-rw-r--r--.classpath2
-rw-r--r--CMakeLists.txt4
-rw-r--r--base/ca/CMakeLists.txt8
-rw-r--r--base/ca/tomcat7/CMakeLists.txt6
-rw-r--r--base/ca/tomcat7/conf/Catalina/localhost/ca.xml (renamed from base/ca/shared/conf/Catalina/localhost/ca.xml)0
-rw-r--r--base/ca/tomcat8/CMakeLists.txt6
-rw-r--r--base/ca/tomcat8/conf/Catalina/localhost/ca.xml39
-rw-r--r--base/kra/CMakeLists.txt8
-rw-r--r--base/kra/tomcat7/CMakeLists.txt6
-rw-r--r--base/kra/tomcat7/conf/Catalina/localhost/kra.xml (renamed from base/kra/shared/conf/Catalina/localhost/kra.xml)0
-rw-r--r--base/kra/tomcat8/CMakeLists.txt6
-rw-r--r--base/kra/tomcat8/conf/Catalina/localhost/kra.xml39
-rw-r--r--base/ocsp/CMakeLists.txt8
-rw-r--r--base/ocsp/tomcat7/CMakeLists.txt6
-rw-r--r--base/ocsp/tomcat7/conf/Catalina/localhost/ocsp.xml (renamed from base/ocsp/shared/conf/Catalina/localhost/ocsp.xml)0
-rw-r--r--base/ocsp/tomcat8/CMakeLists.txt6
-rw-r--r--base/ocsp/tomcat8/conf/Catalina/localhost/ocsp.xml39
-rw-r--r--base/server/CMakeLists.txt9
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java25
-rw-r--r--base/server/tomcat/CMakeLists.txt3
-rw-r--r--base/server/tomcat7/CMakeLists.txt10
-rw-r--r--base/server/tomcat7/conf/Catalina/localhost/ROOT.xml (renamed from base/server/share/conf/Catalina/localhost/ROOT.xml)0
-rw-r--r--base/server/tomcat7/conf/Catalina/localhost/pki.xml (renamed from base/server/share/conf/Catalina/localhost/pki.xml)0
-rw-r--r--base/server/tomcat7/conf/server.xml (renamed from base/server/share/conf/server.xml)0
-rw-r--r--base/server/tomcat7/src/CMakeLists.txt (renamed from base/server/tomcat/src/CMakeLists.txt)6
-rw-r--r--base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java (renamed from base/server/tomcat/src/com/netscape/cms/tomcat/ProxyRealm.java)0
-rw-r--r--base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java (renamed from base/server/tomcat/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java)0
-rw-r--r--base/server/tomcat7/src/pki-tomcat.mf (renamed from base/server/tomcat/src/pki-tomcat.mf)0
-rw-r--r--base/server/tomcat8/CMakeLists.txt10
-rw-r--r--base/server/tomcat8/conf/Catalina/localhost/ROOT.xml32
-rw-r--r--base/server/tomcat8/conf/Catalina/localhost/pki.xml32
-rw-r--r--base/server/tomcat8/conf/server.xml295
-rw-r--r--base/server/tomcat8/src/CMakeLists.txt158
-rw-r--r--base/server/tomcat8/src/com/netscape/cms/tomcat/ProxyRealm.java145
-rw-r--r--base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java168
-rw-r--r--base/server/tomcat8/src/pki-tomcat.mf3
-rw-r--r--base/tks/CMakeLists.txt8
-rw-r--r--base/tks/tomcat7/CMakeLists.txt6
-rw-r--r--base/tks/tomcat7/conf/Catalina/localhost/tks.xml (renamed from base/tks/shared/conf/Catalina/localhost/tks.xml)0
-rw-r--r--base/tks/tomcat8/CMakeLists.txt6
-rw-r--r--base/tks/tomcat8/conf/Catalina/localhost/tks.xml39
-rw-r--r--base/tps/CMakeLists.txt8
-rw-r--r--base/tps/tomcat7/CMakeLists.txt6
-rw-r--r--base/tps/tomcat7/conf/Catalina/localhost/tps.xml (renamed from base/tps/shared/conf/Catalina/localhost/tps.xml)0
-rw-r--r--base/tps/tomcat8/CMakeLists.txt6
-rw-r--r--base/tps/tomcat8/conf/Catalina/localhost/tps.xml39
-rw-r--r--specs/dogtag-pki.spec5
-rw-r--r--specs/pki-core.spec68
48 files changed, 1222 insertions, 48 deletions
diff --git a/.classpath b/.classpath
index 9886a5236..9befab0fe 100644
--- a/.classpath
+++ b/.classpath
@@ -8,7 +8,7 @@
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/common/src"/>
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/common/functional/src"/>
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/java-tools/src"/>
- <classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/tomcat/src"/>
+ <classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/tomcat7/src"/>
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/cms/src"/>
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/cmscore/src"/>
<classpathentry excluding="**/CMakeLists.txt" kind="src" path="base/server/test"/>
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6702ac07d..12a7493b3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -14,8 +14,10 @@ string(REGEX REPLACE "^([0-9]+).*" "\\1" APPLICATION_VERSION_MAJOR ${VERSION})
string(REGEX REPLACE "^[0-9]+\\.([0-9]+).*" "\\1" APPLICATION_VERSION_MINOR ${VERSION})
string(REGEX REPLACE "^[0-9]+\\.[0-9]+\\.([0-9]+).*" "\\1" APPLICATION_VERSION_PATCH ${VERSION})
-option(WITH_JAVADOC "Build Javadoc" ON)
+option(WITH_TOMCAT7 "Build Tomcat 7" ON)
+option(WITH_TOMCAT8 "Build Tomcat 8" ON)
option(WITH_SERVER "Build Server" ON)
+option(WITH_JAVADOC "Build Javadoc" ON)
if (BUILD_DOGTAG_PKI_THEME)
set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
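Review bot: `WITH_TOMCAT7` and `WITH_TOMCAT8` both default to ON, but the two trees cannot coexist: base/server/tomcat7/src/CMakeLists.txt and base/server/tomcat8/src/CMakeLists.txt are the same blob (102dec782), so each declares `pki-tomcat-classes` and `pki-tomcat-jar` and writes `${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar`, and every tomcat7/tomcat8 pair installs `conf/` into the same DESTINATION. With the defaults, configuration will presumably stop on duplicate target names (javac() and jar() are defined outside this diff), and if it does not, whichever `server.xml` and context files are installed last silently win, which for a CA decides the connector and authenticator configuration that ships. I would default one option to OFF and reject the ambiguous case right after the options: `if(WITH_TOMCAT7 AND WITH_TOMCAT8)` / `message(FATAL_ERROR "WITH_TOMCAT7 and WITH_TOMCAT8 are mutually exclusive")` / `endif()`. The same applies to the `if(WITH_TOMCAT7)` / `if(WITH_TOMCAT8)` blocks added in base/ca, base/kra, base/ocsp and base/server.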
diff --git a/base/ca/CMakeLists.txt b/base/ca/CMakeLists.txt
index 025f7a132..63e77195a 100644
--- a/base/ca/CMakeLists.txt
+++ b/base/ca/CMakeLists.txt
@@ -4,6 +4,14 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
# install directories
install(
DIRECTORY
diff --git a/base/ca/tomcat7/CMakeLists.txt b/base/ca/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/ca/tomcat7/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/ca/shared/conf/Catalina/localhost/ca.xml b/base/ca/tomcat7/conf/Catalina/localhost/ca.xml
index e838503a6..e838503a6 100644
--- a/base/ca/shared/conf/Catalina/localhost/ca.xml
+++ b/base/ca/tomcat7/conf/Catalina/localhost/ca.xml
diff --git a/base/ca/tomcat8/CMakeLists.txt b/base/ca/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/ca/tomcat8/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
new file mode 100644
index 000000000..2c045dec7
--- /dev/null
+++ b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
+
+ <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
+
+ <Resources allowLinking="true" />
+
+</Context>
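Review bot: `<Resources allowLinking="true" />` and `crossContext="true"` are carried into the Tomcat 8 context with no comment saying why the subsystem needs them. allowLinking makes Tomcat follow symbolic links that lead outside the web application root, so what this context serves then depends on who can create links under the instance's webapps tree, and crossContext lets this application obtain the ServletContext of the other web applications on the same host. I would add a comment above each element naming the paths or applications that rely on it and stating who may write to the instance directory. The same applies to the identical kra.xml and ocsp.xml (blob 2c045dec7) and to ROOT.xml and pki.xml (blob e70dd2055).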
diff --git a/base/kra/CMakeLists.txt b/base/kra/CMakeLists.txt
index 02bacd132..0197075ba 100644
--- a/base/kra/CMakeLists.txt
+++ b/base/kra/CMakeLists.txt
@@ -4,6 +4,14 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
# install directories
install(
DIRECTORY
diff --git a/base/kra/tomcat7/CMakeLists.txt b/base/kra/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/kra/tomcat7/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/kra/shared/conf/Catalina/localhost/kra.xml b/base/kra/tomcat7/conf/Catalina/localhost/kra.xml
index e838503a6..e838503a6 100644
--- a/base/kra/shared/conf/Catalina/localhost/kra.xml
+++ b/base/kra/tomcat7/conf/Catalina/localhost/kra.xml
diff --git a/base/kra/tomcat8/CMakeLists.txt b/base/kra/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/kra/tomcat8/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/kra/tomcat8/conf/Catalina/localhost/kra.xml b/base/kra/tomcat8/conf/Catalina/localhost/kra.xml
new file mode 100644
index 000000000..2c045dec7
--- /dev/null
+++ b/base/kra/tomcat8/conf/Catalina/localhost/kra.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
+
+ <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
+
+ <Resources allowLinking="true" />
+
+</Context>
diff --git a/base/ocsp/CMakeLists.txt b/base/ocsp/CMakeLists.txt
index 4a7259b90..de781f8c3 100644
--- a/base/ocsp/CMakeLists.txt
+++ b/base/ocsp/CMakeLists.txt
@@ -4,6 +4,14 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
# install directories
install(
DIRECTORY
diff --git a/base/ocsp/tomcat7/CMakeLists.txt b/base/ocsp/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/ocsp/tomcat7/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/ocsp/shared/conf/Catalina/localhost/ocsp.xml b/base/ocsp/tomcat7/conf/Catalina/localhost/ocsp.xml
index e838503a6..e838503a6 100644
--- a/base/ocsp/shared/conf/Catalina/localhost/ocsp.xml
+++ b/base/ocsp/tomcat7/conf/Catalina/localhost/ocsp.xml
diff --git a/base/ocsp/tomcat8/CMakeLists.txt b/base/ocsp/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/ocsp/tomcat8/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/ocsp/tomcat8/conf/Catalina/localhost/ocsp.xml b/base/ocsp/tomcat8/conf/Catalina/localhost/ocsp.xml
new file mode 100644
index 000000000..2c045dec7
--- /dev/null
+++ b/base/ocsp/tomcat8/conf/Catalina/localhost/ocsp.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
+
+ <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
+
+ <Resources allowLinking="true" />
+
+</Context>
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 01a194a3d..b429c4e80 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -140,7 +140,14 @@ install(
install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
-add_subdirectory(tomcat)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
add_subdirectory(cms)
add_subdirectory(cmsbundle)
add_subdirectory(cmscore)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
index 336032dd3..dc8cef68f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
@@ -18,6 +18,7 @@
package com.netscape.cms.servlet.common;
import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -25,13 +26,10 @@ import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
-import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.util.Enumeration;
-import javax.servlet.ServletOutputStream;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
@@ -531,8 +529,7 @@ public class CMSTemplate extends CMSFile {
*/
public String getOutput(CMSTemplateParams input)
throws IOException {
- debugOutputStream out = new debugOutputStream();
-
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
renderOutput(out, input);
return out.toString();
}
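Review bot: `out.toString()` on the new ByteArrayOutputStream decodes the rendered bytes with the JVM's default charset, which need not be the encoding renderOutput() writes in. renderOutput() is outside this hunk, so its encoding is an assumption on my side, but the file imports OutputStreamWriter and UnsupportedEncodingException, which suggests an explicit one; if it is UTF-8 the line should be `return out.toString("UTF-8");`. The removed debugOutputStream widened each byte to a char, so non-ASCII template output changes with this commit either way and deserves a test with a non-ASCII value.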
@@ -572,22 +569,4 @@ public class CMSTemplate extends CMSFile {
}
}
-
- private static class debugOutputStream extends ServletOutputStream {
- private StringWriter mStringWriter = new StringWriter();
-
- public debugOutputStream() {
- super();
- }
-
- public void write(int b) throws IOException {
- mStringWriter.write(b);
- }
-
- public String toString() {
- return mStringWriter.toString();
- }
-
- }
-
}
diff --git a/base/server/tomcat/CMakeLists.txt b/base/server/tomcat/CMakeLists.txt
deleted file mode 100644
index 555a9329d..000000000
--- a/base/server/tomcat/CMakeLists.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-project(tomcat)
-
-add_subdirectory(src)
diff --git a/base/server/tomcat7/CMakeLists.txt b/base/server/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..ba02af18d
--- /dev/null
+++ b/base/server/tomcat7/CMakeLists.txt
@@ -0,0 +1,10 @@
+project(server-tomcat7)
+
+add_subdirectory(src)
+
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/server/conf/
+)
diff --git a/base/server/share/conf/Catalina/localhost/ROOT.xml b/base/server/tomcat7/conf/Catalina/localhost/ROOT.xml
index ce98bfa4e..ce98bfa4e 100644
--- a/base/server/share/conf/Catalina/localhost/ROOT.xml
+++ b/base/server/tomcat7/conf/Catalina/localhost/ROOT.xml
diff --git a/base/server/share/conf/Catalina/localhost/pki.xml b/base/server/tomcat7/conf/Catalina/localhost/pki.xml
index ce98bfa4e..ce98bfa4e 100644
--- a/base/server/share/conf/Catalina/localhost/pki.xml
+++ b/base/server/tomcat7/conf/Catalina/localhost/pki.xml
diff --git a/base/server/share/conf/server.xml b/base/server/tomcat7/conf/server.xml
index b9e8860b2..b9e8860b2 100644
--- a/base/server/share/conf/server.xml
+++ b/base/server/tomcat7/conf/server.xml
diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat7/src/CMakeLists.txt
index d9808a803..102dec782 100644
--- a/base/server/tomcat/src/CMakeLists.txt
+++ b/base/server/tomcat7/src/CMakeLists.txt
@@ -44,9 +44,9 @@ find_file(TOMCAT_CATALINA_JAR
/usr/share/java/tomcat
)
-find_file(TOMCAT_UTIL_JAR
+find_file(TOMCAT_UTIL_SCAN_JAR
NAMES
- tomcat-util.jar
+ tomcat-util-scan.jar
PATHS
/usr/share/java/tomcat
)
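Review bot: `find_file(TOMCAT_UTIL_SCAN_JAR ...)` in the tomcat7 tree now looks for `tomcat-util-scan.jar`, which as far as I know is a Tomcat 8 artifact, and nothing checks the result. When the file is absent the variable holds `TOMCAT_UTIL_SCAN_JAR-NOTFOUND`, and the next hunk puts that value straight on the javac CLASSPATH, so a missing jar shows up later as a compile error, or not at all, rather than at configure time. Either keep `tomcat-util.jar` for the Tomcat 7 build or fail early: `if(NOT TOMCAT_UTIL_SCAN_JAR)` / `message(FATAL_ERROR "tomcat-util-scan.jar not found")` / `endif()`. The TOMCAT_CATALINA_JAR find_file block above the changed one starts outside the hunk.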
@@ -123,7 +123,7 @@ javac(pki-tomcat-classes
SOURCES
com/netscape/cms/tomcat/*.java
CLASSPATH
- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}
+ ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
OUTPUT_DIR
${CMAKE_BINARY_DIR}/classes
)
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
index 094c0561f..094c0561f 100644
--- a/base/server/tomcat/src/com/netscape/cms/tomcat/ProxyRealm.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index 20bf85d22..20bf85d22 100644
--- a/base/server/tomcat/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
diff --git a/base/server/tomcat/src/pki-tomcat.mf b/base/server/tomcat7/src/pki-tomcat.mf
index ca8d3bf1b..ca8d3bf1b 100644
--- a/base/server/tomcat/src/pki-tomcat.mf
+++ b/base/server/tomcat7/src/pki-tomcat.mf
diff --git a/base/server/tomcat8/CMakeLists.txt b/base/server/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..b5f8d7c22
--- /dev/null
+++ b/base/server/tomcat8/CMakeLists.txt
@@ -0,0 +1,10 @@
+project(server-tomcat8)
+
+add_subdirectory(src)
+
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/server/conf/
+)
diff --git a/base/server/tomcat8/conf/Catalina/localhost/ROOT.xml b/base/server/tomcat8/conf/Catalina/localhost/ROOT.xml
new file mode 100644
index 000000000..e70dd2055
--- /dev/null
+++ b/base/server/tomcat8/conf/Catalina/localhost/ROOT.xml
@@ -0,0 +1,32 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Resources allowLinking="true" />
+
+</Context>
diff --git a/base/server/tomcat8/conf/Catalina/localhost/pki.xml b/base/server/tomcat8/conf/Catalina/localhost/pki.xml
new file mode 100644
index 000000000..e70dd2055
--- /dev/null
+++ b/base/server/tomcat8/conf/Catalina/localhost/pki.xml
@@ -0,0 +1,32 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Resources allowLinking="true" />
+
+</Context>
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
new file mode 100644
index 000000000..ce8fc57dc
--- /dev/null
+++ b/base/server/tomcat8/conf/server.xml
@@ -0,0 +1,295 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+
+<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
+<!-- CA Status Definitions -->
+<!--
+Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ee/ca
+Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca
+Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/ca/ee/ca
+Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/ca/services
+EE Client Auth URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/ca/eeca/ca
+PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/ca
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- KRA Status Definitions -->
+<!--
+Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/kra/ee/kra
+Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/kra/agent/kra
+Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/kra/ee/kra
+Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/kra/services
+PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/kra
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- OCSP Status Definitions -->
+<!--
+Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ocsp/ee/ocsp
+Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/ocsp/agent/ocsp
+Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/ocsp/ee/ocsp
+Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/ocsp/services
+PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/ocsp
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- TKS Status Definitions -->
+<!--
+Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tks/ee/tks
+Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/tks/agent/tks
+Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/tks/ee/tks
+Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/tks/services
+PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/tks
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- DO NOT REMOVE - End PKI Status Definitions -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+ <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+ <!-- Security listener. Documentation at /docs/config/listeners.html
+ <Listener className="org.apache.catalina.security.SecurityListener" />
+ -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <!-- The following Listener class has been commented out because this -->
+ <!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS', -->
+ <!-- and 'NSS' rather than the 'tomcat-native' module! -->
+ <!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" -->
+
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL/TLS HTTP/1.1 Connector on port [PKI_UNSECURE_PORT]
+ -->
+
+ [PKI_UNSECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]"
+ port="[PKI_UNSECURE_PORT]"
+ protocol="HTTP/1.1"
+ redirectPort="[PKI_SECURE_PORT]"
+ maxHttpHeaderSize="8192"
+ acceptCount="100"
+ maxThreads="150"
+ minSpareThreads="25"
+ enableLookups="false"
+ connectionTimeout="20000"
+ disableUploadTimeout="true"
+ />
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="[PKI_SECURE_PORT]" />
+ -->
+
+ <!-- Define a SSL/TLS HTTP/1.1 Connector on port [PKI_SECURE_PORT]
+ This connector uses the NIO implementation that requires the JSSE
+ style configuration. When using the APR/native implementation, the
+ OpenSSL style configuration is required as described in the APR/native
+ documentation -->
+ [PKI_SECURE_PORT_SERVER_COMMENT]
+ <!-- DO NOT REMOVE - Begin define PKI secure port
+ NOTE: The following 'keys' (and their assigned values) are exclusive to
+ the 'tomcatjss' JSSE module:
+
+ 'enableOCSP'
+ 'ocspResponderURL'
+ 'ocspResponderCertNickname'
+ 'ocspCacheSize'
+ 'ocspMinCacheEntryDuration'
+ 'ocspMaxCacheEntryDuration'
+ 'ocspTimeout'
+ 'strictCiphers'
+ 'clientauth' (ALL lowercase)
+ 'sslOptions'
+ 'ssl2Ciphers'
+ 'ssl3Ciphers'
+ 'tlsCiphers'
+ 'sslVersionRangeStream'
+ 'sslVersionRangeDatagram'
+ 'sslRangeCiphers'
+ 'serverCertNickFile'
+ 'passwordFile'
+ 'passwordClass'
+ 'certdbDir'
+
+ and are referenced via the value of the 'sslImplementationName' key.
+ NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+ In setup where SSL clientauth="true", OCSP can be turned on by
+ setting enableOCSP to true like the following:
+ enableOCSP="true"
+ along with changes to related settings, especially:
+ ocspResponderURL=<see example in connector definition below>
+ ocspResponderCertNickname=<see example in connector definition below>
+ Here are the definition to all the OCSP-related settings:
+ enableOCSP - turns on/off the ocsp check
+ ocspResponderURL - sets the url where the ocsp requests are sent
+ ocspResponderCertNickname - sets the nickname of the cert that is
+ either CA's signing certificate or the OCSP server's signing
+ certificate.
+ The CA's signing certificate should already be in the db, in
+ case of the same security domain.
+ In case of an ocsp signing certificate, one must import the cert
+ into the subsystem's nss db and set trust. e.g.:
+ certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+ ocspCacheSize - sets max cache entries
+ ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+ ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+ ocspTimeout -sets OCSP timeout in seconds
+ -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]"
+ port="[PKI_SECURE_PORT]"
+ protocol="org.apache.coyote.http11.Http11Protocol"
+ SSLEnabled="true"
+ sslProtocol="SSL"
+ scheme="https"
+ secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25"
+ enableLookups="false" disableUploadTimeout="true"
+ sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="true"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
+ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
+ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]"
+ protocol="AJP/1.3"
+ redirectPort="[PKI_AJP_REDIRECT_PORT]"
+ address="127.0.0.1" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <!--
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ -->
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <!--
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
+ -->
+
+ <Host name="localhost" appBase="[PKI_INSTANCE_PATH]/webapps"
+ unpackWARs="true" autoDeploy="true">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html
+ Note: The pattern used is equivalent to using pattern="common" -->
+ [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log" suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
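Review bot: Two inherited defaults in this new server.xml deserve a decision rather than a copy: `<Server ... shutdown="SHUTDOWN">` keeps the well-known shutdown string, and the Host sets `autoDeploy="true"`, so anything able to write into `[PKI_INSTANCE_PATH]/webapps` or the context directory gets code loaded into the CA's JVM. If the deployment tooling does not depend on auto-deployment I would ship `unpackWARs="true" autoDeploy="false">`, and otherwise say so in a comment next to the attribute. The comment above the secure connector also says it "uses the NIO implementation", while the connector sets `protocol="org.apache.coyote.http11.Http11Protocol"`, which to my knowledge is the blocking implementation in Tomcat 8.0; the comment should be corrected to match.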
diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt
new file mode 100644
index 000000000..102dec782
--- /dev/null
+++ b/base/server/tomcat8/src/CMakeLists.txt
@@ -0,0 +1,158 @@
+project(pki-tomcat)
+
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(COMMONS_CODEC_JAR
+ NAMES
+ commons-codec.jar
+ PATHS
+ /usr/share/java
+)
+
+find_file(COMMONS_HTTPCLIENT_JAR
+ NAMES
+ commons-httpclient.jar
+ PATHS
+ /usr/share/java
+)
+
+find_file(APACHE_COMMONS_LANG_JAR
+ NAMES
+ apache-commons-lang.jar
+ PATHS
+ /usr/share/java
+)
+
+find_file(TOMCAT_CATALINA_JAR
+ NAMES
+ catalina.jar
+ PATHS
+ /usr/share/java/tomcat
+)
+
+find_file(TOMCAT_UTIL_SCAN_JAR
+ NAMES
+ tomcat-util-scan.jar
+ PATHS
+ /usr/share/java/tomcat
+)
+
+find_file(SERVLET_JAR
+ NAMES
+ servlet.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(VELOCITY_JAR
+ NAMES
+ velocity.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(XALAN_JAR
+ NAMES
+ xalan-j2.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(XERCES_JAR
+ NAMES
+ xerces-j2.jar
+ PATHS
+ ${JAVA_LIB_INSTALL_DIR}
+ /usr/share/java
+)
+
+find_file(JAXRS_API_JAR
+ NAMES
+ jaxrs-api.jar
+ PATHS
+ ${RESTEASY_LIB}
+)
+
+find_file(RESTEASY_JAXRS_JAR
+ NAMES
+ resteasy-jaxrs.jar
+ PATHS
+ ${RESTEASY_LIB}
+)
+
+find_file(RESTEASY_ATOM_PROVIDER_JAR
+ NAMES
+ resteasy-atom-provider.jar
+ PATHS
+ ${RESTEASY_LIB}
+)
+
+find_file(HTTPCLIENT_JAR
+ NAMES
+ httpclient.jar
+ PATHS
+ /usr/share/java/httpcomponents
+)
+
+find_file(HTTPCORE_JAR
+ NAMES
+ httpcore.jar
+ PATHS
+ /usr/share/java/httpcomponents
+)
+
+# build pki-tomcat
+javac(pki-tomcat-classes
+ SOURCES
+ com/netscape/cms/tomcat/*.java
+ CLASSPATH
+ ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
+ OUTPUT_DIR
+ ${CMAKE_BINARY_DIR}/classes
+)
+
+configure_file(
+ ${CMAKE_CURRENT_SOURCE_DIR}/pki-tomcat.mf
+ ${CMAKE_CURRENT_BINARY_DIR}/pki-tomcat.mf
+)
+
+jar(pki-tomcat-jar
+ CREATE
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+ OPTIONS
+ m
+ PARAMS
+ ${CMAKE_CURRENT_BINARY_DIR}/pki-tomcat.mf
+ INPUT_DIR
+ ${CMAKE_BINARY_DIR}/classes
+ FILES
+ com/netscape/cms/tomcat/*.class
+ DEPENDS
+ pki-tomcat-classes
+)
+
+install(
+ FILES
+ ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar
+ DESTINATION
+ ${JAVA_JAR_INSTALL_DIR}/pki
+)
+
+set(PKI_TOMCAT_JAR ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar CACHE INTERNAL "pki-tomcat jar file")
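Review bot: None of the sixteen `find_file()` results is checked, and only `SERVLET_JAR`, `TOMCAT_CATALINA_JAR` and `TOMCAT_UTIL_SCAN_JAR` are used by the `javac()` call in this file. If one of those three is missing, its `<VAR>-NOTFOUND` value goes onto the CLASSPATH and the problem presumably surfaces later as a compile error rather than at configure time. I would fail early for each of the three, e.g. `if(NOT TOMCAT_UTIL_SCAN_JAR)` / `message(FATAL_ERROR "tomcat-util-scan.jar not found")` / `endif()`. The other thirteen lookups can be dropped from this file unless other directories rely on the cache entries they create.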
diff --git a/base/server/tomcat8/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat8/src/com/netscape/cms/tomcat/ProxyRealm.java
new file mode 100644
index 000000000..044563233
--- /dev/null
+++ b/base/server/tomcat8/src/com/netscape/cms/tomcat/ProxyRealm.java
@@ -0,0 +1,145 @@
+package com.netscape.cms.tomcat;
+
+import java.beans.PropertyChangeListener;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.CredentialHandler;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.ietf.jgss.GSSContext;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class ProxyRealm implements Realm {
+
+ public static Map<String, ProxyRealm> proxies = new HashMap<String, ProxyRealm>();
+
+ public Container container;
+ public Realm realm;
+
+ public ProxyRealm() {
+ }
+
+ @Override
+ public Container getContainer() {
+ return container;
+ }
+
+ @Override
+ public void setContainer(Container container) {
+ this.container = container;
+ if (container instanceof Context) {
+ Context context = (Context)container;
+ proxies.put(context.getBaseName(), this);
+ }
+ }
+
+ public Realm getRealm() {
+ return realm;
+ }
+
+ public void setRealm(Realm realm) {
+ this.realm = realm;
+ realm.setContainer(container);
+ }
+
+ public static void registerRealm(String contextName, Realm realm) {
+ ProxyRealm proxy = proxies.get(contextName);
+ if (proxy == null) return;
+
+ proxy.setRealm(realm);
+ }
+
+ @Override
+ public Principal authenticate(String username, String password) {
+ return realm.authenticate(username, password);
+ }
+
+ @Override
+ public Principal authenticate(X509Certificate certs[]) {
+ return realm.authenticate(certs);
+ }
+
+ @Override
+ public Principal authenticate(
+ String username,
+ String digest,
+ String nonce,
+ String nc,
+ String cnonce,
+ String qop,
+ String realmName,
+ String md5a2
+ ) {
+ return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2);
+ }
+
+ @Override
+ public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ return realm.authenticate(gssContext, storeCreds);
+ }
+
+ @Override
+ public boolean hasResourcePermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraints,
+ Context context
+ ) throws IOException {
+ return realm.hasResourcePermission(request, response, constraints, context);
+ }
+
+ @Override
+ public void backgroundProcess() {
+ realm.backgroundProcess();
+ }
+
+ @Override
+ public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
+ return realm.findSecurityConstraints(request, context);
+ }
+
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+ return realm.hasRole(wrapper, principal, role);
+ }
+
+ @Override
+ public boolean hasUserDataPermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraint
+ ) throws IOException {
+ return realm.hasUserDataPermission(request, response, constraint);
+ }
+
+ @Override
+ public void addPropertyChangeListener(PropertyChangeListener listener) {
+ realm.addPropertyChangeListener(listener);
+ }
+
+ @Override
+ public void removePropertyChangeListener(PropertyChangeListener listener) {
+ realm.removePropertyChangeListener(listener);
+ }
+
+ @Override
+ public CredentialHandler getCredentialHandler() {
+ return realm.getCredentialHandler();
+ }
+
+ @Override
+ public void setCredentialHandler(CredentialHandler handler) {
+ realm.setCredentialHandler(handler);
+ }
+}
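Review bot: Every delegating method dereferences `realm` without a null check, but `realm` is only assigned through `setRealm()`/`registerRealm()`, so any call that reaches the proxy before registration ends in a NullPointerException rather than a deliberate denial. I would make the unregistered state explicit, starting with `if (realm == null) return null;` at the top of each `authenticate(...)` overload, and have `registerRealm()` log when `proxies.get(contextName)` finds nothing instead of returning silently. Separately, `proxies` is a `public static` `HashMap` written from `setContainer()`. If contexts can be started on more than one thread, it should be `private static final Map<String, ProxyRealm> proxies = new ConcurrentHashMap<String, ProxyRealm>();`. Making it private also keeps other code from swapping the realm for a context by editing the map directly, provided nothing outside this class reads the field.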
diff --git a/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
new file mode 100644
index 000000000..3678791b9
--- /dev/null
+++ b/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -0,0 +1,168 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Globals;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.authenticator.AuthenticatorBase;
+import org.apache.catalina.authenticator.BasicAuthenticator;
+import org.apache.catalina.authenticator.FormAuthenticator;
+import org.apache.catalina.authenticator.SSLAuthenticator;
+import org.apache.catalina.connector.Request;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
+
+ public final static String BASIC_AUTHENTICATOR = "BASIC";
+ public final static String FORM_AUTHENTICATOR = "FORM";
+
+ String fallbackMethod = BASIC_AUTHENTICATOR;
+
+ AuthenticatorBase sslAuthenticator = new SSLAuthenticator();
+ AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator();
+
+ public SSLAuthenticatorWithFallback() {
+ log("Creating SSL authenticator with fallback");
+ }
+
+ public String getFallbackMethod() {
+ return fallbackMethod;
+ }
+
+ public void setFallbackMethod(String fallbackMethod) {
+ log("Fallback method: "+fallbackMethod);
+ this.fallbackMethod = fallbackMethod;
+
+ if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
+ fallbackAuthenticator = new BasicAuthenticator();
+
+ } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
+ fallbackAuthenticator = new FormAuthenticator();
+ }
+
+ }
+
+ @Override
+ public boolean authenticate(Request request, HttpServletResponse response) throws IOException {
+
+ X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
+ boolean result;
+
+ if (certs != null && certs.length > 0) {
+ log("Authenticate with client certificate authentication");
+ HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
+ public void setHeader(String name, String value) {
+ log("SSL auth header: "+name+"="+value);
+ };
+ public void sendError(int code) {
+ log("SSL auth return code: "+code);
+ }
+ };
+ result = sslAuthenticator.authenticate(request, wrapper);
+
+ } else {
+ log("Authenticating with "+fallbackMethod+" authentication");
+ HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
+ public void setHeader(String name, String value) {
+ log("Fallback auth header: "+name+"="+value);
+ };
+ public void sendError(int code) {
+ log("Fallback auth return code: "+code);
+ }
+ };
+ result = fallbackAuthenticator.authenticate(request, wrapper);
+ }
+
+ if (result)
+ return true;
+
+ log("Result: "+result);
+ String realmName = AuthenticatorBase.getRealmName(request.getContext());
+
+
+ StringBuilder value = new StringBuilder(16);
+ value.append("Basic realm=\"");
+ if (realmName != null) {
+ value.append(REALM_NAME);
+ } else {
+ value.append(realmName);
+ }
+ value.append('\"');
+ response.setHeader(AUTH_HEADER_NAME, value.toString());
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+
+ return false;
+ }
+
+ @Override
+ protected String getAuthMethod() {
+ return HttpServletRequest.CLIENT_CERT_AUTH;
+ };
+
+ @Override
+ public void setContainer(Container container) {
+ log("Setting container");
+ super.setContainer(container);
+ sslAuthenticator.setContainer(container);
+ fallbackAuthenticator.setContainer(container);
+ }
+
+ @Override
+ protected void initInternal() throws LifecycleException {
+ log("Initializing authenticators");
+
+ super.initInternal();
+
+ sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
+ sslAuthenticator.init();
+
+ fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
+ fallbackAuthenticator.init();
+ }
+
+ @Override
+ public void startInternal() throws LifecycleException {
+ log("Starting authenticators");
+ super.startInternal();
+ sslAuthenticator.start();
+ fallbackAuthenticator.start();
+ }
+
+ @Override
+ public void stopInternal() throws LifecycleException {
+ log("Stopping authenticators");
+ super.stopInternal();
+ sslAuthenticator.stop();
+ fallbackAuthenticator.stop();
+ }
+
+ public void log(String message) {
+ System.out.println("SSLAuthenticatorWithFallback: "+message);
+ }
+}
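Review bot: The realm-name branch in `authenticate()` is inverted: when `realmName` is non-null the code appends the `REALM_NAME` constant, and when it is null it appends the null reference, so the challenge either ignores the configured realm name or reads `Basic realm="null"`. The `if`/`else` should collapse to `value.append(realmName != null ? realmName : REALM_NAME);`. The two response wrappers also override only `setHeader(String, String)` and `sendError(int)`; if a delegate authenticator calls `sendError(int, String)`, `addHeader` or `setStatus`, that call reaches the real response, which may already be committed when the challenge below is written, so those overloads are worth intercepting too. Finally, `setFallbackMethod()` records an unrecognised value but keeps the previous authenticator, and the failure path always sends a `Basic` challenge even when the fallback is FORM; rejecting unknown values would make a misconfiguration visible.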
diff --git a/base/server/tomcat8/src/pki-tomcat.mf b/base/server/tomcat8/src/pki-tomcat.mf
new file mode 100644
index 000000000..ca8d3bf1b
--- /dev/null
+++ b/base/server/tomcat8/src/pki-tomcat.mf
@@ -0,0 +1,3 @@
+Name: pki-tomcat
+Specification-Version: ${APPLICATION_VERSION}
+Implementation-Version: ${VERSION}
diff --git a/base/tks/CMakeLists.txt b/base/tks/CMakeLists.txt
index 4b17ca0c8..8bdf2258e 100644
--- a/base/tks/CMakeLists.txt
+++ b/base/tks/CMakeLists.txt
@@ -4,6 +4,14 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
# install directories
install(
DIRECTORY
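Review bot: Nothing in this hunk stops `WITH_TOMCAT7` and `WITH_TOMCAT8` from both being enabled, and the `tomcat7` and `tomcat8` subdirectories added by this commit install `conf/` to the same `DESTINATION`, so with both on, the later install silently decides which `Catalina/localhost/tks.xml` is shipped. Where the two options are declared is not visible here; a check next to that declaration, such as `if(WITH_TOMCAT7 AND WITH_TOMCAT8)` followed by `message(FATAL_ERROR "Enable only one of WITH_TOMCAT7 and WITH_TOMCAT8")`, would catch it at configure time. The same pattern is added to `base/tps/CMakeLists.txt` further down. As a style point, `endif(WITH_TOMCAT7)` can be a bare `endif()`. The `install(` call that follows continues outside the hunk.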
diff --git a/base/tks/tomcat7/CMakeLists.txt b/base/tks/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/tks/tomcat7/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/tks/shared/conf/Catalina/localhost/tks.xml b/base/tks/tomcat7/conf/Catalina/localhost/tks.xml
index e838503a6..e838503a6 100644
--- a/base/tks/shared/conf/Catalina/localhost/tks.xml
+++ b/base/tks/tomcat7/conf/Catalina/localhost/tks.xml
diff --git a/base/tks/tomcat8/CMakeLists.txt b/base/tks/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/tks/tomcat8/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/tks/tomcat8/conf/Catalina/localhost/tks.xml b/base/tks/tomcat8/conf/Catalina/localhost/tks.xml
new file mode 100644
index 000000000..2c045dec7
--- /dev/null
+++ b/base/tks/tomcat8/conf/Catalina/localhost/tks.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
+
+ <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
+
+ <Resources allowLinking="true" />
+
+</Context>
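Review bot: `crossContext="true"` and `<Resources allowLinking="true" />` both widen what this context can reach, and neither carries a comment saying why the subsystem needs it. With `allowLinking` enabled Tomcat follows symbolic links below the web application root, so ownership and write permissions on the linked directories become part of the web application's security boundary; Tomcat's documentation also says the flag must not be enabled on case-insensitive file systems. I would add a short XML comment above each element naming the feature that depends on it and, for `allowLinking`, who is allowed to create links under the instance's web application directory. The same two settings appear in `base/tps/tomcat8/conf/Catalina/localhost/tps.xml` below, which additionally hard-codes `docBase="/usr/share/pki/tps/webapps/tps"` where this file sets none.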
diff --git a/base/tps/CMakeLists.txt b/base/tps/CMakeLists.txt
index dac32876c..516d42640 100644
--- a/base/tps/CMakeLists.txt
+++ b/base/tps/CMakeLists.txt
@@ -6,6 +6,14 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
+if(WITH_TOMCAT7)
+ add_subdirectory(tomcat7)
+endif(WITH_TOMCAT7)
+
+if(WITH_TOMCAT8)
+ add_subdirectory(tomcat8)
+endif(WITH_TOMCAT8)
+
# install manual pages
install(
DIRECTORY
diff --git a/base/tps/tomcat7/CMakeLists.txt b/base/tps/tomcat7/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/tps/tomcat7/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/tps/shared/conf/Catalina/localhost/tps.xml b/base/tps/tomcat7/conf/Catalina/localhost/tps.xml
index d80c1296d..d80c1296d 100644
--- a/base/tps/shared/conf/Catalina/localhost/tps.xml
+++ b/base/tps/tomcat7/conf/Catalina/localhost/tps.xml
diff --git a/base/tps/tomcat8/CMakeLists.txt b/base/tps/tomcat8/CMakeLists.txt
new file mode 100644
index 000000000..5c324e441
--- /dev/null
+++ b/base/tps/tomcat8/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ DIRECTORY
+ conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+)
diff --git a/base/tps/tomcat8/conf/Catalina/localhost/tps.xml b/base/tps/tomcat8/conf/Catalina/localhost/tps.xml
new file mode 100644
index 000000000..def403c22
--- /dev/null
+++ b/base/tps/tomcat8/conf/Catalina/localhost/tps.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Context docBase="/usr/share/pki/tps/webapps/tps" crossContext="true">
+
+ <Manager
+ secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+
+ <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
+
+ <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
+
+ <Resources allowLinking="true" />
+
+</Context>
diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
index 47a08a84c..09128cce5 100644
--- a/specs/dogtag-pki.spec
+++ b/specs/dogtag-pki.spec
@@ -22,8 +22,12 @@ ExcludeArch: ppc ppc64 ppcle ppc64le s390 s390x
%if 0%{?rhel}
%define tomcatjss_version 7.1.0-5
%else
+%if 0%{?fedora} >= 23
+%define tomcatjss_version 7.1.2
+%else
%define tomcatjss_version 7.1.1
%endif
+%endif
Requires: apache-commons-codec
%if 0%{?fedora} >= 21
@@ -118,6 +122,7 @@ rm -rf %{buildroot}
%changelog
* Thu Apr 9 2015 Dogtag Team <pki-devel@redhat.com> 10.2.3-0.1
- Reverted version number back to 10.2.3-0.1
+- Added support for Tomcat 8.
* Mon Apr 6 2015 Dogtag Team <pki-devel@redhat.com> 10.3.0-0.1
- Updated version number to 10.3.0-0.1
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 5117695a1..4c24ed6e4 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -1,8 +1,36 @@
+# Python
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from
distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from
distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+# Tomcat
+%if 0%{?fedora} >= 23
+%define with_tomcat7 0
+%define with_tomcat8 1
+%else
+# 0%{?rhel} || 0%{?fedora} <= 22
+%define with_tomcat7 1
+%define with_tomcat8 0
+%endif
+
+# RESTEasy
+%if 0%{?rhel}
+%define resteasy_lib /usr/share/java/resteasy-base
+%else
+# 0%{?fedora}
+%define resteasy_lib /usr/share/java/resteasy
+%endif
+
+# Dogtag
+%bcond_without server
+%bcond_without javadoc
+
+# ignore unpackaged files from native 'tpsclient'
+# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
+%define _unpackaged_files_terminate_build 0
+
+
Name: pki-core
Version: 10.2.3
Release: 0.1%{?dist}
@@ -11,12 +39,6 @@ URL: http://pki.fedoraproject.org/
License: GPLv2
Group: System Environment/Daemons
-%bcond_without server
-%bcond_without javadoc
-# ignore unpackaged files from native 'tpsclient'
-# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
-%define _unpackaged_files_terminate_build 0
-
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: cmake >= 2.8.9-1
@@ -39,7 +61,7 @@ BuildRequires: velocity
BuildRequires: xalan-j2
BuildRequires: xerces-j2
-%if 0%{?rhel}
+%if 0%{?rhel}
# 'resteasy-base' is a subset of the complete set of
# 'resteasy' packages and consists of what is needed to
# support the PKI Restful interface on RHEL platforms
@@ -50,7 +72,7 @@ BuildRequires: resteasy-base-jaxrs >= 3.0.6-1
BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1
BuildRequires: resteasy-base-jackson-provider >= 3.0.6-1
%else
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} >= 22
# Starting from Fedora 22, resteasy packages were split into
# subpackages.
BuildRequires: resteasy-atom-provider >= 3.0.6-7
@@ -80,7 +102,11 @@ BuildRequires: systemd-units
%if 0%{?rhel}
BuildRequires: tomcatjss >= 7.1.0-5
%else
-BuildRequires: tomcatjss >= 7.1.1
+%if 0%{?fedora} >= 23
+BuildRequires: tomcatjss >= 7.1.2
+%else
+BuildRequires: tomcatjss >= 7.1.1
+%endif
%endif
# additional build requirements needed to build native 'tpsclient'
@@ -245,7 +271,7 @@ Requires: python-ldap
Requires: python-lxml
Requires: python-requests >= 1.1.0-3
-%if 0%{?rhel}
+%if 0%{?rhel}
# 'resteasy-base' is a subset of the complete set of
# 'resteasy' packages and consists of what is needed to
# support the PKI Restful interface on RHEL platforms
@@ -256,7 +282,7 @@ Requires: resteasy-base-jaxrs >= 3.0.6-1
Requires: resteasy-base-jaxrs-api >= 3.0.6-1
Requires: resteasy-base-jackson-provider >= 3.0.6-1
%else
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} >= 22
# Starting from Fedora 22, resteasy packages were split into
# subpackages.
Requires: resteasy-atom-provider >= 3.0.6-7
@@ -333,7 +359,7 @@ Requires: pki-base = %{version}-%{release}
Requires: pki-tools = %{version}-%{release}
Requires: policycoreutils-python
-%if 0%{?fedora} >= 21
+%if 0%{?fedora} >= 21
Requires: selinux-policy-targeted >= 3.13.1-9
%else
# 0%{?rhel} || 0%{?fedora} < 21
@@ -364,8 +390,12 @@ Requires(postun): systemd-units
%if 0%{?rhel}
Requires: tomcatjss >= 7.1.0-5
%else
+%if 0%{?fedora} >= 23
+Requires: tomcatjss >= 7.1.2
+%else
Requires: tomcatjss >= 7.1.1
%endif
+%endif
%description -n pki-server
The PKI Server Framework is required by the following four PKI subsystems:
@@ -603,10 +633,15 @@ cd build
-DBUILD_PKI_CORE:BOOL=ON \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-%if 0%{?rhel}
- -DRESTEASY_LIB=/usr/share/java/resteasy-base \
-%else
- -DRESTEASY_LIB=/usr/share/java/resteasy \
+%if ! %{with_tomcat7}
+ -DWITH_TOMCAT7:BOOL=OFF \
+%endif
+%if ! %{with_tomcat8}
+ -DWITH_TOMCAT8:BOOL=OFF \
+%endif
+ -DRESTEASY_LIB=%{resteasy_lib} \
+%if ! %{with server}
+ -DWITH_SERVER:BOOL=OFF \
%endif
%if ! %{with server}
-DWITH_SERVER:BOOL=OFF \
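Review bot: The new side of this hunk passes `-DWITH_SERVER:BOOL=OFF` twice: the added `%if ! %{with server}` block reuses the `%endif` that used to close the RESTEasy conditional, and the original `%if ! %{with server}` block follows it unchanged. The duplicate flag is harmless to cmake but looks like a merge slip and makes the conditional structure harder to audit. I would drop the added `%if ! %{with server}` and `-DWITH_SERVER:BOOL=OFF \` lines and remove the leftover `%endif` together with the old `%if 0%{?rhel}` block. The closing `%endif` of the original block lies outside the hunk.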
@@ -907,6 +942,7 @@ systemctl daemon-reload
%changelog
* Thu Apr 9 2015 Dogtag Team <pki-devel@redhat.com> 10.2.3-0.1
- Reverted version number back to 10.2.3-0.1
+- Added support for Tomcat 8.
* Mon Apr 6 2015 Dogtag Team <pki-devel@redhat.com> 10.3.0-0.1
- Updated version number to 10.3.0-0.1