// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.base; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; import java.io.OutputStream; import java.io.PrintStream; import java.math.BigInteger; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Date; import java.util.Enumeration; import java.util.Hashtable; import java.util.Locale; import java.util.Random; import java.util.StringTokenizer; import java.util.Vector; import javax.servlet.ServletConfig; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import netscape.security.pkcs.ContentInfo; import netscape.security.pkcs.PKCS7; import netscape.security.pkcs.SignerInfo; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CRLExtensions; import netscape.security.x509.CRLReasonExtension; import netscape.security.x509.CertificateChain; import netscape.security.x509.RevocationReason; import netscape.security.x509.RevokedCertImpl; import netscape.security.x509.X509CertImpl; import org.w3c.dom.Node; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.apps.ICommandQueue; import com.netscape.certsrv.authentication.AuthToken; import com.netscape.certsrv.authentication.IAuthManager; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authority.IAuthority; import com.netscape.certsrv.authority.ICertAuthority; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.IAuthzSubsystem; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.certdb.ICertRecord; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.ra.IRegistrationAuthority; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSFileLoader; import com.netscape.cms.servlet.common.CMSGateway; import com.netscape.cms.servlet.common.CMSLoadTemplate; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; import com.netscape.cms.servlet.common.GenErrorTemplateFiller; import com.netscape.cms.servlet.common.GenPendingTemplateFiller; import com.netscape.cms.servlet.common.GenRejectedTemplateFiller; import com.netscape.cms.servlet.common.GenSuccessTemplateFiller; import com.netscape.cms.servlet.common.GenSvcPendingTemplateFiller; import com.netscape.cms.servlet.common.GenUnexpectedErrorTemplateFiller; import com.netscape.cms.servlet.common.ICMSTemplateFiller; import com.netscape.cms.servlet.common.ServletUtils; import com.netscape.cmsutil.util.Utils; import com.netscape.cmsutil.xml.XMLObject; /** * This is the base class of all CS servlet. * * @version $Revision$, $Date$ */ public abstract class CMSServlet extends HttpServlet { /** * */ private static final long serialVersionUID = -3886300199374147160L; // servlet init params // xxxx todo:Should enforce init param value checking! public final static String SUCCESS = "0"; public final static String FAILURE = "1"; public final static String AUTH_FAILURE = "2"; public final static String PROP_ID = "ID"; public final static String PROP_AUTHORITY = "authority"; public final static String PROP_AUTHMGR = "AuthMgr"; public final static String PROP_CLIENTAUTH = "GetClientCert"; public final static String PROP_RESOURCEID = "resourceID"; public final static String AUTHZ_SRC_LDAP = "ldap"; public final static String AUTHZ_SRC_TYPE = "sourceType"; public final static String AUTHZ_CONFIG_STORE = "authz"; public final static String AUTHZ_SRC_XML = "web.xml"; public final static String PROP_AUTHZ_MGR = "AuthzMgr"; public final static String PROP_ACL = "ACLinfo"; public final static String AUTHZ_MGR_BASIC = "BasicAclAuthz"; public final static String AUTHZ_MGR_LDAP = "DirAclAuthz"; private final static String HDR_LANG = "accept-language"; // final error message - if error and exception templates don't work // send out this text string directly to output. public final static String PROP_FINAL_ERROR_MSG = "finalErrorMsg"; public final static String ERROR_MSG_TOKEN = "$ERROR_MSG"; public final static String FINAL_ERROR_MSG = "\n" + "
\n" + "\n" + "The Certificate System has encountered " + "an unrecoverable error.\n" + "
\n" +
"Error Message:
\n" +
"$ERROR_MSG\n" +
"
\n" +
"Please contact your local administrator for assistance.\n" +
"\n" +
"\n";
// properties from configuration.
