author | Endi S. Dewata <edewata@redhat.com> | 2013-07-31 17:33:00 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2013-10-25 15:04:00 -0400 |
commit | dcc0f115091c4276870c93097c40b0b00d045bdf (patch) | |
tree | 925d126f37ccea909e9e0cf72dd56cde7b848f5d /base/common/src/com/netscape/cms | |
parent | babc5111c40442e247c99e248832839b15359573 (diff) | |
Reorganized PKIRealm class.
PKIRealm has been moved from pki-cmscore into pki-cms package because
it's needed by CMSStartServlet which is in the pki-cms package.
Diffstat (limited to 'base/common/src/com/netscape/cms')
-rw-r--r-- | base/common/src/com/netscape/cms/realm/PKIRealm.java | 161 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java | 2 |
2 files changed, 162 insertions, 1 deletions
diff --git a/base/common/src/com/netscape/cms/realm/PKIRealm.java b/base/common/src/com/netscape/cms/realm/PKIRealm.java
new file mode 100644
index 000000000..f15234527
--- /dev/null
+++ b/base/common/src/com/netscape/cms/realm/PKIRealm.java
@@ -0,0 +1,161 @@
+package com.netscape.cms.realm;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+
+import netscape.security.x509.X509CertImpl;
+
+import org.apache.catalina.realm.RealmBase;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.common.AuthCredentials;
+import com.netscape.cmscore.authentication.CertUserDBAuthentication;
+import com.netscape.cmscore.authentication.PasswdUserDBAuthentication;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+/**
+ * PKI Realm
+ *
+ * This realm provides an authentication service against PKI user database.
+ * The realm also provides an authorization service that validates request
+ * URL's against the access control list defined in the internal database.
+ */
+
+public class PKIRealm extends RealmBase {
+
+ @Override
+ protected String getName() {
+ return "PKIRealm";
+ }
+
+ @Override
+ public Principal authenticate(String username, String password) {
+ logDebug("Authenticating username "+username+" with password.");
+
+ try {
+ IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthManager authMgr = authSub.getAuthManager(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+
+ AuthCredentials creds = new AuthCredentials();
+ creds.set(PasswdUserDBAuthentication.CRED_UID, username);
+ creds.set(PasswdUserDBAuthentication.CRED_PWD, password);
+
+ IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
+
+ return getPrincipal(username, authToken);
+
+ } catch (Throwable e) {
+ e.printStackTrace();
+ }
+
+ return null;
+ }
+
+ @Override
+ public Principal authenticate(final X509Certificate certs[]) {
+ logDebug("Authenticating certificate chain:");
+
+ try {
+ X509CertImpl certImpls[] = new X509CertImpl[certs.length];
+ for (int i=0; i<certs.length; i++) {
+ X509Certificate cert = certs[i];
+ logDebug(" "+cert.getSubjectDN());
+
+ // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl
+ certImpls[i] = new X509CertImpl(cert.getEncoded());
+ }
+
+ IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthManager authMgr = authSub.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
+
+ AuthCredentials creds = new AuthCredentials();
+ creds.set(CertUserDBAuthentication.CRED_CERT, certImpls);
+
+ IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
+
+ String username = authToken.getInString(CertUserDBAuthentication.TOKEN_USERID);
+ logDebug("User ID: "+username);
+
+ return getPrincipal(username, authToken);
+
+ } catch (Throwable e) {
+ e.printStackTrace();
+ }
+
+ return null;
+ }
+
+ @Override
+ protected Principal getPrincipal(String username) {
+ return getPrincipal(username, (IAuthToken)null);
+ }
+
+ protected Principal getPrincipal(String username, IAuthToken authToken) {
+
+ try {
+ IUser user = getUser(username);
+ return getPrincipal(user, authToken);
+
+ } catch (Throwable e) {
+ e.printStackTrace();
+ return null;
+ }
+ }
+
+ protected Principal getPrincipal(IUser user, IAuthToken authToken) throws EUsrGrpException {
+ List<String> roles = getRoles(user);
+ return new PKIPrincipal(user.getUserID(), null, roles, authToken);
+ }
+
+ protected IUser getUser(String username) throws EUsrGrpException {
+ IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ IUser user = ugSub.getUser(username);
+ logDebug("User DN: "+user.getUserDN());
+ return user;
+ }
+
+ protected List<String> getRoles(IUser user) throws EUsrGrpException {
+
+ List<String> roles = new ArrayList<String>();
+
+ IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ Enumeration<IGroup> groups = ugSub.findGroupsByUser(user.getUserDN());
+
+ logDebug("Roles:");
+ while (groups.hasMoreElements()) {
+ IGroup group = groups.nextElement();
+
+ String name = group.getName();
+ logDebug(" "+name);
+ roles.add(name);
+ }
+
+ return roles;
+ }
+
+ @Override
+ protected String getPassword(String username) {
+ return null;
+ }
+
+ /*
+ * TODO: Figure out how to do real logging
+ */
+ public void logErr(String msg) {
+ System.err.println(msg);
+ }
+
+ public void logDebug(String msg) {
+ System.out.println("PKIRealm: "+msg);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
index e00f2bdba..8e3a4b5ba 100644
--- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
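Review bot: The three `catch (Throwable e)` blocks — in `authenticate(String, String)`, `authenticate(X509Certificate[])` and `getPrincipal(String, IAuthToken)` — make every failure indistinguishable: a rejected password, an unknown user and an internal subsystem error all end in `e.printStackTrace()` and a bare `return null`, with the cause written to stderr instead of the realm's own log, and `Throwable` also captures `OutOfMemoryError` and similar errors that should propagate. Narrowing the catch and routing it through the logger the class already defines keeps the authentication outcome observable without changing what the caller sees: `} catch (Exception e) { logErr("Authentication failed: " + e); return null; }`. The `logDebug` calls in both `authenticate` methods print the user name and every certificate subject to stdout on each attempt; the file's own `TODO: Figure out how to do real logging` comment is the place to record that these need a configurable log level. A null or empty `certs` array reaches `certs.length` unguarded and is only rescued by the same broad catch, so an explicit `if (certs == null || certs.length == 0) return null;` at the top of the certificate path would make that case deliberate.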
@@ -29,8 +29,8 @@ import javax.servlet.http.HttpServletResponse; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.cms.realm.PKIRealm; import com.netscape.cms.tomcat.ProxyRealm; -import com.netscape.cmscore.realm.PKIRealm; import com.netscape.cmsutil.util.Utils; /** |