Author: gnodet Date: Thu Dec 23 16:12:51 2010 New Revision: 1052310 URL: http://svn.apache.org/viewvc?rev=1052310&view=rev Log: [KARAF-340] Use the authenticated subject to run the webconsole code
Added: karaf/trunk/webconsole/console/ karaf/trunk/webconsole/console/pom.xml karaf/trunk/webconsole/console/src/ karaf/trunk/webconsole/console/src/main/ karaf/trunk/webconsole/console/src/main/java/ karaf/trunk/webconsole/console/src/main/java/org/ karaf/trunk/webconsole/console/src/main/java/org/apache/ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManager.java karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManagerActivator.java Modified: karaf/trunk/assembly/pom.xml karaf/trunk/assembly/src/main/filtered-resources/features.xml karaf/trunk/pom.xml karaf/trunk/webconsole/branding/pom.xml karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java karaf/trunk/webconsole/pom.xml Modified: karaf/trunk/assembly/pom.xml URL: http://svn.apache.org/viewvc/karaf/trunk/assembly/pom.xml?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/assembly/pom.xml (original) +++ karaf/trunk/assembly/pom.xml Thu Dec 23 16:12:51 2010 
@@ -189,6 +189,10 @@ </dependency> <dependency> <groupId>org.apache.karaf.webconsole</groupId> + <artifactId>org.apache.karaf.webconsole.console</artifactId> + </dependency> + <dependency> + <groupId>org.apache.karaf.webconsole</groupId> <artifactId>org.apache.karaf.webconsole.features</artifactId> </dependency> <dependency> Modified: karaf/trunk/assembly/src/main/filtered-resources/features.xml URL: http://svn.apache.org/viewvc/karaf/trunk/assembly/src/main/filtered-resources/features.xml?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/assembly/src/main/filtered-resources/features.xml (original) +++ karaf/trunk/assembly/src/main/filtered-resources/features.xml Thu Dec 23 16:12:51 2010 @@ -123,7 +123,7 @@ <feature>http</feature> <bundle>mvn:org.apache.felix/org.apache.felix.metatype/${felix.metatype.version}</bundle> <bundle>mvn:org.apache.karaf.webconsole/org.apache.karaf.webconsole.branding/${project.version}</bundle> - <bundle>mvn:org.apache.felix/org.apache.felix.webconsole/${felix.webconsole.version}</bundle> + <bundle>mvn:org.apache.karaf.webconsole/org.apache.karaf.webconsole.console/${project.version}</bundle> </feature> <feature name="webconsole" version="${project.version}"> <feature version="${project.version}">webconsole-base</feature> Modified: karaf/trunk/pom.xml URL: http://svn.apache.org/viewvc/karaf/trunk/pom.xml?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/pom.xml (original) +++ karaf/trunk/pom.xml Thu Dec 23 16:12:51 2010 
@@ -417,6 +417,11 @@ </dependency> <dependency> <groupId>org.apache.karaf.webconsole</groupId> + <artifactId>org.apache.karaf.webconsole.console</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.karaf.webconsole</groupId> <artifactId>org.apache.karaf.webconsole.features</artifactId> <version>${project.version}</version> </dependency> Modified: karaf/trunk/webconsole/branding/pom.xml URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/branding/pom.xml?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/webconsole/branding/pom.xml (original) +++ karaf/trunk/webconsole/branding/pom.xml Thu Dec 23 16:12:51 2010 @@ -42,9 +42,13 @@ <dependencies> <dependency> - <groupId>org.apache.felix</groupId> - <artifactId>org.apache.felix.webconsole</artifactId> - <scope>provided</scope> + <groupId>org.apache.karaf.webconsole</groupId> + <artifactId>org.apache.karaf.webconsole.console</artifactId> + </dependency> + <dependency> + <groupId>org.apache.felix</groupId> + <artifactId>org.apache.felix.webconsole</artifactId> + <scope>provided</scope> </dependency> <dependency> <groupId>org.slf4j</groupId> 
@@ -64,8 +68,9 @@ <instructions> <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName> <Bundle-DocURL>http://felix.apache.org/site/apache-karaf.html</Bundle-DocURL> - <Fragment-Host>org.apache.felix.webconsole;bundle-version="[3,4)"</Fragment-Host> + <Fragment-Host>org.apache.karaf.webconsole.console;bundle-version="[2,3)"</Fragment-Host> <Export-Package>!*</Export-Package> + <Import-Package>!org.apache.felix.webconsole*,*</Import-Package> </instructions> </configuration> </plugin> Modified: karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java (original) +++ karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java Thu Dec 23 16:12:51 2010 @@ -17,6 +17,7 @@ package org.apache.karaf.webconsole; import java.io.IOException; +import java.io.UnsupportedEncodingException; import java.security.GeneralSecurityException; import javax.security.auth.Subject; 
@@ -28,14 +29,25 @@ import javax.security.auth.callback.Unsu import javax.security.auth.login.AccountException; import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginContext; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; -import org.apache.felix.webconsole.WebConsoleSecurityProvider; +import org.apache.felix.webconsole.WebConsoleSecurityProvider2; +import org.apache.felix.webconsole.internal.KarafOsgiManager; +import org.apache.felix.webconsole.internal.servlet.Base64; +import org.osgi.service.http.HttpContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class JaasSecurityProvider implements WebConsoleSecurityProvider { +public class JaasSecurityProvider implements WebConsoleSecurityProvider2 { - private static final Logger LOG = LoggerFactory.getLogger(WebConsoleSecurityProvider.class); + private static final Logger LOG = LoggerFactory.getLogger(JaasSecurityProvider.class); + + private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"; + + private static final String HEADER_AUTHORIZATION = "Authorization"; + + private static final String AUTHENTICATION_SCHEME_BASIC = "Basic"; private String realm; @@ -48,6 +60,10 @@ public class JaasSecurityProvider implem } public Object authenticate(final String username, final String password) { + return doAuthenticate( username, password ); + } + + public Subject doAuthenticate(final String username, final String password) { try { Subject subject = new Subject(); LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() { 
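Review bot: The new public `doAuthenticate(String, String)` has no Javadoc, and its failure contract (the caller in the new `authenticate(HttpServletRequest, HttpServletResponse)` tests the result against `null`) is only discoverable by reading that caller; its body continues outside the hunk. A two-line Javadoc stating the contract would help, e.g. `/** Performs a JAAS login against the configured realm; returns the populated Subject on success, or null when login fails. */`. The same sentence would document why `authenticate(String, String)` now returns the `Subject` as its `Object` result.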
@@ -80,4 +96,89 @@ public class JaasSecurityProvider implem public boolean authorize(Object o, String s) { return true; } + + public boolean authenticate( HttpServletRequest request, HttpServletResponse response ) + { + // Return immediately if the header is missing + String authHeader = request.getHeader( HEADER_AUTHORIZATION ); + if ( authHeader != null && authHeader.length() > 0 ) + { + + // Get the authType (Basic, Digest) and authInfo (user/password) + // from the header + authHeader = authHeader.trim(); + int blank = authHeader.indexOf( ' ' ); + if ( blank > 0 ) + { + String authType = authHeader.substring( 0, blank ); + String authInfo = authHeader.substring( blank ).trim(); + + // Check whether authorization type matches + if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) ) + { + try + { + String srcString = base64Decode( authInfo ); + int i = srcString.indexOf( ':' ); + String username = srcString.substring( 0, i ); + String password = srcString.substring( i + 1 ); + + // authenticate + Subject subject = doAuthenticate( username, password ); + if ( subject != null ) + { + // as per the spec, set attributes + request.setAttribute( HttpContext.AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH ); + request.setAttribute( HttpContext.REMOTE_USER, username ); + + // set web console user attribute + request.setAttribute( WebConsoleSecurityProvider2.USER_ATTRIBUTE, username ); + + // set the JAAS subject + request.setAttribute( KarafOsgiManager.SUBJECT_RUN_AS, subject ); + + // succeed + return true; + } + } + catch ( Exception e ) + { + // Ignore + } + } + } + } + + // request authentication + try + { + response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" ); + response.setStatus( HttpServletResponse.SC_UNAUTHORIZED ); + response.setContentLength( 0 ); + response.flushBuffer(); + } + catch ( IOException ioe ) + { + // failed sending the response ... 
cannot do anything about it + } + + // inform HttpService that authentication failed + return false; + } + + + private static String base64Decode( String srcString ) + { + byte[] transformed = Base64.decodeBase64(srcString); + try + { + return new String( transformed, "ISO-8859-1" ); + } + catch ( UnsupportedEncodingException uee ) + { + return new String( transformed ); + } + } + + } Added: karaf/trunk/webconsole/console/pom.xml URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/console/pom.xml?rev=1052310&view=auto ============================================================================== --- karaf/trunk/webconsole/console/pom.xml (added) +++ karaf/trunk/webconsole/console/pom.xml Thu Dec 23 16:12:51 2010 
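Review bot: In `authenticate(HttpServletRequest, HttpServletResponse)` the split of the decoded credentials does not check that `':'` was found; for a Basic header without a colon `indexOf` returns -1 and `srcString.substring( 0, i )` throws, and the only reason the request still gets a 401 is that the enclosing `catch ( Exception e ) { // Ignore }` swallows it. That catch also hides every other failure on the path (bad Base64, a JAAS configuration error raised from `doAuthenticate`), so an operator gets no signal when logins start failing. Guard the split explicitly with `if ( i >= 0 )` around the username/password extraction and authentication, and replace the empty catch with `catch ( Exception e ) { LOG.debug( "Basic authentication attempt rejected", e ); }` so the condition is visible without logging the credentials.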
@@ -0,0 +1,160 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + + <!-- + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.apache.karaf.webconsole</groupId> + <artifactId>webconsole</artifactId> + <version>2.1.99-SNAPSHOT</version> + </parent> + + <artifactId>org.apache.karaf.webconsole.console</artifactId> + <packaging>bundle</packaging> + <name>Apache Karaf :: Web Console :: Console</name> + + <description>Apache Felix webconsole rebundled with small security related changes. 
+ </description> + + <properties> + <appendedResourcesDirectory>${basedir}/../../etc/appended-resources</appendedResourcesDirectory> + </properties> + + <dependencies> + <dependency> + <groupId>org.apache.geronimo.specs</groupId> + <artifactId>geronimo-servlet_2.5_spec</artifactId> + </dependency> + <dependency> + <groupId>org.osgi</groupId> + <artifactId>org.osgi.core</artifactId> + </dependency> + <dependency> + <groupId>org.osgi</groupId> + <artifactId>org.osgi.compendium</artifactId> + </dependency> + <dependency> + <groupId>org.apache.felix</groupId> + <artifactId>org.apache.felix.webconsole</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-api</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>commons-fileupload</groupId> + <artifactId>commons-fileupload</artifactId> + <version>1.1.1</version> + <scope>provided</scope> + <optional>true</optional> + </dependency> + <dependency> + <groupId>commons-io</groupId> + <artifactId>commons-io</artifactId> + <version>1.4</version> + <scope>provided</scope> + <optional>true</optional> + </dependency> + <dependency> + <groupId>org.json</groupId> + <artifactId>json</artifactId> + <version>20070829</version> + <scope>provided</scope> + <optional>true</optional> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + <version>${felix.plugin.version}</version> + <extensions>true</extensions> + <configuration> + <instructions> + <Bundle-SymbolicName> + ${artifactId} + </Bundle-SymbolicName> + <Bundle-Vendor> + The Apache Software Foundation + </Bundle-Vendor> + <Bundle-DocURL> + http://felix.apache.org/site/apache-felix-web-console.html + </Bundle-DocURL> + <Bundle-Activator> + org.apache.felix.webconsole.internal.KarafOsgiManagerActivator + </Bundle-Activator> + <Export-Package> + org.apache.felix.webconsole;version=3.1.2 + 
</Export-Package> + <Private-Package> + !org.apache.felix.webconsole, + org.apache.felix.webconsole.*, + </Private-Package> + <Import-Package> + org.apache.felix.scr;version=1.0;resolution:=optional, + org.osgi.service.http, + org.apache.felix.shell; + org.osgi.service.*;resolution:=optional, + javax.portlet;resolution:=optional, + javax.servlet.*;version=2.4, + * + </Import-Package> + <DynamicImport-Package> + org.apache.felix.bundlerepository, + org.osgi.service.obr + </DynamicImport-Package> + <Embed-Dependency> + <!-- Webconsole --> + org.apache.felix.webconsole;inline=**, + + <!-- Import/Export-Package parsing --> + org.apache.felix.utils;inline=org/apache/felix/utils/manifest/**, + org.apache.felix.framework;inline=org/apache/felix/framework/util/VersionRange**, + + <!-- ServiceTracker --> + org.osgi.compendium; + inline=org/osgi/util/tracker/*, + + <!-- Required for JSON data transfer --> + json, + + <!-- File Upload functionality --> + commons-fileupload, + + <!-- Required by FileUpload and Util --> + commons-io + </Embed-Dependency> + + <_removeheaders> + Embed-Dependency,Private-Package,Include-Resource + </_removeheaders> + </instructions> + </configuration> + </plugin> + </plugins> + </build> + + +</project> Added: karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManager.java URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManager.java?rev=1052310&view=auto ============================================================================== --- karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManager.java (added) +++ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManager.java Thu Dec 23 16:12:51 2010 
@@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.felix.webconsole.internal; + +import java.io.IOException; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import javax.security.auth.Subject; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; + +import org.apache.felix.webconsole.internal.servlet.OsgiManager; +import org.osgi.framework.BundleContext; + +public class KarafOsgiManager extends OsgiManager { + + public static final String SUBJECT_RUN_AS = "karaf.subject.runas"; + + public KarafOsgiManager(BundleContext bundleContext) { + super(bundleContext); + } + + @Override + public void service(final ServletRequest req, final ServletResponse res) throws ServletException, IOException { + Object obj = req.getAttribute(SUBJECT_RUN_AS); + if (obj instanceof Subject) { + try { + Subject.doAs((Subject) obj, new PrivilegedExceptionAction<Object>() { + public Object run() throws Exception { + doService(req, res); + return null; + } + }); + } catch (PrivilegedActionException e) { + Exception cause = e.getException(); + if (cause instanceof ServletException) { + throw 
(ServletException) cause; + } + if (cause instanceof IOException) { + throw (IOException) cause; + } + throw new ServletException(cause); + } + } else { + super.service(req, res); + } + } + + protected void doService(final ServletRequest req, final ServletResponse res) throws ServletException, IOException { + super.service(req, res); + } +} Added: karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManagerActivator.java URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManagerActivator.java?rev=1052310&view=auto ============================================================================== --- karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManagerActivator.java (added) +++ karaf/trunk/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/KarafOsgiManagerActivator.java Thu Dec 23 16:12:51 2010 
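Review bot: `SUBJECT_RUN_AS` and the overridden `service` are undocumented although they define the trust boundary of this bundle: whatever object is stored under that request attribute is cast to a `Subject` and the whole console request is executed inside `Subject.doAs` with it. A Javadoc on the constant should state who is expected to set it (the security provider's `authenticate(HttpServletRequest, HttpServletResponse)` after a successful JAAS login) and that any other component able to set request attributes before this servlet runs would be trusted equally, e.g. `/** Request attribute holding the authenticated JAAS Subject the console request is run as; set only by the security provider after a successful login. */`. A one-line comment on the `else` branch noting that requests without a Subject fall back to the plain Felix behaviour would complete the picture.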
@@ -0,0 +1,56 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.felix.webconsole.internal; + + +import org.osgi.framework.BundleActivator; +import org.osgi.framework.BundleContext; + + +/** + * This is the main, starting class of the Bundle. It initializes and disposes + * the Apache Web Console upon bundle lifecycle requests. 
+ */ +public class KarafOsgiManagerActivator implements BundleActivator +{ + + private KarafOsgiManager osgiManager; + + + /** + * @see org.osgi.framework.BundleActivator#start(org.osgi.framework.BundleContext) + */ + public void start( BundleContext bundleContext ) + { + osgiManager = new KarafOsgiManager( bundleContext ); + } + + + /** + * @see org.osgi.framework.BundleActivator#stop(org.osgi.framework.BundleContext) + */ + public void stop( BundleContext arg0 ) + { + if ( osgiManager != null ) + { + osgiManager.dispose(); + } + } + +} Modified: karaf/trunk/webconsole/pom.xml URL: http://svn.apache.org/viewvc/karaf/trunk/webconsole/pom.xml?rev=1052310&r1=1052309&r2=1052310&view=diff ============================================================================== --- karaf/trunk/webconsole/pom.xml (original) +++ karaf/trunk/webconsole/pom.xml Thu Dec 23 16:12:51 2010 @@ -33,9 +33,10 @@ <name>Apache Karaf :: Web Console</name> <modules> + <module>console</module> + <module>branding</module> <module>features</module> <module>gogo</module> - <module>branding</module> <module>admin</module> </modules>
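Review bot: In `KarafOsgiManagerActivator.stop` the parameter is named `arg0`, and the `osgiManager` field is left pointing at the disposed manager, so a second stop/start cycle in the same activator instance would call `dispose()` twice on a stale object. Rename the parameter to match `start` and clear the field after disposing: `public void stop( BundleContext bundleContext )` and, after `osgiManager.dispose();`, `osgiManager = null;`. The Javadoc on both methods is only an `@see` reference; a short sentence stating that `start` creates the console servlet and `stop` disposes it would make the lifecycle explicit.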