[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends

2019-11-27 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a0e8d49197a98b92e28cf30f186f1708658d3159
Author: Michael Osipov 
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and 
friends
---
 java/org/apache/catalina/GSSRealm.java| 45 
 java/org/apache/catalina/realm/CombinedRealm.java | 43 
 java/org/apache/catalina/realm/LockOutRealm.java  | 13 +
 java/org/apache/catalina/realm/RealmBase.java | 62 ++-
 webapps/docs/changelog.xml|  4 ++
 5 files changed, 155 insertions(+), 12 deletions(-)

diff --git a/java/org/apache/catalina/GSSRealm.java 
b/java/org/apache/catalina/GSSRealm.java
new file mode 100644
index 000..9638c2b
--- /dev/null
+++ b/java/org/apache/catalina/GSSRealm.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina;
+
+import java.security.Principal;
+
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
+
+/**
+ * A GSSRealm is a specialized realm for GSS-based usernames.
+ *
+ * @deprecated To be removed in Tomcat 9.0 and integrated into {@link Realm}.
+ */
+@Deprecated
+public interface GSSRealm extends Realm {
+
+
+// - Public Methods
+
+/**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ *  {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential);
+
+}
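Review bot: The Javadoc on `authenticate(GSSName, GSSCredential)` does not say who has verified the name. The method receives only a name and a credential that may be `null`, so an implementation has little to check the caller's identity against. If the intended contract is a lookup of an already authenticated name, state it in the comment, for example `The caller must have obtained gssName from an established GSS security context; this method maps the name to a principal and does not verify it.` It would also help to say whether `gssName` may be `null`, as is already done for `gssCredential`. The same Javadoc text is added to `Realm.java` in the two 9.0.x mails further down.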
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java 
b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..cd64d99 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -26,12 +26,14 @@ import java.util.List;
 import javax.management.ObjectName;
 
 import org.apache.catalina.Container;
+import org.apache.catalina.GSSRealm;
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -393,6 +395,47 @@ public class CombinedRealm extends RealmBase {
 return null;
 }
 
+/**
+ * {@inheritDoc}
+ */
+@Override
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+Principal authenticatedUser = null;
+String username = gssName.toString();
+
+for (Realm realm : realms) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authStart",
+username, realm.getClass().getName()));
+}
+
+if (!(realm instanceof GSSRealm)) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authFail",
+username, realm.getClass().getName()));
+}
+
+continue;
+}
+
+authenticatedUser = ((GSSRealm) realm).authenticate(gssName, 
gssCredential);
+
+if (authenticatedUser == null) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authFail",
+username, realm.getClass().getName()));
+}
+} else {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authSuccess",
+username, realm.getClass().getName()));
+}
+break;
+}
+}
+return authenticatedUser;
+}
+
 @Override
 

[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends

2019-11-27 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63681/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d987d942aecf557133df9399592ebfc0b77f9968
Author: Michael Osipov 
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and 
friends
---
 java/org/apache/catalina/Realm.java   | 15 ++
 java/org/apache/catalina/realm/CombinedRealm.java | 33 +
 java/org/apache/catalina/realm/LockOutRealm.java  | 13 +
 java/org/apache/catalina/realm/RealmBase.java | 58 +++
 webapps/docs/changelog.xml|  4 ++
 5 files changed, 113 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/Realm.java 
b/java/org/apache/catalina/Realm.java
index 7785ec2..1acf6e3 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
 
 /**
  * A Realm is a read-only facade for an underlying security realm
@@ -117,6 +119,19 @@ public interface Realm extends Contained {
 
 
 /**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ *  {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+public default Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+return null;
+}
+
+
+/**
  * Try to authenticate using {@link X509Certificate}s
  *
  * @param certs Array of client certificates, with the first one in
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java 
b/java/org/apache/catalina/realm/CombinedRealm.java
index 6a73b0f..6bbc238 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase {
 return null;
 }
 
+/**
+ * {@inheritDoc}
+ */
+@Override
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+Principal authenticatedUser = null;
+String username = gssName.toString();
+
+for (Realm realm : realms) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authStart",
+username, realm.getClass().getName()));
+}
+
+authenticatedUser = realm.authenticate(gssName, gssCredential);
+
+if (authenticatedUser == null) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authFail",
+username, realm.getClass().getName()));
+}
+} else {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authSuccess",
+username, realm.getClass().getName()));
+}
+break;
+}
+}
+return authenticatedUser;
+}
+
 @Override
 protected String getPassword(String username) {
 // This method should never be called
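Review bot: `String username = gssName.toString();` at the top of the new `authenticate(GSSName, GSSCredential)` dereferences `gssName` before any check, although the value is only used in the debug messages. The interface Javadoc allows a `null` `gssCredential` but says nothing about `gssName`, so a `null` name ends in a NullPointerException inside the realm rather than a failed authentication. Consider `if (gssName == null) { return null; }` as the first statement, or document that the name must not be `null`. The same line appears in the `CombinedRealm` hunks of the other two mails and in both `LockOutRealm` hunks.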
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java 
b/java/org/apache/catalina/realm/LockOutRealm.java
index aa4820a..28ce315 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm {
 return null;
 }
 
+/**
+ * {@inheritDoc}
+ */
+@Override
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+String username = gssName.toString();
+
+Principal authenticatedUser = super.authenticate(gssName, 
gssCredential);
+
+return filterLockedAccounts(username, authenticatedUser);
+}
+
 
 /*
  * Filters authenticated principals to ensure that null is
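Review bot: The lock-out bookkeeping in the new override is keyed on `gssName.toString()`, and nothing in the hunk says how that string relates to the user name used by the password-based overloads. If those overloads key on a different form of the name (for example without a realm suffix, which is not visible here), failures recorded through one path would not count against the other. A short comment above the `filterLockedAccounts` call would make the choice explicit, e.g. `// Lock-out state is tracked under the full GSS name string; see the other authenticate() overloads for the key they use`. It is also worth stating whether a `null` result from `super.authenticate` (no realm mapped the name) is meant to count as a failed attempt. The `LockOutRealm` hunk in the 2019-11-21 mail is identical.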
diff --git a/java/org/apache/catalina/realm/RealmBase.java 

[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends

2019-11-21 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63681/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 90624364edd1115cceb47e7bc4ece5828a0e62d2
Author: Michael Osipov 
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and 
friends
---
 java/org/apache/catalina/Realm.java   | 13 +
 java/org/apache/catalina/realm/CombinedRealm.java | 33 +
 java/org/apache/catalina/realm/LockOutRealm.java  | 13 +
 java/org/apache/catalina/realm/RealmBase.java | 58 +++
 webapps/docs/changelog.xml|  8 
 5 files changed, 115 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/Realm.java 
b/java/org/apache/catalina/Realm.java
index 7785ec2..6f5d2c7 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
 
 /**
  * A Realm is a read-only facade for an underlying security realm
@@ -117,6 +119,17 @@ public interface Realm extends Contained {
 
 
 /**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ *  {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential);
+
+
+/**
  * Try to authenticate using {@link X509Certificate}s
  *
  * @param certs Array of client certificates, with the first one in
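Review bot: The new `authenticate(GSSName, GSSCredential)` is declared without a body on the public `Realm` interface, so any `Realm` implementation that does not extend `RealmBase` no longer compiles against this branch. A class compiled earlier would fail with AbstractMethodError when the method is called. The branch name says 9.0.x, so a default body would keep existing implementations working: `public default Principal authenticate(GSSName gssName, GSSCredential gssCredential) { return null; }`. If the method is meant to be mandatory, the changelog entry should call out the incompatibility.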
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java 
b/java/org/apache/catalina/realm/CombinedRealm.java
index 6a73b0f..6bbc238 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase {
 return null;
 }
 
+/**
+ * {@inheritDoc}
+ */
+@Override
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+Principal authenticatedUser = null;
+String username = gssName.toString();
+
+for (Realm realm : realms) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authStart",
+username, realm.getClass().getName()));
+}
+
+authenticatedUser = realm.authenticate(gssName, gssCredential);
+
+if (authenticatedUser == null) {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authFail",
+username, realm.getClass().getName()));
+}
+} else {
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("combinedRealm.authSuccess",
+username, realm.getClass().getName()));
+}
+break;
+}
+}
+return authenticatedUser;
+}
+
 @Override
 protected String getPassword(String username) {
 // This method should never be called
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java 
b/java/org/apache/catalina/realm/LockOutRealm.java
index aa4820a..28ce315 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm {
 return null;
 }
 
+/**
+ * {@inheritDoc}
+ */
+@Override
+public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+String username = gssName.toString();
+
+Principal authenticatedUser = super.authenticate(gssName, 
gssCredential);
+
+return filterLockedAccounts(username, authenticatedUser);
+}
+
 
 /*
  * Filters authenticated principals to ensure that null is
diff --git a/java/org/apache/catalina/realm/RealmBase.java