[tomcat] branch BZ-63681/8.5.x created (now 6be96eb)


[tomcat] branch BZ-63681/8.5.x created (now 6be96eb)

markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


      at 6be96eb  Frist draft

This branch includes the following new commits:

     new 6be96eb  Frist draft

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.





[tomcat] 01/01: Frist draft

markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6be96ebba4e7056d5c9621bada2c496f8c0a82d0
Author: Michael Osipov <[hidden email]>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

    Frist draft
   
    changelog.xml pending
---
 java/org/apache/catalina/Realm.java               | 13 +++++
 java/org/apache/catalina/realm/CombinedRealm.java | 34 ++++++++++++
 java/org/apache/catalina/realm/LockOutRealm.java  | 12 ++++
 java/org/apache/catalina/realm/RealmBase.java     | 67 +++++++++++++++++++----
 4 files changed, 116 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java
index a6360cc..412e845 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
 
 /**
  * A <b>Realm</b> is a read-only facade for an underlying security realm
@@ -135,6 +137,17 @@ public interface Realm {
 
 
     /**
+     * Try to authenticate using a {@link GSSName}
+     *
+     * @param gssName The {@link GSSName} of the principal to look up
+     * @param gssCredential The {@link GSSCredential} of the principal, may be
+     *                      {@code null}
+     * @return the associated principal, or {@code null} if there is none
+     */
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential);
+
+
+    /**
      * Try to authenticate using {@link X509Certificate}s
      *
      * @param certs Array of client certificates, with the first one in
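Review bot: The new `authenticate(GSSName, GSSCredential)` is documented as "Try to authenticate", but the implementations added in this commit (RealmBase, CombinedRealm, LockOutRealm) perform a principal lookup on a caller-supplied name and never verify anything about it, so the Javadoc should make the trust boundary explicit. I would replace the summary with `Look up the principal for a {@link GSSName} that has already been authenticated, e.g. obtained from an established {@link GSSContext}; no credential verification is performed here and callers must not pass an unverified name.` Adding an abstract method to the public `Realm` interface also breaks every external Realm implementation compiled against the 8.5.x API, which is worth calling out in changelog.xml when it is written.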
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..5645457 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -393,6 +394,39 @@ public class CombinedRealm extends RealmBase {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredentail) {
+        Principal authenticatedUser = null;
+
+        String username = String.valueOf(gssName);
+
+        for (Realm realm : realms) {
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("combinedRealm.authStart",
+                        username, realm.getClass().getName()));
+            }
+
+            authenticatedUser = realm.authenticate(gssName, gssCredentail);
+
+            if (authenticatedUser == null) {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authFail",
+                            username, realm.getClass().getName()));
+                }
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authSuccess",
+                            username, realm.getClass().getName()));
+                }
+                break;
+            }
+        }
+        return authenticatedUser;
+    }
+
     @Override
     @Deprecated
     protected String getName() {
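Review bot: The parameter is misspelled `gssCredentail` in the signature and in the delegating call `realm.authenticate(gssName, gssCredentail)`, which also no longer matches the name in the interface Javadoc and the sibling overrides; rename it to `gssCredential` in both places. Unlike the RealmBase override, this one has no `null` guard for `gssName`, so a null name is logged as the literal user `"null"` in the debug messages and handed to each sub-realm; if that is intended, a short comment saying the sub-realms are expected to reject it would help.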
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java
index b2dc29e..46e6a97 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -205,6 +206,17 @@ public class LockOutRealm extends CombinedRealm {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        String username = String.valueOf(gssName);
+
+        Principal authenticatedUser = super.authenticate(gssName, gssCredential);
+        return filterLockedAccounts(username, authenticatedUser);
+    }
+
 
     /*
      * Filters authenticated principals to ensure that <code>null</code> is
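Review bot: `String.valueOf(gssName)` turns a null name into the string `"null"`, so when `super.authenticate` returns null for a null `gssName` the failure is presumably recorded by `filterLockedAccounts` against a user literally named "null" (hedged: that method's body is outside the hunk). A guard before the lookup, `if (gssName == null) { return null; }`, avoids polluting the lock-out table. Note also that the lock-out key here is the full name with any realm suffix, whereas RealmBase strips the suffix when `isStripRealmForGss()` is set, so failures for the same account may be counted under different keys than the other authentication paths; a comment stating which form is intended as the lock-out key would clarify the behaviour.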
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index d321c56..f300810 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -499,16 +499,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
                     }
                 }
 
-                String name = gssName.toString();
-
-                if (isStripRealmForGss()) {
-                    int i = name.indexOf('@');
-                    if (i > 0) {
-                        // Zero so we don't leave a zero length name
-                        name = name.substring(0, i);
-                    }
-                }
-                return getPrincipal(name, gssCredential);
+                return getPrincipal(gssName, gssCredential);
             }
         } else {
             log.error(sm.getString("realmBase.gssContextNotEstablished"));
@@ -520,6 +511,19 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 
 
     /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        if (gssName == null) {
+            return null;
+        }
+
+        return getPrincipal(gssName, gssCredential);
+    }
+
+
+    /**
      * Execute a periodic task, such as reloading, etc. This method will be
      * invoked inside the classloading context of this container. Unexpected
      * throwables will be caught and logged.
@@ -1253,6 +1257,49 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
         return p;
     }
 
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * This is a convenience method you can override to obtain a GSS credential
+     * via S4U2self.
+     *
+     * @param gssName The GSS name
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName) {
+        return getPrincipal(gssName, null);
+    }
+
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * @param gssName The GSS name
+     * @param gssCredential the GSS credential of the principal
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
+        String name = String.valueOf(gssName);
+
+        if (isStripRealmForGss()) {
+            int i = name.indexOf('@');
+            if (i > 0) {
+                // Zero so we don't leave a zero length name
+                name = name.substring(0, i);
+            }
+        }
+
+        Principal p = getPrincipal(name);
+
+        if (p instanceof GenericPrincipal) {
+            ((GenericPrincipal) p).setGssCredential(gssCredential);
+        }
+
+        return p;
+    }
+
+
     /**
      * Return the Server object that is the ultimate parent for the container
      * with which this Realm is associated. If the server cannot be found (eg
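Review bot: The null check in `authenticate(GSSName, GSSCredential)` does not protect the two new protected `getPrincipal` overloads, which subclasses can call directly; `String.valueOf(gssName)` then maps a null name to the literal string `"null"` and `getPrincipal("null")` is looked up as a real user. Either start `getPrincipal(GSSName, GSSCredential)` with `if (gssName == null) { return null; }` or fail fast with `Objects.requireNonNull(gssName, "gssName")`, and state the chosen contract in the Javadoc. The Javadoc on the single-argument overload ("override to obtain a GSS credential via S4U2self") describes an intended override rather than what the method does; I would reword it to `Delegates to {@link #getPrincipal(GSSName, GSSCredential)} with no credential. Subclasses that can obtain a delegated credential for the name (e.g. via S4U2self) may override this method to supply one.`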