protected final static String PROP_UNAUTHORIZED_TEMPLATE = "unauthorizedTemplate";
protected final static String UNAUTHORIZED_TEMPLATE = "/GenUnauthorized.template";
protected final static String PROP_SUCCESS_TEMPLATE = "successTemplate";
protected final static String SUCCESS_TEMPLATE = "/GenSuccess.template";
protected final static String PROP_PENDING_TEMPLATE = "pendingTemplate";
protected final static String PENDING_TEMPLATE = "/GenPending.template";
protected final static String PROP_SVC_PENDING_TEMPLATE = "svcpendingTemplate";
protected final static String SVC_PENDING_TEMPLATE = "/GenSvcPending.template";
protected final static String PROP_REJECTED_TEMPLATE = "rejectedTemplate";
protected final static String REJECTED_TEMPLATE = "/GenRejected.template";
protected final static String PROP_ERROR_TEMPLATE = "errorTemplate";
protected final static String ERROR_TEMPLATE = "/GenError.template";
protected final static String PROP_EXCEPTION_TEMPLATE = "unexpectedErrorTemplate";
protected final static String EXCEPTION_TEMPLATE = "/GenUnexpectedError.template";
private final static String PROP_UNAUTHOR_TEMPLATE_FILLER = "unauthorizedTemplateFiller";
protected final static String PROP_SUCCESS_TEMPLATE_FILLER = "successTemplateFiller";
private final static String PROP_ERROR_TEMPLATE_FILLER = "errorTemplateFiller";
private final static String PROP_PENDING_TEMPLATE_FILLER = "pendingTemplateFiller";
private final static String PROP_SVC_PENDING_TEMPLATE_FILLER = "svcpendingTemplateFiller";
private final static String PROP_REJECTED_TEMPLATE_FILLER = "rejectedTemplateFiller";
private final static String PROP_EXCEPTION_TEMPLATE_FILLER = "exceptionTemplateFiller";
protected final static String RA_AGENT_GROUP = "Registration Manager Agents";
protected final static String CA_AGENT_GROUP = "Certificate Manager Agents";
protected final static String KRA_AGENT_GROUP = "Data Recovery Manager Agents";
protected final static String OCSP_AGENT_GROUP = "Online Certificate Status Manager Agents";
protected final static String TRUSTED_RA_GROUP = "Trusted Managers";
protected final static String ADMIN_GROUP = "Administrators";
// default http params NOT to save in request.(config values added to list )
private static final String PROP_DONT_SAVE_HTTP_PARAMS = "dontSaveHttpParams";
private static final String[] DONT_SAVE_HTTP_PARAMS = { "pwd", "password", "passwd",
"challengePassword", "confirmChallengePassword" };
// default http headers to save in request. (config values added to list)
private static final String PROP_SAVE_HTTP_HEADERS = "saveHttpHeaders";
private static final String[] SAVE_HTTP_HEADERS = { "accept-language", "user-agent", };
// request prefixes to distinguish from other request attributes.
public static final String PFX_HTTP_HEADER = "HTTP_HEADER";
public static final String PFX_HTTP_PARAM = "HTTP_PARAM";
public static final String PFX_AUTH_TOKEN = "AUTH_TOKEN";
/* input http params */
protected final static String AUTHMGR_PARAM = "authenticator";
/* fixed credential passed to auth managers */
protected final static String CERT_AUTH_CRED = "sslClientCert";
public static final String CERT_ATTR =
"javax.servlet.request.X509Certificate";
// members.
protected boolean mRenderResult = true;
protected String mFinalErrorMsg = FINAL_ERROR_MSG;
protected Hashtable
*
* @param cmsReq the CS request to pass to template filler if any.
* @param e the unexpected exception
*/
protected void renderException(CMSRequest cmsReq, EBaseException e)
throws IOException {
try {
Locale[] locale = new Locale[1];
CMSLoadTemplate loadTempl =
mTemplates.get(CMSRequest.EXCEPTION);
CMSTemplate template = getTemplate(loadTempl.mTemplateName,
cmsReq.getHttpReq(), locale);
ICMSTemplateFiller filler = loadTempl.mFiller;
CMSTemplateParams templateParams = null;
// When an exception occurs the exit is non-local which probably
// will leave the requestStatus value set to something other
// than CMSRequest.EXCEPTION, so force the requestStatus to
// EXCEPTION since it must be that if we're here.
