This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch BZ-63681/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6be96ebba4e7056d5c9621bada2c496f8c0a82d0
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200
Frist draft
changelog.xml pending
---
java/org/apache/catalina/Realm.java | 13 +++++
java/org/apache/catalina/realm/CombinedRealm.java | 34 ++++++++++++
java/org/apache/catalina/realm/LockOutRealm.java | 12 ++++
java/org/apache/catalina/realm/RealmBase.java | 67 +++++++++++++++++++----
4 files changed, 116 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/catalina/Realm.java
b/java/org/apache/catalina/Realm.java
index a6360cc..412e845 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
/**
* A <b>Realm</b> is a read-only facade for an underlying security realm
@@ -135,6 +137,17 @@ public interface Realm {
/**
+ * Try to authenticate using a {@link GSSName}
+ *
+ * @param gssName The {@link GSSName} of the principal to look up
+ * @param gssCredential The {@link GSSCredential} of the principal, may be
+ * {@code null}
+ * @return the associated principal, or {@code null} if there is none
+ */
+ public Principal authenticate(GSSName gssName, GSSCredential
gssCredential);
+
+
+ /**
* Try to authenticate using {@link X509Certificate}s
*
* @param certs Array of client certificates, with the first one in
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java
b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..5645457 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
@@ -393,6 +394,39 @@ public class CombinedRealm extends RealmBase {
return null;
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential
gssCredentail) {
+ Principal authenticatedUser = null;
+
+ String username = String.valueOf(gssName);
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart",
+ username, realm.getClass().getName()));
+ }
+
+ authenticatedUser = realm.authenticate(gssName, gssCredentail);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail",
+ username, realm.getClass().getName()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSuccess",
+ username, realm.getClass().getName()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
@Override
@Deprecated
protected String getName() {
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java
b/java/org/apache/catalina/realm/LockOutRealm.java
index b2dc29e..46e6a97 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
@@ -205,6 +206,17 @@ public class LockOutRealm extends CombinedRealm {
return null;
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential
gssCredential) {
+ String username = String.valueOf(gssName);
+
+ Principal authenticatedUser = super.authenticate(gssName,
gssCredential);
+ return filterLockedAccounts(username, authenticatedUser);
+ }
+
/*
* Filters authenticated principals to ensure that <code>null</code> is
diff --git a/java/org/apache/catalina/realm/RealmBase.java
b/java/org/apache/catalina/realm/RealmBase.java
index d321c56..f300810 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -499,16 +499,7 @@ public abstract class RealmBase extends LifecycleMBeanBase
implements Realm {
}
}
- String name = gssName.toString();
-
- if (isStripRealmForGss()) {
- int i = name.indexOf('@');
- if (i > 0) {
- // Zero so we don't leave a zero length name
- name = name.substring(0, i);
- }
- }
- return getPrincipal(name, gssCredential);
+ return getPrincipal(gssName, gssCredential);
}
} else {
log.error(sm.getString("realmBase.gssContextNotEstablished"));
@@ -520,6 +511,19 @@ public abstract class RealmBase extends LifecycleMBeanBase
implements Realm {
/**
+ * {@inheritDoc}
+ */
+ @Override
+ public Principal authenticate(GSSName gssName, GSSCredential
gssCredential) {
+ if (gssName == null) {
+ return null;
+ }
+
+ return getPrincipal(gssName, gssCredential);
+ }
+
+
+ /**
* Execute a periodic task, such as reloading, etc. This method will be
* invoked inside the classloading context of this container. Unexpected
* throwables will be caught and logged.
@@ -1253,6 +1257,49 @@ public abstract class RealmBase extends
LifecycleMBeanBase implements Realm {
return p;
}
+
+ /**
+ * Get the principal associated with the specified {@link GSSName}.
+ *
+ * This is a convenience method you can override to obtain a GSS credential
+ * via S4U2self.
+ *
+ * @param gssName The GSS name
+ * @return the principal associated with the given user name.
+ */
+ protected Principal getPrincipal(GSSName gssName) {
+ return getPrincipal(gssName, null);
+ }
+
+
+ /**
+ * Get the principal associated with the specified {@link GSSName}.
+ *
+ * @param gssName The GSS name
+ * @param gssCredential the GSS credential of the principal
+ * @return the principal associated with the given user name.
+ */
+ protected Principal getPrincipal(GSSName gssName, GSSCredential
gssCredential) {
+ String name = String.valueOf(gssName);
+
+ if (isStripRealmForGss()) {
+ int i = name.indexOf('@');
+ if (i > 0) {
+ // Zero so we don't leave a zero length name
+ name = name.substring(0, i);
+ }
+ }
+
+ Principal p = getPrincipal(name);
+
+ if (p instanceof GenericPrincipal) {
+ ((GenericPrincipal) p).setGssCredential(gssCredential);
+ }
+
+ return p;
+ }
+
+
/**
* Return the Server object that is the ultimate parent for the container
* with which this Realm is associated. If the server cannot be found (eg
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
