Added AuthMapping annotation.ticket-477-3 ticket-474-7

A new AuthMapping annotation has been added to configure the required authentication methods to acces each REST method. The annotation maps each method into a list of authentication methods in auth.properties. For security reason, most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get installation token from the security domain. Previously the auth.properties files were used to store ACL mappings. Now the ACL mappings have been moved into acl.properties. Ticket #477
author: Endi Sukma Dewata <edewata@redhat.com> 2013-02-01 13:05:38 -0500
committer: Endi Sukma Dewata <edewata@redhat.com> 2013-02-03 00:53:42 -0500
commit: 154bb05e9bbd45eaa3ca8bef8d2a6af076b1790c (patch)
tree: 67f4ede6b83daf696fc211e696d83327134e4a4a /base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
parent: 2ea42ce4cf91053bc91e5722abeb259cd0577510 (diff)
download: pki-ticket-477-3.tar.gz
pki-ticket-477-3.tar.xz
pki-ticket-477-3.zip
1 files changed, 159 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
new file mode 100644
index 000000000..6fd7cdd31
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
@@ -0,0 +1,159 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthInterceptor implements PreProcessInterceptor {
+
+    Properties authProperties;
+
+    @Context
+    ServletContext servletContext;
+
+    @Context
+    SecurityContext securityContext;
+
+    public synchronized void loadAuthProperties() throws IOException {
+
+        if (authProperties != null) return;
+
+        URL url = servletContext.getResource("/WEB-INF/auth.properties");
+        authProperties = new Properties();
+        authProperties.load(url.openStream());
+    }
+
+    @Override
+    public ServerResponse preProcess(
+            HttpRequest request,
+            ResourceMethod resourceMethod
+        ) throws Failure, ForbiddenException {
+
+        Class<?> clazz = resourceMethod.getResourceClass();
+        Method method = resourceMethod.getMethod();
+        System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+        // Get authentication mapping for the method.
+        AuthMapping authMapping = method.getAnnotation(AuthMapping.class);
+
+        // If not available, get authentication mapping for the class.
+        if (authMapping == null) {
+            authMapping = clazz.getAnnotation(AuthMapping.class);
+        }
+
+        String name;
+        if (authMapping == null) {
+            // If not available, use the default mapping.
+            name = "default";
+        } else {
+            // Get the method label
+            name = authMapping.value();
+        }
+
+        System.out.println("AuthInterceptor: mapping name: "+name);
+
+        try {
+            loadAuthProperties();
+
+            String value = authProperties.getProperty(name);
+            Collection<String> authMethods = new HashSet<String>();
+            if (value != null) {
+                for (String v : value.split(",")) {
+                    authMethods.add(v.trim());
+                }
+            }
+
+            System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+            Principal principal = securityContext.getUserPrincipal();
+
+            // If unauthenticated, reject request.
+            if (principal == null) {
+                if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+                    System.out.println("AuthInterceptor: anonymous access allowed");
+                    return null;
+                }
+                System.out.println("AuthInterceptor: anonymous access not allowed");
+                throw new ForbiddenException("Anonymous access not allowed.");
+            }
+
+            // If unrecognized principal, reject request.
+            if (!(principal instanceof PKIPrincipal)) {
+                System.out.println("AuthInterceptor: unknown principal");
+                throw new ForbiddenException("Unknown user principal");
+            }
+
+            PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+            IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+            // If missing auth token, reject request.
+            if (authToken == null) {
+                System.out.println("AuthInterceptor: missing authentication token");
+                throw new ForbiddenException("Missing authentication token.");
+            }
+
+            String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+            System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+            if (authManager == null) {
+                System.out.println("AuthInterceptor: missing authentication manager");
+                throw new ForbiddenException("Missing authentication manager.");
+            }
+
+            if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+                System.out.println("AuthInterceptor: "+authManager+" allowed");
+                return null;
+            }
+
+            throw new ForbiddenException("Authentication method not allowed.");
+
+        } catch (IOException e) {
+            e.printStackTrace();
+            throw new Failure(e);
+        }
+    }
+}
author	Endi Sukma Dewata <edewata@redhat.com>	2013-02-01 13:05:38 -0500
committer	Endi Sukma Dewata <edewata@redhat.com>	2013-02-03 00:53:42 -0500
commit	154bb05e9bbd45eaa3ca8bef8d2a6af076b1790c (patch)
tree	67f4ede6b83daf696fc211e696d83327134e4a4a /base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
parent	2ea42ce4cf91053bc91e5722abeb259cd0577510 (diff)
download	pki-ticket-477-3.tar.gz pki-ticket-477-3.tar.xz pki-ticket-477-3.zip