Diffstat (limited to 'base')
-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java1
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java12
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java42
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java15
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java12
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java12
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java2
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java64
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java4
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java4
10 files changed, 115 insertions, 53 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index 95f1f4c20..3c1e50b7c 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -138,6 +138,7 @@ public class CertRequestService extends PKIService implements CertRequestResourc
CMS.debug("enrollCert: bad request data: " + e);
throw new BadRequestException(e.toString());
} catch (EBaseException e) {
+ CMS.debug(e);
throw new PKIException(e);
} catch (Exception e) {
CMS.debug(e);
diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
index d55b5b4e1..2b914e856 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
@@ -37,6 +37,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
+import com.netscape.certsrv.base.ResourceMessage;
import com.netscape.certsrv.profile.ProfileAttribute;
import com.netscape.certsrv.profile.ProfileInput;
import com.netscape.certsrv.profile.ProfileOutput;
@@ -48,7 +49,7 @@ import com.netscape.certsrv.profile.ProfileOutput;
@XmlRootElement(name = "CertEnrollmentRequest")
@XmlAccessorType(XmlAccessType.FIELD)
-public class CertEnrollmentRequest {
+public class CertEnrollmentRequest extends ResourceMessage {
private static final String PROFILE_ID = "profileId";
private static final String RENEWAL = "renewal";
@@ -286,7 +287,7 @@ public class CertEnrollmentRequest {
@Override
public int hashCode() {
final int prime = 31;
- int result = 1;
+ int result = super.hashCode();
result = prime * result + ((inputs == null) ? 0 : inputs.hashCode());
result = prime * result + ((outputs == null) ? 0 : outputs.hashCode());
result = prime * result + ((profileId == null) ? 0 : profileId.hashCode());
@@ -301,7 +302,7 @@ public class CertEnrollmentRequest {
public boolean equals(Object obj) {
if (this == obj)
return true;
- if (obj == null)
+ if (!super.equals(obj))
return false;
if (getClass() != obj.getClass())
return false;
@@ -346,8 +347,6 @@ public class CertEnrollmentRequest {
before.setProfileId("caUserCert");
before.setRenewal(false);
- //Simulate a "caUserCert" Profile enrollment
-
ProfileInput certReq = before.createInput("KeyGenInput");
certReq.addAttribute(new ProfileAttribute("cert_request_type", "crmf", null));
certReq.addAttribute(new ProfileAttribute(
@@ -371,6 +370,9 @@ public class CertEnrollmentRequest {
submitter.addAttribute(new ProfileAttribute("requestor_email", "admin@redhat.com", null));
submitter.addAttribute(new ProfileAttribute("requestor_phone", "650-555-5555", null));
+ before.setAttribute("uid", "testuser");
+ before.setAttribute("pwd", "password");
+
String xml = before.toXML();
System.out.println(xml);
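Review bot: `before.setAttribute("pwd", "password")` at L79 places a credential into the message's generic attribute map, and `toXML()` at L81-L82 then prints it, so a serialized CertEnrollmentRequest now carries a password wherever it is serialized or logged; this is test code, but it is worth confirming that no server-side debug path dumps the deserialized request. The attribute names `uid` and `pwd` are also repeated as bare literals in CertRequestDAO; defining them as constants next to `PROFILE_ID` at L47 (e.g. `private static final String UID = "uid";`) would keep the two sides in sync. The enclosing main method starts outside this hunk.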
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index f1a147eb4..e5daf78fd 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.ProfileInput;
import com.netscape.certsrv.request.INotify;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.servlet.common.AuthCredentials;
import com.netscape.cms.servlet.processors.CAProcessor;
import com.netscape.cmsutil.ldap.LDAPUtil;
@@ -51,26 +52,31 @@ public class CertProcessor extends CAProcessor {
super(id, locale);
}
- protected void setCredentialsIntoContext(HttpServletRequest request, IProfileAuthenticator authenticator,
+ protected void setCredentialsIntoContext(
+ HttpServletRequest request,
+ AuthCredentials creds,
+ IProfileAuthenticator authenticator,
IProfileContext ctx) {
- Enumeration<String> authIds = authenticator.getValueNames();
-
- if (authIds != null) {
- CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authNames not null");
- while (authIds.hasMoreElements()) {
- String authName = authIds.nextElement();
-
- CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName:" +
- authName);
- if (request.getParameter(authName) != null) {
- CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName found in request");
- ctx.set(authName, request.getParameter(authName));
- } else {
- CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName not found in request");
- }
+
+ Enumeration<String> names = authenticator.getValueNames();
+ if (names == null) {
+ CMS.debug("CertProcessor: No authenticator credentials required");
+ return;
+ }
+
+ CMS.debug("CertProcessor: Authentication credentials:");
+ while (names.hasMoreElements()) {
+ String name = names.nextElement();
+
+ Object value;
+ if (creds == null) {
+ value = request.getParameter(name);
+ } else {
+ value = creds.get(name);
}
- } else {
- CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authIds` null");
+
+ if (value == null) continue;
+ ctx.set(name, value.toString());
}
}
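Review bot: When `creds` is non-null the new loop at L130-L134 takes the value only from `creds` and never consults the request parameters, so a name the authenticator asks for but the caller did not place into `creds` is silently skipped by the `continue` at L138, whereas the removed code always read `request.getParameter(name)`. Since CertRequestDAO passes an AuthCredentials holding at most `uid` and `pwd`, any other value name is dropped on the REST path. If the fallback is still wanted, `Object value = creds == null ? null : creds.get(name);` followed by `if (value == null) value = request.getParameter(name);` keeps both sources; if the omission is intended, a comment stating that a supplied AuthCredentials is authoritative would make that explicit.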
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
index c94ee1496..be6d22c57 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.request.RequestNotFoundException;
+import com.netscape.cms.servlet.common.AuthCredentials;
import com.netscape.cms.servlet.processors.CAProcessor;
import com.netscape.cms.servlet.request.CMSRequestDAO;
@@ -169,13 +170,23 @@ public class CertRequestDAO extends CMSRequestDAO {
CertRequestInfos ret = new CertRequestInfos();
+ AuthCredentials credentials = new AuthCredentials();
+ String uid = data.getAttribute("uid");
+ if (uid != null) {
+ credentials.set("uid", uid);
+ }
+ String password = data.getAttribute("pwd");
+ if (password != null) {
+ credentials.set("pwd", password);
+ }
+
HashMap<String, Object> results = null;
if (data.isRenewal()) {
RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale);
- results = processor.processRenewal(data, request);
+ results = processor.processRenewal(data, request, credentials);
} else {
EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale);
- results = processor.processEnrollment(data, request);
+ results = processor.processEnrollment(data, request, credentials);
}
IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
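Review bot: The `uid`/`pwd` values are copied into `credentials` at L155-L163, but the password also stays on `data` as a plain attribute for the rest of the enrollment, so it travels with the CertEnrollmentRequest into the processors at L169/L173 and anything they persist or debug-log; this hunk does not show whether `data` is stored or serialized later, which is worth confirming. The keys are hard-coded literals duplicated with CertEnrollmentRequest's test code, while the authenticator's own value names (via `IProfileAuthenticator.getValueNames()`, as CertProcessor uses) define what is actually required; at minimum `uid` and `pwd` should be shared constants. Note also that `credentials` is always non-null here, even when neither attribute was sent, so the request-parameter fallback in `CAProcessor.authenticate` never runs for REST callers. The enclosing method starts before this hunk.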
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index ce57e1fc3..eac435922 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -37,6 +37,7 @@ import com.netscape.certsrv.profile.IProfileInput;
import com.netscape.certsrv.profile.ProfileAttribute;
import com.netscape.certsrv.profile.ProfileInput;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.servlet.common.AuthCredentials;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.profile.SSLClientCertProvider;
import com.netscape.cmsutil.ldap.LDAPUtil;
@@ -97,8 +98,11 @@ public class EnrollmentProcessor extends CertProcessor {
* @param cmsReq the object holding the request and response information
* @exception EBaseException an error has occurred
*/
- public HashMap<String, Object> processEnrollment(CertEnrollmentRequest data, HttpServletRequest request)
- throws EBaseException {
+ public HashMap<String, Object> processEnrollment(
+ CertEnrollmentRequest data,
+ HttpServletRequest request,
+ AuthCredentials credentials)
+ throws EBaseException {
try {
if (CMS.debugOn()) {
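Review bot: The new `credentials` parameter at L197 is not documented in the Javadoc above, which still lists `@param cmsReq` (L189) although the method takes `data` and `request`. Suggest replacing it with `@param data the enrollment request data`, `@param request the HTTP request`, and `@param credentials pre-built authentication credentials; null means the values are read from the request parameters` — the null semantics follow from the null checks in CAProcessor.authenticate and CertProcessor.setCredentialsIntoContext. RenewalProcessor.processRenewal at L232-L235 gains the same parameter and needs the same `@param`; both Javadoc blocks start outside their hunks.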
@@ -131,7 +135,7 @@ public class EnrollmentProcessor extends CertProcessor {
IProfileAuthenticator authenticator = profile.getAuthenticator();
if (authenticator != null) {
CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found");
- setCredentialsIntoContext(request, authenticator, ctx);
+ setCredentialsIntoContext(request, credentials, authenticator, ctx);
}
// for ssl authentication; pass in servlet for retrieving ssl client certificates
@@ -142,7 +146,7 @@ public class EnrollmentProcessor extends CertProcessor {
CMS.debug("EnrollmentProcessor: set sslClientCertProvider");
// before creating the request, authenticate the request
- IAuthToken authToken = authenticate(request, null, authenticator, context, false);
+ IAuthToken authToken = authenticate(request, null, authenticator, context, false, credentials);
// authentication success, now authorize
authorize(profileId, profile, authToken);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 5ebbbff8f..7e34e4d5e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
import com.netscape.certsrv.profile.IProfileContext;
import com.netscape.certsrv.profile.IProfileInput;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.servlet.common.AuthCredentials;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.profile.SSLClientCertProvider;
@@ -63,7 +64,10 @@ public class RenewalProcessor extends CertProcessor {
* Things to note:
* * the renew request will contain the original profile instead of the new
*/
- public HashMap<String, Object> processRenewal(CertEnrollmentRequest data, HttpServletRequest request)
+ public HashMap<String, Object> processRenewal(
+ CertEnrollmentRequest data,
+ HttpServletRequest request,
+ AuthCredentials credentials)
throws EBaseException {
try {
if (CMS.debugOn()) {
@@ -170,14 +174,14 @@ public class RenewalProcessor extends CertProcessor {
if (authenticator != null) {
CMS.debug("RenewalSubmitter: authenticator " + authenticator.getName() + " found");
- setCredentialsIntoContext(request, authenticator, ctx);
+ setCredentialsIntoContext(request, credentials, authenticator, ctx);
}
// for renewal, this will override or add auth info to the profile context
if (origAuthenticator != null) {
CMS.debug("RenewalSubmitter: for renewal, original authenticator " +
origAuthenticator.getName() + " found");
- setCredentialsIntoContext(request, origAuthenticator, ctx);
+ setCredentialsIntoContext(request, credentials, origAuthenticator, ctx);
}
// for renewal, input needs to be retrieved from the orig req record
@@ -197,7 +201,7 @@ public class RenewalProcessor extends CertProcessor {
context.put("origSubjectDN", origSubjectDN);
// before creating the request, authenticate the request
- IAuthToken authToken = authenticate(request, origReq, authenticator, context, true);
+ IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials);
// authentication success, now authorize
authorize(profileId, renewProfile, authToken);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
index 32ae0fcc8..b4d5fa9c8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java
@@ -54,7 +54,7 @@ public class AuthCredentials implements IAuthCredentials {
*/
public void set(String name, Object cred) throws EAuthException {
if (cred == null) {
- throw new EAuthException("AuthCredentials.set()");
+ throw new EAuthException("Missing credential: " + name);
}
authCreds.put(name, cred);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 5f6f45cb8..e3b3d3497 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
@@ -358,10 +359,14 @@ public class CAProcessor extends Processor {
* authenticate for renewal - more to add necessary params/values
* to the session context
*/
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ IRequest origReq,
+ SessionContext context,
+ AuthCredentials credentials) throws EBaseException
{
- IAuthToken authToken = authenticate(authenticator, request);
+ IAuthToken authToken = authenticate(authenticator, request, credentials);
// For renewal, fill in necessary params
if (authToken != null) {
String ouid = origReq.getExtDataInString("auth_token.uid");
@@ -417,18 +422,23 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(IProfileAuthenticator authenticator,
- HttpServletRequest request) throws EBaseException {
- AuthCredentials credentials = new AuthCredentials();
+ public IAuthToken authenticate(
+ IProfileAuthenticator authenticator,
+ HttpServletRequest request,
+ AuthCredentials credentials) throws EBaseException {
- // build credential
- Enumeration<String> authNames = authenticator.getValueNames();
+ if (credentials == null) {
+ credentials = new AuthCredentials();
- if (authNames != null) {
- while (authNames.hasMoreElements()) {
- String authName = authNames.nextElement();
+ // build credential
+ Enumeration<String> authNames = authenticator.getValueNames();
- credentials.set(authName, request.getParameter(authName));
+ if (authNames != null) {
+ while (authNames.hasMoreElements()) {
+ String authName = authNames.nextElement();
+
+ credentials.set(authName, request.getParameter(authName));
+ }
}
}
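Review bot: When a non-null `credentials` is passed, the check at L313 skips the value-name loop entirely, so a credential the authenticator requires but the caller omitted is no longer detected here: the old path raised `EAuthException("Missing credential: ...")` from `AuthCredentials.set` when `request.getParameter` returned null, whereas a pre-built AuthCredentials missing a name is handed to the authenticator as-is. Since CertRequestDAO always supplies a non-null object holding at most `uid` and `pwd`, authenticators with other value names receive incomplete input on the REST path. Running the loop in both cases and filling only the names not already supplied (assuming `AuthCredentials.get` returns null for an absent name, as CertProcessor's loop relies on) restores both the check and the request-parameter fallback; the rest of the method is outside this hunk.
```java
        if (credentials == null) {
            credentials = new AuthCredentials();
        }

        // build credential: fill in only the names the caller did not supply
        Enumeration<String> authNames = authenticator.getValueNames();

        if (authNames != null) {
            while (authNames.hasMoreElements()) {
                String authName = authNames.nextElement();

                if (credentials.get(authName) == null) {
                    // set() throws EAuthException("Missing credential: " + name) when the parameter is absent
                    credentials.set(authName, request.getParameter(authName));
                }
            }
        }
        // … unchanged: rest of method …
```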
@@ -447,8 +457,13 @@ public class CAProcessor extends Processor {
return authToken;
}
- public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator,
- SessionContext context, boolean isRenewal) throws EBaseException {
+ public IAuthToken authenticate(
+ HttpServletRequest request,
+ IRequest origReq,
+ IProfileAuthenticator authenticator,
+ SessionContext context,
+ boolean isRenewal,
+ AuthCredentials credentials) throws EBaseException {
startTiming("profile_authentication");
IAuthToken authToken = null;
@@ -475,12 +490,27 @@ public class CAProcessor extends Processor {
String auditMessage = null;
try {
if (isRenewal) {
- authToken = authenticate(authenticator, request, origReq, context);
+ authToken = authenticate(authenticator, request, origReq, context, credentials);
} else {
- authToken = authenticate(authenticator, request);
+ authToken = authenticate(authenticator, request, credentials);
}
+
+ } catch (EAuthException e) {
+ CMS.debug("CAProcessor: authentication error: " + e);
+
+ authSubjectID += " : " + uid_cred;
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+ authSubjectID,
+ ILogger.FAILURE,
+ authMgrID,
+ uid_attempted_cred);
+ audit(auditMessage);
+
+ throw e;
+
} catch (EBaseException e) {
- CMS.debug("CertProcessor: authentication error " + e.toString());
+ CMS.debug(e);
authSubjectID += " : " + uid_cred;
auditMessage = CMS.getLogMessage(
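Review bot: The new `catch (EAuthException e)` block at L354-L366 duplicates the audit sequence of the `catch (EBaseException e)` block that follows it (the `authSubjectID += " : " + uid_cred;` and `CMS.getLogMessage(LOGGING_SIGNED_AUDIT_AUTH_FAIL, ...)` lines at L357-L363 reappear at L371-L372), with the only visible differences being the debug text and the bare `throw e;`. If EAuthException extends EBaseException, as the separate preceding catch suggests, the split buys only a different debug line; a single catch that audits once and rethrows, or a small private `auditAuthFailure(...)` helper called from both, would stop the two copies of the audit call drifting apart. The remainder of the EBaseException handler and the method are outside the hunk.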
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index b64819e4c..69b9d9ccd 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -221,7 +221,7 @@ public class ProfileSubmitServlet extends ProfileServlet {
}
CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
- return processor.processEnrollment(data, request);
+ return processor.processEnrollment(data, request, null);
}
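Review bot: The literal `null` passed at L381 (and at L388 in the second hunk) carries meaning — per the null check in CAProcessor.authenticate it makes the processor collect credentials from the HTTP request parameters — but nothing at the call site says so. A short comment such as `// null: credentials are taken from the servlet request parameters` on each call, or a named local `AuthCredentials credentials = null;` carrying that comment, would keep the next reader from assuming the call runs unauthenticated.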
public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException {
@@ -248,7 +248,7 @@ public class ProfileSubmitServlet extends ProfileServlet {
//only used in renewal
data.setSerialNum(request.getParameter("serial_num"));
- return processor.processRenewal(data, request);
+ return processor.processRenewal(data, request, null);
}
private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
index 137edb5c5..8e2c59c26 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java
@@ -195,6 +195,8 @@ public class AuthSubsystem implements IAuthSubsystem {
while (instances.hasMoreElements()) {
String insName = instances.nextElement();
+ CMS.debug("AuthSubsystem: initializing authentication manager " + insName);
+
String implName = c.getString(insName + "." + PROP_PLUGIN);
AuthMgrPlugin plugin =
mAuthMgrPlugins.get(implName);
@@ -233,6 +235,7 @@ public class AuthSubsystem implements IAuthSubsystem {
throw new EAuthException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", className), e);
} catch (EBaseException e) {
+ CMS.debug(e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
// Skip the authenticaiton instance if
// it is mis-configurated. This give
@@ -240,6 +243,7 @@ public class AuthSubsystem implements IAuthSubsystem {
// fix the problem via console
} catch (Throwable e) {
+ CMS.debug(e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString()));
// Skip the authenticaiton instance if
// it is mis-configurated. This give