author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-21 00:46:26 +0000 |
---|---|---|
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-21 00:46:26 +0000 |
commit | e4459d65fc1eb4369a50e377423e58fca27f9ec3 (patch) | |
tree | b3dc499893fce2779022a88c931aee41c789090d /pki/base/common | |
parent | 952d12037313e4fbc4abf4614e8cf6b5d6feb55a (diff) | |
Bugzilla Bug #490489 - Configuration modifications are not replicated between
admins, agents, and end entities
Bugzilla Bug #490483 - Unable to configure CA using "Shared Ports"
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@316 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common')
5 files changed, 467 insertions, 53 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
new file mode 100644
index 00000000..1a94cb29
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class AdminRequestFilter implements Filter
+{
+ private static final String HTTPS_SCHEME = "https";
+ private static final String HTTPS_PORT = "https_port";
+ private static final String HTTPS_ROLE = "Admin";
+
+ private FilterConfig config;
+
+ /* Create a new AdminRequestFilter */
+ public AdminRequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ this.config = filterConfig;
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ String filterName = getClass().getName();
+
+ String scheme = null;
+ int port = 0;
+
+ String request_port = null;
+ String param_https_port = null;
+ String msg = null;
+
+ if( request instanceof HttpServletRequest ) {
+ HttpServletResponse resp = ( HttpServletResponse ) response;
+
+ // RFC 1738: verify that scheme is "https"
+ scheme = request.getScheme();
+ if( ! scheme.equals( HTTPS_SCHEME ) ) {
+ msg = "The scheme MUST be '" + HTTPS_SCHEME +
+ "', NOT '" + scheme + "'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+ return;
+ }
+
+ // Always obtain an "https" port from request
+ port = request.getServerPort();
+ request_port = Integer.toString( port );
+
+ // Always obtain the "https" port passed in as a parameter
+ param_https_port = config.getInitParameter( HTTPS_PORT );
+ if( param_https_port == null ) {
+ msg = "The <param-name> '" + HTTPS_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // Compare the request and param "https" ports
+ if( ! param_https_port.equals( request_port ) ) {
+ msg = "Use HTTPS port '" + param_https_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTPS_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ }
+
+ chain.doFilter( request, response );
+ }
+
+ public void destroy()
+ {
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
new file mode 100644
index 00000000..542ca423
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
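Review bot: The port comparison fed by `port = request.getServerPort();` does not bind the request to the connector that accepted it: per the ServletRequest Javadoc, getServerPort() is the value after ":" in the request's Host header when one is present, and only falls back to the listening port otherwise, so the compared value is largely chosen by the client. For a check whose purpose is to confine Admin servlets to the admin connector, `port = request.getLocalPort();` (Servlet 2.4+) reports the port the connection actually arrived on and is the value to compare against `https_port`. The same comparison appears in AgentRequestFilter and EERequestFilter in this commit. Separately, the SC_NOT_FOUND body built in `msg` on a mismatch tells whoever hit the wrong port which port hosts Admin tasks; keep that detail in the CMS.debug() line and pass a generic message to sendError().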
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class AgentRequestFilter implements Filter
+{
+ private static final String HTTPS_SCHEME = "https";
+ private static final String HTTPS_PORT = "https_port";
+ private static final String HTTPS_ROLE = "Agent";
+
+ private FilterConfig config;
+
+ /* Create a new AgentRequestFilter */
+ public AgentRequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ this.config = filterConfig;
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ String filterName = getClass().getName();
+
+ String scheme = null;
+ int port = 0;
+
+ String request_port = null;
+ String param_https_port = null;
+ String msg = null;
+
+ if( request instanceof HttpServletRequest ) {
+ HttpServletResponse resp = ( HttpServletResponse ) response;
+
+ // RFC 1738: verify that scheme is "https"
+ scheme = request.getScheme();
+ if( ! scheme.equals( HTTPS_SCHEME ) ) {
+ msg = "The scheme MUST be '" + HTTPS_SCHEME +
+ "', NOT '" + scheme + "'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+ return;
+ }
+
+ // Always obtain an "https" port from request
+ port = request.getServerPort();
+ request_port = Integer.toString( port );
+
+ // Always obtain the "https" port passed in as a parameter
+ param_https_port = config.getInitParameter( HTTPS_PORT );
+ if( param_https_port == null ) {
+ msg = "The <param-name> '" + HTTPS_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // Compare the request and param "https" ports
+ if( ! param_https_port.equals( request_port ) ) {
+ msg = "Use HTTPS port '" + param_https_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTPS_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ }
+
+ chain.doFilter( request, response );
+ }
+
+ public void destroy()
+ {
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
new file mode 100644
index 00000000..1f93e080
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
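Review bot: This class is a line-for-line copy of AdminRequestFilter in which only `HTTPS_ROLE = "Agent"` differs, so every future fix to the scheme and port logic has to be applied in two places (three, counting EERequestFilter). A small abstract base filter that takes the role label and the web.xml parameter name from its subclass, with AgentRequestFilter and AdminRequestFilter reduced to their constants, keeps the check in one spot. Also, `HttpServletResponse resp = ( HttpServletResponse ) response;` is guarded only by the instanceof test on `request`; containers pair the two in practice, but `if( request instanceof HttpServletRequest && response instanceof HttpServletResponse )` makes the cast safe for the same cost.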
@@ -0,0 +1,131 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2009 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class EERequestFilter implements Filter
+{
+ private static final String HTTP_SCHEME = "http";
+ private static final String HTTP_PORT = "http_port";
+ private static final String HTTP_ROLE = "EE";
+ private static final String HTTPS_SCHEME = "https";
+ private static final String HTTPS_PORT = "https_port";
+ private static final String HTTPS_ROLE = "EE";
+
+ private FilterConfig config;
+
+ /* Create a new EERequestFilter */
+ public EERequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ this.config = filterConfig;
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ String filterName = getClass().getName();
+
+ String scheme = null;
+ int port = 0;
+
+ String request_port = null;
+ String param_http_port = null;
+ String param_https_port = null;
+ String msg = null;
+
+ if( request instanceof HttpServletRequest ) {
+ HttpServletResponse resp = ( HttpServletResponse ) response;
+
+ // RFC 1738: verify that scheme is either "http" or "https"
+ scheme = request.getScheme();
+ if( ( ! scheme.equals( HTTP_SCHEME ) ) &&
+ ( ! scheme.equals( HTTPS_SCHEME ) ) ) {
+ msg = "The scheme MUST be either '" + HTTP_SCHEME +
+ "' or '" + HTTPS_SCHEME +
+ "', NOT '" + scheme + "'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+ return;
+ }
+
+ // Always obtain either an "http" or an "https" port from request
+ port = request.getServerPort();
+ request_port = Integer.toString( port );
+
+ // Always obtain the "http" port passed in as a parameter
+ param_http_port = config.getInitParameter( HTTP_PORT );
+ if( param_http_port == null ) {
+ msg = "The <param-name> '" + HTTP_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // Always obtain the "https" port passed in as a parameter
+ param_https_port = config.getInitParameter( HTTPS_PORT );
+ if( param_https_port == null ) {
+ msg = "The <param-name> '" + HTTPS_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // If the scheme is "http", compare
+ // the request and param "http" ports;
+ // otherwise, if the scheme is "https", compare
+ // the request and param "https" ports
+ if( scheme.equals( HTTP_SCHEME ) ) {
+ if( ! param_http_port.equals( request_port ) ) {
+ msg = "Use HTTP port '" + param_http_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTP_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ } else if( scheme.equals( HTTPS_SCHEME ) ) {
+ if( ! param_https_port.equals( request_port ) ) {
+ msg = "Use HTTPS port '" + param_https_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTPS_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ }
+ }
+
+ chain.doFilter( request, response );
+ }
+
+ public void destroy()
+ {
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java
new file mode 100644
index 00000000..a4788844
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/PassThroughRequestFilter.java
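Review bot: The `} else if( scheme.equals( HTTPS_SCHEME ) ) {` branch can only ever be the https case, because the guard at the top of doFilter has already rejected every scheme other than http and https; a plain `} else {` states that directly and removes the silent no-check fall-through that would appear if the two scheme constants ever diverged. Note also that both `http_port` and `https_port` are demanded up front even though each request consults only one of them, so an EE deployment that exposes just the https connector must still declare an `http_port` in web.xml or every request ends in SC_NOT_IMPLEMENTED; if that is intended, a one-line comment above the two null checks saying both parameters are mandatory would save the next reader the question. As in the other two filters, the mismatch message sent to the client names the port it should have used; the CMS.debug() line already records that, so the response body can stay generic.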
@@ -0,0 +1,78 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2009 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.filter; + +import javax.servlet.http.*; +import javax.servlet.*; +import com.netscape.certsrv.apps.*; + +public class PassThroughRequestFilter implements Filter +{ + /* Create a new PassThroughRequestFilter */ + public PassThroughRequestFilter() {} + + public void init( FilterConfig filterConfig ) + throws ServletException + { + } + + public void doFilter( ServletRequest request, + ServletResponse response, + FilterChain chain ) + throws java.io.IOException, + ServletException + { + // Simply pass-through this request without filtering it . . . + // + // NOTE: This "do-nothing" filter is ONLY provided since + // individual servlets can not be "excluded" from within + // the <url-pattern></url-pattern> parameters, thus + // disallowing the use of a '*' wildcard parameter + // on certain filters. + // + // Therefore, since servlets MUST be specified individually + // by such filters, this pass-through filter was created to + // contain those servlets which would otherwise simply be + // "excluded". 
Although this could also be accomplished + // by merely performing "exclusion by lack of inclusion", + // the existance of a pass-through filter allows the + // EXPLICIT identification of servlets which MUST NOT + // have any filters run against them. + // + + String filterName = getClass().getName(); + + String servlet = null; + String msg = null; + + if( request instanceof HttpServletRequest ) { + HttpServletRequest req = ( HttpServletRequest ) request; + + servlet = req.getServletPath(); + msg = "Excluding filtering on servlet called '" + servlet + "'!"; + CMS.debug( filterName + ": " + msg ); + } + + chain.doFilter( request, response ); + } + + public void destroy() + { + } +} + diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java index 05309f37..f99cedb5 100644 --- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java @@ -262,7 +262,7 @@ public class CMSEngine implements ICMSEngine { if ((state == 1) && (sd.equals("existing"))) { mSDTimer.cancel(); } - + // initialize the PasswordReader and PasswordWriter String pwdPath = config.getString("passwordFile"); String pwdClass = config.getString("passwordClass"); @@ -282,7 +282,7 @@ public class CMSEngine implements ICMSEngine { if (tsClass != null) { try { mTimeSource = (ITimeSource) - Class.forName(tsClass).newInstance(); + Class.forName(tsClass).newInstance(); } catch (Exception e) { // nothing to do } @@ -293,7 +293,7 @@ public class CMSEngine implements ICMSEngine { } instanceDir = config.getString("instanceRoot"); - + loadDynSubsystems(); java.security.Security.addProvider( 
@@ -453,7 +453,7 @@ public class CMSEngine implements ICMSEngine { parser.parse(path); NodeList nodes = parser.getDocument().getElementsByTagName("Connector"); String parentName=""; - boolean secure=false; + String name=""; String port=""; for (int i=0; i<nodes.getLength(); i++) { Element n = (Element)nodes.item(i); 
@@ -463,73 +463,76 @@ public class CMSEngine implements ICMSEngine { if(p != null) { parentName = p.getAttribute("name"); } - secure = n.hasAttribute("sslProtocol"); + name = n.getAttribute("name"); port = n.getAttribute("port"); // The "server.xml" file is parsed from top-to-bottom, and // supports BOTH "Port Separation" (the new default method) // as well as "Shared Ports" (the old legacy method). Since // both methods must be supported, the file structure MUST - // conform to the following format: - // - // <Catalina> - // Shared Ports: Unsecure Port + // conform to ONE AND ONLY ONE of the following formats: // - // Port Separation: Agent Secure Port - // OR - // Shared Ports: Agent, EE, and Admin Secure Port - // </Catalina> + // Port Separation: // - // <CatalinaAdmin> - // Port Separation: Admin Secure Port - // </CatalinaAdmin> + // <Catalina> + // ... + // <!-- Port Separation: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Port Separation: Agent Secure Port --> + // <Connector name="Agent" . . . + // ... + // <!-- Port Separation: Admin Secure Port --> + // <Connector name="Admin" . . . + // ... + // <!-- Port Separation: EE Secure Port --> + // <Connector name="EE" . . . + // ... + // </Catalina> // - // <CatalinaEE> - // Port Separation: Unsecure Port // - // Port Separation: EE Secure Port - // </CatalinaEE> + // Shared Ports: // - // NOTE: If the "Port Separation" method is being used, - // then the "Unsecure Port" specified in the - // "Catalina" section section will be commented out on - // an instance-by-instance basis. - // - // Similarly, if the "Shared Ports" method is being - // used, the entire "CatalinaAdmin" and "CatalinaEE" - // sections will be commented out on an - // instance-by-instance basis. + // <Catalina> + // ... + // <!-- Shared Ports: Unsecure Port --> + // <Connector name="Unsecure" . . . + // ... + // <!-- Shared Ports: Agent, EE, and Admin Secure Port --> + // <Connector name="Secure" . . . + // ... 
+ // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // <!-- + // <Connector name="Unused" . . . + // --> + // ... + // </Catalina> // if ( parentName.equals("Catalina")) { - - if (secure) { - mServerCertNickname = n.getAttribute("serverCert"); - // Port Separation: Agent Secure Port + if( name.equals( "Unsecure" ) ) { + // Port Separation: Unsecure Port // OR - // Shared Ports: Agent, EE, and Admin Secure Port + // Shared Ports: Unsecure Port + info[EE_NON_SSL][PORT] = port; + } else if( name.equals( "Agent" ) ) { + // Port Separation: Agent Secure Port + info[AGENT][PORT] = port; + } else if( name.equals( "Admin" ) ) { + // Port Separation: Admin Secure Port + info[ADMIN][PORT] = port; + } else if( name.equals( "EE" ) ) { + // Port Separation: EE Secure Port + info[EE_SSL][PORT] = port; + } else if( name.equals( "Secure" ) ) { + // Shared Ports: Agent, EE, and Admin Secure Port info[AGENT][PORT] = port; info[ADMIN][PORT] = port; info[EE_SSL][PORT] = port; - } else { - // Shared Ports: Unsecure Port - info[EE_NON_SSL][PORT] = port; } } - if( parentName.equals("CatalinaEE")) { - if (secure) { - // Port Separation: EE Secure Port - // (overwrites value obtained from Catalina section) - info[EE_SSL][PORT] = port; - } else { - // Port Separation: Unsecure Port - info[EE_NON_SSL][PORT] = port; - } - } - if( parentName.equals("CatalinaAdmin")) { - // Port Separation: Admin Secure Port - // (overwrites value obtained from Catalina section) - info[ADMIN][PORT] = port; - } } } catch (Exception e) { @@ -787,7 +790,7 @@ public class CMSEngine implements ICMSEngine { ISubsystem ss = null; try { - ss = (ISubsystem) Class.forName(classname).newInstance(); + ss = (ISubsystem) Class.forName(classname).newInstance(); } catch (InstantiationException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_LOAD_FAILED_1", id, e.toString())); |
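Review bot: The removed line `mServerCertNickname = n.getAttribute("serverCert");` has no counterpart on the new side of this hunk, so the connector loop no longer records the server certificate nickname from the secure connector; unless it is assigned somewhere outside the hunk, whatever consumes mServerCertNickname will now see it unset. If that is deliberate it belongs in the commit message; otherwise add `mServerCertNickname = n.getAttribute("serverCert");` to the `"Secure"` branch and to the `"Agent"`, `"Admin"` and `"EE"` branches that replace it. A second point: port assignment is now keyed solely on the connector's `name` attribute and the former `hasAttribute("sslProtocol")` check is gone, so a connector with a missing or misspelled name is skipped without a word and a connector named "Secure" is assumed to be TLS, leaving the EE/Agent/Admin ports empty on a mis-edited server.xml with nothing in the log to say why; a final `else { CMS.debug("CMSEngine: ignoring unrecognized Connector name '" + name + "'"); }` and a debug line when a secure-role connector lacks sslProtocol would surface that at startup. The enclosing method starts and ends outside the hunk.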