authorEndi S. Dewata <edewata@redhat.com>2015-09-28 22:37:02 +0200
committerEndi S. Dewata <edewata@redhat.com>2015-09-30 15:27:20 +0200
commitb1559af37ddb6c9dfeb25ae69cb220a0139005c9 (patch)
tree265ca612391f711d120932c8904e7f167ba66c14 /base/server/cms/src/com/netscape/cms/servlet/processors
parent6a1606ee52022e2abc023efc5be155f4fe76e84b (diff)
Refactored certificate processors.
The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets). The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes. https://fedorahosted.org/pki/ticket/1463
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/processors')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java64
1 files changed, 47 insertions, 17 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 5f6f45cb8..e3b3d3497 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
@@ -358,10 +359,14 @@ public class CAProcessor extends Processor {
* authenticate for renewal - more to add necessary params/values
* to the session context
*/
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ IRequest origReq,
+ SessionContext context,
+ AuthCredentials credentials) throws EBaseException
{
- IAuthToken authToken = authenticate(authenticator, request);
+ IAuthToken authToken = authenticate(authenticator, request, credentials);
// For renewal, fill in necessary params
if (authToken != null) {
String ouid = origReq.getExtDataInString("auth_token.uid");
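Review bot: The comment above this renewal overload still says only "authenticate for renewal" and does not describe the new `credentials` parameter. A `null` value selects the legacy path that reads the credentials from `request`, as the `if (credentials == null)` branch in the next hunk shows. I would add a Javadoc line such as `@param credentials credentials supplied by a REST caller, or null to build them from the request parameters`, and repeat it on the other two `authenticate` overloads changed in the hunks at -417 and -447. The method body continues past the end of this hunk.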
@@ -417,18 +422,23 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request) throws EBaseException {
- AuthCredentials credentials = new AuthCredentials();
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ AuthCredentials credentials) throws EBaseException {
- // build credential
- Enumeration<String> authNames = authenticator.getValueNames();
+ if (credentials == null) {
+ credentials = new AuthCredentials();
- if (authNames != null) {
- while (authNames.hasMoreElements()) {
- String authName = authNames.nextElement();
+ // build credential
+ Enumeration<String> authNames = authenticator.getValueNames();
- credentials.set(authName, request.getParameter(authName));
+ if (authNames != null) {
+ while (authNames.hasMoreElements()) {
+ String authName = authNames.nextElement();
+
+ credentials.set(authName, request.getParameter(authName));
+ }
}
}
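Review bot: A non-null `credentials` skips the loop over `authenticator.getValueNames()`, so on the REST path the attribute names handed on are whatever the caller put into the object, not the set the authenticator declares. The servlet path keeps that allow-list, which leaves the two entry points with different input validation for the same authenticator. Whether authenticators ignore undeclared attributes, and whether later code in this method overwrites any server-derived attributes on the same object, is not visible in the hunk. I would copy only the declared names into a fresh `AuthCredentials` for both sources, as sketched below, or at least document that callers must pre-filter. The rest of the method lies outside the hunk.

```java
// Copy only the attributes this authenticator declares, whichever source they come from.
AuthCredentials supplied = credentials;
credentials = new AuthCredentials();

Enumeration<String> authNames = authenticator.getValueNames();
if (authNames != null) {
    while (authNames.hasMoreElements()) {
        String authName = authNames.nextElement();
        Object value = supplied != null
                ? supplied.get(authName)
                : request.getParameter(authName);
        credentials.set(authName, value);
    }
}
// … unchanged: rest of authenticate() outside the hunk …
```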
@@ -447,8 +457,13 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator,
- SessionContext context, boolean isRenewal) throws EBaseException {
+ public IAuthToken authenticate(
+ HttpServletRequest request,
+ IRequest origReq,
+ IProfileAuthenticator authenticator,
+ SessionContext context,
+ boolean isRenewal,
+ AuthCredentials credentials) throws EBaseException {
startTiming("profile_authentication");
IAuthToken authToken = null;
@@ -475,12 +490,27 @@ public class CAProcessor extends Processor {
String auditMessage = null;
try {
if (isRenewal) {
- authToken = authenticate(authenticator, request, origReq, context);
+ authToken = authenticate(authenticator, request, origReq, context, credentials);
} else {
- authToken = authenticate(authenticator, request);
+ authToken = authenticate(authenticator, request, credentials);
}
+
+ } catch (EAuthException e) {
+ CMS.debug("CAProcessor: authentication error: " + e);
+
+ authSubjectID += " : " + uid_cred;
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+ authSubjectID,
+ ILogger.FAILURE,
+ authMgrID,
+ uid_attempted_cred);
+ audit(auditMessage);
+
+ throw e;
+
} catch (EBaseException e) {
- CMS.debug("CertProcessor: authentication error " + e.toString());
+ CMS.debug(e);
authSubjectID += " : " + uid_cred;
auditMessage = CMS.getLogMessage(