author | Endi S. Dewata <edewata@redhat.com> | 2015-10-02 00:09:36 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-10-02 18:30:40 +0200 |
commit | 017d582ba50fe4ffc4bedf40a5229fb6aa381b37 (patch) | |
tree | bfb149fc5b290bd1ccbb39d2c170cf08a3c9455e /base/server/cms | |
parent | 29801060fa86b6f196ef694c6672d909ea5336e4 (diff) | |
Fixed user search in PasswdUserDBAuthentication.
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.
https://fedorahosted.org/pki/ticket/1580
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/realm/PKIRealm.java | 33 | ||||
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java | 10 |
2 files changed, 20 insertions, 23 deletions
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index 73fae47fd..1933601db 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -6,8 +6,6 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.catalina.realm.RealmBase;
 import org.apache.commons.lang.StringUtils;
@@ -25,6 +23,8 @@ import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cms.servlet.common.AuthCredentials;
+import netscape.security.x509.X509CertImpl;
+
 /**
 * PKI Realm
 *
@@ -47,7 +47,7 @@ public class PKIRealm extends RealmBase {
 @Override
 public Principal authenticate(String username, String password) {
- logDebug("Authenticating username "+username+" with password.");
+ CMS.debug("PKIRealm: Authenticating user " + username + " with password.");
 String auditMessage = null;
 String auditSubjectID = ILogger.UNIDENTIFIED;
 String attemptedAuditUID = username;
@@ -61,7 +61,7 @@ public class PKIRealm extends RealmBase {
 creds.set(IPasswdUserDBAuthentication.CRED_PWD, password);
 IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
- authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+ authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
 auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 // store a message in the signed audit log file
@@ -91,7 +91,7 @@ public class PKIRealm extends RealmBase {
 @Override
 public Principal authenticate(final X509Certificate certs[]) {
- logDebug("Authenticating certificate chain:");
+ CMS.debug("PKIRealm: Authenticating certificate chain:");
 String auditMessage = null;
 // get the cert from the ssl client auth 
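Review bot: The new `CMS.debug("PKIRealm: Authenticating user " + username + " with password.")` line in the `@@ -47,7 +47,7 @@` hunk writes the client-supplied `username` into the debug log unmodified; unless `CMS.debug` strips control characters (not visible here), a name containing CR/LF lets an unauthenticated caller forge extra log lines. The removed `logDebug` had the same exposure, so this is not a regression, but since the commit is rewriting every call site it is the cheapest moment to neutralise it, e.g. `String safeUser = username == null ? null : username.replaceAll("[\\r\\n]", " ");` and log `safeUser` instead; the same applies to the `PKIRealm: User ID:` line in the later hunk. The rest of `authenticate(String, String)` continues outside this hunk.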
@@ -105,7 +105,7 @@ public class PKIRealm extends RealmBase {
 X509CertImpl certImpls[] = new X509CertImpl[certs.length];
 for (int i=0; i<certs.length; i++) {
 X509Certificate cert = certs[i];
- logDebug(" "+cert.getSubjectDN());
+ CMS.debug("PKIRealm: " + cert.getSubjectDN());
 // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl
 certImpls[i] = new X509CertImpl(cert.getEncoded());
@@ -123,7 +123,7 @@ public class PKIRealm extends RealmBase {
 // reset it to the one authenticated with authManager
 auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
- logDebug("User ID: "+username);
+ CMS.debug("PKIRealm: User ID: " + username);
 // store a message in the signed audit log file
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
@@ -181,7 +181,7 @@ public class PKIRealm extends RealmBase {
 protected IUser getUser(String username) throws EUsrGrpException {
 IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 IUser user = ugSub.getUser(username);
- logDebug("User DN: "+user.getUserDN());
+ CMS.debug("PKIRealm: User DN: " + user.getUserDN());
 return user;
 }
@@ -192,12 +192,12 @@ public class PKIRealm extends RealmBase {
 IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 Enumeration<IGroup> groups = ugSub.findGroupsByUser(user.getUserDN(), null);
- logDebug("Roles:");
+ CMS.debug("PKIRealm: Roles:");
 while (groups.hasMoreElements()) {
 IGroup group = groups.nextElement();
 String name = group.getName();
- logDebug(" "+name);
+ CMS.debug("PKIRealm: " + name);
 roles.add(name);
 }
@@ -209,19 +209,6 @@ public class PKIRealm extends RealmBase {
 return null;
 }
- /*
- * TODO: Figure out how to do real logging
- */
- public void logErr(String msg) {
- System.err.println(msg);
- CMS.debug("PKIRealm.logErr: " + msg);
- }
-
- public void logDebug(String msg) {
- System.out.println("PKIRealm: "+msg);
- CMS.debug("PKIRealm.logDebug: " + msg);
- }
-
 /**
 * Signed Audit Log
 *
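Review bot: In the `@@ -181,7 +181,7 @@` hunk, `getUser` dereferences the result of `ugSub.getUser(username)` on the new `CMS.debug("PKIRealm: User DN: " + user.getUserDN())` line before returning it; if `IUGSubsystem.getUser` can return null for an unknown user rather than throwing `EUsrGrpException` (its contract is not visible here), the debug statement turns a lookup miss into a `NullPointerException` inside the realm. The one-line fix is `CMS.debug("PKIRealm: User DN: " + (user == null ? "(not found)" : user.getUserDN()));`, which keeps the return value unchanged for callers. Worth confirming against the `IUGSubsystem` implementation before closing the ticket, since the commit message says user lookup was just changed to go through this subsystem.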
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
index bae25b660..b6461abfd 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -18,6 +18,7 @@ package org.dogtagpki.server.rest;
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.security.Principal;
 import java.util.Locale;
@@ -28,6 +29,8 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.jboss.resteasy.core.ResourceMethodInvoker;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
@@ -59,6 +62,13 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
 @Override
 public void filter(ContainerRequestContext requestContext) throws IOException {
+ ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext
+ .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
+ Method method = methodInvoker.getMethod();
+ Class<?> clazz = methodInvoker.getResourceClass();
+
+ CMS.debug("SessionContextInterceptor: " + clazz.getSimpleName() + "." + method.getName() + "()");
+
 Principal principal = securityContext.getUserPrincipal();
 // If unauthenticated, ignore. |
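Review bot: In the `@@ -59,6 +62,13 @@` hunk the value returned by `requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker")` is cast and dereferenced unconditionally (`methodInvoker.getMethod()`, `methodInvoker.getResourceClass()`); `getProperty` returns null when the property is absent, so any request that reaches this filter without a matched resource method would fail with a `NullPointerException` on a pure logging statement, before the `Principal` check below even runs. Guard the diagnostic so it cannot break request handling: `if (methodInvoker != null) {` / `    CMS.debug("SessionContextInterceptor: " + methodInvoker.getResourceClass().getSimpleName() + "." + methodInvoker.getMethod().getName() + "()");` / `}`. Whether RESTEasy always sets this property for a post-matching filter is not visible here, so treat the null case as reachable. The body of `filter` continues outside this hunk.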