Bugzilla Bug #490489 - Configuration modifications are not replicated between

admins, agents, and end entities
Bugzilla Bug #490483 -  Unable to configure CA using "Shared Ports"


git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@316 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

4 files changed, 411 insertions, 0 deletions

diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
new file mode 100644
index 000000000..1a94cb295
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class AdminRequestFilter implements Filter
+{
+    private static final String HTTPS_SCHEME = "https";
+    private static final String HTTPS_PORT = "https_port";
+    private static final String HTTPS_ROLE = "Admin";
+
+    private FilterConfig config;
+    
+    /* Create a new AdminRequestFilter */
+    public AdminRequestFilter() {}
+    
+    public void init( FilterConfig filterConfig )
+                throws ServletException
+    {
+        this.config = filterConfig;
+    }
+    
+    public void doFilter( ServletRequest request, 
+                          ServletResponse response,
+                          FilterChain chain )
+                throws java.io.IOException,
+                       ServletException
+    {
+        String filterName = getClass().getName();
+
+        String scheme = null;
+        int port = 0;
+
+        String request_port = null;
+        String param_https_port = null;
+        String msg = null;
+
+        if( request instanceof HttpServletRequest ) {
+            HttpServletResponse resp = ( HttpServletResponse ) response;
+
+            // RFC 1738:  verify that scheme is "https"
+            scheme = request.getScheme();
+            if( ! scheme.equals( HTTPS_SCHEME ) ) {
+                msg = "The scheme MUST be '" + HTTPS_SCHEME
+                    + "', NOT '" + scheme + "'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+                return;
+            }
+
+            // Always obtain an "https" port from request
+            port = request.getServerPort();
+            request_port = Integer.toString( port );
+
+            // Always obtain the "https" port passed in as a parameter
+            param_https_port = config.getInitParameter( HTTPS_PORT );
+            if( param_https_port == null ) {
+                msg = "The <param-name> '" + HTTPS_PORT
+                    + "' </param-name> " + "MUST be specified in 'web.xml'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+                return;
+            }
+
+            // Compare the request and param "https" ports
+            if( ! param_https_port.equals( request_port ) ) {
+                msg = "Use HTTPS port '" + param_https_port
+                    + "' instead of '" + request_port
+                    + "' when performing " + HTTPS_ROLE + " tasks!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                return;
+            }
+        }
+
+        chain.doFilter( request, response );
+    }
+    
+    public void destroy()
+    {
+    }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
new file mode 100644
index 000000000..542ca4232
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class AgentRequestFilter implements Filter
+{
+    private static final String HTTPS_SCHEME = "https";
+    private static final String HTTPS_PORT = "https_port";
+    private static final String HTTPS_ROLE = "Agent";
+
+    private FilterConfig config;
+    
+    /* Create a new AgentRequestFilter */
+    public AgentRequestFilter() {}
+    
+    public void init( FilterConfig filterConfig )
+                throws ServletException
+    {
+        this.config = filterConfig;
+    }
+    
+    public void doFilter( ServletRequest request, 
+                          ServletResponse response,
+                          FilterChain chain )
+                throws java.io.IOException,
+                       ServletException
+    {
+        String filterName = getClass().getName();
+
+        String scheme = null;
+        int port = 0;
+
+        String request_port = null;
+        String param_https_port = null;
+        String msg = null;
+
+        if( request instanceof HttpServletRequest ) {
+            HttpServletResponse resp = ( HttpServletResponse ) response;
+
+            // RFC 1738:  verify that scheme is "https"
+            scheme = request.getScheme();
+            if( ! scheme.equals( HTTPS_SCHEME ) ) {
+                msg = "The scheme MUST be '" + HTTPS_SCHEME
+                    + "', NOT '" + scheme + "'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+                return;
+            }
+
+            // Always obtain an "https" port from request
+            port = request.getServerPort();
+            request_port = Integer.toString( port );
+
+            // Always obtain the "https" port passed in as a parameter
+            param_https_port = config.getInitParameter( HTTPS_PORT );
+            if( param_https_port == null ) {
+                msg = "The <param-name> '" + HTTPS_PORT
+                    + "' </param-name> " + "MUST be specified in 'web.xml'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+                return;
+            }
+
+            // Compare the request and param "https" ports
+            if( ! param_https_port.equals( request_port ) ) {
+                msg = "Use HTTPS port '" + param_https_port
+                    + "' instead of '" + request_port
+                    + "' when performing " + HTTPS_ROLE + " tasks!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                return;
+            }
+        }
+
+        chain.doFilter( request, response );
+    }
+    
+    public void destroy()
+    {
+    }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
new file mode 100644
index 000000000..1f93e080f
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
@@ -0,0 +1,131 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class EERequestFilter implements Filter
+{
+    private static final String HTTP_SCHEME = "http";
+    private static final String HTTP_PORT = "http_port";
+    private static final String HTTP_ROLE = "EE";
+    private static final String HTTPS_SCHEME = "https";
