author | Ade Lee <alee@redhat.com> | 2013-04-12 12:25:01 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-04-16 12:11:33 -0400 |
commit | 898f5330dd38266ca378e16e5fd44f8ddc87d507 (patch) | |
tree | be4bb879cdab6f3ed686f56db95eeebe8df9a49b /base | |
parent | 2fcbc293f6020f22aff0052cce5993d43c6ca2ed (diff) | |
Added tokenAuthenticate to admin interface
Modified code to use this interface by default. Added required
migration script code.
Ticket 546
Diffstat (limited to 'base')
3 files changed, 131 insertions, 26 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index 7528c310d..2150a1dba 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -1786,6 +1786,19 @@ </servlet> <servlet> + <servlet-name> caTokenAuthenticate-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caTokenAuthenticate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + </servlet> + + <servlet> <servlet-name> caProxyProfileSubmit </servlet-name> <servlet-class> com.netscape.cms.servlet.base.ProxyServlet </servlet-class> <init-param><param-name> destServlet </param-name> @@ -2352,6 +2365,11 @@ </servlet-mapping> <servlet-mapping> + <servlet-name> caTokenAuthenticate-admin </servlet-name> + <url-pattern> /admin/ca/tokenAuthenticate </url-pattern> + </servlet-mapping> + + <servlet-mapping> <servlet-name> caUpdateOCSPConfig </servlet-name> <url-pattern> /ee/ca/updateOCSPConfig </url-pattern> </servlet-mapping> diff --git a/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java index 923b05019..99abad7eb 100644 --- a/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java +++ b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java @@ -18,6 +18,7 @@ package com.netscape.cms.authentication; import java.io.ByteArrayInputStream; +import java.io.IOException; import java.util.Enumeration; import java.util.Locale; import java.util.Vector; 
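Review bot: The new `caTokenAuthenticate-admin` servlet is declared with `GetClientCert` false and no `AuthMgr`/`AuthzMgr` init-params, so whether anything gates `/admin/ca/tokenAuthenticate` rests entirely on checks inside `TokenAuthenticate` itself, and nothing in web.xml records that this is intended. Presumably it is — this is the endpoint that `TokenAuthentication.java` in the same commit posts session ids to, so the session id is the credential — but a later hardening pass that adds an `AuthMgr` to every admin servlet would break cloning silently. Add an XML comment above the `<servlet>` such as `<!-- intentionally no AuthMgr: this servlet validates session ids sent by other subsystems (see TokenAuthentication.java) -->`. The same wording belongs in the upgrade-script template that duplicates this fragment.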
@@ -136,30 +137,36 @@ public class TokenAuthentication implements IAuthManager, String sessionId = (String) authCred.get(CRED_SESSION_ID); String givenHost = (String) authCred.get("clientHost"); - String auth_host = sconfig.getString("securitydomain.host"); - int auth_port = sconfig.getInteger("securitydomain.httpseeport"); + String authHost = sconfig.getString("securitydomain.host"); + int authAdminPort = sconfig.getInteger("securitydomain.httpsadminport"); + int authEEPort = sconfig.getInteger("securitydomain.httpseeport"); + String authURL = "/ca/admin/ca/tokenAuthenticate"; + + String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost; + CMS.debug("TokenAuthentication: content=" + content); - HttpClient httpclient = new HttpClient(); String c = null; try { - JssSSLSocketFactory factory = new JssSSLSocketFactory(); - httpclient = new HttpClient(factory); - String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost; - CMS.debug("TokenAuthentication: content=" + content); - httpclient.connect(auth_host, auth_port); - HttpRequest httprequest = new HttpRequest(); - httprequest.setMethod(HttpRequest.POST); - httprequest.setURI("/ca/ee/ca/tokenAuthenticate"); - httprequest.setHeader("user-agent", "HTTPTool/1.0"); - httprequest.setHeader("content-length", "" + content.length()); - httprequest.setHeader("content-type", - "application/x-www-form-urlencoded"); - httprequest.setContent(content); - HttpResponse httpresponse = httpclient.send(httprequest); - - c = httpresponse.getContent(); + c = sendAuthRequest(authHost, authAdminPort, authURL, content); + // in case where the new interface does not exist, EE will return a badly + // formatted response which will throw an exception during parsing + if (c != null) { + @SuppressWarnings("unused") + XMLObject parser = new XMLObject(new ByteArrayInputStream(c.getBytes())); + } } catch (Exception e) { - CMS.debug("TokenAuthentication authenticate Exception=" + e.toString()); + + 
CMS.debug("TokenAuthenticate: failed to contact admin host:port " + + authHost + ":" + authAdminPort + " " + e); + CMS.debug("TokenAuthenticate: attempting ee port " + authEEPort); + authURL = "/ca/ee/ca/tokenAuthenticate"; + try { + c = sendAuthRequest(authHost, authEEPort, authURL, content); + } catch (IOException e1) { + CMS.debug("TokenAuthenticate: failed to contact EE host:port " + + authHost + ":" + authAdminPort + " " + e1); + throw new EBaseException(e1.getMessage()); + } } if (c != null) { @@ -204,6 +211,29 @@ public class TokenAuthentication implements IAuthManager, return authToken; } + private String sendAuthRequest(String authHost, int authPort, String authUrl, String content) + throws IOException { + HttpClient httpclient = new HttpClient(); + String c = null; + + JssSSLSocketFactory factory = new JssSSLSocketFactory(); + httpclient = new HttpClient(factory); + httpclient.connect(authHost, authPort); + HttpRequest httprequest = new HttpRequest(); + httprequest.setMethod(HttpRequest.POST); + httprequest.setURI(authUrl); + httprequest.setHeader("user-agent", "HTTPTool/1.0"); + httprequest.setHeader("content-length", "" + content.length()); + httprequest.setHeader("content-type", + "application/x-www-form-urlencoded"); + httprequest.setContent(content); + + HttpResponse httpresponse = httpclient.send(httprequest); + c = httpresponse.getContent(); + + return c; + } + /** * get the list of authentication credential attribute names * required by this authentication manager. Generally used by diff --git a/base/server/upgrade/10.0.1/02-CloningInterfaceChanges b/base/server/upgrade/10.0.1/02-CloningInterfaceChanges index 524978d4d..6b3f6b6f5 100755 --- a/base/server/upgrade/10.0.1/02-CloningInterfaceChanges +++ b/base/server/upgrade/10.0.1/02-CloningInterfaceChanges @@ -21,7 +21,7 @@ import os import sys -import xml.etree.ElementTree as ET +from lxml import etree as ET import pki.upgrade class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): 
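Review bot: The debug message in the fallback `catch (IOException e1)` prints `authAdminPort` although the request it describes was sent to the EE port; it should read `CMS.debug("TokenAuthenticate: failed to contact EE host:port " + authHost + ":" + authEEPort + " " + e1);`. The `EBaseException` thrown there is built from `e1.getMessage()` alone, so the original cause is lost; pass `e1` through if the constructor allows it. Independently, `content` is assembled by plain concatenation from `sessionId` and `givenHost` (the latter taken straight from the supplied `authCred`) and then written in full to the debug log, so the session id lands in clear text in the log and an unencoded `&` or `=` in `givenHost` would likely be decoded as an extra form parameter by the receiving servlet; encoding both values with `URLEncoder.encode(value, "UTF-8")` and logging only the hostname would address both. The enclosing `authenticate` method begins before this hunk and continues past it.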
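Review bot: `HttpClient httpclient = new HttpClient();` at the top of `sendAuthRequest` is dead code — the variable is reassigned two lines later with the JSS-backed instance — and `String c = null;` is only a placeholder; declare at the use site instead: `HttpClient httpclient = new HttpClient(new JssSSLSocketFactory());` and `return httpclient.send(httprequest).getContent();`. The Content-Length header is set from `content.length()`, a character count, which equals the byte count only while `sessionId` and `givenHost` are pure ASCII; `content.getBytes(StandardCharsets.UTF_8).length` would be the safe form if non-ASCII hostnames can ever reach this path. The connection opened by `httpclient.connect` is not closed anywhere in this method; if the client type offers a disconnect, a `finally` block is the place for it.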
@@ -32,7 +32,7 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> <init-param> <param-name> GetClientCert </param-name> - <param-value> true </param-value> + <param-value> false </param-value> </init-param> <init-param> <param-name> authority </param-name> @@ -44,11 +44,11 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): </init-param> <init-param> <param-name> interface </param-name> - <param-value> agent </param-value> + <param-value> admin </param-value> </init-param> <init-param> <param-name> AuthMgr </param-name> - <param-value> certUserDBAuthMgr </param-value> + <param-value> TokenAuth </param-value> </init-param> <init-param> <param-name> AuthzMgr </param-name> @@ -66,6 +66,33 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): <url-pattern> /admin/ca/updateDomainXML </url-pattern> </servlet-mapping> """ + tokenAuthenticateServletData = """ + <servlet> + <servlet-name> caTokenAuthenticate-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param> + <param-name> GetClientCert </param-name> + <param-value> false </param-value> + </init-param> + <init-param> + <param-name> authority </param-name> + <param-value> ca </param-value> + </init-param> + <init-param> + <param-name> ID </param-name> + <param-value> caTokenAuthenticate </param-value> + </init-param> + <init-param> + <param-name> interface </param-name> + <param-value> admin </param-value> + </init-param> + </servlet>""" + + tokenAuthenticateMappingData = """ + <servlet-mapping> + <servlet-name> caTokenAuthenticate-admin </servlet-name> + <url-pattern> /admin/ca/tokenAuthenticate </url-pattern> + </servlet-mapping>""" def __init__(self): 
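Review bot: `tokenAuthenticateServletData` and `tokenAuthenticateMappingData` are verbatim copies of the fragment added to `base/ca/shared/webapps/ca/WEB-INF/web.xml` in this commit, but nothing in the scriptlet says which file is the source of truth, so the two will drift the next time the servlet's init-params change. A one-line comment above the template, `# must match the caTokenAuthenticate-admin servlet in base/ca/shared/webapps/ca/WEB-INF/web.xml`, would make that dependency visible. It is also worth noting in the template itself that the servlet deliberately carries no `AuthMgr`, unlike `updateDomainServletData` directly above it, so an upgrade author does not "fix" the asymmetry. These are class attributes; the `class CloningInterfaceChanges` header lies above this hunk.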
@@ -83,6 +110,7 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): if subsystem == "ca": self.modify_update_number_range(subsystem) self.modify_update_domain_xml() + self.modify_token_authenticate() if subsystem == "kra": self.modify_update_number_range(subsystem) @@ -124,15 +152,44 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet): name = servlet.find('servlet-name').text.strip() if name == 'caUpdateDomainXML-admin': found = True + if name == 'caUpdateDomainXML': + index = list(self.root).index(servlet) + 1 if not found: servlet = ET.fromstring(self.updateDomainServletData) - self.root.append(servlet) + self.root.insert(index, servlet) found = False for mapping in self.doc.findall('.//servlet-mapping'): name = mapping.find('servlet-name').text.strip() if name == 'caUpdateDomainXML-admin': found = True + if name == 'caUpdateDomainXML': + index = list(self.root).index(mapping) + 1 if not found: mapping = ET.fromstring(self.updateDomainMappingData) - self.root.append(mapping) + self.root.insert(index, mapping) + + + def modify_token_authenticate(self): + #add caTokenAuthenticate-admin servlet and mapping + found = False + for servlet in self.doc.findall('.//servlet'): + name = servlet.find('servlet-name').text.strip() + if name == 'caTokenAuthenticate-admin': + found = True + if name == 'caTokenAuthenticate': + index = list(self.root).index(servlet) + 1 + if not found: + servlet = ET.fromstring(self.tokenAuthenticateServletData) + self.root.insert(index, servlet) + + found = False + for mapping in self.doc.findall('.//servlet-mapping'): + name = mapping.find('servlet-name').text.strip() + if name == 'caTokenAuthenticate-admin': + found = True + if name == 'caTokenAuthenticate': + index = list(self.root).index(mapping) + 1 + if not found: + mapping = ET.fromstring(self.tokenAuthenticateMappingData) + self.root.insert(index, mapping) |
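Review bot: `index` is bound only inside the loop, when a servlet (or mapping) named `caTokenAuthenticate` / `caUpdateDomainXML` is present; on a web.xml that lacks that anchor element the `if not found:` branch raises `UnboundLocalError` at `self.root.insert(index, servlet)`, whereas the removed `self.root.append(...)` handled that case. Initialize the fallback before each of the four loops, e.g. `index = len(self.root)`, so the new element is appended when no anchor exists and inserted after the anchor otherwise. A `break` after the `found = True` assignments would also avoid walking the rest of the document once the admin variant is known to exist. `modify_update_domain_xml` begins above this hunk; `modify_token_authenticate` is complete within it.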