Extract common base class for SSLAuthenticatorWithFallback

Two Tomcat version-specific implementations of SSLAuthenticatorWithFallback exist, with much duplicate code. Extract an abstract base class 'AbstractPKIAuthenticator' and implement just the unique bits in the concrete classes. Part of: https://fedorahosted.org/pki/ticket/1359
author: Fraser Tweedale <ftweedal@redhat.com> 2015-12-03 16:09:04 +1100
committer: Fraser Tweedale <ftweedal@redhat.com> 2016-01-21 19:59:17 +1000
commit: 67ac39227e5db83c7a4a7ad72364f3dcd30db05e (patch)
tree: 62fbd3b5a12f71d35676089f405b2d2e42285011 /base/server/tomcat/src
parent: cbcdeddc2e794be3955edf20ea1597e58c443ba6 (diff)
download: pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.tar.gz
pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.tar.xz
pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.zip
1 files changed, 165 insertions, 0 deletions
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java
new file mode 100644
index 000000000..f98377dc2
--- /dev/null
+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java
@@ -0,0 +1,165 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Globals;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Authenticator;
+import org.apache.catalina.authenticator.AuthenticatorBase;
+import org.apache.catalina.authenticator.BasicAuthenticator;
+import org.apache.catalina.authenticator.FormAuthenticator;
+import org.apache.catalina.authenticator.SSLAuthenticator;
+import org.apache.catalina.connector.Request;
+
+/**
+ * @author Endi S. Dewata
+ */
+public abstract class AbstractPKIAuthenticator extends AuthenticatorBase {
+
+    public final static String BASIC_AUTHENTICATOR = "BASIC";
+    public final static String FORM_AUTHENTICATOR = "FORM";
+
+    String fallbackMethod = BASIC_AUTHENTICATOR;
+
+    AuthenticatorBase sslAuthenticator = new SSLAuthenticator();
+    AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator();
+
+    public AbstractPKIAuthenticator() {
+        log("Creating SSL authenticator with fallback");
+    }
+
+    public String getFallbackMethod() {
+        return fallbackMethod;
+    }
+
+    public void setFallbackMethod(String fallbackMethod) {
+        log("Fallback method: "+fallbackMethod);
+        this.fallbackMethod = fallbackMethod;
+
+        if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
+            fallbackAuthenticator = new BasicAuthenticator();
+
+        } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
+            fallbackAuthenticator = new FormAuthenticator();
+        }
+
+    }
+
+    public boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
+        X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
+        boolean result;
+
+        if (certs != null && certs.length > 0) {
+            log("Authenticate with client certificate authentication");
+            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
+                public void setHeader(String name, String value) {
+                    log("SSL auth header: "+name+"="+value);
+                };
+                public void sendError(int code) {
+                    log("SSL auth return code: "+code);
+                }
+            };
+            result = doSubAuthenticate(sslAuthenticator, request, wrapper);
+
+        } else {
+            log("Authenticating with "+fallbackMethod+" authentication");
+            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
+                public void setHeader(String name, String value) {
+                    log("Fallback auth header: "+name+"="+value);
+                };
+                public void sendError(int code) {
+                    log("Fallback auth return code: "+code);
+                }
+            };
+            result = doSubAuthenticate(fallbackAuthenticator, request, wrapper);
+        }
+
+        if (result)
+            return true;
+
+        log("Result: "+result);
+        String realmName = doGetRealmName(request);
+        response.setHeader(AUTH_HEADER_NAME,
+            "Basic realm=\"" + (realmName == null ? REALM_NAME : realmName) + "\"");
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+
+        return false;
+    }
+
+    public abstract boolean doSubAuthenticate(
+        Authenticator auth, Request req, HttpServletResponse resp)
+        throws IOException;
+
+    public abstract String doGetRealmName(Request req);
+
+
+    @Override
+    protected String getAuthMethod() {
+        return HttpServletRequest.CLIENT_CERT_AUTH;
+    };
+
+    @Override
+    public void setContainer(Container container) {
+        log("Setting container");
+        super.setContainer(container);
+        sslAuthenticator.setContainer(container);
+        fallbackAuthenticator.setContainer(container);
+    }
+
+    @Override
+    protected void initInternal() throws LifecycleException {
+        log("Initializing authenticators");
+
+        super.initInternal();
+
+        sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
+        sslAuthenticator.init();
+
+        fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
+        fallbackAuthenticator.init();
+    }
+
+    @Override
+    public void startInternal() throws LifecycleException {
+        log("Starting authenticators");
+        super.startInternal();
+        sslAuthenticator.start();
+        fallbackAuthenticator.start();
+    }
+
+    @Override
+    public void stopInternal() throws LifecycleException {
+        log("Stopping authenticators");
+        super.stopInternal();
+        sslAuthenticator.stop();
+        fallbackAuthenticator.stop();
+    }
+
+    public void log(String message) {
+        System.out.println("SSLAuthenticatorWithFallback: "+message);
+    }
+}
author	Fraser Tweedale <ftweedal@redhat.com>	2015-12-03 16:09:04 +1100
committer	Fraser Tweedale <ftweedal@redhat.com>	2016-01-21 19:59:17 +1000
commit	67ac39227e5db83c7a4a7ad72364f3dcd30db05e (patch)
tree	62fbd3b5a12f71d35676089f405b2d2e42285011 /base/server/tomcat/src
parent	cbcdeddc2e794be3955edf20ea1597e58c443ba6 (diff)
download	pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.tar.gz pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.tar.xz pki-67ac39227e5db83c7a4a7ad72364f3dcd30db05e.zip