param qop Quality of protection aplied to the message - * @param realmName Realm name - * @param md5a2 Second MD5 digest used to calculate the digest + * @param realm Our associated JAASRealm instance + * @param username Username to be authenticated with + * @param password Password to be authenticated with + * @param nonce Server generated nonce + * @param nc Nonce count + * @param cnonce Client generated nonce + * @param qop Quality of protection aplied to the message + * @param realmName Realm name + * @param md5a2 Second MD5 digest used to calculate the digest * MD5(Method + ":" + uri) + * @param authMethod The authentication mehtod in use */ public JAASCallbackHandler(JAASRealm realm, String username, String password, String nonce, String nc, String cnonce, String qop, String realmName, - String md5a2) { + String md5a2, String authMethod) { this(realm, username, password); this.nonce = nonce; this.nc = nc; @@ -102,6 +103,7 @@ public class JAASCallbackHandler implements CallbackHandler { this.qop = qop; this.realmName = realmName; this.md5a2 = md5a2; + this.authMethod = authMethod; } // ----------------------------------------------------- Instance Variables @@ -123,7 +125,6 @@ public class JAASCallbackHandler implements CallbackHandler { */ protected JAASRealm realm = null; - /** * The username to be authenticated with. */ 
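Review bot: The Javadoc of the widened constructor still opens with `Construct a callback handler for DIGEST authentication.`, but the JAASRealm hunk later in this patch now builds it with `Constants.CERT_METHOD` as well, so the summary is stale; I would change it to `Construct a callback handler for DIGEST or CLIENT-CERT authentication.`. The new `@param authMethod The authentication mehtod in use` line has a typo, as does the field comment `The authentication methdod to be used` in the next hunk, and the JAASRealm hunk calls the same value a "scheme"; pick one wording, e.g. `@param authMethod The authentication method in use, one of the method constants in org.apache.catalina.authenticator.Constants (DIGEST_METHOD, CERT_METHOD), or null for BASIC/FORM`. The nine removed and re-added `@param` lines appear to differ only in alignment, which is whitespace churn that hides the single real Javadoc change in this hunk.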
@@ -159,6 +160,10 @@ public class JAASCallbackHandler implements CallbackHandler { */ protected String md5a2; + /** + * The authentication methdod to be used. If null, assume BASIC/FORM. + */ + protected String authMethod; // --------------------------------------------------------- Public Methods @@ -208,6 +213,8 @@ public class JAASCallbackHandler implements CallbackHandler { cb.setText(realmName); } else if (cb.getPrompt().equals("md5a2")) { cb.setText(md5a2); + } else if (cb.getPrompt().equals("authMethod")) { + cb.setText(authMethod); } else { throw new UnsupportedCallbackException(callbacks[i]); } diff --git a/java/org/apache/catalina/realm/JAASMemoryLoginModule.java b/java/org/apache/catalina/realm/JAASMemoryLoginModule.java index 47d3b559c..0e0833e8b 100644 --- a/java/org/apache/catalina/realm/JAASMemoryLoginModule.java +++ b/java/org/apache/catalina/realm/JAASMemoryLoginModule.java @@ -39,6 +39,7 @@ import javax.security.auth.spi.LoginModule; import org.apache.catalina.Context; import org.apache.catalina.Realm; +import org.apache.catalina.authenticator.Constants; import org.apache.catalina.connector.Request; import org.apache.catalina.deploy.SecurityConstraint; import org.apache.catalina.util.RequestUtil; @@ -310,7 +311,7 @@ public class JAASMemoryLoginModule extends MemoryRealm implements LoginModule, R // Set up our CallbackHandler requests if (callbackHandler == null) throw new LoginException("No CallbackHandler specified"); - Callback callbacks[] = new Callback[8]; + Callback callbacks[] = new Callback[9]; callbacks[0] = new NameCallback("Username: "); callbacks[1] = new PasswordCallback("Password: ", false); callbacks[2] = new TextInputCallback("nonce"); 
@@ -319,6 +320,7 @@ public class JAASMemoryLoginModule extends MemoryRealm implements LoginModule, R callbacks[5] = new TextInputCallback("qop"); callbacks[6] = new TextInputCallback("realmName"); callbacks[7] = new TextInputCallback("md5a2"); + callbacks[8] = new TextInputCallback("authMethod"); // Interact with the user to retrieve the username and password String username = null; @@ -329,6 +331,7 @@ public class JAASMemoryLoginModule extends MemoryRealm implements LoginModule, R String qop = null; String realmName = null; String md5a2 = null; + String authMethod = null; try { callbackHandler.handle(callbacks); @@ -341,6 +344,7 @@ public class JAASMemoryLoginModule extends MemoryRealm implements LoginModule, R qop = ((TextInputCallback) callbacks[5]).getText(); realmName = ((TextInputCallback) callbacks[6]).getText(); md5a2 = ((TextInputCallback) callbacks[7]).getText(); + authMethod = ((TextInputCallback) callbacks[8]).getText(); } catch (IOException e) { throw new LoginException(e.toString()); } catch (UnsupportedCallbackException e) { @@ -348,13 +352,16 @@ public class JAASMemoryLoginModule extends MemoryRealm implements LoginModule, R } // Validate the username and password we have received - if (md5a2 == null) { - // Not using DIGEST + if (authMethod == null) { + // BASIC or FORM principal = super.authenticate(username, password); - } else { - // Must be using DIGEST + } else if (authMethod.equals(Constants.DIGEST_METHOD)) { principal = super.authenticate(username, password, nonce, nc, cnonce, qop, realmName, md5a2); + } else if (authMethod.equals(Constants.CERT_METHOD)) { + principal = super.getPrincipal(username); + } else { + throw new LoginException("Unknown authentication method"); } log.debug("login " + username + " " + principal); diff --git a/java/org/apache/catalina/realm/JAASRealm.java b/java/org/apache/catalina/realm/JAASRealm.java index bc163116a..a8714b929 100644 --- a/java/org/apache/catalina/realm/JAASRealm.java 
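Review bot: Adding `callbacks[8] = new TextInputCallback("authMethod")` makes that prompt mandatory for every login through this module: a CallbackHandler that does not recognise it — for instance a custom handler written against the previous eight callbacks — throws UnsupportedCallbackException, which the catch block in the following hunk turns into a LoginException, so all logins fail, not just CLIENT-CERT ones. The `new Callback[9]` resize in the preceding hunk has the same effect. If this is intended, state it in the class Javadoc, e.g. `This module requires a CallbackHandler that answers a TextInputCallback with prompt "authMethod" (JAASCallbackHandler does); handlers that do not will fail every login with a LoginException.`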
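Review bot: The new CLIENT-CERT branch `principal = super.getPrincipal(username)` performs no credential check at all, so the only thing standing between a supplied name and a Principal is the connector's validation of the client certificate chain; that reliance should be written next to the branch, e.g. `// CLIENT-CERT: username is presumably the certificate subject name already verified by the connector's TLS handshake; map it to a user without checking a password`. Since this class extends MemoryRealm, `super.getPrincipal(username)` is the in-memory user lookup, so the certificate name presumably has to match a user entry verbatim — worth saying in the class Javadoc as well. The `throw new LoginException("Unknown authentication method")` in the final `else` drops the offending value; `throw new LoginException("Unknown authentication method: " + authMethod)` makes a misconfigured handler diagnosable, and the value comes from the realm's own CallbackHandler rather than from the client.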
+++ b/java/org/apache/catalina/realm/JAASRealm.java @@ -34,6 +34,7 @@ import javax.security.auth.login.LoginException; import org.apache.catalina.Container; import org.apache.catalina.LifecycleException; +import org.apache.catalina.authenticator.Constants; import org.apache.catalina.util.StringManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -337,13 +338,15 @@ public class JAASRealm * @param realmName Realm name * @param md5a2 Second MD5 digest used to calculate the digest * MD5(Method + ":" + uri) + * @param authMethod The authentication scheme in use */ public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2) { return authenticate(username, new JAASCallbackHandler(this, username, clientDigest, nonce, - nc, cnonce, qop, realmName, md5a2)); + nc, cnonce, qop, realmName, md5a2, + Constants.DIGEST_METHOD)); } @@ -467,7 +470,9 @@ public class JAASRealm */ protected Principal getPrincipal(String username) { - return (null); + return authenticate(username, + new JAASCallbackHandler(this, username, null, null, null, null, + null, null, null, Constants.CERT_METHOD)); } -- 2.11.0
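Review bot: `getPrincipal(String username)` now runs a full JAAS login with every credential null and `Constants.CERT_METHOD` as the only hint, so which names are accepted is decided entirely by the configured LoginModule; a module that ignores the `authMethod` TextInputCallback will see a name plus an empty password, and whether that fails closed depends on that module. The method's Javadoc starts outside the hunk; it should say that this is the CLIENT-CERT path (the username is expected to be the certificate's subject name, already validated by the connector), that the LoginModule must honour the `"authMethod"` callback with value CERT_METHOD and authorize by name alone, and that JAASMemoryLoginModule is the bundled module that does so. If RealmBase reaches `getPrincipal(String)` from any path other than X.509 authentication, those callers would now also trigger a CERT-method login — worth confirming.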