authorEndi S. Dewata <edewata@redhat.com>2015-09-28 22:37:02 +0200
committerMatthew Harmsen <mharmsen@redhat.com>2015-09-30 11:54:04 -0600
commit8a7fbb03f8317a881032e098b6360018878ac280 (patch)
treefe79157ad6a0c2a9b32eab358a3fb136daf49359 /base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
parentfe956dab8709e7c2bf892b7a87f5c170baedd679 (diff)
Refactored certificate processors.
The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets). The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes. https://fedorahosted.org/pki/ticket/1463 (cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java64
1 files changed, 47 insertions, 17 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 5f6f45cb8..e3b3d3497 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
@@ -358,10 +359,14 @@ public class CAProcessor extends Processor {
* authenticate for renewal - more to add necessary params/values
* to the session context
*/
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ IRequest origReq,
+ SessionContext context,
+ AuthCredentials credentials) throws EBaseException
{
- IAuthToken authToken = authenticate(authenticator, request);
+ IAuthToken authToken = authenticate(authenticator, request, credentials);
// For renewal, fill in necessary params
if (authToken != null) {
String ouid = origReq.getExtDataInString("auth_token.uid");
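Review bot: The comment above this overload still only says "authenticate for renewal" and does not mention the new `credentials` parameter, which may be null per the `if (credentials == null)` fallback in the three-argument overload. I would add `@param credentials caller-supplied credentials (REST), or null to build them from the request parameters (legacy servlets)` here. The five-argument overload taking `isRenewal` further down has the same gap. The method body continues outside the hunk.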
@@ -417,18 +422,23 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request) throws EBaseException {
- AuthCredentials credentials = new AuthCredentials();
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ AuthCredentials credentials) throws EBaseException {
- // build credential
- Enumeration<String> authNames = authenticator.getValueNames();
+ if (credentials == null) {
+ credentials = new AuthCredentials();
- if (authNames != null) {
- while (authNames.hasMoreElements()) {
- String authName = authNames.nextElement();
+ // build credential
+ Enumeration<String> authNames = authenticator.getValueNames();
- credentials.set(authName, request.getParameter(authName));
+ if (authNames != null) {
+ while (authNames.hasMoreElements()) {
+ String authName = authNames.nextElement();
+
+ credentials.set(authName, request.getParameter(authName));
+ }
}
}
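Review bot: When `credentials` is non-null the whole `if (credentials == null) {` block is skipped, so the caller-supplied AuthCredentials is used without being restricted to `authenticator.getValueNames()`, whereas the servlet path copies only those declared names. The commit description says REST clients supply these values via request attributes, so the names should either be filtered against the authenticator's value names here or the method should document that the caller has already done so. Whether CertProcessor performs that filtering is not visible in this diff. At minimum a comment such as `// caller-supplied credentials are used as-is; request parameters are ignored` would make the trust boundary explicit. The method body continues outside the hunk.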
@@ -447,8 +457,13 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator,
- SessionContext context, boolean isRenewal) throws EBaseException {
+ public IAuthToken authenticate(
+ HttpServletRequest request,
+ IRequest origReq,
+ IProfileAuthenticator authenticator,
+ SessionContext context,
+ boolean isRenewal,
+ AuthCredentials credentials) throws EBaseException {
startTiming("profile_authentication");
IAuthToken authToken = null;
@@ -475,12 +490,27 @@ public class CAProcessor extends Processor {
String auditMessage = null;
try {
if (isRenewal) {
- authToken = authenticate(authenticator, request, origReq, context);
+ authToken = authenticate(authenticator, request, origReq, context, credentials);
} else {
- authToken = authenticate(authenticator, request);
+ authToken = authenticate(authenticator, request, credentials);
}
+
+ } catch (EAuthException e) {
+ CMS.debug("CAProcessor: authentication error: " + e);
+
+ authSubjectID += " : " + uid_cred;
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+ authSubjectID,
+ ILogger.FAILURE,
+ authMgrID,
+ uid_attempted_cred);
+ audit(auditMessage);
+
+ throw e;
+
} catch (EBaseException e) {
- CMS.debug("CertProcessor: authentication error " + e.toString());
+ CMS.debug(e);
authSubjectID += " : " + uid_cred;
auditMessage = CMS.getLogMessage(