From 2119f1b218e9d68b13496e7042785d9c68753966 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 7 Oct 2013 11:48:54 -0400
Subject: Reorganized server packages.

The tomcat, cms, and cmscore packages have been moved from base/common into separate folders in base/server so that they can be built separately.
---
 .../cms/src/com/netscape/cms/realm/PKIRealm.java | 160 +++++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100644 base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
(limited to 'base/server/cms/src/com/netscape/cms/realm/PKIRealm.java')
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
new file mode 100644
index 000000000..b035f53f6
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -0,0 +1,160 @@
+package com.netscape.cms.realm;
+
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+
+import netscape.security.x509.X509CertImpl;
+
+import org.apache.catalina.realm.RealmBase;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthManager;
+import com.netscape.certsrv.authentication.IAuthSubsystem;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authentication.ICertUserDBAuthentication;
+import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.common.AuthCredentials;
+
+/**
+ * PKI Realm
+ *
+ * This realm provides an authentication service against PKI user database.
+ * The realm also provides an authorization service that validates request
+ * URL's against the access control list defined in the internal database.
+ */
+
+public class PKIRealm extends RealmBase {
+
+ @Override
+ protected String getName() {
+ return "PKIRealm";
+ }
+
+ @Override
+ public Principal authenticate(String username, String password) {
+ logDebug("Authenticating username "+username+" with password.");
+
+ try {
+ IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ IAuthManager authMgr = authSub.getAuthManager(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+
+ AuthCredentials creds = new AuthCredentials();
+ creds.set(IPasswdUserDBAuthentication.CRED_UID, username);
+ creds.set(IPasswdUserDBAuthentication.CRED_PWD, password);
+
+ IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
+
+ return getPrincipal(username, authToken);
+
+ } catch (Throwable e) {
+ e.printStackTrace();
+ }
+
+ return null;
+ }
+
+ @Override
+ public Principal authenticate(final X509Certificate certs[]) {
+ logDebug("Authenticating certificate chain:");
+
+ try {
+ X509CertImpl certImpls[] = new X509CertImpl[certs.length];
+ for (int i=0; i roles = getRoles(user);
+ return new PKIPrincipal(user.getUserID(), null, roles, authToken);
+ }
+
+ protected IUser getUser(String username) throws EUsrGrpException {
+ IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ IUser user = ugSub.getUser(username);
+ logDebug("User DN: "+user.getUserDN());
+ return user;
+ }
+
+ protected List getRoles(IUser user) throws EUsrGrpException {
+
+ List roles = new ArrayList();
+
+ IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ Enumeration groups = ugSub.findGroupsByUser(user.getUserDN());
+
+ logDebug("Roles:");
+ while (groups.hasMoreElements()) {
+ IGroup group = groups.nextElement();
+
+ String name = group.getName();
+ logDebug(" "+name);
+ roles.add(name);
+ }
+
+ return roles;
+ }
+
+ @Override
+ protected String getPassword(String username) {
+ return null;
+ }
+
+ /*
+ * TODO: Figure out how to do real logging
+ */
+ public void logErr(String msg) {
+ System.err.println(msg);
+ }
+
+ public void logDebug(String msg) {
+ System.out.println("PKIRealm: "+msg);
+ }
+}
-- cgit
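Review bot: The password `authenticate` overload catches `Throwable` and only calls `e.printStackTrace()`, so a wrong password (the inline comment says `authMgr.authenticate` throws on failure), a misconfigured auth subsystem (an NPE if `getAuthManager` returned null, presumably) and JVM errors such as `OutOfMemoryError` all collapse into a silent `return null` with nothing but a stack trace on stderr and no log record naming the user whose login failed; the certificate overload appears to follow the same pattern, though its body is partly garbled in this rendering so that part is inferred. I would catch `Exception` instead so `Error`s propagate, and report the failure through the realm's own logger: `} catch (Exception e) {` / `logErr("Authentication failed for " + username + ": " + e);` / `}`, with the equivalent on the certificate path. Separately, the class comment promises an "authorization service that validates request URL's against the access control list", but no authorization method is overridden in the visible code — role checks would presumably fall through to RealmBase's default handling of the group names returned by `getRoles` — so the comment should be cut back to what is implemented, e.g. `* Roles are the names of the groups the authenticated user belongs to.`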