authorEndi Sukma Dewata <edewata@redhat.com>2012-08-21 17:38:29 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-09-05 10:09:41 -0500
commit8eb2eac080c2e9595b506f49f25d2c1718453bbc (patch)
treed63903229b737cf2e8127c02b67dfa62eeb4571a /base/common
parent63ac9595b4b193200e9b7af94f0854361a70eec9 (diff)
Added proxy realm.
CMS engine is a singleton and it's used by the PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having a separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms with the proxy realms so that authentication is forwarded to the appropriate subsystem. Ticket #89
Diffstat (limited to 'base/common')
-rw-r--r--base/common/shared/conf/context.xml4
-rw-r--r--base/common/src/CMakeLists.txt51
-rw-r--r--base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java8
-rw-r--r--base/common/src/com/netscape/cms/tomcat/ProxyRealm.java139
-rw-r--r--base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java (renamed from base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java)2
5 files changed, 197 insertions, 7 deletions
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
index b28f1bd20..4b00dbe3c 100644
--- a/base/common/shared/conf/context.xml
+++ b/base/common/shared/conf/context.xml
@@ -39,8 +39,4 @@
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
- <Valve className="com.netscape.cmscore.realm.SSLAuthenticatorWithFallback" />
-
- <Realm className="com.netscape.cmscore.realm.PKIRealm" />
-
</Context>
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index dc61b4ca7..f3702d454 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -171,6 +171,8 @@ set(PKI_CERTSRV_JAR ${CMAKE_BINARY_DIR}/dist/pki-certsrv.jar CACHE INTERNAL "pki
javac(pki-cms-classes
SOURCES
com/netscape/cms/*.java
+ EXCLUDE
+ com/netscape/cms/tomcat/*.java
CLASSPATH
${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
@@ -192,6 +194,8 @@ jar(pki-cms-jar
${CMAKE_BINARY_DIR}/classes
FILES
com/netscape/cms/*.class
+ EXCLUDE
+ com/netscape/cms/tomcat/*.class
DEPENDS
pki-cms-classes
)
@@ -249,12 +253,55 @@ if(WITH_JAVADOC)
endif(WITH_JAVADOC)
+# build pki-tomcat
+javac(pki-tomcat-classes
+ SOURCES
+ com/netscape/cms/tomcat/*.java
+ CLASSPATH
+ ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}
+ OUTPUT_DIR
+ ${CMAKE_BINARY_DIR}/classes
+ DEPENDS
+ pki-cms
+)
+
+jar(pki-tomcat-jar
+ CREATE
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar
+ INPUT_DIR
+ ${CMAKE_BINARY_DIR}/classes
+ FILES
+ com/netscape/cms/tomcat/*.class
+ DEPENDS
+ pki-tomcat-classes
+)
+
+link(pki-tomcat
+ SOURCE
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+ DEST
+ pki-tomcat-${APPLICATION_VERSION}.jar
+ DEPENDS
+ pki-tomcat-jar
+)
+
+install(
+ FILES
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar
+ DESTINATION
+ ${JAVA_JAR_INSTALL_DIR}/pki
+)
+
+set(PKI_TOMCAT_JAR ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar CACHE INTERNAL "pki-tomcat jar file")
+
+
# build pki-cmscore
javac(pki-cmscore-classes
SOURCES
com/netscape/cmscore/*.java
CLASSPATH
- ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
+ ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_TOMCAT_JAR}
${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
${APACHE_COMMONS_LANG_JAR}
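Review bot: The `DEPENDS pki-cms` under pki-tomcat-classes does not match the target's CLASSPATH, which lists only `${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}`, and the tomcat sources are excluded from pki-cms in the earlier hunk, so the dependency appears to be build ordering rather than a compile dependency; if that is the intent, a comment such as `# ordered after pki-cms only for the shared classes output dir; no compile dependency` would stop the next reader from adding PKI_CMS_JAR to the classpath. Separately, CMSStartServlet is compiled by pki-cms-classes yet now imports com.netscape.cms.tomcat.ProxyRealm and com.netscape.cmscore.realm.PKIRealm, while pki-tomcat depends on pki-cms and pki-cmscore depends on pki-tomcat; unless the javac macro resolves those through the shared OUTPUT_DIR or a sourcepath, this ordering looks circular and is worth confirming with a clean build. The pki-cms-classes CLASSPATH in the first hunk is cut off, so it may already include the jars needed.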
@@ -264,7 +311,7 @@ javac(pki-cmscore-classes
OUTPUT_DIR
${CMAKE_BINARY_DIR}/classes
DEPENDS
- pki-nsutil pki-cmsutil pki-certsrv pki-cms
+ pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-tomcat
)
jar(pki-cmscore-jar
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
index a8a4008b7..e00f2bdba 100644
--- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
@@ -29,6 +29,8 @@ import javax.servlet.http.HttpServletResponse;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cms.tomcat.ProxyRealm;
+import com.netscape.cmscore.realm.PKIRealm;
import com.netscape.cmsutil.util.Utils;
/**
@@ -89,10 +91,16 @@ public class CMSStartServlet extends HttpServlet {
}
}
}
+
try {
CMS.start(path);
} catch (EBaseException e) {
}
+
+ // Register realm for this subsystem
+ String context = getServletContext().getContextPath();
+ if (context.startsWith("/")) context = context.substring(1);
+ ProxyRealm.registerRealm(context, new PKIRealm());
}
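Review bot: The key passed to ProxyRealm.registerRealm on the last added line is the servlet context path with its leading slash removed, while ProxyRealm.setContainer stores proxies under Context.getBaseName(); for a root context the path is "" but the base name is "ROOT", and a nested path like /a/b gives "a/b" versus a base name of "a#b", so the lookup would miss and registerRealm returns silently with no log. Keying both sides on the same Tomcat-defined value avoids this, e.g. `proxies.put(context.getPath(), this)` in ProxyRealm.setContainer and `ProxyRealm.registerRealm(getServletContext().getContextPath(), new PKIRealm());` here, dropping the substring line. The registration also runs after the empty `catch (EBaseException e)` above it, so a subsystem whose CMS.start(path) failed still gets a live PKIRealm registered; consider logging and returning from that catch before registering. The enclosing method starts outside this hunk.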
public void doGet(HttpServletRequest req, HttpServletResponse res)
diff --git a/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java
new file mode 100644
index 000000000..094c0561f
--- /dev/null
+++ b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java
@@ -0,0 +1,139 @@
+package com.netscape.cms.tomcat;
+
+import java.beans.PropertyChangeListener;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.ietf.jgss.GSSContext;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class ProxyRealm implements Realm {
+
+ public static Map<String, ProxyRealm> proxies = new HashMap<String, ProxyRealm>();
+
+ public Container container;
+ public Realm realm;
+
+ public ProxyRealm() {
+ }
+
+ @Override
+ public Container getContainer() {
+ return container;
+ }
+
+ @Override
+ public void setContainer(Container container) {
+ this.container = container;
+ if (container instanceof Context) {
+ Context context = (Context)container;
+ proxies.put(context.getBaseName(), this);
+ }
+ }
+
+ public Realm getRealm() {
+ return realm;
+ }
+
+ public void setRealm(Realm realm) {
+ this.realm = realm;
+ realm.setContainer(container);
+ }
+
+ public static void registerRealm(String contextName, Realm realm) {
+ ProxyRealm proxy = proxies.get(contextName);
+ if (proxy == null) return;
+
+ proxy.setRealm(realm);
+ }
+
+ @Override
+ public Principal authenticate(String username, String password) {
+ return realm.authenticate(username, password);
+ }
+
+ @Override
+ public Principal authenticate(X509Certificate certs[]) {
+ return realm.authenticate(certs);
+ }
+
+ @Override
+ public Principal authenticate(
+ String username,
+ String digest,
+ String nonce,
+ String nc,
+ String cnonce,
+ String qop,
+ String realmName,
+ String md5a2
+ ) {
+ return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2);
+ }
+
+ @Override
+ public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ return realm.authenticate(gssContext, storeCreds);
+ }
+
+ @Override
+ public boolean hasResourcePermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraints,
+ Context context
+ ) throws IOException {
+ return realm.hasResourcePermission(request, response, constraints, context);
+ }
+
+ @Override
+ public String getInfo() {
+ return realm.getInfo();
+ }
+
+ @Override
+ public void backgroundProcess() {
+ realm.backgroundProcess();
+ }
+
+ @Override
+ public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
+ return realm.findSecurityConstraints(request, context);
+ }
+
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+ return realm.hasRole(wrapper, principal, role);
+ }
+
+ @Override
+ public boolean hasUserDataPermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraint
+ ) throws IOException {
+ return realm.hasUserDataPermission(request, response, constraint);
+ }
+
+ @Override
+ public void addPropertyChangeListener(PropertyChangeListener listener) {
+ realm.addPropertyChangeListener(listener);
+ }
+
+ @Override
+ public void removePropertyChangeListener(PropertyChangeListener listener) {
+ realm.removePropertyChangeListener(listener);
+ }
+}
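Review bot: Every delegating method from `authenticate(String, String)` downward dereferences `realm` unguarded, so any request Tomcat authenticates or authorizes before the subsystem's CMSStartServlet has called registerRealm fails with a NullPointerException instead of a deliberate refusal; a small `delegate()` accessor that throws IllegalStateException naming the container keeps the fail-closed behaviour while making the cause visible in the log. The `proxies` map is a public static HashMap written from setContainer during context startup and read from registerRealm during servlet init, which may run on different threads; making it `private static final` and a ConcurrentHashMap costs nothing since the only visible caller goes through registerRealm. The public `container` and `realm` fields already have accessors and could be private. A class Javadoc explaining that each subsystem registers its real realm by context name, and that authentication is refused until then, would also help the next maintainer.
```java
    private static final Map<String, ProxyRealm> proxies =
            new ConcurrentHashMap<String, ProxyRealm>();

    // … unchanged: container/realm fields, constructor, getContainer/setContainer, getRealm/setRealm, registerRealm …

    /** Returns the registered realm, refusing (fail closed) until the subsystem has registered one. */
    private Realm delegate() {
        if (realm == null) {
            throw new IllegalStateException("No realm registered for container " + container);
        }
        return realm;
    }

    @Override
    public Principal authenticate(String username, String password) {
        return delegate().authenticate(username, password);
    }

    // … unchanged: remaining delegating methods, each calling delegate() instead of realm …
```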
diff --git a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index 6b6af78a7..d1b3dc3f2 100644
--- a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java
+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -16,7 +16,7 @@
// All rights reserved.
// --- END COPYRIGHT BLOCK ---
-package com.netscape.cmscore.realm;
+package com.netscape.cms.tomcat;
import java.io.IOException;
import java.security.cert.X509Certificate;