cmsReq.setStatus(CMSRequest.EXCEPTION);
if (filler != null) {
templateParams = filler.getTemplateParams(
cmsReq, mAuthority, locale[0], e);
}
if (templateParams == null) {
templateParams = new CMSTemplateParams(null, CMS.createArgBlock());
}
if (e != null) {
templateParams.getFixed().set(
ICMSTemplateFiller.EXCEPTION, e.toString(locale[0]));
}
// just output arg blocks as XML
CMS.debug("CMSServlet.java: renderTemplate");
String xmlOutput = cmsReq.getHttpReq().getParameter("xml");
if (xmlOutput != null && xmlOutput.equals("true")) {
CMS.debug("CMSServlet.java: xml parameter detected, returning xml");
outputXML(cmsReq.getHttpResp(), templateParams);
return;
}
ByteArrayOutputStream bos = new ByteArrayOutputStream();
template.renderOutput(bos, templateParams);
cmsReq.getHttpResp().setContentType("text/html");
cmsReq.getHttpResp().setContentLength(bos.size());
bos.writeTo(cmsReq.getHttpResp().getOutputStream());
} catch (Exception ex) {
renderFinalError(cmsReq, ex);
}
}
public void renderFinalError(CMSRequest cmsReq, Exception ex)
throws IOException {
// this template is the last resort for all other unexpected
// errors in other templates so we can only output text.
HttpServletResponse httpResp = cmsReq.getHttpResp();
httpResp.setContentType("text/html");
ServletOutputStream out = httpResp.getOutputStream();
// replace $ERRORMSG with exception message if included.
String finalErrMsg = mFinalErrorMsg;
int tokenIdx = mFinalErrorMsg.indexOf(ERROR_MSG_TOKEN);
if (tokenIdx != -1) {
finalErrMsg =
mFinalErrorMsg.substring(0, tokenIdx) +
ex.toString() +
mFinalErrorMsg.substring(
tokenIdx + ERROR_MSG_TOKEN.length());
}
out.println(finalErrMsg);
return;
}
/**
* Invalidates a SSL Session. So client auth will happen again.
*/
protected static void invalidateSSLSession(HttpServletRequest httpReq) {
/*
try {
s = (SSLSocket) ((HTTPRequest) httpReq).getConnection().getSocket();
} catch (ClassCastException e) {
CMS.getLogger().log(
ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_WARN,
CMS.getLogMessage("CMSGW_SSL_NO_INVALIDATE"));
// ignore.
return;
}
try {
s.invalidateSession();
s.resetHandshake();
}catch (SocketException se) {
}
*/
return;
}
/**
* construct a authentication credentials to pass into authentication
* manager.
*/
public static AuthCredentials getAuthCreds(
IAuthManager authMgr, IArgBlock argBlock, X509Certificate clientCert)
throws EBaseException {
// get credentials from http parameters.
String[] reqCreds = authMgr.getRequiredCreds();
AuthCredentials creds = new AuthCredentials();
for (int i = 0; i < reqCreds.length; i++) {
String reqCred = reqCreds[i];
if (reqCred.equals(IAuthManager.CRED_SSL_CLIENT_CERT)) {
// cert could be null;
creds.set(reqCred, new X509Certificate[] { clientCert }
);
} else {
String value = argBlock.getValueAsString(reqCred);
creds.set(reqCred, value); // value could be null;
}
}
// Inserted by bskim
creds.setArgBlock(argBlock);
// Insert end
return creds;
}
/**
* get ssl client authenticated certificate
*/
protected X509Certificate
getSSLClientCertificate(HttpServletRequest httpReq)
throws EBaseException {
X509Certificate cert = null;
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_INFO,
CMS.getLogMessage("CMSGW_GETTING_SSL_CLIENT_CERT"));
// iws60 support Java Servlet Spec V2.2, attribute
// javax.servlet.request.X509Certificate now contains array
// of X509Certificates instead of one X509Certificate object
X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR);
if (allCerts == null || allCerts.length == 0) {
throw new EBaseException("You did not provide a valid certificate for this operation");
}
cert = allCerts[0];
if (cert == null) {
// just don't have a cert.
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL"));
return null;
}
// convert to sun's x509 cert interface.
try {
byte[] certEncoded = cert.getEncoded();
cert = new X509CertImpl(certEncoded);
} catch (CertificateEncodingException e) {
mLogger.log(
ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL_ENCODE", e.getMessage()));
return null;
} catch (CertificateException e) {
mLogger.log(
ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_SSL_CL_CERT_FAIL_DECODE", e.getMessage()));
return null;
}
return cert;
}
/**
* get a template based on result status.
