[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch BZ-63681/8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a0e8d49197a98b92e28cf30f186f1708658d3159 Author: Michael Osipov AuthorDate: Wed Aug 21 23:23:19 2019 +0200 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends --- java/org/apache/catalina/GSSRealm.java| 45 java/org/apache/catalina/realm/CombinedRealm.java | 43 java/org/apache/catalina/realm/LockOutRealm.java | 13 + java/org/apache/catalina/realm/RealmBase.java | 62 ++- webapps/docs/changelog.xml| 4 ++ 5 files changed, 155 insertions(+), 12 deletions(-) diff --git a/java/org/apache/catalina/GSSRealm.java b/java/org/apache/catalina/GSSRealm.java new file mode 100644 index 000..9638c2b --- /dev/null +++ b/java/org/apache/catalina/GSSRealm.java 
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina;
+
+import java.security.Principal;
+
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
+
+/**
+ * A GSSRealm is a specialized realm for GSS-based usernames.
+ *
+ * @deprecated To be removed in Tomcat 9.0 and integrated into {@link Realm}.
+ */
+@Deprecated
+public interface GSSRealm extends Realm {
+
+
+// - Public Methods
+
+/**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ * {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+public Principal authenticate(GSSName gssName, GSSCredential gssCredential);
+
+}
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..cd64d99 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java 
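Review bot: The Javadoc on `GSSRealm#authenticate(GSSName, GSSCredential)` says "Try to authenticate" while its `@param` describes `gssName` as the principal "to look up", and it never states what an implementation may assume about that name. Presumably the caller has already completed GSS context establishment and the realm only maps the name to a principal; if so the contract should say it, for example `The caller must pass only a name obtained from an established GSSContext; implementations do not verify it.` It should also say whether `gssName` may be `null`, since only `gssCredential` is documented as nullable. The same Javadoc text is added to `Realm.java` in the two 9.0.x messages further down this page.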
@@ -26,12 +26,14 @@ import java.util.List; import javax.management.ObjectName; import org.apache.catalina.Container; +import org.apache.catalina.GSSRealm; import org.apache.catalina.Lifecycle; import org.apache.catalina.LifecycleException; import org.apache.catalina.Realm; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; @@ -393,6 +395,47 @@ public class CombinedRealm extends RealmBase { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +Principal authenticatedUser = null; +String username = gssName.toString(); + +for (Realm realm : realms) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authStart", +username, realm.getClass().getName())); +} + +if (!(realm instanceof GSSRealm)) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authFail", +username, realm.getClass().getName())); +} + +continue; +} + +authenticatedUser = ((GSSRealm) realm).authenticate(gssName, gssCredential); + +if (authenticatedUser == null) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authFail", +username, realm.getClass().getName())); +} +} else { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authSuccess", +username, realm.getClass().getName())); +} +break; +} +} +return authenticatedUser; +} + @Override
[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch BZ-63681/9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d987d942aecf557133df9399592ebfc0b77f9968 Author: Michael Osipov AuthorDate: Wed Aug 21 23:23:19 2019 +0200 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends --- java/org/apache/catalina/Realm.java | 15 ++ java/org/apache/catalina/realm/CombinedRealm.java | 33 + java/org/apache/catalina/realm/LockOutRealm.java | 13 + java/org/apache/catalina/realm/RealmBase.java | 58 +++ webapps/docs/changelog.xml| 4 ++ 5 files changed, 113 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 7785ec2..1acf6e3 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.tomcat.util.descriptor.web.SecurityConstraint; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSName; /** * A Realm is a read-only facade for an underlying security realm @@ -117,6 +119,19 @@ public interface Realm extends Contained { /** + * Try to authenticate using a {@link GSSName} + * + * @param gssName The {@link GSSName} of the principal to look up + * @param gssCredential The {@link GSSCredential} of the principal, may be + * {@code null} + * @return the associated principal, or {@code null} if there is none + */ +public default Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +return null; +} + + +/** * Try to authenticate using {@link X509Certificate}s * * @param certs Array of client certificates, with the first one in diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 6a73b0f..6bbc238 100644 
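Review bot: The new `default` method in `Realm.java` returns `null` unconditionally, and the Javadoc above it does not mention that. A `Realm` implementation that does not override it will reject every GSS name, and in `CombinedRealm` that result is logged with the same `combinedRealm.authFail` message as a genuine failed lookup. Failing closed is a sensible default, but it should be documented so implementers know they must override the method to support GSS-based authentication, e.g. by adding `The default implementation always returns {@code null}.` to the description.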
--- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java @@ -32,6 +32,7 @@ import org.apache.catalina.Realm; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; @@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +Principal authenticatedUser = null; +String username = gssName.toString(); + +for (Realm realm : realms) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authStart", +username, realm.getClass().getName())); +} + +authenticatedUser = realm.authenticate(gssName, gssCredential); + +if (authenticatedUser == null) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authFail", +username, realm.getClass().getName())); +} +} else { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authSuccess", +username, realm.getClass().getName())); +} +break; +} +} +return authenticatedUser; +} + @Override protected String getPassword(String username) { // This method should never be called diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java index aa4820a..28ce315 100644 --- a/java/org/apache/catalina/realm/LockOutRealm.java +++ b/java/org/apache/catalina/realm/LockOutRealm.java @@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; 
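Review bot: In `CombinedRealm.authenticate(GSSName, GSSCredential)`, `gssName.toString()` is evaluated before the loop although `username` is only read inside the `log.isDebugEnabled()` branches, so a `null` name raises a `NullPointerException` in the authentication path instead of producing the documented `null` return. Whether any caller can pass `null` is not visible in this hunk, but the interface Javadoc does not forbid it; a guard such as `if (gssName == null) { return null; }` at the top would keep the method fail-closed. `LockOutRealm.authenticate` in the following hunk dereferences `gssName` the same way, and both hunks are repeated unchanged in the last message on this page.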
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +String username = gssName.toString(); + +Principal authenticatedUser = super.authenticate(gssName, gssCredential); + +return filterLockedAccounts(username, authenticatedUser); +} + /* * Filters authenticated principals to ensure that null is diff --git a/java/org/apache/catalina/realm/RealmBase.java
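Review bot: `LockOutRealm.authenticate` passes `gssName.toString()` to `filterLockedAccounts` as the account name, so lock-out state for GSS logins is tracked under the string form of the GSS name. If that form differs from the user name used by the password-based `authenticate` overloads (for instance when it carries a realm suffix), an account locked through one mechanism would not be locked for the other; `filterLockedAccounts` lies outside this hunk, so this needs confirming against its body. It is also worth deciding whether a `null` result here, which for a GSS name presumably means "not found in any nested realm" rather than a wrong credential, should count as a failed attempt. Either way a comment on the chosen key would help, e.g. `// Lock-out is keyed on the GSS name string, not the realm user name`.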
[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch BZ-63681/9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 90624364edd1115cceb47e7bc4ece5828a0e62d2 Author: Michael Osipov AuthorDate: Wed Aug 21 23:23:19 2019 +0200 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends --- java/org/apache/catalina/Realm.java | 13 + java/org/apache/catalina/realm/CombinedRealm.java | 33 + java/org/apache/catalina/realm/LockOutRealm.java | 13 + java/org/apache/catalina/realm/RealmBase.java | 58 +++ webapps/docs/changelog.xml| 8 5 files changed, 115 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 7785ec2..6f5d2c7 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.tomcat.util.descriptor.web.SecurityConstraint; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSName; /** * A Realm is a read-only facade for an underlying security realm @@ -117,6 +119,17 @@ public interface Realm extends Contained { /** + * Try to authenticate using a {@link GSSName} + * + * @param gssName The {@link GSSName} of the principal to look up + * @param gssCredential The {@link GSSCredential} of the principal, may be + * {@code null} + * @return the associated principal, or {@code null} if there is none + */ +public Principal authenticate(GSSName gssName, GSSCredential gssCredential); + + +/** * Try to authenticate using {@link X509Certificate}s * * @param certs Array of client certificates, with the first one in diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 6a73b0f..6bbc238 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java 
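Review bot: `Realm.java` gains `authenticate(GSSName, GSSCredential)` as an abstract interface method on the `BZ-63681/9.0.x` branch, so a `Realm` implementation that does not inherit the method from a base class stops compiling, and an already compiled one would throw `AbstractMethodError` when the method is invoked. The other 9.0.x message on this page declares it as `public default Principal authenticate(GSSName gssName, GSSCredential gssCredential) { return null; }`, which keeps existing implementations working and fails closed. Unless breaking implementers is intended for this branch, the default form looks like the safer choice.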
+++ b/java/org/apache/catalina/realm/CombinedRealm.java @@ -32,6 +32,7 @@ import org.apache.catalina.Realm; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; @@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +Principal authenticatedUser = null; +String username = gssName.toString(); + +for (Realm realm : realms) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authStart", +username, realm.getClass().getName())); +} + +authenticatedUser = realm.authenticate(gssName, gssCredential); + +if (authenticatedUser == null) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authFail", +username, realm.getClass().getName())); +} +} else { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authSuccess", +username, realm.getClass().getName())); +} +break; +} +} +return authenticatedUser; +} + @Override protected String getPassword(String username) { // This method should never be called diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java index aa4820a..28ce315 100644 --- a/java/org/apache/catalina/realm/LockOutRealm.java +++ b/java/org/apache/catalina/realm/LockOutRealm.java @@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; 
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +String username = gssName.toString(); + +Principal authenticatedUser = super.authenticate(gssName, gssCredential); + +return filterLockedAccounts(username, authenticatedUser); +} + /* * Filters authenticated principals to ensure that null is diff --git a/java/org/apache/catalina/realm/RealmBase.java