This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63681/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d987d942aecf557133df9399592ebfc0b77f9968
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

    BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and 
friends
---
 java/org/apache/catalina/Realm.java               | 15 ++++++
 java/org/apache/catalina/realm/CombinedRealm.java | 33 +++++++++++++
 java/org/apache/catalina/realm/LockOutRealm.java  | 13 +++++
 java/org/apache/catalina/realm/RealmBase.java     | 58 +++++++++++++++++++----
 webapps/docs/changelog.xml                        |  4 ++
 5 files changed, 113 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/Realm.java 
b/java/org/apache/catalina/Realm.java
index 7785ec2..1acf6e3 100644
--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
 
 /**
  * A <b>Realm</b> is a read-only facade for an underlying security realm
@@ -117,6 +119,19 @@ public interface Realm extends Contained {
 
 
     /**
+     * Try to authenticate using a {@link GSSName}
+     *
+     * @param gssName The {@link GSSName} of the principal to look up
+     * @param gssCredential The {@link GSSCredential} of the principal, may be
+     *                      {@code null}
+     * @return the associated principal, or {@code null} if there is none
+     */
+    public default Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+        return null;
+    }
+
+
+    /**
      * Try to authenticate using {@link X509Certificate}s
      *
      * @param certs Array of client certificates, with the first one in
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java 
b/java/org/apache/catalina/realm/CombinedRealm.java
index 6a73b0f..6bbc238 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -32,6 +32,7 @@ import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+        Principal authenticatedUser = null;
+        String username = gssName.toString();
+
+        for (Realm realm : realms) {
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("combinedRealm.authStart",
+                        username, realm.getClass().getName()));
+            }
+
+            authenticatedUser = realm.authenticate(gssName, gssCredential);
+
+            if (authenticatedUser == null) {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authFail",
+                            username, realm.getClass().getName()));
+                }
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authSuccess",
+                            username, realm.getClass().getName()));
+                }
+                break;
+            }
+        }
+        return authenticatedUser;
+    }
+
     @Override
     protected String getPassword(String username) {
         // This method should never be called
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java 
b/java/org/apache/catalina/realm/LockOutRealm.java
index aa4820a..28ce315 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+        String username = gssName.toString();
+
+        Principal authenticatedUser = super.authenticate(gssName, 
gssCredential);
+
+        return filterLockedAccounts(username, authenticatedUser);
+    }
+
 
     /*
      * Filters authenticated principals to ensure that <code>null</code> is
diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index aa542a7..91b468f 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -497,16 +497,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
                     }
                 }
 
-                String name = gssName.toString();
-
-                if (isStripRealmForGss()) {
-                    int i = name.indexOf('@');
-                    if (i > 0) {
-                        // Zero so we don't leave a zero length name
-                        name = name.substring(0, i);
-                    }
-                }
-                return getPrincipal(name, gssCredential);
+                return getPrincipal(gssName, gssCredential);
             }
         } else {
             log.error(sm.getString("realmBase.gssContextNotEstablished"));
@@ -518,6 +509,19 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 
 
     /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential 
gssCredential) {
+        if (gssName == null) {
+            return null;
+        }
+
+        return getPrincipal(gssName, gssCredential);
+    }
+
+
+    /**
      * Execute a periodic task, such as reloading, etc. This method will be
      * invoked inside the classloading context of this container. Unexpected
      * throwables will be caught and logged.
@@ -1220,6 +1224,11 @@ public abstract class RealmBase extends 
LifecycleMBeanBase implements Realm {
     protected abstract Principal getPrincipal(String username);
 
 
+    /**
+     * @deprecated This will be removed in Tomcat 10 onwards. Use
+     *             {@link #getPrincipal(GSSName, GSSCredential)} instead.
+     */
+    @Deprecated
     protected Principal getPrincipal(String username,
             GSSCredential gssCredential) {
         Principal p = getPrincipal(username);
@@ -1231,6 +1240,35 @@ public abstract class RealmBase extends 
LifecycleMBeanBase implements Realm {
         return p;
     }
 
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * @param gssName The GSS name
+     * @param gssCredential the GSS credential of the principal
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName, GSSCredential 
gssCredential) {
+        String name = gssName.toString();
+
+        if (isStripRealmForGss()) {
+            int i = name.indexOf('@');
+            if (i > 0) {
+                // Zero so we don't leave a zero length name
+                name = name.substring(0, i);
+            }
+        }
+
+        Principal p = getPrincipal(name);
+
+        if (p instanceof GenericPrincipal) {
+            ((GenericPrincipal) p).setGssCredential(gssCredential);
+        }
+
+        return p;
+    }
+
+
     /**
      * Return the Server object that is the ultimate parent for the container
      * with which this Realm is associated. If the server cannot be found (eg
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2375a3a..0b7630e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
 <section name="Tomcat 9.0.30 (markt)" rtext="in development">
   <subsection name="Catalina">
     <changelog>
+      <add>
+        <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, 
GSSCredential)
+        and friends. (michaelo)
+      </add>
       <fix>
         <bug>63964</bug>: Correct a regression in the static resource caching
         changes introduced in 9.0.28. URLs constructed from URLs obtained from


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to