*/
protected CMSTemplate getTemplate(
String templateName, HttpServletRequest httpReq, Locale[] locale)
throws EBaseException, IOException {
// this converts to system dependent file seperator char.
if (mServletConfig == null) {
CMS.debug("CMSServlet:getTemplate() - mServletConfig is null!");
return null;
}
if (mServletConfig.getServletContext() == null) {
}
if (templateName == null) {
}
String realpath =
mServletConfig.getServletContext().getRealPath("/" + templateName);
if (realpath == null) {
mLogger.log(
ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_NO_FIND_TEMPLATE", templateName));
throw new ECMSGWException(CMS.getLogMessage("CMSGW_ERROR_DISPLAY_TEMPLATE"));
}
File realpathFile = new File(realpath);
File templateFile =
getLangFile(httpReq, realpathFile, locale);
String charSet = httpReq.getCharacterEncoding();
if (charSet == null) {
charSet = "UTF8";
}
CMSTemplate template =
(CMSTemplate) mFileLoader.getCMSFile(templateFile, charSet);
return template;
}
/**
* log according to authority category.
*/
protected void log(int event, int level, String msg) {
mLogger.log(event, mLogCategory, level,
"Servlet " + mId + ": " + msg);
}
protected void log(int level, String msg) {
mLogger.log(ILogger.EV_SYSTEM, mLogCategory, level,
"Servlet " + mId + ": " + msg);
}
/**
* get http parameters not to save from configuration.
*/
protected void getDontSaveHttpParams(ServletConfig sc) {
String dontSaveParams = null;
try {
for (int i = 0; i < DONT_SAVE_HTTP_PARAMS.length; i++) {
mDontSaveHttpParams.addElement(DONT_SAVE_HTTP_PARAMS[i]);
}
dontSaveParams = sc.getInitParameter(
PROP_DONT_SAVE_HTTP_PARAMS);
if (dontSaveParams != null) {
StringTokenizer params =
new StringTokenizer(dontSaveParams, ",");
while (params.hasMoreTokens()) {
String param = params.nextToken();
mDontSaveHttpParams.addElement(param);
}
}
} catch (Exception e) {
// should never happen
log(ILogger.LL_WARN,
CMS.getLogMessage("CMSGW_NO_CONFIG_VALUE", PROP_DONT_SAVE_HTTP_PARAMS, e.toString()));
// default just in case.
for (int i = 0; i < DONT_SAVE_HTTP_PARAMS.length; i++) {
mDontSaveHttpParams.addElement(DONT_SAVE_HTTP_PARAMS[i]);
}
return;
}
}
/**
* get http headers to save from configuration.
*/
protected void getSaveHttpHeaders(ServletConfig sc) {
try {
// init save http headers. default will always be saved.
for (int i = 0; i < SAVE_HTTP_HEADERS.length; i++) {
mSaveHttpHeaders.addElement(SAVE_HTTP_HEADERS[i]);
}
// now get from config file if there's more.
String saveHeaders =
sc.getInitParameter(PROP_SAVE_HTTP_HEADERS);
if (saveHeaders != null) {
StringTokenizer headers =
new StringTokenizer(saveHeaders, ",");
while (headers.hasMoreTokens()) {
String hdr = headers.nextToken();
mSaveHttpHeaders.addElement(hdr);
}
}
} catch (Exception e) {
// should never happen
log(ILogger.LL_WARN, CMS.getLogMessage("CMSGW_NO_CONFIG_VALUE", PROP_SAVE_HTTP_HEADERS, e.toString()));
return;
}
}
/**
* save http headers in a IRequest.
*/
protected void saveHttpHeaders(
HttpServletRequest httpReq, IRequest req)
throws EBaseException {
Hashtable
*
*
*
*
*
* @param msg signed audit log message
*/
protected void audit(String msg) {
// in this case, do NOT strip preceding/trailing whitespace
// from passed-in String parameters
if (mSignedAuditLogger == null) {
return;
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
null,
ILogger.S_SIGNED_AUDIT,
ILogger.LL_SECURITY,
msg);
}
/**
* Signed Audit Log Subject ID
*
* This method is inherited by all extended "CMSServlet"s,
* and is called to obtain the "SubjectID" for
* a signed audit log message.
