3 files changed, 50 insertions, 73 deletions
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index 73fae47fd..1933601db 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -6,8 +6,6 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.catalina.realm.RealmBase;
 import org.apache.commons.lang.StringUtils;
@@ -25,6 +23,8 @@ import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cms.servlet.common.AuthCredentials;
+import netscape.security.x509.X509CertImpl;
+
 /**
 * PKI Realm
 *
@@ -47,7 +47,7 @@ public class PKIRealm extends RealmBase {
 @Override
 public Principal authenticate(String username, String password) {
- logDebug("Authenticating username "+username+" with password.");
+ CMS.debug("PKIRealm: Authenticating user " + username + " with password.");
 String auditMessage = null;
 String auditSubjectID = ILogger.UNIDENTIFIED;
 String attemptedAuditUID = username;
@@ -61,7 +61,7 @@ public class PKIRealm extends RealmBase {
 creds.set(IPasswdUserDBAuthentication.CRED_PWD, password);
 IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
- authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+ authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
 auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 // store a message in the signed audit log file
@@ -91,7 +91,7 @@ public class PKIRealm extends RealmBase {
 @Override
 public Principal authenticate(final X509Certificate certs[]) {
- logDebug("Authenticating certificate chain:");
+ CMS.debug("PKIRealm: Authenticating certificate chain:");
 String auditMessage = null;
 // get the cert from the ssl client auth 
@@ -105,7 +105,7 @@ public class PKIRealm extends RealmBase {
 X509CertImpl certImpls[] = new X509CertImpl[certs.length];
 for (int i=0; i<certs.length; i++) {
 X509Certificate cert = certs[i];
- logDebug(" "+cert.getSubjectDN());
+ CMS.debug("PKIRealm: " + cert.getSubjectDN());
 // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl
 certImpls[i] = new X509CertImpl(cert.getEncoded());
@@ -123,7 +123,7 @@ public class PKIRealm extends RealmBase {
 // reset it to the one authenticated with authManager
 auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
- logDebug("User ID: "+username);
+ CMS.debug("PKIRealm: User ID: " + username);
 // store a message in the signed audit log file
 auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
@@ -181,7 +181,7 @@ public class PKIRealm extends RealmBase {
 protected IUser getUser(String username) throws EUsrGrpException {
 IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 IUser user = ugSub.getUser(username);
- logDebug("User DN: "+user.getUserDN());
+ CMS.debug("PKIRealm: User DN: " + user.getUserDN());
 return user;
 }
@@ -192,12 +192,12 @@ public class PKIRealm extends RealmBase {
 IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 Enumeration<IGroup> groups = ugSub.findGroupsByUser(user.getUserDN(), null);
- logDebug("Roles:");
+ CMS.debug("PKIRealm: Roles:");
 while (groups.hasMoreElements()) {
 IGroup group = groups.nextElement();
 String name = group.getName();
- logDebug(" "+name);
+ CMS.debug("PKIRealm: " + name);
 roles.add(name);
 }
@@ -209,19 +209,6 @@ public class PKIRealm extends RealmBase {
 return null;
 }
- /*
- * TODO: Figure out how to do real logging
- */
- public void logErr(String msg) {
- System.err.println(msg);
- CMS.debug("PKIRealm.logErr: " + msg);
- }
-
- public void logDebug(String msg) {
- System.out.println("PKIRealm: "+msg);
- CMS.debug("PKIRealm.logDebug: " + msg);
- }
-
 /**
 * Signed Audit Log
 * 
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
index bae25b660..b6461abfd 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -18,6 +18,7 @@
 package org.dogtagpki.server.rest;
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.security.Principal;
 import java.util.Locale;
@@ -28,6 +29,8 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.jboss.resteasy.core.ResourceMethodInvoker;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
@@ -59,6 +62,13 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
 @Override
 public void filter(ContainerRequestContext requestContext) throws IOException {
+ ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext
+ .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
+ Method method = methodInvoker.getMethod();
+ Class<?> clazz = methodInvoker.getResourceClass();
+
+ CMS.debug("SessionContextInterceptor: " + clazz.getSimpleName() + "." + method.getName() + "()");
+
 Principal principal = securityContext.getUserPrincipal();
 // If unauthenticated, ignore.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
index 692dc49d6..07092aa07 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java 
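Review bot: `methodInvoker.getMethod()` dereferences the result of `requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker")` without a null check, and RESTEasy only populates that property once a resource method has been matched, so if this filter is ever run pre-matching the new trace line turns into a NullPointerException that fails the request before the principal handling below it executes. Because `method` and `clazz` feed nothing but the `CMS.debug` call, the lookup can be guarded with one condition: `if (methodInvoker != null) { CMS.debug("SessionContextInterceptor: " + methodInvoker.getResourceClass().getSimpleName() + "." + methodInvoker.getMethod().getName() + "()"); }`. The class annotations and the remainder of `filter` are outside the hunk, so whether a pre-matching registration is possible here cannot be confirmed from the diff.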
@@ -17,12 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cmscore.authentication;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.EInvalidCredentials;
@@ -38,10 +32,11 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cmscore.dbs.DBSubsystem;
 import com.netscape.cmscore.ldapconn.LdapAnonConnFactory;
-import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.usrgrp.UGSubsystem;
-import com.netscape.cmscore.util.Debug;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
 /**
 * Certificate Server admin authentication.
@@ -64,8 +59,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 private String mName = null;
 private String mImplName = null;
 private IConfigStore mConfig;
- private String mBaseDN = null;
- private LdapBoundConnFactory mConnFactory = null;
 private LdapAnonConnFactory mAnonConnFactory = null;
 private ILogger mLogger = CMS.getLogger();
@@ -94,8 +87,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 if (ldapinfo == null && CMS.isPreOpMode()) return;
- mBaseDN = dbs.getBaseDN();
- mConnFactory = new LdapBoundConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo, dbs.getLdapAuthInfo());
 mAnonConnFactory = new LdapAnonConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo);
 log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_AUTH_INIT_AUTH", mName)); 
@@ -124,76 +115,66 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 // make sure the required credentials are provided
 String uid = (String) authCred.get(CRED_UID);
- CMS.debug("Authentication: UID=" + uid);
+ CMS.debug("PasswdUserDBAuthentication: UID: " + uid);
 if (uid == null) {
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_MISSING_UID"));
 throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
 }
- String pwd = (String) authCred.get(CRED_PWD);
+ String pwd = (String) authCred.get(CRED_PWD);
 if (pwd == null) {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NULL_PW", uid));
 throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
 }
+ // don't allow anonymous binding
 if (pwd == "") {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_EMPTY_PW", uid));
 throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 }
- String userdn = null;
- LDAPConnection conn = null;
+ UGSubsystem ug = UGSubsystem.getInstance();
+ IUser user;
+
+ try {
+ user = ug.getUser(uid);
+ } catch (EBaseException e) {
+ CMS.debug(e);
+ // not a user in our user/group database.
+ log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
+ }
+
+ if (user == null) {
+ CMS.debug("PasswdUserDBAuthentication: User not found: " + uid);
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
+ "Failure in User Group subsystem."));
+ }
+
+ String userdn = user.getUserDN();
+ CMS.debug("PasswdUserDBAuthentication: DN: " + userdn);
 LDAPConnection anonConn = null;
 try {
- conn = mConnFactory.getConn();
- // do anonymous search for the user's dn. 
- LDAPSearchResults res = conn.search(mBaseDN,
- LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
-
- if (res.hasMoreElements()) {
- LDAPEntry entry = (LDAPEntry) res.nextElement();
-
- userdn = entry.getDN();
- }
- if (userdn == null) {
- log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NOT_FOUND", uid));
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
 anonConn = mAnonConnFactory.getConn();
 anonConn.authenticate(userdn, pwd);
+
 } catch (LDAPException e) {
 log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_AUTH_FAILED", uid, e.toString()));
 throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
 } finally {
- if (conn != null)
- mConnFactory.returnConn(conn);
 if (anonConn != null) mAnonConnFactory.returnConn(anonConn);
 }
- UGSubsystem ug = UGSubsystem.getInstance();
-
 authToken.set(TOKEN_USERDN, userdn);
 authToken.set(CRED_UID, uid); // return original uid for info
- IUser user = null;
-
- try {
- user = ug.getUser(uid);
- } catch (EBaseException e) {
- if (Debug.ON)
- e.printStackTrace();
- // not a user in our user/group database.
- log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
- }
- if (user == null) {
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
- "Failure in User Group subsystem."));
- }
 authToken.set(TOKEN_USERDN, user.getUserDN());
 authToken.set(TOKEN_USERID, user.getUserID());
+
 log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid));
 return authToken; 
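Review bot: The new `// don't allow anonymous binding` comment labels a guard that compares by reference, `if (pwd == "")`, so an empty password that is not the interned literal (a `String` constructed from request bytes, for example) passes the check and reaches `anonConn.authenticate(userdn, pwd)`, where an empty password is what RFC 4513 calls the unauthenticated authentication mechanism and a directory server may accept it; `pwd` is already null-checked just above, so `if (pwd.isEmpty()) {` is the correct form. The user lookup now runs before the bind, and its two failure branches are distinguishable by the caller — the `EBaseException` path appends `e.getMessage()` to the invalid-credential message and the `user == null` path returns `CMS_AUTHENTICATION_INTERNAL_ERROR`, whereas a wrong password yields the bare `CMS_AUTHENTICATION_INVALID_CREDENTIAL` — so returning the bare message on all three paths and keeping the detail in the log removes an account-enumeration oracle that no longer requires a bind attempt. The `user == null` branch also writes only `CMS.debug`, unlike its sibling which records an `LL_SECURITY` entry. The enclosing `authenticate` method begins and ends outside the hunk.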
@@ -241,7 +222,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 public void shutdown() {
 try {
 // disconnect all outstanding connections in the factory
- if (mConnFactory != null) mConnFactory.reset();
 if (mAnonConnFactory != null) mAnonConnFactory.reset();
 } catch (ELdapException e) {
 log(ILogger.LL_FAILURE, e.toString()); |