authorEndi Sukma Dewata <edewata@redhat.com>2012-10-09 05:04:52 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-10-18 16:46:22 -0500
commit98ad9c109ec41d0977d4249ac5e41dcf4c484a22 (patch)
treef7176772ea56313065e06a734b9cf26e993fcf31
parent4300459bff057ba50093f735ee9289868e258215 (diff)
Added PKIPrincipal.
Previously in PKIRealm the authentication token was stored in a thread local variable. This does not work for multiple operations executed using the same session because each operation may be handled by different threads. A new PKIPrincipal has been added to store the authentication token so that the threads can get the correct token for the session. Ticket #357
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIPrincipal.java29
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIRealm.java57
2 files changed, 60 insertions, 26 deletions
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIPrincipal.java b/base/common/src/com/netscape/cmscore/realm/PKIPrincipal.java
new file mode 100644
index 000000000..6f806e3e9
--- /dev/null
+++ b/base/common/src/com/netscape/cmscore/realm/PKIPrincipal.java
@@ -0,0 +1,29 @@
+package com.netscape.cmscore.realm;
+
+import java.util.List;
+
+import org.apache.catalina.realm.GenericPrincipal;
+
+import com.netscape.certsrv.authentication.IAuthToken;
+
+/**
+ * @author Endi S. Dewata
+ */
+
+public class PKIPrincipal extends GenericPrincipal {
+
+ IAuthToken authToken;
+
+ public PKIPrincipal(String name, String password, List<String> roles, IAuthToken authToken) {
+ super(name, password, roles);
+ this.authToken = authToken;
+ }
+
+ public PKIPrincipal(String name, String password, List<String> roles) {
+ this(name, password, roles, null);
+ }
+
+ public IAuthToken getAuthToken() {
+ return authToken;
+ }
+}
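Review bot: The `authToken` field at line 39 is package-private and mutable even though the principal is what the container keeps for the whole session, so it should be `private final IAuthToken authToken;` and assigned only in the constructor. The three-argument constructor deliberately leaves it null, so `getAuthToken()` can return null and its callers must handle that; a Javadoc on the getter such as `@return the token produced at authentication time, or {@code null} when the principal was created without one` makes that contract explicit. The class-level comment only names the author; a one-sentence summary saying the class carries the IAuthToken from authentication to later authorization checks in PKIRealm would replace the thread-local this commit removes in the reader's mental model.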
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIRealm.java
index 53b31131c..9b4b97c2a 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIRealm.java
@@ -18,7 +18,6 @@ import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
-import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import com.netscape.certsrv.apps.CMS;
@@ -48,7 +47,6 @@ public class PKIRealm extends RealmBase {
public final static String PROP_AUTH_FILE_PATH = "/WEB-INF/auth.properties";
public final static int EXPRESSION_SIZE = 2;
- ThreadLocal<IAuthToken> authToken = new ThreadLocal<IAuthToken>();
Properties authzProperties;
public PKIRealm() {
@@ -84,10 +82,9 @@ public class PKIRealm extends RealmBase {
creds.set(PasswdUserDBAuthentication.CRED_UID, username);
creds.set(PasswdUserDBAuthentication.CRED_PWD, password);
- IAuthToken token = authMgr.authenticate(creds); // throws exception if authentication fails
- authToken.set(token);
+ IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
- return getPrincipal(username);
+ return getPrincipal(username, authToken);
} catch (Throwable e) {
e.printStackTrace();
@@ -116,13 +113,12 @@ public class PKIRealm extends RealmBase {
AuthCredentials creds = new AuthCredentials();
creds.set(CertUserDBAuthentication.CRED_CERT, certImpls);
- IAuthToken token = authMgr.authenticate(creds); // throws exception if authentication fails
- authToken.set(token);
+ IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
- String username = token.getInString(CertUserDBAuthentication.TOKEN_USERID);
+ String username = authToken.getInString(CertUserDBAuthentication.TOKEN_USERID);
logDebug("User ID: "+username);
- return getPrincipal(username);
+ return getPrincipal(username, authToken);
} catch (Throwable e) {
e.printStackTrace();
@@ -133,9 +129,14 @@ public class PKIRealm extends RealmBase {
@Override
protected Principal getPrincipal(String username) {
+ return getPrincipal(username, (IAuthToken)null);
+ }
+
+ protected Principal getPrincipal(String username, IAuthToken authToken) {
+
try {
IUser user = getUser(username);
- return getPrincipal(user);
+ return getPrincipal(user, authToken);
} catch (Throwable e) {
e.printStackTrace();
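Review bot: The new `getPrincipal(String, IAuthToken)` overload at line 100 has no Javadoc, and nothing states why the RealmBase override directly above it now always passes a null token. A comment like `/** Builds a PKIPrincipal for username carrying authToken; authToken is null when the principal was not produced by this realm's authenticate() methods. */` would tell a reader why the two overloads exist and that downstream code must tolerate a null token. The method body continues outside the hunk.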
@@ -143,9 +144,9 @@ public class PKIRealm extends RealmBase {
}
}
- protected Principal getPrincipal(IUser user) throws EUsrGrpException {
+ protected Principal getPrincipal(IUser user, IAuthToken authToken) throws EUsrGrpException {
List<String> roles = getRoles(user);
- return new GenericPrincipal(user.getUserID(), null, roles);
+ return new PKIPrincipal(user.getUserID(), null, roles, authToken);
}
protected IUser getUser(String username) throws EUsrGrpException {
@@ -249,22 +250,26 @@ public class PKIRealm extends RealmBase {
}
}
- IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
- IAuthToken token = authToken.get();
-
- logDebug("Auth token:");
- Enumeration<String> names = token.getElements();
- while (names.hasMoreElements()) {
- String name = names.nextElement();
- Object value = token.get(name);
- logDebug(" " + name +": " + value);
- }
+ Principal principal = request.getUserPrincipal();
+ if (principal instanceof PKIPrincipal) {
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ logDebug("Auth token:");
+ Enumeration<String> names = authToken.getElements();
+ while (names.hasMoreElements()) {
+ String name = names.nextElement();
+ Object value = authToken.get(name);
+ logDebug(" " + name +": " + value);
+ }
- logDebug("Resource: " + resource);
- logDebug("Operation: " + operation);
+ logDebug("Resource: " + resource);
+ logDebug("Operation: " + operation);
- AuthzToken authzToken = mAuthz.authorize("DirAclAuthz", token, resource, operation);
- if (authzToken != null) return true;
+ IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
+ AuthzToken authzToken = mAuthz.authorize("DirAclAuthz", authToken, resource, operation);
+ if (authzToken != null) return true;
+ }
} catch (Throwable e) {
e.printStackTrace();
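Review bot: `authToken` can be null inside the `instanceof` block, because `getPrincipal(String)` at line 97 builds a PKIPrincipal with a null token, and the `authToken.getElements()` call right after `logDebug("Auth token:")` would then throw a NullPointerException that the `catch (Throwable e)` at the end of the hunk only prints. A guard directly after `getAuthToken()`, `if (authToken == null) { logDebug("No auth token for principal " + pkiPrincipal.getName()); return false; }`, makes the deny an explicit decision instead of an exception path (the `return true` on the authorize result shows the method is boolean). The debug loop also logs every token element's value; whether that includes anything sensitive depends on what the auth manager stores, which is not visible here, but it is worth confirming. The enclosing method starts and ends outside the hunk.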