*
*
* @return id string containing the signed audit log message SubjectID
*/
protected String auditSubjectID() {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
}
CMS.debug("CMSServlet: in auditSubjectID");
String subjectID = null;
// Initialize subjectID
SessionContext auditContext = SessionContext.getExistingContext();
CMS.debug("CMSServlet: auditSubjectID auditContext " + auditContext);
if (auditContext != null) {
subjectID = (String)
auditContext.get(SessionContext.USER_ID);
CMS.debug("CMSServlet auditSubjectID: subjectID: " + subjectID);
if (subjectID != null) {
subjectID = subjectID.trim();
} else {
subjectID = ILogger.NONROLEUSER;
}
} else {
subjectID = ILogger.UNIDENTIFIED;
}
return subjectID;
}
/**
* Signed Audit Log Group ID
*
* This method is inherited by all extended "CMSServlet"s,
* and is called to obtain the "gid" for
* a signed audit log message.
*
*
* @return id string containing the signed audit log message SubjectID
*/
protected String auditGroupID() {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
}
CMS.debug("CMSServlet: in auditGroupID");
String groupID = null;
// Initialize groupID
SessionContext auditContext = SessionContext.getExistingContext();
CMS.debug("CMSServlet: auditGroupID auditContext " + auditContext);
if (auditContext != null) {
groupID = (String)
auditContext.get(SessionContext.GROUP_ID);
CMS.debug("CMSServlet auditGroupID: groupID: " + groupID);
if (groupID != null) {
groupID = groupID.trim();
} else {
groupID = ILogger.NONROLEUSER;
}
} else {
groupID = ILogger.UNIDENTIFIED;
}
return groupID;
}
/**
* Signed Audit Groups
*
* This method is called to extract all "groups" associated
* with the "auditSubjectID()".
*
*
* @param SubjectID string containing the signed audit log message SubjectID
* @return a delimited string of groups associated
* with the "auditSubjectID()"
*/
private String auditGroups(String SubjectID) {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
}
if ((SubjectID == null) ||
(SubjectID.equals(ILogger.UNIDENTIFIED))) {
return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
}
Enumeration
*
*
* @exception EBaseException an error has occurred
*/
public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName)
throws EBaseException {
String auditMessage = null;
String auditSubjectID = ILogger.UNIDENTIFIED;
String auditAuthMgrID = ILogger.UNIDENTIFIED;
String auditUID = ILogger.UNIDENTIFIED;
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
try {
String getClientCert = mGetClientCert;
IArgBlock httpArgs = CMS.createArgBlock(toHashtable(httpReq));
SessionContext ctx = SessionContext.getContext();
String ip = httpReq.getRemoteAddr();
CMS.debug("IP: " + ip);
if (ip != null) {
ctx.put(SessionContext.IPADDRESS, ip);
}
if (authMgrName != null) {
CMS.debug("AuthMgrName: " + authMgrName);
ctx.put(SessionContext.AUTH_MANAGER_ID, authMgrName);
}
// put locale into session context
ctx.put(SessionContext.LOCALE, getLocale(httpReq));
//
// check ssl client authentication if specified.
//
X509Certificate clientCert = null;
if (getClientCert != null && getClientCert.equals("true")) {
CMS.debug("CMSServlet: retrieving SSL certificate");
clientCert = getSSLClientCertificate(httpReq);
}
//
// check authentication by auth manager if any.
//
if (authMgrName == null) {
// Fixed Blackflag Bug #613900: Since this code block does
// NOT actually constitute an authentication failure, but
// rather the case in which a given servlet has been correctly
// configured to NOT require an authentication manager, the
// audit message called LOGGING_SIGNED_AUDIT_AUTH_FAIL has
// been removed.
