Repository: juddi Updated Branches: refs/heads/master 3e1322f34 -> 53d6f2d2c
JUDDI-920 this should enable http based authentication
Project: http://git-wip-us.apache.org/repos/asf/juddi/repo
Commit: http://git-wip-us.apache.org/repos/asf/juddi/commit/86d58ae4
Tree: http://git-wip-us.apache.org/repos/asf/juddi/tree/86d58ae4
Diff: http://git-wip-us.apache.org/repos/asf/juddi/diff/86d58ae4
Branch: refs/heads/master
Commit: 86d58ae417563ea973a970b76914352becb31fb8
Parents: 3e1322f
Author: Alex <[email protected]>
Authored: Sat Jan 17 10:55:02 2015 -0500
Committer: Alex <[email protected]>
Committed: Sat Jan 17 10:55:02 2015 -0500
----------------------------------------------------------------------
 .../juddi/api/impl/AuthenticatedService.java | 290 ++++++++++---------
 .../java/org/apache/juddi/config/Property.java | 5 +
 .../v3/auth/HTTPContainerAuthenticator.java | 8 +-
 .../juddi/v3/auth/HTTPHeaderAuthenticator.java | 8 +-
 4 files changed, 171 insertions(+), 140 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/juddi/blob/86d58ae4/juddi-core/src/main/java/org/apache/juddi/api/impl/AuthenticatedService.java
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/java/org/apache/juddi/api/impl/AuthenticatedService.java b/juddi-core/src/main/java/org/apache/juddi/api/impl/AuthenticatedService.java
index 532d6eb..7a4c334 100644
--- a/juddi-core/src/main/java/org/apache/juddi/api/impl/AuthenticatedService.java
+++ b/juddi-core/src/main/java/org/apache/juddi/api/impl/AuthenticatedService.java
@@ -14,7 +14,6 @@
 * limitations under the License.
 *
 */
-
 package org.apache.juddi.api.impl;

 import java.util.Date;
@@ -36,163 +35,190 @@ import org.apache.juddi.v3.auth.AuthenticatorFactory; import org.apache.juddi.v3.error.AuthTokenRequiredException; import org.apache.juddi.v3.error.AuthTokenExpiredException; import org.apache.juddi.v3.error.ErrorMessage; +import org.apache.juddi.v3.error.UnknownUserException; import org.uddi.v3_service.DispositionReportFaultMessage; -/**Although this class is abstract, it provides token validation +/** + * Although this class is abstract, it provides token validation + * * @author <a href="mailto:[email protected]">Jeff Faath</a> - * - * @author <a href="mailto:[email protected]">Alex O'Ree</a> - modified to include token expiration validation + * + * @author <a href="mailto:[email protected]">Alex O'Ree</a> - modified to + * include token expiration validation */ public abstract class AuthenticatedService { - public static final int AUTHTOKEN_ACTIVE = 1; - public static final int AUTHTOKEN_RETIRED = 0; - static final Log logger = LogFactory.getLog(AuthenticatedService.class); + + public static final int AUTHTOKEN_ACTIVE = 1; + public static final int AUTHTOKEN_RETIRED = 0; + static final Log logger = LogFactory.getLog(AuthenticatedService.class); /** * the node id of this server instance, as loaded from the config file */ - protected static String node = "UNDEFINED_NODE_NAME"; - protected String baseUrlSSL="UNDEFINED"; - protected String baseUrl="UNDEFINED"; - - public AuthenticatedService(){ + protected static String node = "UNDEFINED_NODE_NAME"; + protected String baseUrlSSL = "UNDEFINED"; + protected String baseUrl = "UNDEFINED"; + + public AuthenticatedService() { try { node = AppConfig.getConfiguration().getString(Property.JUDDI_NODE_ID, "UNDEFINED_NODE_NAME"); - node=node.trim(); - baseUrlSSL=AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL_SECURE, Property.DEFAULT_BASE_URL_SECURE); - baseUrlSSL=AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL, Property.DEFAULT_BASE_URL); + node = node.trim(); + baseUrlSSL = 
AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL_SECURE, Property.DEFAULT_BASE_URL_SECURE); + baseUrlSSL = AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL, Property.DEFAULT_BASE_URL); } catch (ConfigurationException ex) { logger.fatal(null, ex); } } - - + @Resource protected WebServiceContext ctx; - public UddiEntityPublisher getEntityPublisher(EntityManager em, String authInfo) throws DispositionReportFaultMessage { - - if (authInfo == null || authInfo.length() == 0) - throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthRequired")); - - org.apache.juddi.model.AuthToken modelAuthToken = em.find(org.apache.juddi.model.AuthToken.class, authInfo); - if (modelAuthToken == null) - throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); - - int allowedMinutesOfInactivity = 0; - try { - allowedMinutesOfInactivity = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_TIMEOUT, 0); - } catch (ConfigurationException ce) { - logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from " - + "the application's configuration. No automatic timeout token invalidation will occur. " - + ce.getMessage(), ce); - } - int maxMinutesOfAge = 0; - try { - maxMinutesOfAge = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_EXPIRATION, 0); - } catch (ConfigurationException ce) { - logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from " - + "the application's configuration. No automatic timeout token invalidation will occur. 
" - + ce.getMessage(), ce); - } - Date now = new Date(); - // 0 or negative means token does not expire - if (allowedMinutesOfInactivity > 0) { - // expire tokens after # minutes of inactivity - // compare the time in milli-seconds - if (now.getTime() > modelAuthToken.getLastUsed().getTime() + allowedMinutesOfInactivity * 60000l) { - logger.info("AUDIT: FAILTURE Token " + modelAuthToken.getAuthToken() + " expired due to inactivity "+getRequestorsIPAddress()); - modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); - } - } - if (maxMinutesOfAge > 0) { - // expire tokens when max age is reached - // compare the time in milli-seconds - if (now.getTime() > modelAuthToken.getCreated().getTime() + maxMinutesOfAge * 60000l) { - - logger.info("AUDIT: FAILURE - Token " + modelAuthToken.getAuthorizedName() + " expired due to old age " + getRequestorsIPAddress()); - modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); - } - } - - if (modelAuthToken.getTokenState() == AUTHTOKEN_RETIRED){ - - throw new AuthTokenExpiredException(new ErrorMessage("errors.auth.AuthTokenExpired")); + + public UddiEntityPublisher getEntityPublisher(EntityManager em, String authInfo) throws DispositionReportFaultMessage { + boolean useAuthInfo = true; + try { + useAuthInfo = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTHENTICATOR_USE_TOKEN, true); + } catch (ConfigurationException ex) { + } - if (ctx !=null){ - try{ - boolean check=true; - try{ - check=AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP, true); + if (useAuthInfo) { + + if (authInfo == null || authInfo.length() == 0) { + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthRequired")); + } + + org.apache.juddi.model.AuthToken modelAuthToken = em.find(org.apache.juddi.model.AuthToken.class, authInfo); + if (modelAuthToken == null) { + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + } + + int allowedMinutesOfInactivity = 0; + try { + 
allowedMinutesOfInactivity = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_TIMEOUT, 0); + } catch (ConfigurationException ce) { + logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from " + + "the application's configuration. No automatic timeout token invalidation will occur. " + + ce.getMessage(), ce); + } + int maxMinutesOfAge = 0; + try { + maxMinutesOfAge = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_EXPIRATION, 0); + } catch (ConfigurationException ce) { + logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from " + + "the application's configuration. No automatic timeout token invalidation will occur. " + + ce.getMessage(), ce); } - catch (ConfigurationException ex){ - logger.warn("Error loading config property " + Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP + - " Enforcing Same IP for Auth Tokens will be enabled by default", ex); + Date now = new Date(); + // 0 or negative means token does not expire + if (allowedMinutesOfInactivity > 0) { + // expire tokens after # minutes of inactivity + // compare the time in milli-seconds + if (now.getTime() > modelAuthToken.getLastUsed().getTime() + allowedMinutesOfInactivity * 60000l) { + logger.info("AUDIT: FAILTURE Token " + modelAuthToken.getAuthToken() + " expired due to inactivity " + getRequestorsIPAddress()); + modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); + } } - if (check){ - MessageContext mc = ctx.getMessageContext(); - HttpServletRequest req = null; - if (mc!=null){ - req=(HttpServletRequest)mc.get(MessageContext.SERVLET_REQUEST); - } - if (req!=null && - modelAuthToken.getIPAddress()!=null && - modelAuthToken.getIPAddress()!=null && - !modelAuthToken.getIPAddress().equalsIgnoreCase(req.getRemoteAddr())) - { - modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); - logger.error("AUDIT FAILURE - Security Alert - Attempt to use issued auth token from a different IP address, user " + - modelAuthToken.getAuthorizedName() 
+ ", issued IP " + modelAuthToken.getIPAddress() + - ", attempted use from " + req.getRemoteAddr() + ", forcing reauthentication."); + if (maxMinutesOfAge > 0) { + // expire tokens when max age is reached + // compare the time in milli-seconds + if (now.getTime() > modelAuthToken.getCreated().getTime() + maxMinutesOfAge * 60000l) { + + logger.info("AUDIT: FAILURE - Token " + modelAuthToken.getAuthorizedName() + " expired due to old age " + getRequestorsIPAddress()); + modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); + } + } + + if (modelAuthToken.getTokenState() == AUTHTOKEN_RETIRED) { + + throw new AuthTokenExpiredException(new ErrorMessage("errors.auth.AuthTokenExpired")); + } + if (ctx != null) { + try { + boolean check = true; + try { + check = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP, true); + } catch (ConfigurationException ex) { + logger.warn("Error loading config property " + Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP + + " Enforcing Same IP for Auth Tokens will be enabled by default", ex); + } + if (check) { + MessageContext mc = ctx.getMessageContext(); + HttpServletRequest req = null; + if (mc != null) { + req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST); + } + if (req != null + && modelAuthToken.getIPAddress() != null + && modelAuthToken.getIPAddress() != null + && !modelAuthToken.getIPAddress().equalsIgnoreCase(req.getRemoteAddr())) { + modelAuthToken.setTokenState(AUTHTOKEN_RETIRED); + logger.error("AUDIT FAILURE - Security Alert - Attempt to use issued auth token from a different IP address, user " + + modelAuthToken.getAuthorizedName() + ", issued IP " + modelAuthToken.getIPAddress() + + ", attempted use from " + req.getRemoteAddr() + ", forcing reauthentication."); + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + //invalidate the token, someone's intercepted it or it was reused on another ip + } + } + } catch (Exception ex) { + if (ex instanceof 
AuthTokenRequiredException) { + throw (AuthTokenRequiredException) ex; + } + logger.error("unexpected error caught looking up requestor's ip address", ex); + } + + } + Authenticator authenticator = AuthenticatorFactory.getAuthenticator(); + UddiEntityPublisher entityPublisher = authenticator.identify(authInfo, modelAuthToken.getAuthorizedName(), ctx); + + // Must make sure the returned publisher has all the necessary fields filled + if (entityPublisher == null) { + logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress()); throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); - //invalidate the token, someone's intercepted it or it was reused on another ip - } } - } - catch (Exception ex){ - if (ex instanceof AuthTokenRequiredException) - throw (AuthTokenRequiredException)ex; - logger.error("unexpected error caught looking up requestor's ip address", ex); - } - - } - Authenticator authenticator = AuthenticatorFactory.getAuthenticator(); - UddiEntityPublisher entityPublisher = authenticator.identify(authInfo, modelAuthToken.getAuthorizedName(), ctx); - - // Must make sure the returned publisher has all the necessary fields filled - if (entityPublisher == null) { - logger.warn("AUDIT FAILURE - Auth token invalided, publisher does not exist "+ getRequestorsIPAddress()); - throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); - } - if (entityPublisher.getAuthorizedName() == null){ - logger.warn("AUDIT FAILURE - Auth token invalided, username does exist"+ getRequestorsIPAddress()); - throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + if (entityPublisher.getAuthorizedName() == null) { + logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress()); + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + } + // Auth token is being used. 
Adjust appropriate values so that it's internal 'expiration clock' is reset. + modelAuthToken.setLastUsed(new Date()); + modelAuthToken.setNumberOfUses(modelAuthToken.getNumberOfUses() + 1); + return entityPublisher; + } else { + //use non-token based authentication + Authenticator authenticator = AuthenticatorFactory.getAuthenticator(); + UddiEntityPublisher entityPublisher = authenticator.identify(null, null, ctx); + // Must make sure the returned publisher has all the necessary fields filled + if (entityPublisher == null) { + logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress()); + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + } + if (entityPublisher.getAuthorizedName() == null) { + logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress()); + throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid")); + } + return entityPublisher; + } - // Auth token is being used. Adjust appropriate values so that it's internal 'expiration clock' is reset. 
- modelAuthToken.setLastUsed(new Date()); - modelAuthToken.setNumberOfUses(modelAuthToken.getNumberOfUses() + 1); - - return entityPublisher; - - } + + } /** - * Attempts to get the requestor's ip address from the servlet context, defaults to null it it can't be - * retrieved + * Attempts to get the requestor's ip address from the servlet context, + * defaults to null it it can't be retrieved + * * @return requestor's ip address or null if it's not available */ - public String getRequestorsIPAddress() - { - try { - MessageContext mc = ctx.getMessageContext(); - HttpServletRequest req = null; - if (mc != null) { - req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST); - } - if (req != null) { - return req.getRemoteAddr(); + public String getRequestorsIPAddress() { + try { + MessageContext mc = ctx.getMessageContext(); + HttpServletRequest req = null; + if (mc != null) { + req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST); + } + if (req != null) { + return req.getRemoteAddr(); + } + } catch (Exception ex) { + logger.debug("Error caught looking up the requestor's ip address", ex); } - } catch (Exception ex) { - logger.debug("Error caught looking up the requestor's ip address", ex); - } - return null; + return null; } } http://git-wip-us.apache.org/repos/asf/juddi/blob/86d58ae4/juddi-core/src/main/java/org/apache/juddi/config/Property.java ---------------------------------------------------------------------- diff --git a/juddi-core/src/main/java/org/apache/juddi/config/Property.java b/juddi-core/src/main/java/org/apache/juddi/config/Property.java index 139a5c5..e855a46 100644 --- a/juddi-core/src/main/java/org/apache/juddi/config/Property.java +++ b/juddi-core/src/main/java/org/apache/juddi/config/Property.java 
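Review bot: Nothing in the new else-branch of getEntityPublisher checks that the authenticator returned by `AuthenticatorFactory.getAuthenticator()` can identify a caller from `ctx` alone: it is handed `identify(null, null, ctx)` regardless, so setting `juddi.auth.authenticator[@useAuthToken]` to false while `juddi.auth.authenticator.class` still names a credential-based authenticator leaves the outcome to how that class treats null arguments, which this hunk does not show; the branch should at least refuse with `AuthTokenRequiredException` when `ctx == null`, since the context is the only input left, and log at info which authenticator it delegated to. The `catch (ConfigurationException ex) { }` that reads that flag is empty; true is the safe default, but the failure still belongs in the log, e.g. `logger.warn("Error reading property " + Property.JUDDI_AUTHENTICATOR_USE_TOKEN + ", token based authentication stays enabled", ex);`. The rewritten constructor still assigns `Property.JUDDI_BASE_URL` to `baseUrlSSL` on the line after the `Property.JUDDI_BASE_URL_SECURE` lookup, so `baseUrl` is never set and `baseUrlSSL` ends up holding the non-TLS address; the second line should read `baseUrl = AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL, Property.DEFAULT_BASE_URL);`. The same-IP check tests `modelAuthToken.getIPAddress() != null` twice, and the non-token branch's audit messages still say `Auth token invalid` although no token is involved, which will mislead whoever reads the audit log.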
@@ -85,6 +85,11 @@ public interface Property {
 public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule";

 /**
+ * Whether not the token is used with each transition, default should be true
+ */
+ public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]";
+
+ /**
 * This points to the class of the authenticator
 */
 public final static String JUDDI_AUTHENTICATOR = "juddi.auth.authenticator.class";
http://git-wip-us.apache.org/repos/asf/juddi/blob/86d58ae4/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPContainerAuthenticator.java
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPContainerAuthenticator.java b/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPContainerAuthenticator.java
index 35b3123..e003aa3 100644
--- a/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPContainerAuthenticator.java
+++ b/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPContainerAuthenticator.java
@@ -47,7 +47,7 @@ public class HTTPContainerAuthenticator implements Authenticator {
 }

 @Override
- public UddiEntityPublisher identify(String authInfo, String authorizedName, WebServiceContext ctx) throws AuthenticationException, FatalErrorException {
+ public UddiEntityPublisher identify(String authInfoNotused, String authorizedNameNotused, WebServiceContext ctx) throws AuthenticationException, FatalErrorException {
 int MaxBindingsPerService = -1;
 int MaxServicesPerBusiness = -1;
 int MaxTmodels = -1;
@@ -62,7 +62,7 @@ public class HTTPContainerAuthenticator implements Authenticator {
 MaxServicesPerBusiness = -1;
 MaxTmodels = -1;
 MaxBusinesses = -1;
- log.error("config exception! " + authorizedName, ex);
+ log.error("config exception! ", ex);
 }
 EntityManager em = PersistenceManager.getEntityManager();
 EntityTransaction tx = em.getTransaction();
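Review bot: The Javadoc on the new `JUDDI_AUTHENTICATOR_USE_TOKEN` constant in the Property.java hunk reads `Whether not the token is used with each transition, default should be true`, which is ungrammatical and does not say what happens when the flag is false; since this flag decides whether AuthenticatedService skips auth-token validation entirely, the comment should say so, e.g. `Whether an auth token is required with each request. When false, token validation (expiry, inactivity and same-IP checks) is skipped and the configured authenticator identifies the caller from the servlet context alone. Default: true.` The key `juddi.auth.authenticator[@useAuthToken]` uses attribute syntax unlike its sibling `juddi.auth.authenticator.class`, which deserves a sentence in the same comment so operators put it in the right place in the configuration file.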
@@ -89,9 +89,9 @@ public class HTTPContainerAuthenticator implements Authenticator {
 tx.begin();
 Publisher publisher = em.find(Publisher.class, user);
 if (publisher == null) {
- log.warn("Publisher \"" + authorizedName + "\" was not found, adding the publisher in on the fly.");
+ log.warn("Publisher \"" + user + "\" was not found, adding the publisher in on the fly.");
 publisher = new Publisher();
- publisher.setAuthorizedName(authorizedName);
+ publisher.setAuthorizedName(user);
 publisher.setIsAdmin("false");
 publisher.setIsEnabled("true");
 publisher.setMaxBindingsPerService(MaxBindingsPerService);
http://git-wip-us.apache.org/repos/asf/juddi/blob/86d58ae4/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPHeaderAuthenticator.java
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPHeaderAuthenticator.java b/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPHeaderAuthenticator.java
index 902d1e5..99e79d9 100644
--- a/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPHeaderAuthenticator.java
+++ b/juddi-core/src/main/java/org/apache/juddi/v3/auth/HTTPHeaderAuthenticator.java
@@ -54,7 +54,7 @@ public class HTTPHeaderAuthenticator implements Authenticator {
 }

 @Override
- public UddiEntityPublisher identify(String authInfo, String authorizedName, WebServiceContext ctx) throws AuthenticationException, FatalErrorException {
+ public UddiEntityPublisher identify(String notusedauthtoken, String notusedusername, WebServiceContext ctx) throws AuthenticationException, FatalErrorException {
 int MaxBindingsPerService = -1;
 int MaxServicesPerBusiness = -1;
 int MaxTmodels = -1;
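Review bot: The publisher created on the fly in the `@@ -89,9 +89,9 @@` hunk is enabled immediately (`setIsEnabled("true")`) and named from `user`, a value defined outside the hunk, and the same block appears in HTTPHeaderAuthenticator's `@@ -94,9 +94,9 @@` hunk; for the header authenticator that identity appears to come from the request header named by `http_header_name`, so the auto-provisioning is only as trustworthy as the component that sets that header, which belongs in the class Javadoc, e.g. `Publishers are created automatically for any identity presented; deploy only behind a proxy or container that sets the header itself and strips it from client requests.` The `log.warn("Publisher \"" + user + "\" was not found, ...")` line writes that request-derived identity into the log verbatim; normalising it first (strip CR/LF, cap its length) keeps a crafted value from forging log entries. identify's body begins and ends outside these hunks, so the origin of `user` is inferred here rather than shown.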
@@ -71,7 +71,7 @@ public class HTTPHeaderAuthenticator implements Authenticator {
 MaxServicesPerBusiness = -1;
 MaxTmodels = -1;
 MaxBusinesses = -1;
- log.error("config exception! " + authorizedName, ex);
+ log.error("config exception! ", ex);
 }
 if (http_header_name == null) {
 throw new UnknownUserException(new ErrorMessage("errors.auth.NoPublisher", "misconfiguration!"));
@@ -94,9 +94,9 @@ public class HTTPHeaderAuthenticator implements Authenticator {
 tx.begin();
 Publisher publisher = em.find(Publisher.class, user);
 if (publisher == null) {
- log.warn("Publisher \"" + authorizedName + "\" was not found, adding the publisher in on the fly.");
+ log.warn("Publisher \"" + user + "\" was not found, adding the publisher in on the fly.");
 publisher = new Publisher();
- publisher.setAuthorizedName(authorizedName);
+ publisher.setAuthorizedName(user);
 publisher.setIsAdmin("false");
 publisher.setIsEnabled("true");
 publisher.setMaxBindingsPerService(MaxBindingsPerService);
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