+    private static final String HTTPS_PORT = "https_port";
+    private static final String HTTPS_ROLE = "EE";
+
+    private FilterConfig config;
+    
+    /* Create a new EERequestFilter */
+    public EERequestFilter() {}
+    
+    public void init( FilterConfig filterConfig )
+                throws ServletException
+    {
+        this.config = filterConfig;
+    }
+    
+    public void doFilter( ServletRequest request, 
+                          ServletResponse response,
+                          FilterChain chain )
+                throws java.io.IOException,
+                       ServletException
+    {
+        String filterName = getClass().getName();
+
+        String scheme = null;
+        int port = 0;
+
+        String request_port = null;
+        String param_http_port = null;
+        String param_https_port = null;
+        String msg = null;
+
+        if( request instanceof HttpServletRequest ) {
+            HttpServletResponse resp = ( HttpServletResponse ) response;
+
+            // RFC 1738:  verify that scheme is either "http" or "https"
+            scheme = request.getScheme();
+            if( ( ! scheme.equals( HTTP_SCHEME ) ) &&
+                ( ! scheme.equals( HTTPS_SCHEME ) ) ) {
+                msg = "The scheme MUST be either '" + HTTP_SCHEME
+                    + "' or '" + HTTPS_SCHEME
+                    + "', NOT '" + scheme + "'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+                return; 
+            }
+
+            // Always obtain either an "http" or an "https" port from request
+            port = request.getServerPort();
+            request_port = Integer.toString( port );
+
+            // Always obtain the "http" port passed in as a parameter
+            param_http_port = config.getInitParameter( HTTP_PORT );
+            if( param_http_port == null ) {
+                msg = "The <param-name> '" + HTTP_PORT
+                    + "' </param-name> " + "MUST be specified in 'web.xml'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+                return; 
+            }
+
+            // Always obtain the "https" port passed in as a parameter
+            param_https_port = config.getInitParameter( HTTPS_PORT );
+            if( param_https_port == null ) {
+                msg = "The <param-name> '" + HTTPS_PORT
+                    + "' </param-name> " + "MUST be specified in 'web.xml'!";
+                CMS.debug( filterName + ":  " + msg );
+                resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+                return; 
+            }
+
+            // If the scheme is "http", compare
+            // the request and param "http" ports;
+            // otherwise, if the scheme is "https", compare
+            // the request and param "https" ports
+            if( scheme.equals( HTTP_SCHEME ) ) {
+                if( ! param_http_port.equals( request_port ) ) {
+                    msg = "Use HTTP port '" + param_http_port
+                        + "' instead of '" + request_port
+                        + "' when performing " + HTTP_ROLE + " tasks!";
+                    CMS.debug( filterName + ":  " + msg );
+                    resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                    return; 
+                }
+            } else if( scheme.equals( HTTPS_SCHEME ) ) {
+                if( ! param_https_port.equals( request_port ) ) {
+                    msg = "Use HTTPS port '" + param_https_port
+                        + "' instead of '" + request_port
+                        + "' when performing " + HTTPS_ROLE + " tasks!";
+                    CMS.debug( filterName + ":  " + msg );
+                    resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+                    return; 
+                }
+            }
+        }
+
+        chain.doFilter( request, response );
+    }
+    
+    public void destroy()
+    {
+    }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java
new file mode 100644
index 000000000..a47888442
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java
@@ -0,0 +1,78 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class PassThroughRequestFilter implements Filter
+{
+    /* Create a new PassThroughRequestFilter */
+    public PassThroughRequestFilter() {}
+    
+    public void init( FilterConfig filterConfig )
+                throws ServletException
+    {
+    }
+    
+    public void doFilter( ServletRequest request, 
+                          ServletResponse response,
+                          FilterChain chain )
+                throws java.io.IOException,
+                       ServletException
+    {
+        // Simply pass-through this request without filtering it . . .
+        //
+        // NOTE:  This "do-nothing" filter is ONLY provided since
+        //        individual servlets can not be "excluded" from within
+        //        the <url-pattern></url-pattern> parameters, thus
+        //        disallowing the use of a '*' wildcard parameter
+        //        on certain filters.
+        //
+        //        Therefore, since servlets MUST be specified individually
+        //        by such filters, this pass-through filter was created to
+        //        contain those servlets which would otherwise simply be
+        //        "excluded".  Although this could also be accomplished
+        //        by merely performing "exclusion by lack of inclusion",
+        //        the existance of a pass-through filter allows the
+        //        EXPLICIT identification of servlets which MUST NOT
+        //        have any filters run against them.
+        //
+
+        String filterName = getClass().getName();
+
+        String servlet = null;
+        String msg = null;
+
+        if( request instanceof HttpServletRequest ) {
+            HttpServletRequest req = ( HttpServletRequest ) request;
+
+            servlet = req.getServletPath();
+            msg = "Excluding filtering on servlet called '" + servlet + "'!";
+            CMS.debug( filterName + ":  " + msg );
+        }
+
+        chain.doFilter( request, response );
+    }
+    
+    public void destroy()
+    {
+    }
+}
+