CMS.debug("CMSServlet: no authMgrName");
return null;
} else {
// save the "Subject DN" of this certificate in case it
// must be audited as an authentication failure
if (clientCert == null) {
CMS.debug("CMSServlet: no client certificate found");
} else {
String certUID = clientCert.getSubjectDN().getName();
CMS.debug("CMSServlet: certUID=" + certUID);
if (certUID != null) {
certUID = certUID.trim();
if (!(certUID.equals(""))) {
// reset the "auditUID"
auditUID = certUID;
}
}
}
// reset the "auditAuthMgrID"
auditAuthMgrID = authMgrName;
}
AuthToken authToken = CMSGateway.checkAuthManager(httpReq,
httpArgs,
clientCert,
authMgrName);
if (authToken == null) {
return null;
}
String userid = authToken.getInString(IAuthToken.USER_ID);
CMS.debug("CMSServlet: userid=" + userid);
if (userid != null) {
ctx.put(SessionContext.USER_ID, userid);
}
// reset the "auditSubjectID"
auditSubjectID = auditSubjectID();
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
auditSubjectID,
ILogger.SUCCESS,
auditAuthMgrID);
audit(auditMessage);
return authToken;
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTH_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditAuthMgrID,
auditUID);
audit(auditMessage);
// rethrow the specific exception to be handled later
throw eAudit1;
}
}
public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken,
String exp) throws EBaseException {
AuthzToken authzToken = null;
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditACLResource = resource;
String auditOperation = "enroll";
try {
authzToken = mAuthz.authorize(authzMgrName, authToken, exp);
if (authzToken != null) {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
auditSubjectID,
ILogger.SUCCESS,
auditACLResource,
auditOperation);
audit(auditMessage);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditSubjectID,
ILogger.SUCCESS,
auditGroupID);
audit(auditMessage);
} else {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditACLResource,
auditOperation);
audit(auditMessage);
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditSubjectID,
ILogger.FAILURE,
auditGroupID);
audit(auditMessage);
}
return authzToken;
} catch (Exception e) {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditACLResource,
auditOperation);
audit(auditMessage);
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditSubjectID,
ILogger.FAILURE,
auditGroupID);
audit(auditMessage);
throw new EBaseException(e.toString());
}
}
/**
* Authorize must occur after Authenticate
*
*
*
* @param authzMgrName string representing the name of the authorization
* manager
* @param authToken the authentication token
* @param resource a string representing the ACL resource id as defined in
* the ACL resource list
* @param operation a string representing one of the operations as defined
* within the ACL statement (e. g. - "read" for an ACL statement containing
* "(read,write)")
* @exception EBaseException an error has occurred
* @return the authorization token
*/
public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
String resource, String operation)
throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditID = auditSubjectID;
String auditACLResource = resource;
String auditOperation = operation;
SessionContext auditContext = SessionContext.getExistingContext();
String authManagerId = null;
if (auditContext != null) {
authManagerId = (String) auditContext.get(SessionContext.AUTH_MANAGER_ID);
if (authManagerId != null && authManagerId.equals("TokenAuth")) {
if (auditSubjectID.equals(ILogger.NONROLEUSER) ||
auditSubjectID.equals(ILogger.UNIDENTIFIED)) {
CMS.debug("CMSServlet: in authorize... TokenAuth auditSubjectID unavailable, changing to auditGroupID");
auditID = auditGroupID;
}
}
}
// "normalize" the "auditACLResource" value
if (auditACLResource != null) {
auditACLResource = auditACLResource.trim();
}
// "normalize" the "auditOperation" value
if (auditOperation != null) {
auditOperation = auditOperation.trim();
}
if (authzMgrName == null) {
// Fixed Blackflag Bug #613900: Since this code block does
// NOT actually constitute an authorization failure, but
// rather the case in which a given servlet has been correctly
// configured to NOT require an authorization manager, the
// audit message called LOGGING_SIGNED_AUDIT_AUTHZ_FAIL and
// the audit message called LOGGING_SIGNED_AUDIT_ROLE_ASSUME
// (marked as a failure) have been removed.
return null;
}
try {
AuthzToken authzTok = mAuthz.authorize(authzMgrName,
authToken,
resource,
operation);
if (authzTok != null) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
auditSubjectID,
ILogger.SUCCESS,
auditACLResource,
auditOperation);
audit(auditMessage);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditID,
ILogger.SUCCESS,
auditGroups(auditSubjectID));
audit(auditMessage);
} else {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditACLResource,
auditOperation);
audit(auditMessage);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditID,
ILogger.FAILURE,
auditGroups(auditSubjectID));
audit(auditMessage);
}
return authzTok;
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditACLResource,
auditOperation);
audit(auditMessage);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditID,
ILogger.FAILURE,
auditGroups(auditSubjectID));
audit(auditMessage);
return null;
} catch (Exception eAudit1) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
auditSubjectID,
ILogger.FAILURE,
auditACLResource,
auditOperation);
audit(auditMessage);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
auditSubjectID,
ILogger.FAILURE,
auditGroups(auditSubjectID));
audit(auditMessage);
return null;
}
}
/**
* Signed Audit Log
*
* This method is inherited by all extended "CMSServlet"s,
* and is called to store messages to the signed audit log.
*