author | Endi Sukma Dewata <edewata@redhat.com> | 2012-08-21 17:38:29 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-09-05 10:09:41 -0500 |
commit | 8eb2eac080c2e9595b506f49f25d2c1718453bbc (patch) | |
tree | d63903229b737cf2e8127c02b67dfa62eeb4571a /base/common | |
parent | 63ac9595b4b193200e9b7af94f0854361a70eec9 (diff) | |
Added proxy realm.
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, each registers its own realm with its proxy realm so that authentication requests are forwarded to the appropriate subsystem.
Ticket #89
Diffstat (limited to 'base/common')
-rw-r--r-- | base/common/shared/conf/context.xml | 4 | ||||
-rw-r--r-- | base/common/src/CMakeLists.txt | 51 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java | 8 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/tomcat/ProxyRealm.java | 139 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java (renamed from base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java) | 2 |
5 files changed, 197 insertions, 7 deletions
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
index b28f1bd20..4b00dbe3c 100644
--- a/base/common/shared/conf/context.xml
+++ b/base/common/shared/conf/context.xml
@@ -39,8 +39,4 @@
     <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
     -->
-    <Valve className="com.netscape.cmscore.realm.SSLAuthenticatorWithFallback" />
-
-    <Realm className="com.netscape.cmscore.realm.PKIRealm" />
-
 </Context>
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index dc61b4ca7..f3702d454 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -171,6 +171,8 @@ set(PKI_CERTSRV_JAR ${CMAKE_BINARY_DIR}/dist/pki-certsrv.jar CACHE INTERNAL "pki
 javac(pki-cms-classes
     SOURCES
         com/netscape/cms/*.java
+    EXCLUDE
+        com/netscape/cms/tomcat/*.java
     CLASSPATH
         ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
         ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
@@ -192,6 +194,8 @@ jar(pki-cms-jar
         ${CMAKE_BINARY_DIR}/classes
     FILES
         com/netscape/cms/*.class
+    EXCLUDE
+        com/netscape/cms/tomcat/*.class
     DEPENDS
         pki-cms-classes
 )
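Review bot: The shared context.xml now declares neither an authenticator valve nor a realm, and nothing else in this diff adds `com.netscape.cms.tomcat.ProxyRealm` or the relocated `com.netscape.cms.tomcat.SSLAuthenticatorWithFallback` to any context descriptor, so a subsystem deployed from this file inherits whatever realm the Host or Engine provides and no longer installs the SSL authenticator valve. Presumably the per-instance context descriptors (outside this diff) are meant to carry `<Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback" />` and `<Realm className="com.netscape.cms.tomcat.ProxyRealm" />`; that requirement should be recorded where the lines were removed, e.g. `<!-- The PKI authenticator valve and ProxyRealm must be declared in the instance's context descriptor; without them PKI authentication is not enforced. -->`.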
@@ -249,12 +253,55 @@ if(WITH_JAVADOC)
 endif(WITH_JAVADOC)
+# build pki-tomcat
+javac(pki-tomcat-classes
+    SOURCES
+        com/netscape/cms/tomcat/*.java
+    CLASSPATH
+        ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}
+    OUTPUT_DIR
+        ${CMAKE_BINARY_DIR}/classes
+    DEPENDS
+        pki-cms
+)
+
+jar(pki-tomcat-jar
+    CREATE
+        ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar
+    INPUT_DIR
+        ${CMAKE_BINARY_DIR}/classes
+    FILES
+        com/netscape/cms/tomcat/*.class
+    DEPENDS
+        pki-tomcat-classes
+)
+
+link(pki-tomcat
+    SOURCE
+        ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+    DEST
+        pki-tomcat-${APPLICATION_VERSION}.jar
+    DEPENDS
+        pki-tomcat-jar
+)
+
+install(
+    FILES
+        ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+        ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar
+    DESTINATION
+        ${JAVA_JAR_INSTALL_DIR}/pki
+)
+
+set(PKI_TOMCAT_JAR ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar CACHE INTERNAL "pki-tomcat jar file")
+
+
 # build pki-cmscore
 javac(pki-cmscore-classes
     SOURCES
         com/netscape/cmscore/*.java
     CLASSPATH
-        ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
+        ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_TOMCAT_JAR}
         ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
         ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${APACHE_COMMONS_LANG_JAR}
@@ -264,7 +311,7 @@ javac(pki-cmscore-classes
     OUTPUT_DIR
         ${CMAKE_BINARY_DIR}/classes
     DEPENDS
-        pki-nsutil pki-cmsutil pki-certsrv pki-cms
+        pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-tomcat
 )
 jar(pki-cmscore-jar
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
index a8a4008b7..e00f2bdba 100644
--- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
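Review bot: The build order for the new `pki-tomcat` target looks inverted: `javac(pki-tomcat-classes ... DEPENDS pki-cms)` makes it wait for pki-cms, yet `CMSStartServlet` in the pki-cms compile unit now imports `com.netscape.cms.tomcat.ProxyRealm`, and the `pki-cms-classes` CLASSPATH (earlier hunk) does not include `${PKI_TOMCAT_JAR}`. Unless the `javac()` macro relies on implicit source-path compilation, pki-cms cannot resolve ProxyRealm when it is built first; the tomcat classes themselves need only `${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}`, so the dependency should point the other way. I would move the whole pki-tomcat block (including `set(PKI_TOMCAT_JAR ...)`, which must be evaluated before it is expanded) above the pki-cms block, drop `DEPENDS pki-cms` from `pki-tomcat-classes`, and add `${PKI_TOMCAT_JAR}` and `pki-tomcat` to the CLASSPATH and DEPENDS of `pki-cms-classes`. Separately, `install()` places pki-tomcat.jar only under `${JAVA_JAR_INSTALL_DIR}/pki` while the commit message says Tomcat needs it in common/lib; presumably the instance deployment tooling links it there, but that is not visible in this diff.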
@@ -29,6 +29,8 @@ import javax.servlet.http.HttpServletResponse;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cms.tomcat.ProxyRealm;
+import com.netscape.cmscore.realm.PKIRealm;
 import com.netscape.cmsutil.util.Utils;
 /**
@@ -89,10 +91,16 @@ public class CMSStartServlet extends HttpServlet {
             }
         }
     }
+
         try {
             CMS.start(path);
         } catch (EBaseException e) {
         }
+
+        // Register realm for this subsystem
+        String context = getServletContext().getContextPath();
+        if (context.startsWith("/")) context = context.substring(1);
+        ProxyRealm.registerRealm(context, new PKIRealm());
     }
     public void doGet(HttpServletRequest req, HttpServletResponse res)
diff --git a/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java
new file mode 100644
index 000000000..094c0561f
--- /dev/null
+++ b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java
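Review bot: `ProxyRealm.registerRealm` returns silently when no proxy is keyed under `context`, so if the name derived here from `getContextPath()` with the leading slash stripped differs from the `Context.getBaseName()` key that `ProxyRealm.setContainer` stores, the subsystem starts with no realm and no diagnostic; for the ROOT context (`""` versus, presumably, `"ROOT"`) and for nested context paths those two names are unlikely to agree, which is worth confirming against Tomcat. The registration also runs unconditionally after the `catch (EBaseException e) {}` that swallows a failed `CMS.start`, so a PKIRealm is installed for a subsystem that never started. I would have registerRealm report whether a proxy was found and fail initialization otherwise, e.g. `if (!ProxyRealm.registerRealm(context, new PKIRealm())) throw new ServletException("No ProxyRealm registered for context '" + context + "'");` (importing `javax.servlet.ServletException` if it is not already in scope). The enclosing method starts outside this hunk.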
@@ -0,0 +1,139 @@
+package com.netscape.cms.tomcat;
+
+import java.beans.PropertyChangeListener;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.ietf.jgss.GSSContext;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class ProxyRealm implements Realm {
+
+    public static Map<String, ProxyRealm> proxies = new HashMap<String, ProxyRealm>();
+
+    public Container container;
+    public Realm realm;
+
+    public ProxyRealm() {
+    }
+
+    @Override
+    public Container getContainer() {
+        return container;
+    }
+
+    @Override
+    public void setContainer(Container container) {
+        this.container = container;
+        if (container instanceof Context) {
+            Context context = (Context)container;
+            proxies.put(context.getBaseName(), this);
+        }
+    }
+
+    public Realm getRealm() {
+        return realm;
+    }
+
+    public void setRealm(Realm realm) {
+        this.realm = realm;
+        realm.setContainer(container);
+    }
+
+    public static void registerRealm(String contextName, Realm realm) {
+        ProxyRealm proxy = proxies.get(contextName);
+        if (proxy == null) return;
+
+        proxy.setRealm(realm);
+    }
+
+    @Override
+    public Principal authenticate(String username, String password) {
+        return realm.authenticate(username, password);
+    }
+
+    @Override
+    public Principal authenticate(X509Certificate certs[]) {
+        return realm.authenticate(certs);
+    }
+
+    @Override
+    public Principal authenticate(
+            String username,
+            String digest,
+            String nonce,
+            String nc,
+            String cnonce,
+            String qop,
+            String realmName,
+            String md5a2
+    ) {
+        return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2);
+    }
+
+    @Override
+    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+        return realm.authenticate(gssContext, storeCreds);
+    }
+
+    @Override
+    public boolean hasResourcePermission(
+            Request request,
+            Response response,
+            SecurityConstraint[] constraints,
+            Context context
+    ) throws IOException {
+        return realm.hasResourcePermission(request, response, constraints, context);
+    }
+
+    @Override
+    public String getInfo() {
+        return realm.getInfo();
+    }
+
+    @Override
+    public void backgroundProcess() {
+        realm.backgroundProcess();
+    }
+
+    @Override
+    public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
+        return realm.findSecurityConstraints(request, context);
+    }
+
+    @Override
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+        return realm.hasRole(wrapper, principal, role);
+    }
+
+    @Override
+    public boolean hasUserDataPermission(
+            Request request,
+            Response response,
+            SecurityConstraint[] constraint
+    ) throws IOException {
+        return realm.hasUserDataPermission(request, response, constraint);
+    }
+
+    @Override
+    public void addPropertyChangeListener(PropertyChangeListener listener) {
+        realm.addPropertyChangeListener(listener);
+    }
+
+    @Override
+    public void removePropertyChangeListener(PropertyChangeListener listener) {
+        realm.removePropertyChangeListener(listener);
+    }
+}
diff --git a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index 6b6af78a7..d1b3dc3f2 100644
--- a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java
+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -16,7 +16,7 @@
 // All rights reserved.
 // --- END COPYRIGHT BLOCK ---
-package com.netscape.cmscore.realm;
+package com.netscape.cms.tomcat;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
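Review bot: `registerRealm` and `setRealm` overwrite an already-registered realm unconditionally, and `proxies` is a `public static` map, so any code loaded in the same Tomcat instance (the jar lives in the shared loader per the commit message) can replace a subsystem's realm after startup and take over its authentication and authorization decisions. Every delegating method also dereferences `realm` with no null check, so a request that arrives before the subsystem's CMSStartServlet has registered, or after a mis-keyed registration, fails with a NullPointerException; that is fail-closed, but it hides the misconfiguration and Tomcat's periodic `backgroundProcess` callback would throw the same way. I would make the registry private, reject a second registration, have registerRealm report whether a proxy was found, and route the delegating methods through a guard that names the missing realm; whether a servlet re-init without a context reload must be allowed to re-register is something to confirm before adopting the throw. If contexts are deployed from several threads, `proxies` should additionally become a `ConcurrentHashMap`, since `setContainer` writes to it during deployment.

```java
private static final Map<String, ProxyRealm> proxies = new HashMap<String, ProxyRealm>();

// … unchanged: container, realm, constructor, getContainer, setContainer, getRealm …

public void setRealm(Realm realm) {
    if (this.realm != null) {
        throw new IllegalStateException("Realm already registered for " + container);
    }
    this.realm = realm;
    realm.setContainer(container);
}

public static boolean registerRealm(String contextName, Realm realm) {
    ProxyRealm proxy = proxies.get(contextName);
    if (proxy == null) return false;
    proxy.setRealm(realm);
    return true;
}

// Fail loudly (and closed) while no subsystem realm has been registered.
private Realm delegate() {
    if (realm == null) {
        throw new IllegalStateException("No realm registered for " + container);
    }
    return realm;
}

@Override
public Principal authenticate(String username, String password) {
    return delegate().authenticate(username, password);
}

@Override
public void backgroundProcess() {
    if (realm != null) realm.backgroundProcess(); // periodic callback; nothing to do before registration
}

// … unchanged: remaining delegating methods, each calling delegate() in place of realm …
```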