Re: JASPIC Implementation pointers
2015-07-03 15:31 GMT+03:00 Mark Thomas ma...@apache.org:
> On 03/07/2015 07:37, Fjodor Vershinin wrote:
>> Hi!
>> Unfortunately, commit rearrangement requires some more effort from me, so I haven't finished it yesterday. I need some more time to fix checkstyle errors and so on.
> OK.

I have prepared a patchset in the https://github.com/fjodorver/tomcat/commits/feature/form_auth branch; some commits are squashed. However, I think it's reasonable to save the refactoring commits in order to have the possibility of tracing code changes and discussing them.

>>> We can change the way users have to configure it. For example, we could say they have to use programmatic configuration via the standard JASPIC interfaces if they want to use non-default settings.
>> I see your point. The best option in my opinion is to pass these options through LoginConfig/Context in ContextConfig. We can figure out how to set these options in a programmatic way and then refresh the context provider in order to reinitialize authentication modules.
> Why do you say reinitialize? I'd expect a new instance of the module to be created when the web application starts and that instance to be used until it stops (requiring a stop/start to update config happens a lot in Tomcat - not that much configuration is configurable dynamically).

Here is the thing: currently we initialize our embedded provider on application startup if the application has login-config in web.xml. So, we need to invent some mechanism to detect if a person wants to use a custom provider or the embedded one. I have an idea that login-config is for the embedded provider only, so, in case users want to use their custom provider and do not want to use the embedded one, they should avoid using login-config in the application config. Another option is to unregister Tomcat's default provider and register a custom one.

Thanks,
Fjodor
svn commit: r1689026 - in /tomcat/trunk/test/org/apache/catalina/authenticator: ResponseDescriptor.java TestJaspicBasicAuthenticator.java
Author: markt
Date: Fri Jul 3 14:47:12 2015
New Revision: 1689026

URL: http://svn.apache.org/r1689026
Log:
Implemented integration test for JASPIC BASIC authentication

Patch by fjodorver

Added:
tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java (with props)
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java (with props)

Added: tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java?rev=1689026&view=auto
==
--- tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java (added)
+++ tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java Fri Jul 3 14:47:12 2015
@@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.authenticator; + +import java.util.List; +import java.util.Map; + +/** + * This class incorporates test response data + */ +class ResponseDescriptor { +private MapString, ListString headers; +private String body; +private int responseCode; + + +public MapString, ListString getHeaders() { +return headers; +} + + +public void setHeaders(MapString, ListString headers) { +this.headers = headers; +} + + +public String getBody() { +return body; +} + + +public void setBody(String body) { +this.body = body; +} + + +public int getResponseCode() { +return responseCode; +} + + +public void setResponseCode(int responseCode) { +this.responseCode = responseCode; +} +} \ No newline at end of file Propchange: tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java -- svn:eol-style = native Added: tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java?rev=1689026view=auto == --- tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java (added) +++ 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java Fri Jul 3 14:47:12 2015 @@ -0,0 +1,211 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.authenticator; + +import java.io.IOException; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.security.auth.message.config.AuthConfigFactory; + +import org.hamcrest.CoreMatchers; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; + +import org.junit.Test; + +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.jaspic.JaspicAuthenticator; +import org.apache.catalina.authenticator.jaspic.provider.TomcatAuthConfigProvider; +import org.apache.catalina.connector.Request; +import org.apache.catalina.startup.TesterMapRealm; +import org.apache.catalina.startup.TesterServlet; +import
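Review bot: ResponseDescriptor.java lands without a trailing newline (the hunk ends with `\ No newline at end of file`); add one so the next change to the file does not produce a spurious diff on its last line. Since the class only carries what was captured from one HTTP exchange, the three setter/getter pairs could be replaced by final fields set in a constructor, with `getHeaders()` returning an unmodifiable view, so a test cannot mutate a captured response by accident. The Javadoc "This class incorporates test response data" should say what it actually holds: the status code, headers and body of a response captured during a test.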
svn commit: r1689034 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
Author: markt
Date: Fri Jul 3 14:59:01 2015
New Revision: 1689034

URL: http://svn.apache.org/r1689034
Log:
Fix NPE on empty realm name

Patch by fjodorver

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java?rev=1689034&r1=1689033&r2=1689034&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java Fri Jul 3 14:59:01 2015
@@ -66,7 +66,7 @@ public abstract class TomcatAuthModule i public String getRealmName() { -return Optional.of(realmName).orElse(DEFAULT_REALM_NAME); +return Optional.ofNullable(realmName).orElse(DEFAULT_REALM_NAME); }

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
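Review bot: the log message says "empty realm name" but `Optional.ofNullable(realmName)` only covers a null `realmName`; an empty string still satisfies `ofNullable` and `orElse` hands it back unchanged, so `getRealmName()` can return `""` where the default was presumably wanted. If empty is meant to fall back too, test for it explicitly, e.g. `return (realmName == null || realmName.isEmpty()) ? DEFAULT_REALM_NAME : realmName;`, which also avoids allocating an Optional on every call.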
Re: JASPIC Implementation pointers
I am working on polishing the FORM authentication module code. I will continue with that this evening.

JASPIC modules configuration looks more like architectural stuff, so we need to make some decisions on how to proceed forward. I think it can be a task for next week together with the SPNEGO authentication module.

Thanks,
Fjodor

2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:
>> Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to:
>> - have zero arg constructors
>> - be fully configurable via setters
>> - use simple types for their property setters
>> How feasible is that?
> I think it sounds even better, however I would like to allow security configuration only on the provider basis. The provider can be initialized with a settings HashMap, which can be passed directly to modules on initialization. And then, modules can set their own settings using the provided information.
> --
> Thanks,
> Fjodor

--
Thanks,
Fjodor
Re: JASPIC Implementation pointers
On 03/07/2015 07:37, Fjodor Vershinin wrote:
> Hi!
> Unfortunately, commit rearrangement requires some more effort from me, so I haven't finished it yesterday. I need some more time to fix checkstyle errors and so on.

OK.

>> We can change the way users have to configure it. For example, we could say they have to use programmatic configuration via the standard JASPIC interfaces if they want to use non-default settings.
> I see your point. The best option in my opinion is to pass these options through LoginConfig/Context in ContextConfig. We can figure out how to set these options in a programmatic way and then refresh the context provider in order to reinitialize authentication modules.

Why do you say reinitialize? I'd expect a new instance of the module to be created when the web application starts and that instance to be used until it stops (requiring a stop/start to update config happens a lot in Tomcat - not that much configuration is configurable dynamically).

Mark
Re: svn commit: r1688911 - /tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
2015-07-03 0:07 GMT+03:00 ma...@apache.org:
> Author: markt
> Date: Thu Jul 2 21:07:18 2015
> New Revision: 1688911
> URL: http://svn.apache.org/r1688911
> Log:
> (empty)

Log message =?

This looks like a followup to http://svn.apache.org/r1688909

Removing the "ka = null;" line has no effect, as the ka variable is not used below. OK with it.

Removing the "socket = null;" line has an effect on the catch(OutOfMemoryError) clause. An unlikely use case, though. If we keep the "socket = null;" line, it can be moved into the close() method. Note that it will be "this.socket = null;" there, as the socket argument of the close() method shadows the socket field of the class.

-if (socket.getPoller().cancelledKey(key, SocketStatus.ERROR, false) != null) {
+if (socket.getPoller().cancelledKey(key, socketStatus, false) != null) {

OK. The above was a copy-paste fix from extracting common code into a method in r1688909. The error was that the socketStatus argument was not used.

Best regards,
Konstantin Kolinko

Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1688911&r1=1688910&r2=1688911&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu Jul 2 21:07:18 2015
@@ -1756,20 +1756,17 @@ public class NioEndpoint extends Abstrac // Close socket and pool try { close(ka, socket, key, SocketStatus.ERROR); -socket = null; -ka = null; } catch ( Exception x ) { log.error(,x); } } } else if (handshake == -1 ) { close(ka, socket, key, SocketStatus.DISCONNECT); -ka = null; } else { ka.getPoller().add(socket, handshake); } -}catch(CancelledKeyException cx) { -socket.getPoller().cancelledKey(key,null,false); +} catch (CancelledKeyException cx) { +socket.getPoller().cancelledKey(key, null, false); } catch (OutOfMemoryError oom) { try { oomParachuteData = null; @@ -1809,7 +1806,7 @@ public class NioEndpoint extends Abstrac if (ka != null) { ka.setComet(false); } -if (socket.getPoller().cancelledKey(key, SocketStatus.ERROR, false) != null) { +if (socket.getPoller().cancelledKey(key, socketStatus, false) != null) { // SocketWrapper (attachment) was removed from the // key - recycle both. This can only happen once // per attempted closure so it is used to determine
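Review bot: in the first hunk, dropping `socket = null;` after `close(ka, socket, key, SocketStatus.ERROR)` is not a pure dead-store removal the way the two `ka = null;` removals are: `socket` is still live in the `catch (OutOfMemoryError oom)` handler that follows the hunk, so a socket already closed on the error path is now non-null when that handler runs. Either keep the reset (inside `close()` as `this.socket = null`, since the `socket` parameter shadows the field, as already suggested in the thread) or state in the log message, which is currently empty, that the OOM path was checked and tolerates a closed but non-null socket.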
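Review bot: in the second hunk, changing `cancelledKey(key, SocketStatus.ERROR, false)` to `cancelledKey(key, socketStatus, false)` inside `close()` fixes the unused parameter, and as a consequence the `handshake == -1` caller in the first hunk now cancels its key with `SocketStatus.DISCONNECT` instead of `ERROR`. That is presumably the intent of passing a status at all, but it is a behaviour change on the 7.0.x branch and deserves a line in the (currently empty) log message.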
Re: JASPIC Implementation pointers
On 03/07/2015 15:42, Fjodor Vershinin wrote:
> I am working on polishing FORM authentication module code. I will continue with that this evening.

OK. I'm commenting on commits as I apply them. Some of them have suggestions for further improvements. These improvements don't need to be implemented now (if you have time then great). As a minimum there needs to be a TODO comment added to the right place(s) in the code so you can come back to them later.

> JASPIC modules configuration looks more like architectural stuff, so we need to make some decisions how to proceed forward.

What decisions? If you can define these before the weekend that gives folks a few days to think about it before you need answers.

> I think it can be task for next week together SPNEGO authentication module.

SPNEGO is likely to be tricky since setting up a test environment needs server machines and some Windows Server licenses. I have a set of VMs I use for testing SPNEGO. It probably makes sense if you port it and I test it.

Mark

> Thanks,
> Fjodor
>
> 2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:
>>> Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to:
>>> - have zero arg constructors
>>> - be fully configurable via setters
>>> - use simple types for their property setters
>>> How feasible is that?
>> I think it sounds even better, however I would like to allow security configuration only on the provider basis. Provider can be initialized with settings HashMap, which can be passed directly to modules on initialization. And then, modules can set own settings using provided information.
>> --
>> Thanks,
>> Fjodor
Early Access builds for JDK 8u60 b21 and JDK 9 b70 are available on java.net
Hi Mark/Mladen,

Early Access build for JDK 8u60 b21 http://jdk8.java.net/download.html is available on java.net; a summary of changes is listed here: http://www.java.net/download/jdk8u60/changes/jdk8u60-b21.html

As we enter the later phases of development for JDK 8u60, please log any show stoppers as soon as possible.

Early Access build for JDK 9 b70 https://jdk9.java.net/download/ is available on java.net; a summary of changes is listed here: http://www.java.net/download/jdk9/changes/jdk9-b70.html

The JDK 9 schedule of record is available on the JDK 9 Project page: http://openjdk.java.net/projects/jdk9

At https://wiki.openjdk.java.net/display/Adoption/JDK+9+Outreach you can find a (preliminary) list of other changes that might affect your project's code in JDK 9, and other things to consider when testing with JDK 9. I'd be curious to know if there is anything on that list you'd consider to have an effect on your project. Please keep in mind that as JEPs and other changes are integrated into (or out of) JDK 9, the list will change over time.

Rgds, Rory

--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland
Re: JASPIC Implementation pointers
On 03/07/2015 13:56, Fjodor Vershinin wrote:
> 2015-07-03 15:31 GMT+03:00 Mark Thomas ma...@apache.org:
>> On 03/07/2015 07:37, Fjodor Vershinin wrote:
>>> Hi!
>>> Unfortunately, commit rearrangement requires some more effort from me, so I haven't finished it yesterday. I need some more time to fix checkstyle errors and so on.
>> OK.
>
> I have prepared patchset in https://github.com/fjodorver/tomcat/commits/feature/form_auth branch, some commits are squashed. However I think it's reasonable to save refactoring commits in order to have the possibility of tracing code changes and discussing them.

OK. I'll hopefully start reviewing and merging those this afternoon.

>>>> We can change the way users have to configure it. For example, we could say they have to use programmatic configuration via the standard JASPIC interfaces if they want to use non-default settings.
>>> I see your point. The best option in my opinion is to pass these options through LoginConfig/Context in ContextConfig. We can figure out how to set these options in a programmatic way and then refresh the context provider in order to reinitialize authentication modules.
>> Why do you say reinitialize? I'd expect a new instance of the module to be created when the web application starts and that instance to be used until it stops (requiring a stop/start to update config happens a lot in Tomcat - not that much configuration is configurable dynamically).
>
> Here is the thing: currently we initialize our embedded provider on application startup, if application has login-config in web.xml.

Not quite. If the user has defined an authenticator Valve in context.xml or server.xml then that is used and any login-config in web.xml is ignored.

> So, we need to invent some mechanism to detect, if person wants to use custom provider or embedded one.

Or, as currently, simply define an order of preference.

> I have an idea, that login-config is for embedded provider only, so, in case users want to use their custom provider, and do not want to use embedded one, they should avoid using login-config in application config. Another option is unregister Tomcat's default provider, and register custom one.

Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to:
- have zero arg constructors
- be fully configurable via setters
- use simple types for their property setters

How feasible is that?

Mark
Re: JASPIC Implementation pointers
> Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to:
> - have zero arg constructors
> - be fully configurable via setters
> - use simple types for their property setters
> How feasible is that?

I think it sounds even better; however, I would like to allow security configuration only on the provider basis. The provider can be initialized with a settings HashMap, which can be passed directly to modules on initialization. And then, modules can set their own settings using the provided information.

--
Thanks,
Fjodor
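As an added example that is not part of this thread and not Tomcat's JASPIC code: a module written so that both proposals above work with it, i.e. bean-style configuration (zero-arg constructor, simple-typed setters, as a Digester-built jaspic element nested in a Context would need) and the options Map that a provider hands to initialize(). The class name, the realmName / allowEmptyPassword property names and their option keys are assumptions; the javax.security.auth.message calls are the standard JASPIC 1.x API that the modules on this page also use.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat code: a BASIC ServerAuthModule configurable either bean-style
 * (zero-arg constructor plus simple-typed setters, as a Digester-built <jaspic> element would
 * need) or through the options Map an AuthConfigProvider hands to initialize().
 * The class name and the "realmName" / "allowEmptyPassword" option keys are hypothetical.
 */
public class ConfigurableBasicAuthModule implements ServerAuthModule {
    // MessageInfo map key defined by the JASPIC Servlet Container Profile
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private String realmName = "Authentication required"; // String property
    private boolean allowEmptyPassword = false;            // boolean property
    private CallbackHandler handler;

    public ConfigurableBasicAuthModule() { }               // needed for reflective creation
    public void setRealmName(String realmName) { this.realmName = realmName; }
    public void setAllowEmptyPassword(boolean allow) { this.allowEmptyPassword = allow; }

    @SuppressWarnings("rawtypes")
    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        if (options == null) return;                       // keep setter-configured values
        // Provider options override setters; an empty realm is ignored rather than applied
        Object realm = options.get("realmName");
        if (realm instanceof String && !((String) realm).isEmpty()) realmName = (String) realm;
        Object allow = options.get("allowEmptyPassword");  // may arrive as String or Boolean
        if (allow != null) allowEmptyPassword = Boolean.parseBoolean(String.valueOf(allow));
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        String authz = request.getHeader("Authorization");
        if (authz == null || !authz.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials: unconstrained resources pass, constrained ones are challenged
            return mandatory ? challenge(response) : AuthStatus.SUCCESS;
        }
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(authz.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException malformed) { return challenge(response); } // bad base64 = no credentials
        int colon = decoded.indexOf(':');
        if (colon < 0 || (colon == decoded.length() - 1 && !allowEmptyPassword)) return challenge(response);
        String username = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();
        PasswordValidationCallback pvc = new PasswordValidationCallback(clientSubject, username, password);
        try {
            handler.handle(new Callback[] { pvc });        // container checks against its Realm
            if (!pvc.getResult()) return challenge(response);
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, username) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        } finally {
            Arrays.fill(password, '\0');                   // do not keep the clear-text password around
            pvc.clearPassword();
        }
    }

    // Writes the 401 challenge itself, hence SEND_FAILURE rather than FAILURE
    private AuthStatus challenge(HttpServletResponse response) throws AuthException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName.replace("\"", "") + "\"");
        try { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
        catch (IOException e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) { subject.getPrincipals().clear(); }
}
```

A Digester rule for a hypothetical `<jaspic className="...ConfigurableBasicAuthModule" realmName="Admin" />` element would create the module through the zero-arg constructor and call `setRealmName`; a provider taking Fjodor's route instead passes `{"realmName": "Admin"}` as `options`, and the two paths cannot disagree because `initialize()` writes into the same fields. The empty-string check on the realm is deliberate: a blank value from either source falls back to the default instead of producing an empty realm in the challenge header. Because the module writes the 401 itself, it returns `SEND_FAILURE`, which is the status the JASPIC contract defines for that case.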
svn commit: r1689060 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt
Date: Fri Jul 3 18:58:24 2015
New Revision: 1689060

URL: http://svn.apache.org/r1689060
Log:
Port FORM auth to JASPIC

Patch by fjodorver

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689060&r1=1689059&r2=1689060&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 18:58:24 2015
@@ -16,20 +16,47 @@ */ package org.apache.catalina.authenticator.jaspic.provider.modules; +import java.io.IOException; +import java.io.InputStream; +import java.security.Principal; +import java.util.Enumeration; +import java.util.Iterator; +import java.util.Locale; import java.util.Map; import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.message.AuthException; import javax.security.auth.message.AuthStatus; import javax.security.auth.message.MessageInfo; import javax.security.auth.message.MessagePolicy; +import javax.security.auth.message.callback.CallerPrincipalCallback; +import javax.security.auth.message.callback.GroupPrincipalCallback; +import javax.security.auth.message.callback.PasswordValidationCallback; +import javax.servlet.RequestDispatcher; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.Context; +import org.apache.catalina.Manager; +import org.apache.catalina.Realm; +import org.apache.catalina.Session; +import org.apache.catalina.authenticator.Constants; +import org.apache.catalina.authenticator.SavedRequest; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.realm.GenericPrincipal; +import org.apache.coyote.ActionCode; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.ExceptionUtils; +import org.apache.tomcat.util.buf.ByteChunk; +import org.apache.tomcat.util.buf.CharChunk; +import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.descriptor.web.LoginConfig; +import org.apache.tomcat.util.http.MimeHeaders; /** * This class implements JASPIC FORM-based authentication. 
@@ -61,8 +88,219 @@ public class FormAuthModule extends Tomc if (!isMandatory(messageInfo)) { return AuthStatus.SUCCESS; } -return AuthStatus.FAILURE; +try { +Request request = (Request) messageInfo.getRequestMessage(); +HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); +// References to objects we will need later +Session session = null; +Principal principal = null; + +// Have we authenticated this user before but have caching disabled? +if (!isCache()) { +session = request.getSessionInternal(true); +if (log.isDebugEnabled()) { +log.debug(Checking for reauthenticate in session + session); +} +String username = (String) session.getNote(Constants.SESS_USERNAME_NOTE); +String password = (String) session.getNote(Constants.SESS_PASSWORD_NOTE); +if ((username != null) (password != null)) { +if (log.isDebugEnabled()) { +log.debug(Reauthenticating username ' + username + '); +} +PasswordValidationCallback passwordCallback = new PasswordValidationCallback( +clientSubject, username, password.toCharArray()); +handler.handle(new Callback[] { passwordCallback }); + +if (!passwordCallback.getResult()) { +forwardToErrorPage(request, response, context.getLoginConfig()); +} +principal = getPrincipal(passwordCallback); +if (principal != null) { +session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); +if (!matchRequest(request)) { +CallerPrincipalCallback principalCallback = new CallerPrincipalCallback( +clientSubject, principal); +GroupPrincipalCallback groupCallback = new GroupPrincipalCallback( +
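Review bot: in the `!isCache()` reauthentication branch, `if (!passwordCallback.getResult()) { forwardToErrorPage(request, response, context.getLoginConfig()); }` forwards to the error page but does not return, so execution continues into `principal = getPrincipal(passwordCallback)` and the rest of the method as though validation had succeeded; add `return AuthStatus.SEND_FAILURE;` inside that block (the module has written the error response itself, which is exactly what SEND_FAILURE signals). Two smaller points on the same hunk: `Request request = (Request) messageInfo.getRequestMessage()` casts to Tomcat's internal `org.apache.catalina.connector.Request` while the module advertises `HttpServletRequest` as its supported message type, so a comment that this module only works inside Tomcat's own provider would help; and the reauthentication path reads the clear-text password back from `Constants.SESS_PASSWORD_NOTE`, the same trade-off the existing `FormAuthenticator` makes when caching is disabled, which deserves a TODO so it is revisited rather than silently inherited.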
svn commit: r1689058 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider: ./ modules/
Author: markt
Date: Fri Jul 3 18:54:29 2015
New Revision: 1689058

URL: http://svn.apache.org/r1689058
Log:
Make the Context available to the auth modules.

Patch by fjodorver

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java?rev=1689058&r1=1689057&r2=1689058&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java Fri Jul 3 18:54:29 2015
@@ -26,6 +26,7 @@ import javax.security.auth.message.Messa import javax.security.auth.message.config.ServerAuthConfig; import javax.security.auth.message.config.ServerAuthContext; +import org.apache.catalina.Context; import org.apache.catalina.Realm; import org.apache.catalina.authenticator.jaspic.provider.modules.BasicAuthModule; import org.apache.catalina.authenticator.jaspic.provider.modules.DigestAuthModule;
@@ -41,17 +42,20 @@ public class TomcatAuthConfig implements private String appContext; private CallbackHandler handler; private TomcatServerAuthContext tomcatServerAuthContext; -private Realm realm; + +private Context context; private LoginConfig loginConfig; +private Realm realm; public TomcatAuthConfig(String layer, String appContext, CallbackHandler callbackHandler, -Realm realm, LoginConfig loginConfig) { +Context context) { this.messageLayer = layer; this.appContext = appContext; this.handler = callbackHandler; -this.realm = realm; -this.loginConfig = loginConfig; +this.context = context; +this.realm = context.getRealm(); +this.loginConfig = context.getLoginConfig(); } @@ -108,13 +112,13 @@ public class TomcatAuthConfig implements String authMethod = getAuthMethod(); switch (authMethod) { case BASIC: { -return new BasicAuthModule(); +return new BasicAuthModule(context); } case DIGEST: { -return new DigestAuthModule(realm); +return new DigestAuthModule(context); } case FORM: { -return new FormAuthModule(); +return new FormAuthModule(context); } default: { throw new AuthException( Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java?rev=1689058r1=1689057r2=1689058view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java Fri Jul 3 18:54:29 2015 
@@ -26,24 +26,20 @@ import javax.security.auth.message.confi import javax.security.auth.message.config.ServerAuthConfig; import org.apache.catalina.Context; -import org.apache.catalina.Realm; -import org.apache.tomcat.util.descriptor.web.LoginConfig; /** - * Tomcat's context based JASPIC authentication provider. It returns authentication - * modules depending on context login-config setup. + * Tomcat's context based JASPIC authentication provider. It returns + * authentication modules depending on context login-config setup. */ public class TomcatAuthConfigProvider implements AuthConfigProvider { private MapString, String providerProperties; private ServerAuthConfig serverAuthConfig; -private Realm realm; -private LoginConfig loginConfig; +private Context context; public TomcatAuthConfigProvider(Context context) { -this.realm = context.getRealm(); -this.loginConfig = context.getLoginConfig(); +this.context = context; } @@ -66,7 +62,7 @@ public class TomcatAuthConfigProvider im public synchronized ServerAuthConfig getServerAuthConfig(String layer, String appContext,
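Review bot: in the `TomcatAuthConfig` constructor hunk, the class now stores `context` but still copies `context.getRealm()` and `context.getLoginConfig()` into its `realm` and `loginConfig` fields; with the Context at hand those two fields are redundant, and snapshotting them means a Realm replaced on the Context after this config was built is not seen here while the modules, which now receive `context`, would see the new one. Read both through `context` at the point of use (or drop the fields) so config and modules cannot disagree. `TomcatAuthConfigProvider` already does this in the same commit, dropping its own `realm` and `loginConfig` fields in favour of `context`; `TomcatAuthConfig` should follow.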
svn commit: r1689056 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider: TomcatAuthConfig.java modules/FormAuthModule.java
Author: markt
Date: Fri Jul 3 18:49:45 2015
New Revision: 1689056

URL: http://svn.apache.org/r1689056
Log:
Added dummy FORM auth module

Patch by fjodorver

Added:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (with props)
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java?rev=1689056&r1=1689055&r2=1689056&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java Fri Jul 3 18:49:45 2015
@@ -29,6 +29,7 @@ import javax.security.auth.message.confi import org.apache.catalina.Realm; import org.apache.catalina.authenticator.jaspic.provider.modules.BasicAuthModule; import org.apache.catalina.authenticator.jaspic.provider.modules.DigestAuthModule; +import org.apache.catalina.authenticator.jaspic.provider.modules.FormAuthModule; import org.apache.catalina.authenticator.jaspic.provider.modules.TomcatAuthModule; import org.apache.tomcat.util.descriptor.web.LoginConfig; import org.apache.tomcat.util.res.StringManager;
@@ -112,6 +113,9 @@ public class TomcatAuthConfig implements case DIGEST: { return new DigestAuthModule(realm); } +case FORM: { +return new FormAuthModule(); +} default: { throw new AuthException( sm.getString(authenticator.jaspic.unknownAuthType, authMethod)); Added: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689056view=auto == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (added) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 18:49:45 2015 
@@ -0,0 +1,88 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.authenticator.jaspic.provider.modules; + +import java.util.Map; + +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.message.AuthException; +import javax.security.auth.message.AuthStatus; +import javax.security.auth.message.MessageInfo; +import javax.security.auth.message.MessagePolicy; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +/** + * This class implements JASPIC FORM-based authentication. 
+ */ +public class FormAuthModule extends TomcatAuthModule { +private static final Log log = LogFactory.getLog(FormAuthModule.class); + +private Class?[] supportedMessageTypes = new Class[] { HttpServletRequest.class, +HttpServletResponse.class }; + +private String landingPage; + + +public FormAuthModule() { +} + + +public FormAuthModule(String landingPage) { +this.landingPage = landingPage; +} + + +@SuppressWarnings(rawtypes) +@Override +public void initializeModule(MessagePolicy requestPolicy, MessagePolicy responsePolicy, +CallbackHandler handler, Map options) throws AuthException { +} + + +@Override +public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, +Subject serviceSubject) throws AuthException { +if (!isMandatory(messageInfo)) { +return AuthStatus.SUCCESS; +} +return AuthStatus.FAILURE; + +} + + +@Override +public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) +
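Review bot: `validateRequest` returns `AuthStatus.FAILURE` when the request is mandatory, but the JASPIC `ServerAuth.validateRequest` contract lists `SUCCESS`, `SEND_SUCCESS`, `SEND_CONTINUE` and `SEND_FAILURE` as its return values; `FAILURE` is not one of them. Even as a placeholder it should establish an error response and return `SEND_FAILURE`, or throw `AuthException`, so the runtime never sees an out-of-contract status. Also, `initializeModule` ignores its `options` map and `landingPage` can only be set through the one-arg constructor, which sits badly with the zero-arg-constructor/setter configuration being discussed on the list; a `setLandingPage` plus a TODO to read `landingPage` from `options` would line the stub up with either approach.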
svn commit: r1689062 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java
Author: markt Date: Fri Jul 3 19:04:23 2015 New Revision: 1689062 URL: http://svn.apache.org/r1689062 Log: Port FORM auth unit test for JASPIC Patch by fjodorver Added: tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java (with props) Added: tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java?rev=1689062view=auto == --- tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java (added) +++ tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java Fri Jul 3 19:04:23 2015 
@@ -0,0 +1,769 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.authenticator; + +import java.io.File; +import java.io.IOException; +import java.util.List; +import java.util.StringTokenizer; + +import javax.security.auth.message.config.AuthConfigFactory; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.junit.Ignore; +import org.junit.Test; + +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.jaspic.JaspicAuthenticator; +import org.apache.catalina.authenticator.jaspic.provider.TomcatAuthConfigProvider; +import org.apache.catalina.startup.SimpleHttpClient; +import org.apache.catalina.startup.TesterMapRealm; +import org.apache.catalina.startup.TesterServlet; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; +import org.apache.tomcat.util.descriptor.web.LoginConfig; +import org.apache.tomcat.util.descriptor.web.SecurityCollection; +import 
org.apache.tomcat.util.descriptor.web.SecurityConstraint; +import org.apache.tomcat.websocket.server.WsContextListener; + +/* + * Test FORM authentication for sessions that do and do not use cookies. + * + * 1. A client that can accept and respond to a Set-Cookie for JSESSIONID + *will be able to maintain its authenticated session, no matter whether + *the session ID is changed once, many times, or not at all. + * + * 2. A client that cannot accept cookies will only be able to maintain a + *persistent session IF the server sends the correct (current) jsessionid + *as a path parameter appended to ALL urls within its response. That is + *achievable with servlets, jsps, jstl (all of which which can ask for an + *encoded url to be inserted into the dynamic web page). It cannot work + *with static html. + *note: this test class uses the Tomcat sample jsps, which conform. + * + * 3. Therefore, any webapp that MIGHT need to authenticate a client that + *does not accept cookies MUST generate EVERY protected resource url + *dynamically (so that it will include the current session ID). + * + * 4. Any webapp that cannot satisfy case 3 MUST turn off + *changeSessionIdOnAuthentication for its Context and thus degrade the + *session fixation protection for ALL of its clients. + *note from MarkT: Not sure I agree with this. If the URLs aren't + * being encoded, then the session is going to break regardless of + * whether or not the session ID changes. + * + * Unlike a proper browser, this unit test class does a quite lot of + * screen-scraping and cheating of headers and urls (not very elegant, + * but it makes no claims to generality). + * + */ +public class TestJaspicFormAuthenticator extends TomcatBaseTest { + +// these should really be singletons to be type-safe, +// we are in a unit test and don't need to paranoid. 
+protected static final boolean USE_100_CONTINUE = true; +protected static final boolean NO_100_CONTINUE = !USE_100_CONTINUE; + +protected static final boolean CLIENT_USE_COOKIES = true; +protected static final boolean CLIENT_NO_COOKIES = !CLIENT_USE_COOKIES; + +
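Review bot: point 4 of the class comment (webapps that cannot encode every URL MUST turn off `changeSessionIdOnAuthentication`) is committed together with the inline "note from MarkT: Not sure I agree with this"; resolve the disagreement before this goes in rather than shipping contradictory guidance in the header, for example by reducing point 4 to the weaker statement that such a webapp cannot keep a cookieless session at all. Also, the test imports `AuthConfigFactory`, whose registered factory and providers are JVM-global state, so whatever the test registers (`TomcatAuthConfigProvider`) should be removed in a teardown so it does not leak into other test classes run in the same JVM; and since `org.junit.Ignore` is imported, the log message should say which cases are skipped and why.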
[Bug 58095] Empty script tag results in generated jsp having a self-closing script tag, which is invalid and results in rendering issues
https://bz.apache.org/bugzilla/show_bug.cgi?id=58095

--- Comment #3 from Christopher Schultz ch...@christopherschultz.net ---

I'm not sure this is a Tomcat issue, but I'm not sure exactly how Tomcat does its XML parsing, etc. I know that I've seen this problem with other XML-oriented HTML-handling software as well.

A specific case in point: Apache Cocoon will take a <script></script> pair in an XSLT and generate <script/> in the output. We have to use the same tricks like <script><xsl:comment>boo!</xsl:comment></script> in order to prevent the XML serializer from coalescing the tags together.

The problem is likely to be that the XML serializer doesn't realize that there are certain HTML tags that cannot be self-closing (and script is the only one I know of off-hand). As far as XML is concerned, <script></script> (with no child elements) is equivalent to <script/>, so this behavior is completely acceptable. But since this is really HTML, those rules sometimes don't apply.

Have you tried using application/xhtml+xml as your content type? If you do that, the browser might use an XML parser instead of an HTML parser, *and* you are likely to get the benefit of avoiding a quirks rendering mode and instead use a standards-compliant parser *and* renderer.

-- You are receiving this mail because: You are the assignee for the bug.

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
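As an added illustration of the serializer behaviour described in the comment (this is example code, not Tomcat's or the commenter's), the Python below contrasts a plain XML serializer, which collapses an empty `script` element to a self-closing tag, with an HTML-aware one that only self-closes the HTML void elements and writes `script`/`style` bodies raw; the sample document is constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# HTML "void" elements: the only ones an HTML parser accepts in self-closing
# form. Every other empty element, <script> above all, must be written with
# an explicit end tag, because an HTML parser treats <script/> as an opening
# tag and swallows the rest of the document as script text.
VOID_ELEMENTS = frozenset({
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "param", "source", "track", "wbr",
})

# Raw-text elements: their bodies are not entity-escaped in HTML, so
# "a < b" inside a <script> must not be written as "a &lt; b".
RAW_TEXT_ELEMENTS = frozenset({"script", "style"})


def parse(markup):
    """Parse an XHTML/XML fragment (the samples here use no namespaces)."""
    return ET.fromstring(markup)


def serialize_xml(elem):
    """What a plain XML serializer does: every empty element self-closes."""
    return ET.tostring(elem, encoding="unicode")


def serialize_html(elem):
    """HTML-aware serialization: self-close only void elements, keep
    script/style bodies raw, and entity-escape all other text."""
    tag = elem.tag
    attrs = "".join(f" {k}={quoteattr(v)}" for k, v in elem.attrib.items())
    out = [f"<{tag}{attrs}"]
    is_empty = not elem.text and len(elem) == 0
    if is_empty and tag.lower() in VOID_ELEMENTS:
        out.append("/>")
    else:
        out.append(">")
        if elem.text:
            out.append(elem.text if tag.lower() in RAW_TEXT_ELEMENTS
                       else escape(elem.text))
        for child in elem:
            out.append(serialize_html(child))
        out.append(f"</{tag}>")
    if elem.tail:
        out.append(escape(elem.tail))
    return "".join(out)


# Constructed sample resembling the JSP output from the bug report: an empty
# <script> that only references an external file, plus a real void element.
SAMPLE = ('<html><head><script src="app.js"></script></head>'
          '<body><p>hi</p><br/></body></html>')

if __name__ == "__main__":
    root = parse(SAMPLE)
    print("XML serializer :", serialize_xml(root))
    print("HTML serializer:", serialize_html(root))
```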
svn commit: r1689063 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:07:30 2015 New Revision: 1689063 URL: http://svn.apache.org/r1689063 Log: Remove unnecessary code Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689063r1=1689062r2=1689063view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:07:30 2015 @@ -54,7 +54,6 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.buf.ByteChunk; -import org.apache.tomcat.util.buf.CharChunk; import org.apache.tomcat.util.buf.MessageBytes; import org.apache.tomcat.util.descriptor.web.LoginConfig; import org.apache.tomcat.util.http.MimeHeaders; @@ -179,9 +178,6 @@ public class FormAuthModule extends Tomc } // Acquire references to objects we will need to evaluate -MessageBytes uriMB = MessageBytes.newInstance(); -CharChunk uriCC = uriMB.getCharChunk(); -uriCC.setLimit(-1); String contextPath = request.getContextPath(); String requestURI = request.getDecodedRequestURI(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
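Review bot: the removed `uriMB`/`uriCC` locals were never read (the code goes straight on to `request.getContextPath()` and `request.getDecodedRequestURI()`), so this is a clean dead-code removal and the `CharChunk` import goes with it. However `org.apache.tomcat.util.buf.MessageBytes` is still imported in the first hunk's context although its only visible use, `MessageBytes.newInstance()`, is deleted in the second; check whether the file has another use and, if not, drop that import too, otherwise the unused-import check will flag it.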
svn commit: r1689064 - /tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Author: markt Date: Fri Jul 3 19:07:52 2015 New Revision: 1689064 URL: http://svn.apache.org/r1689064 Log: Remove unnecessary code Thanks to fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1689064r1=1689063r2=1689064view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Fri Jul 3 19:07:52 2015 @@ -38,7 +38,6 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.buf.ByteChunk; -import org.apache.tomcat.util.buf.CharChunk; import org.apache.tomcat.util.buf.MessageBytes; import org.apache.tomcat.util.descriptor.web.LoginConfig; import org.apache.tomcat.util.http.MimeHeaders; @@ -208,9 +207,6 @@ public class FormAuthenticator } // Acquire references to objects we will need to evaluate -MessageBytes uriMB = MessageBytes.newInstance(); -CharChunk uriCC = uriMB.getCharChunk(); -uriCC.setLimit(-1); String contextPath = request.getContextPath(); String requestURI = request.getDecodedRequestURI(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
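Review bot: the `uriMB`/`uriCC` locals removed from `FormAuthenticator` were never read (the following lines use `request.getContextPath()` and `request.getDecodedRequestURI()` directly), so the change is safe and behaviour-preserving. The `CharChunk` import is correctly dropped, but `org.apache.tomcat.util.buf.MessageBytes` stays imported while its only use shown here, `MessageBytes.newInstance()`, is gone; verify there is another use in the file or remove the import in the same commit.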
JASPIC Implementation pointers
On 03/07/2015 15:42, Fjodor Vershinin wrote:

I am working on polishing FORM authentication module code. I will continue with that this evening.

OK. I'm commenting on commits as I apply them. Some of them have suggestions for further improvements. These improvements don't need to be implemented now (if you have time then great). As a minimum there needs to be a TODO comment added to the right place(s) in the code so you can come back to them later.

Ok, thank you.

JASPIC modules configuration looks more like architectural stuff, so we need to make some decisions on how to proceed forward.

What decisions? If you can define these before the weekend that gives folks a few days to think about it before you need answers.

For example, the way we handle module configurations. What do you think about my proposal to use Provider based config?

I think it can be a task for next week together with the SPNEGO authentication module.

SPNEGO is likely to be tricky since setting up a test environment needs server machines and some Windows Server licenses. I have a set of VMs I use for testing SPNEGO. It probably makes sense if you port it and I test it.

Let's do it that way.

Thanks, Fjodor

2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:

Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to:
- have zero arg constructors
- be fully configurable via setters
- use simple types for their property setters
How feasible is that?

I think it sounds even better, however I would like to allow security configuration only on the provider basis. Provider can be initialized with a settings HashMap, which can be passed directly to modules on initialization. And then, modules can set their own settings using the provided information.
-- Thanks, Fjodor
svn commit: r1689061 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:00:51 2015 New Revision: 1689061 URL: http://svn.apache.org/r1689061 Log: Validation extracted to separate method, in order to make exception handling easier Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689061r1=1689060r2=1689061view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:00:51 2015 @@ -27,6 +27,7 @@ import java.util.Map; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.message.AuthException; import javax.security.auth.message.AuthStatus; import javax.security.auth.message.MessageInfo; 
@@ -89,213 +90,217 @@ public class FormAuthModule extends Tomc return AuthStatus.SUCCESS; } try { +return validate(messageInfo, clientSubject); +} catch (Exception e) { +throw new AuthException(e.getMessage()); +} +} -Request request = (Request) messageInfo.getRequestMessage(); -HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); -// References to objects we will need later -Session session = null; -Principal principal = null; - -// Have we authenticated this user before but have caching disabled? -if (!isCache()) { -session = request.getSessionInternal(true); -if (log.isDebugEnabled()) { -log.debug(Checking for reauthenticate in session + session); -} -String username = (String) session.getNote(Constants.SESS_USERNAME_NOTE); -String password = (String) session.getNote(Constants.SESS_PASSWORD_NOTE); -if ((username != null) (password != null)) { -if (log.isDebugEnabled()) { -log.debug(Reauthenticating username ' + username + '); -} -PasswordValidationCallback passwordCallback = new PasswordValidationCallback( -clientSubject, username, password.toCharArray()); -handler.handle(new Callback[] { passwordCallback }); -if (!passwordCallback.getResult()) { -forwardToErrorPage(request, response, context.getLoginConfig()); -} -principal = getPrincipal(passwordCallback); -if (principal != null) { -session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); -if (!matchRequest(request)) { -CallerPrincipalCallback principalCallback = new CallerPrincipalCallback( -clientSubject, principal); -GroupPrincipalCallback groupCallback = new GroupPrincipalCallback( -clientSubject, context.getRealm().getRoles(principal)); -handler.handle(new Callback[] { principalCallback, groupCallback }); -return AuthStatus.SUCCESS; -} -} -if (log.isDebugEnabled()) { -log.debug(Reauthentication failed, proceed normally); -} -} +private AuthStatus validate(MessageInfo messageInfo, Subject clientSubject) throws IOException, +UnsupportedCallbackException { +Request request 
= (Request) messageInfo.getRequestMessage(); +HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); +// References to objects we will need later +Session session = null; +Principal principal = null; + +// Have we authenticated this user before but have caching disabled? +if (!isCache()) { +session = request.getSessionInternal(true); +if (log.isDebugEnabled()) { +log.debug(Checking for reauthenticate in session + session); } - -// Is this the re-submit of the original request URI after -// successful -// authentication? If so, forward the *original* request instead. -if
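Review bot: in `validateRequest`, `catch (Exception e) { throw new AuthException(e.getMessage()); }` loses the original exception: `AuthException(String)` does not chain a cause, so the stack trace of the `IOException` or `UnsupportedCallbackException` thrown by `validate` is gone and `getMessage()` may well be null. Construct the `AuthException`, call `initCause(e)` on it, then throw, and consider catching only the two checked types `validate` declares instead of `Exception`, which also swallows runtime errors. Separately, the code moved into `validate` (visible on the removed side) keeps an earlier problem in the reauthentication branch: after `if (!passwordCallback.getResult()) { forwardToErrorPage(request, response, context.getLoginConfig()); }` there is no `return`, so processing continues into `getPrincipal(passwordCallback)` after the error page has already been written; it should return `AuthStatus.FAILURE` (or `SEND_FAILURE`) there.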
svn commit: r1689067 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:15:06 2015 New Revision: 1689067 URL: http://svn.apache.org/r1689067 Log: Added realm and login-config fields to FormAuthModule Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689067r1=1689066r2=1689067view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:15:06 2015 @@ -69,9 +69,14 @@ public class FormAuthModule extends Tomc private String landingPage; +private Realm realm; +private LoginConfig loginConfig; + public FormAuthModule(Context context) { super(context); +this.realm = context.getRealm(); +this.loginConfig = context.getLoginConfig(); } @@ -121,7 +126,7 @@ public class FormAuthModule extends Tomc handler.handle(new Callback[] { passwordCallback }); if (!passwordCallback.getResult()) { -forwardToErrorPage(request, response, context.getLoginConfig()); +forwardToErrorPage(request, response); } principal = getPrincipal(passwordCallback); if (principal != null) { @@ -153,7 +158,7 @@ public class FormAuthModule extends Tomc CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, principal); GroupPrincipalCallback groupCallback = new GroupPrincipalCallback(clientSubject, -context.getRealm().getRoles(principal)); +realm.getRoles(principal)); handler.handle(new Callback[] { principalCallback, groupCallback }); // If we're caching principals we no longer needgetPrincipal the 
@@ -185,7 +190,6 @@ public class FormAuthModule extends Tomc boolean loginAction = requestURI.startsWith(contextPath) requestURI.endsWith(Constants.FORM_ACTION); -LoginConfig config = context.getLoginConfig(); // No -- Save this request and redirect to the form login page if (!loginAction) { @@ -201,7 +205,7 @@ public class FormAuthModule extends Tomc sm.getString(authenticator.requestBodyTooBig)); return AuthStatus.FAILURE; } -forwardToLoginPage(request, response, config); +forwardToLoginPage(request, response); return AuthStatus.SEND_CONTINUE; } @@ -221,7 +225,7 @@ public class FormAuthModule extends Tomc } principal = realm.authenticate(username, password); if (principal == null) { -forwardToErrorPage(request, response, config); +forwardToErrorPage(request, response); return AuthStatus.FAILURE; } @@ -335,21 +339,18 @@ public class FormAuthModule extends Tomc * * @param request Request we are processing * @param response Response we are populating - * @param config Login configuration describing how authentication should be - *performed * @throws IOException If the forward to the login page fails and the call * to {@link HttpServletResponse#sendError(int, String)} throws * an {@link IOException} */ -protected void forwardToLoginPage(Request request, HttpServletResponse response, -LoginConfig config) throws IOException { +protected void forwardToLoginPage(Request request, HttpServletResponse response) throws IOException { if (log.isDebugEnabled()) { log.debug(sm.getString(formAuthenticator.forwardLogin, request.getRequestURI(), -request.getMethod(), config.getLoginPage(), context.getName())); +request.getMethod(), loginConfig.getLoginPage(), context.getName())); } -String loginPage = config.getLoginPage(); +String loginPage = loginConfig.getLoginPage(); if (loginPage == null || loginPage.length() == 0) { String msg = sm.getString(formAuthenticator.noLoginPage, context.getName()); log.warn(msg); 
@@ -398,17 +399,15 @@ public class FormAuthModule extends Tomc * Called to forward to the error page * * @param request Request we are processing - * @param response Response we are populating - * @param config Login configuration describing how authentication should be - *performed - *
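Review bot: `realm` and `loginConfig` are now captured once in the constructor from `context.getRealm()` and `context.getLoginConfig()`, whereas the code before this change looked both up on every request. If the Context's Realm or login configuration is replaced after the module has been constructed (the module is created at application start, per the list discussion), the module keeps authenticating against the stale objects; either document that the module must be instantiated only after the Context is fully configured, or keep reading them through `context` on the request path and use the fields only as a convenience. The Javadoc cleanup (`@param config` removed from `forwardToLoginPage` and `forwardToErrorPage`) matches the new signatures.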
svn commit: r1689068 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:19:00 2015 New Revision: 1689068 URL: http://svn.apache.org/r1689068 Log: Extracted principal callbacks handling Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689068r1=1689067r2=1689068view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:19:00 2015 @@ -132,11 +132,7 @@ public class FormAuthModule extends Tomc if (principal != null) { session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); if (!matchRequest(request)) { -CallerPrincipalCallback principalCallback = new CallerPrincipalCallback( -clientSubject, principal); -GroupPrincipalCallback groupCallback = new GroupPrincipalCallback( -clientSubject, context.getRealm().getRoles(principal)); -handler.handle(new Callback[] { principalCallback, groupCallback }); +handlePrincipalCallbacks(clientSubject, principal); return AuthStatus.SUCCESS; } } @@ -155,11 +151,7 @@ public class FormAuthModule extends Tomc log.debug(Restore request from session ' + session.getIdInternal() + '); } principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE); -CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, -principal); -GroupPrincipalCallback groupCallback = new GroupPrincipalCallback(clientSubject, -realm.getRoles(principal)); -handler.handle(new Callback[] { principalCallback, groupCallback }); +handlePrincipalCallbacks(clientSubject, principal); // If we're caching principals we no longer needgetPrincipal the // username 
@@ -190,7 +182,6 @@ public class FormAuthModule extends Tomc boolean loginAction = requestURI.startsWith(contextPath) requestURI.endsWith(Constants.FORM_ACTION); - // No -- Save this request and redirect to the form login page if (!loginAction) { session = request.getSessionInternal(true); @@ -304,6 +295,16 @@ public class FormAuthModule extends Tomc } +private void handlePrincipalCallbacks(Subject clientSubject, Principal principal) +throws IOException, UnsupportedCallbackException { +CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, +principal); +GroupPrincipalCallback groupCallback = new GroupPrincipalCallback(clientSubject, context +.getRealm().getRoles(principal)); +handler.handle(new Callback[] { principalCallback, groupCallback }); +} + + private boolean isCache() { return true; } @@ -343,7 +344,8 @@ public class FormAuthModule extends Tomc * to {@link HttpServletResponse#sendError(int, String)} throws * an {@link IOException} */ -protected void forwardToLoginPage(Request request, HttpServletResponse response) throws IOException { +protected void forwardToLoginPage(Request request, HttpServletResponse response) +throws IOException { if (log.isDebugEnabled()) { log.debug(sm.getString(formAuthenticator.forwardLogin, request.getRequestURI(), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
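Review bot: the new `handlePrincipalCallbacks` helper fetches roles via `context.getRealm().getRoles(principal)`, while the second inlined block it replaces used the `realm` field (`realm.getRoles(principal)`); use one of them, preferably the `realm` field the class now holds, so both former call sites behave identically. A Javadoc line saying that this is where the client `Subject` is populated through `CallerPrincipalCallback` and `GroupPrincipalCallback` would help, since it is the one place the JASPIC callback contract is satisfied in this module. The `forwardToLoginPage` change is whitespace only.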
svn commit: r1689069 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:20:20 2015 New Revision: 1689069 URL: http://svn.apache.org/r1689069 Log: Extracted expired session handling Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689069r1=1689068r2=1689069view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:20:20 2015 @@ -204,11 +204,12 @@ public class FormAuthModule extends Tomc // credentials // and redirect to the error page if they are not correct request.getResponse().sendAcknowledgement(); -Realm realm = context.getRealm(); + // TODO fix character encoding // if (characterEncoding != null) { // request.setCharacterEncoding(characterEncoding); // } + String username = request.getParameter(Constants.FORM_USERNAME); String password = request.getParameter(Constants.FORM_PASSWORD); if (log.isDebugEnabled()) { 
@@ -228,25 +229,7 @@ public class FormAuthModule extends Tomc session = request.getSessionInternal(false); } if (session == null) { -// if (containerLog.isDebugEnabled()) { -// containerLog.debug -// (User took so long to log on the session expired); -// } -if (landingPage == null) { -response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, -sm.getString(authenticator.sessionExpired)); -} else { -// Make the authenticator think the user originally -// requested -// the landing page -String uri = request.getContextPath() + landingPage; -SavedRequest saved = new SavedRequest(); -saved.setMethod(GET); -saved.setRequestURI(uri); -saved.setDecodedRequestURI(uri); - request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved); -response.sendRedirect(response.encodeRedirectURL(uri)); -} +handleSessionExpired(request, response); return AuthStatus.FAILURE; } @@ -295,6 +278,25 @@ public class FormAuthModule extends Tomc } +private void handleSessionExpired(Request request, HttpServletResponse response) +throws IOException { +if (landingPage == null) { +response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, +sm.getString(authenticator.sessionExpired)); +return; +} +// Make the authenticator think the user originally +// requested +// the landing page +String uri = request.getContextPath() + landingPage; +SavedRequest saved = new SavedRequest(); +saved.setMethod(GET); +saved.setRequestURI(uri); +saved.setDecodedRequestURI(uri); +request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved); +} + + private void handlePrincipalCallbacks(Subject clientSubject, Principal principal) throws IOException, UnsupportedCallbackException { CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
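Review bot: `handleSessionExpired` drops a call that the inline code it replaces had: after saving the `SavedRequest` for the landing page, the original ended with `response.sendRedirect(response.encodeRedirectURL(uri));`, but the extracted method ends at `request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved);` and never redirects. With `landingPage` set, the caller then returns `AuthStatus.FAILURE` with nothing written to the response, so the user gets a blank failure instead of being sent to the landing page. Restore the `sendRedirect`; the deleted commented-out debug line about the session having expired could become a real `log.debug` at the same time.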
svn commit: r1689073 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:49:08 2015 New Revision: 1689073 URL: http://svn.apache.org/r1689073 Log: Extracted is login action request check Removed password validation callback, because we can use Realm directly Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689073r1=1689072r2=1689073view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:49:08 2015 @@ -107,7 +107,7 @@ public class FormAuthModule extends Tomc HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); // Have we authenticated this user before but have caching disabled? -if (!isCache()) { +if (!isCache()) { //TODO Ask is it required? May be principal must be always cached Session session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug(Checking for reauthenticate in session + session); 
@@ -118,21 +118,18 @@ public class FormAuthModule extends Tomc if (log.isDebugEnabled()) { log.debug(Reauthenticating username ' + username + '); } -PasswordValidationCallback passwordCallback = new PasswordValidationCallback( -clientSubject, username, password.toCharArray()); -handler.handle(new Callback[] { passwordCallback }); - -if (!passwordCallback.getResult()) { +Principal principal = realm.authenticate(username, password); +if (principal == null) { forwardToErrorPage(request, response); +return AuthStatus.FAILURE; } -Principal principal = getPrincipal(passwordCallback); -if (principal != null) { -session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); -if (!isMatchingSavedRequest(request)) { -handlePrincipalCallbacks(clientSubject, principal); -return AuthStatus.SUCCESS; -} + +session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); +if (!isMatchingSavedRequest(request)) { +handlePrincipalCallbacks(clientSubject, principal); +return AuthStatus.SUCCESS; } + if (log.isDebugEnabled()) { log.debug(Reauthentication failed, proceed normally); } @@ -146,14 +143,7 @@ public class FormAuthModule extends Tomc return submitSavedRequest(clientSubject, request, response); } -String contextPath = request.getContextPath(); -String requestURI = request.getDecodedRequestURI(); - -// Is this the action request from the login page? -boolean loginAction = requestURI.startsWith(contextPath) - requestURI.endsWith(Constants.FORM_ACTION); - -if (!loginAction) { +if (!isLoginActionRequest(request)) { return handleNoLoginAction(request, response); } @@ -597,10 +587,11 @@ public class FormAuthModule extends Tomc SavedRequest saved = new SavedRequest(); Cookie cookies[] = request.getCookies(); if (cookies != null) { -for (int i = 0; i cookies.length; i++) { -saved.addCookie(cookies[i]); +for (Cookie cookie : cookies) { +saved.addCookie(cookie); } } + EnumerationString names = request.getHeaderNames(); while (names.hasMoreElements()) { String name = names.nextElement(); 
@@ -666,4 +657,12 @@ public class FormAuthModule extends Tomc return (sb.toString()); } + + +private boolean isLoginActionRequest(Request request) { +String contextPath = request.getContextPath(); +String requestURI = request.getDecodedRequestURI(); +return requestURI.startsWith(contextPath) requestURI.endsWith(Constants.FORM_ACTION); +} + } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
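Review bot: replacing `PasswordValidationCallback` with `realm.authenticate(username, password)` in the reauthentication branch means that path no longer goes through the JASPIC `CallbackHandler` at all (only `CallerPrincipalCallback`/`GroupPrincipalCallback` still do), which ties the module to Tomcat's `Realm` and bypasses any handler a deployment supplies for password validation; if that coupling is intended for the built-in provider, say so in a comment next to the call. The added `return AuthStatus.FAILURE;` after `forwardToErrorPage` fixes the earlier fall-through, good. On the `//TODO Ask is it required? May be principal must be always cached` line: `isCache()` currently returns a constant `true`, so the whole branch, including reading `SESS_PASSWORD_NOTE` from the session, is dead until it is wired to configuration; keeping the cleartext password in a session note is only justified when caching is actually disabled, so that decision should be made before the branch becomes reachable. `isLoginActionRequest` and the for-each loop over cookies are straightforward extractions.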
svn commit: r1689077 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:58:28 2015 New Revision: 1689077 URL: http://svn.apache.org/r1689077 Log: Enabled character encoding Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689077r1=1689076r2=1689077view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:58:28 2015 @@ -68,6 +68,7 @@ public class FormAuthModule extends Tomc HttpServletResponse.class }; private String landingPage; +private String characterEncoding; private Realm realm; private LoginConfig loginConfig; @@ -222,10 +223,9 @@ public class FormAuthModule extends Tomc request.getResponse().sendAcknowledgement(); -// TODO fix character encoding -// if (characterEncoding != null) { -// request.setCharacterEncoding(characterEncoding); -// } +if (characterEncoding != null) { +request.setCharacterEncoding(characterEncoding); +} String username = request.getParameter(Constants.FORM_USERNAME); String password = request.getParameter(Constants.FORM_PASSWORD); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
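Review bot: the new `characterEncoding` field is declared but nothing in this change assigns it (no setter, no constructor argument, no read from the `options` map in `initializeModule`), so `if (characterEncoding != null)` is always false and the removed TODO is effectively still open. Add a `setCharacterEncoding(String)` (or read it from the module options) so the provider-level configuration being discussed on the list can set it, and keep the call where it is, before the first `request.getParameter(...)`, since setting the encoding after the parameters have been parsed has no effect.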
svn commit: r1689078 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules: BasicAuthModule.java DigestAuthModule.java FormAuthModule.java TomcatAuthModule.java
Author: markt Date: Fri Jul 3 20:00:56 2015 New Revision: 1689078 URL: http://svn.apache.org/r1689078 Log: JASPIC callback management moved to parent class Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java?rev=1689078r1=1689077r2=1689078view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java Fri Jul 3 20:00:56 2015 @@ -29,8 +29,6 @@ import javax.security.auth.message.AuthE import javax.security.auth.message.AuthStatus; import javax.security.auth.message.MessageInfo; import javax.security.auth.message.MessagePolicy; -import javax.security.auth.message.callback.CallerPrincipalCallback; -import javax.security.auth.message.callback.GroupPrincipalCallback; import javax.security.auth.message.callback.PasswordValidationCallback; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
@@ -91,14 +89,7 @@ public class BasicAuthModule extends Tom if (!passwordCallback.getResult()) { sendUnauthorizedError(response, realmName); } - -GenericPrincipal principal = getPrincipal(passwordCallback); - -CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, -principal); -GroupPrincipalCallback groupCallback = new GroupPrincipalCallback(clientSubject, -principal.getRoles()); -handler.handle(new Callback[] { principalCallback, groupCallback }); +handlePrincipalCallbacks(clientSubject, getPrincipal(passwordCallback)); return AuthStatus.SUCCESS; } catch (Exception e) { Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java?rev=1689078r1=1689077r2=1689078view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java Fri Jul 3 20:00:56 2015 @@ -25,15 +25,12 @@ import java.util.LinkedHashMap; import java.util.Map; import javax.security.auth.Subject; -import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.message.AuthException; import javax.security.auth.message.AuthStatus; import javax.security.auth.message.MessageInfo; import javax.security.auth.message.MessagePolicy; -import javax.security.auth.message.callback.CallerPrincipalCallback; -import javax.security.auth.message.callback.GroupPrincipalCallback; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
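Review bot: in BasicAuthModule, `if (!passwordCallback.getResult()) { sendUnauthorizedError(response, realmName); }` is not followed by a return, so a failed password check falls through to `handlePrincipalCallbacks(clientSubject, getPrincipal(passwordCallback));` and `return AuthStatus.SUCCESS;`. Unless getPrincipal throws for a failed callback, the caller ends up authenticated after a 401 has already been written. Add `return AuthStatus.SEND_FAILURE;` directly after sending the error. The fall-through predates this refactoring, but the method is being rewritten here and the fix belongs with it.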
@@ -259,11 +256,7 @@ public class DigestAuthModule extends To } try { -CallerPrincipalCallback principalCallback = new CallerPrincipalCallback(clientSubject, -principal); -String[] roles = realm.getRoles(principal); -GroupPrincipalCallback groupCallback = new GroupPrincipalCallback(clientSubject, roles); -handler.handle(new Callback[] { principalCallback, groupCallback }); +handlePrincipalCallbacks(clientSubject, principal); } catch (IOException | UnsupportedCallbackException e) { throw new AuthException(e.getMessage()); } Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689078r1=1689077r2=1689078view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++
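Review bot: the Digest path previously resolved roles with `realm.getRoles(principal)` while the Basic path called `principal.getRoles()` on a GenericPrincipal; both now delegate to handlePrincipalCallbacks(clientSubject, principal), whose implementation is not in this diff. Check that the parent method accepts a plain Principal (the Digest case) and resolves roles through the Realm rather than casting to GenericPrincipal, otherwise Digest authentication either fails with a ClassCastException or silently loses its groups.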
Re: JASPIC Implementation pointers
On 03/07/2015 18:55, Fjodor Vershinin wrote: On 03/07/2015 15:42, Fjodor Vershinin wrote: I am working on polishing FORM authentication module code. I will continue with that this evening. OK. I'm commenting on commits as I apply them. Some of them have suggestions for further improvements. These improvements don't need to be implemented now (if you have time then great). As a minimum there needs to be a TODO comment added to the right place(s) in the code so you can come back to them later. Ok, thank you. JASPIC modules configuration looks more like architectural stuff, so we need to make some decisions on how to proceed forward. What decisions? If you can define these before the weekend that gives folks a few days to think about it before you need answers. For example the way we handle module configurations. What do you think about my proposal to use Provider based config? I'll start a new thread for that. One topic per thread is easier for other people to follow. Mark I think it can be a task for next week together with the SPNEGO authentication module. SPNEGO is likely to be tricky since setting up a test environment needs server machines and some Windows Server licenses. I have a set of VMs I use for testing SPNEGO. It probably makes sense if you port it and I test it. Let's do it that way. Thanks, Fjodor 2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net: Another option would be to define a jaspic element for server.xml / context.xml that is nested in a Context and if present takes precedence for JASPIC config. For that to work modules would have to: - have zero arg constructors - be fully configurable via setters - use simple types for their property setters How feasible is that? I think it sounds even better, however I would like to allow security configuration only on the provider basis. Provider can be initialized with a settings HashMap, which can be passed directly to modules on initialization.
And then, modules can set their own settings using the provided information. -- Thanks, Fjodor
svn commit: r1689071 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:23:18 2015 New Revision: 1689071 URL: http://svn.apache.org/r1689071 Log: Extracted login and non-login actions Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689071r1=1689070r2=1689071view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:23:18 2015 
@@ -182,27 +182,54 @@ public class FormAuthModule extends Tomc boolean loginAction = requestURI.startsWith(contextPath) requestURI.endsWith(Constants.FORM_ACTION); -// No -- Save this request and redirect to the form login page if (!loginAction) { -session = request.getSessionInternal(true); -if (log.isDebugEnabled()) { -log.debug(Save request in session ' + session.getIdInternal() + '); -} -try { -saveRequest(request, session); -} catch (IOException ioe) { -log.debug(Request body too big to save during authentication); -response.sendError(HttpServletResponse.SC_FORBIDDEN, -sm.getString(authenticator.requestBodyTooBig)); -return AuthStatus.FAILURE; -} -forwardToLoginPage(request, response); -return AuthStatus.SEND_CONTINUE; -} - -// Yes -- Acknowledge the request, validate the specified -// credentials -// and redirect to the error page if they are not correct +return handleNoLoginAction(request, response); +} + +return handleLoginAction(request, response); +} + + +/** + * Save this request and redirect to the form login page + * + * @param request + * @param response + * @return + * @throws IOException + */ +private AuthStatus handleNoLoginAction(Request request, HttpServletResponse response) +throws IOException { +Session session = request.getSessionInternal(true); +if (log.isDebugEnabled()) { +log.debug(Save request in session ' + session.getIdInternal() + '); +} +try { +saveRequest(request, session); +} catch (IOException ioe) { +log.debug(Request body too big to save during authentication); +response.sendError(HttpServletResponse.SC_FORBIDDEN, +sm.getString(authenticator.requestBodyTooBig)); +return AuthStatus.FAILURE; +} + +forwardToLoginPage(request, response); +return AuthStatus.SEND_CONTINUE; +} + + +/** + * Acknowledge the request, validate the specified and redirect to the error + * page if they are not correct + * + * @param request + * @param response + * @return + * @throws IOException + */ +private AuthStatus handleLoginAction(Request request, 
HttpServletResponse response) +throws IOException { + request.getResponse().sendAcknowledgement(); // TODO fix character encoding @@ -215,7 +242,7 @@ public class FormAuthModule extends Tomc if (log.isDebugEnabled()) { log.debug(Authenticating username ' + username + '); } -principal = realm.authenticate(username, password); +Principal principal = realm.authenticate(username, password); if (principal == null) { forwardToErrorPage(request, response); return AuthStatus.FAILURE; @@ -225,9 +252,7 @@ public class FormAuthModule extends Tomc log.debug(Authentication of ' + username + ' was successful); } -if (session == null) { -session = request.getSessionInternal(false); -} +Session session = request.getSessionInternal(false); if (session == null) { handleSessionExpired(request, response); return AuthStatus.FAILURE; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
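Review bot: both extracted helpers return AuthStatus.FAILURE after a response has already been written (the 403 in handleNoLoginAction, the error page and handleSessionExpired in handleLoginAction). The validateRequest contract defines SUCCESS, SEND_SUCCESS, SEND_CONTINUE and SEND_FAILURE; FAILURE is the status for secureResponse. Return SEND_FAILURE so the calling authenticator knows a failure response is already committed and does not try to send another. Also, the Javadoc on handleLoginAction reads "validate the specified and redirect" (the word "credentials" is missing) and both Javadoc blocks carry empty @param, @return and @throws tags; fill them in or drop them.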
svn commit: r1689080 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 20:03:51 2015 New Revision: 1689080 URL: http://svn.apache.org/r1689080 Log: Change session id on authenication field added Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689080r1=1689079r2=1689080view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 20:03:51 2015 @@ -70,6 +70,8 @@ public class FormAuthModule extends Tomc private Realm realm; private LoginConfig loginConfig; +private boolean changeSessionIdOnAuthenication = true; + public FormAuthModule(Context context) { super(context); @@ -392,7 +394,7 @@ public class FormAuthModule extends Tomc private boolean getChangeSessionIdOnAuthentication() { -return true;// FIXME +return changeSessionIdOnAuthenication ; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
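Review bot: the new field is spelled `changeSessionIdOnAuthenication` (missing a "t") while the getter is getChangeSessionIdOnAuthentication, and there is a stray space before the `;` in `return changeSessionIdOnAuthenication ;`. Fix the spelling now, before a setter exposes it as a configuration attribute name. Keep the default of true: rotating the session id at login is the session-fixation defence the FormAuthenticator already provides, so when the option is wired up it should be documented as a security setting rather than a tuning one.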
svn commit: r1689070 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:21:17 2015 New Revision: 1689070 URL: http://svn.apache.org/r1689070 Log: Meaningful name for variable Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689070r1=1689069r2=1689070view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:21:17 2015 @@ -242,11 +242,11 @@ public class FormAuthModule extends Tomc // Redirect the user to the original request URI (which will cause // the original request to be restored) -requestURI = savedRequestURL(session); +String savedRequestUrl = savedRequestURL(session); if (log.isDebugEnabled()) { -log.debug(Redirecting to original ' + requestURI + '); +log.debug(Redirecting to original ' + savedRequestUrl + '); } -if (requestURI == null) { +if (savedRequestUrl == null) { if (landingPage == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, sm.getString(authenticator.formlogin)); @@ -267,7 +267,7 @@ public class FormAuthModule extends Tomc // to // use. Response internalResponse = request.getResponse(); -String location = response.encodeRedirectURL(requestURI); +String location = response.encodeRedirectURL(savedRequestUrl); if (HTTP/1.1.equals(request.getProtocol())) { internalResponse.sendRedirect(location, HttpServletResponse.SC_SEE_OTHER); } else { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
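Review bot: the local is now `savedRequestUrl` while the helper it is read from is `savedRequestURL(session)`; pick one casing so the two read as the same thing. Otherwise this is a straightforward rename: the redirect target is still the URI captured by saveRequest and still passes through encodeRedirectURL, so behaviour is unchanged.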
svn commit: r1689072 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 19:32:52 2015 New Revision: 1689072 URL: http://svn.apache.org/r1689072 Log: extracted sending saved request Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689072r1=1689071r2=1689072view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:32:52 2015 @@ -105,13 +105,10 @@ public class FormAuthModule extends Tomc UnsupportedCallbackException { Request request = (Request) messageInfo.getRequestMessage(); HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); -// References to objects we will need later -Session session = null; -Principal principal = null; // Have we authenticated this user before but have caching disabled? if (!isCache()) { -session = request.getSessionInternal(true); +Session session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug(Checking for reauthenticate in session + session); } @@ -128,10 +125,10 @@ public class FormAuthModule extends Tomc if (!passwordCallback.getResult()) { forwardToErrorPage(request, response); } -principal = getPrincipal(passwordCallback); +Principal principal = getPrincipal(passwordCallback); if (principal != null) { session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); -if (!matchRequest(request)) { +if (!isMatchingSavedRequest(request)) { handlePrincipalCallbacks(clientSubject, principal); return AuthStatus.SUCCESS; } 
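Review bot: in the `!isCache()` branch, `if (!passwordCallback.getResult()) { forwardToErrorPage(request, response); }` has no return, so after the error page has been forwarded the code continues into `Principal principal = getPrincipal(passwordCallback);` and, if that is non-null, stores the principal in the session and returns SUCCESS. Return SEND_FAILURE immediately after forwardToErrorPage. Renaming matchRequest to isMatchingSavedRequest is a good readability change.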
@@ -145,36 +142,10 @@ public class FormAuthModule extends Tomc // Is this the re-submit of the original request URI after // successful // authentication? If so, forward the *original* request instead. -if (matchRequest(request)) { -session = request.getSessionInternal(true); -if (log.isDebugEnabled()) { -log.debug(Restore request from session ' + session.getIdInternal() + '); -} -principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE); -handlePrincipalCallbacks(clientSubject, principal); - -// If we're caching principals we no longer needgetPrincipal the -// username -// and password in the session, so remove them -if (isCache()) { -session.removeNote(Constants.SESS_USERNAME_NOTE); -session.removeNote(Constants.SESS_PASSWORD_NOTE); -} -if (restoreRequest(request, session)) { -if (log.isDebugEnabled()) { -log.debug(Proceed to restored request); -} -return AuthStatus.SUCCESS; -} else { -if (log.isDebugEnabled()) { -log.debug(Restore of original request failed); -} -response.sendError(HttpServletResponse.SC_BAD_REQUEST); -return AuthStatus.FAILURE; -} +if (isMatchingSavedRequest(request)) { +return submitSavedRequest(clientSubject, request, response); } -// Acquire references to objects we will need to evaluate String contextPath = request.getContextPath(); String requestURI = request.getDecodedRequestURI(); 
@@ -190,6 +161,37 @@ public class FormAuthModule extends Tomc } +private AuthStatus submitSavedRequest(Subject clientSubject, Request request, +HttpServletResponse response) throws IOException, UnsupportedCallbackException { +Session session = request.getSessionInternal(true); +if (log.isDebugEnabled()) { +log.debug(Restore request from session ' + session.getIdInternal() + '); +} +Principal principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE); +handlePrincipalCallbacks(clientSubject, principal); + +// If we're caching principals we no longer need getPrincipal the +// username +// and password in the session, so remove them +if (isCache()) { +session.removeNote(Constants.SESS_USERNAME_NOTE); +
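Review bot: submitSavedRequest casts `session.getNote(Constants.FORM_PRINCIPAL_NOTE)` to Principal and hands it straight to handlePrincipalCallbacks without a null check; if the note is absent (the session was replaced, or the principal was never stored) this either authenticates a null principal or fails with an NPE inside the callback handler. Guard the lookup and return SEND_FAILURE when the note is missing. The moved comment also still reads "we no longer need getPrincipal the username and password"; it should say "we no longer need the username and password".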
svn commit: r1689082 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
Author: markt Date: Fri Jul 3 20:08:18 2015 New Revision: 1689082 URL: http://svn.apache.org/r1689082 Log: Extracted saved authentication handling to separate method Patch by fjodorver Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689082r1=1689081r2=1689082view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 20:08:18 2015 
@@ -106,32 +106,8 @@ public class FormAuthModule extends Tomc Request request = (Request) messageInfo.getRequestMessage(); HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); -// Have we authenticated this user before but have caching disabled? -if (!cachePrincipalsInSession) { -Session session = request.getSessionInternal(true); -if (log.isDebugEnabled()) { -log.debug(Checking for reauthenticate in session + session); -} -String username = (String) session.getNote(Constants.SESS_USERNAME_NOTE); -String password = (String) session.getNote(Constants.SESS_PASSWORD_NOTE); -if ((username != null) (password != null)) { -if (log.isDebugEnabled()) { -log.debug(Reauthenticating username ' + username + '); -} -Principal principal = realm.authenticate(username, password); -if (principal == null) { -forwardToErrorPage(request, response); -return AuthStatus.FAILURE; -} - -session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); -if (isMatchingSavedRequest(request)) { -return submitSavedRequest(clientSubject, request, response); -} - -handlePrincipalCallbacks(clientSubject, principal); -return AuthStatus.SUCCESS; -} +if (!cachePrincipalsInSession isUserAuthenicatedBefore(request)) { +return handleSavedCredentials(clientSubject, request, response); } // Is this the re-submit of the original request URI after 
@@ -149,6 +125,43 @@ public class FormAuthModule extends Tomc } +private AuthStatus handleSavedCredentials(Subject clientSubject, Request request, +HttpServletResponse response) throws IOException, UnsupportedCallbackException { +Session session = request.getSessionInternal(true); +if (log.isDebugEnabled()) { +log.debug(Checking for reauthenticate in session + session); +} + +String username = (String) session.getNote(Constants.SESS_USERNAME_NOTE); +String password = (String) session.getNote(Constants.SESS_PASSWORD_NOTE); +if (log.isDebugEnabled()) { +log.debug(Reauthenticating username ' + username + '); +} + +Principal principal = realm.authenticate(username, password); +if (principal == null) { +forwardToErrorPage(request, response); +return AuthStatus.FAILURE; +} + +session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); +if (isMatchingSavedRequest(request)) { +return submitSavedRequest(clientSubject, request, response); +} + +handlePrincipalCallbacks(clientSubject, principal); +return AuthStatus.SUCCESS; +} + + +private boolean isUserAuthenicatedBefore(Request request) { +Session session = request.getSessionInternal(true); +String username = (String) session.getNote(Constants.SESS_USERNAME_NOTE); +String password = (String) session.getNote(Constants.SESS_PASSWORD_NOTE); +return username != null password != null; +} + + private AuthStatus submitSavedRequest(Subject clientSubject, Request request, HttpServletResponse response) throws IOException, UnsupportedCallbackException { Session session = request.getSessionInternal(true); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
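Review bot: isUserAuthenicatedBefore is misspelled (should be isUserAuthenticatedBefore) and calls getSessionInternal(true), so a session is created as a side effect of merely testing for saved credentials; use getSessionInternal(false) and return false when there is none. handleSavedCredentials then fetches the session and both notes a second time and no longer checks them for null itself, so it must only ever be reached through that guard; a short comment saying so, or passing the session and credentials in as parameters, would make that dependency explicit. Since SESS_USERNAME_NOTE and SESS_PASSWORD_NOTE hold the cleartext credentials for reauthentication, the option that disables principal caching should document that it keeps the password in the session for the session's lifetime.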
JASPIC configuration
On 03/07/2015 18:55, Fjodor Vershinin wrote: For example the way how we handle module configurations. What do you think about my proposal to use Provider based config? OK. We need the configuration settings in the ServerAuthModule implementations. It is pretty clear from the API that those settings are meant to be passed via the options Map in initialize(). initialize() is called from the constructor of TomcatServerAuthContext. The options Map is an argument to that constructor. Question 1 why pass in the module and all the other parameters to the constructor when you could configure the module before calling the constructor and just pass in the configured module? That constructor is called from TomcatAuthConfig.getAuthContext() which passes in a properties Map. It looks as if the intention is that that properties map contains the configuration settings for the module(s). It would be reasonable to create a new Map, add those properties, add any internal properties (like the Realm name) and pass the newly created Map to the module. That has the added bonus (hopefully - it depends exactly on the properties) of isolating the module from any later changes the caller may make. TomcatAuthConfig.getAuthContext() is called from JaspicAuthenticator.authenticate(). A quick aside here. How many of the calls in that method might change their return values between different requests? Any that will not would be better placed in start() for better performance. Getting back to configuration, the JaspicAuthenticator has the authProperties Map. If this Map were populated with the necessary configuration settings, we can now see a path to getting this to the ServerAuthModule where they are required. server.xml is processed by the Digester. Understanding how that works can take a little while.
The short version is it uses introspection to set properties on objects and we can use this to set configuration settings on the JaspicAuthenticator - in exactly the same way as we currently do for the BasicAuthenticator, DigestAuthenticator etc. This has the added bonus that as long as we keep the attribute names the same, users can migrate their settings to use JASPIC simply by changing the name of the Authenticator class they specify in server.xml / context.xml. For this to work, we need to be able to put all the configuration settings for JaspicAuthenticator in the authProperties Map. Luckily we don't need to define every possible setting - the Digester supports generic methods. If you add setProperty(String, String) and getProperty(String) methods to the JaspicAuthenticator then the Digester will do the rest. With all the information above you should have what you need to get settings from a JaspicAuthenticator in server.xml / context.xml all the way to the ServerAuthModule. If you need any help - particularly around the Digester or configuring the authenticator in server.xml / context.xml just ask. Finally, feel free to ignore all of the above and go a different route but be prepared to justify why you think the different route is better. HTH and have a good weekend, Mark P.S. Congratulations on passing your mid-term.
svn commit: r1689075 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules: FormAuthModule.java TomcatAuthModule.java
Author: markt Date: Fri Jul 3 19:57:38 2015 New Revision: 1689075 URL: http://svn.apache.org/r1689075 Log: Principal cache settings moved into parent class Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689075r1=1689074r2=1689075view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java Fri Jul 3 19:57:38 2015 @@ -107,7 +107,7 @@ public class FormAuthModule extends Tomc HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); // Have we authenticated this user before but have caching disabled? -if (!isCache()) { //TODO Ask is it required? May be principal must be always cached +if (!cachePrincipalsInSession) { Session session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug(Checking for reauthenticate in session + session); @@ -125,14 +125,12 @@ public class FormAuthModule extends Tomc } session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); -if (!isMatchingSavedRequest(request)) { -handlePrincipalCallbacks(clientSubject, principal); -return AuthStatus.SUCCESS; +if (isMatchingSavedRequest(request)) { +return submitSavedRequest(clientSubject, request, response); } -if (log.isDebugEnabled()) { -log.debug(Reauthentication failed, proceed normally); -} +handlePrincipalCallbacks(clientSubject, principal); +return AuthStatus.SUCCESS; } } 
@@ -163,7 +161,7 @@ public class FormAuthModule extends Tomc // If we're caching principals we no longer need getPrincipal the // username // and password in the session, so remove them -if (isCache()) { +if (cachePrincipalsInSession) { session.removeNote(Constants.SESS_USERNAME_NOTE); session.removeNote(Constants.SESS_PASSWORD_NOTE); } @@ -324,11 +322,6 @@ public class FormAuthModule extends Tomc } -private boolean isCache() { -return true; -} - - @Override public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { Modified: tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java?rev=1689075r1=1689074r2=1689075view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java Fri Jul 3 19:57:38 2015 @@ -51,6 +51,8 @@ public abstract class TomcatAuthModule i protected Context context; +protected boolean cachePrincipalsInSession = true; + public TomcatAuthModule(Context context) { this.context = context; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
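Review bot: cachePrincipalsInSession is now a protected, mutable field with no setter and no initialize() option, so in practice it is a constant true, and the TODO asking whether caching should be optional at all was removed together with isCache() rather than answered. Either wire the flag into the module options (and document that false keeps the cleartext username and password in session notes so the Realm can be re-queried on every request) or make it final until that decision is taken. The restructured reauthentication branch, submitSavedRequest when the saved request matches and otherwise callbacks plus SUCCESS, reads more clearly than the inverted version it replaces.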
Re: JASPIC Implementation pointers
Hi! Unfortunately, commit rearrangement requires some more effort from me, so I haven't finished it yesterday. I need some more time to fix checkstyle errors and so on. We can change the way users have to configure it. For example, we could say they have to use programmatic configuration via the standard JASPIC interfaces if they want to use non-default settings. I see your point. The best option in my opinion is to pass these options through LoginConfig/Context in ContextConfig. We can figure out how to set these options in a programmatic way and then refresh the context provider in order to reinitialize authentication modules. Thanks, Fjodor