This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
     new 12b8572  BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
12b8572 is described below

commit 12b857227b2671c9c871aa324cf5fc25c5d53c9a
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Wed Aug 21 23:23:19 2019 +0200

    BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
---
 java/org/apache/catalina/GSSRealm.java            | 45 ++++++++++++++++
 java/org/apache/catalina/realm/CombinedRealm.java | 43 ++++++++++++++++
 java/org/apache/catalina/realm/LockOutRealm.java  | 13 +++++
 java/org/apache/catalina/realm/RealmBase.java     | 62 ++++++++++++++++++-----
 webapps/docs/changelog.xml                        |  4 ++
 5 files changed, 155 insertions(+), 12 deletions(-)

diff --git a/java/org/apache/catalina/GSSRealm.java b/java/org/apache/catalina/GSSRealm.java
new file mode 100644
index 0000000..2f4b16f
--- /dev/null
+++ b/java/org/apache/catalina/GSSRealm.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina;
+
+import java.security.Principal;
+
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSName;
+
+/**
+ * A <b>GSSRealm</b> is a specialized realm for GSS-based principals.
+ *
+ * @deprecated This will be removed in Tomcat 9 and integrated into {@link Realm}.
+ */
+@Deprecated
+public interface GSSRealm extends Realm {
+
+
+    // --------------------------------------------------------- Public Methods
+
+    /**
+     * Try to authenticate using a {@link GSSName}
+     *
+     * @param gssName The {@link GSSName} of the principal to look up
+     * @param gssCredential The {@link GSSCredential} of the principal, may be
+     *            {@code null}
+     * @return the associated principal, or {@code null} if there is none
+     */
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential);
+
+}
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 59511fa..cd64d99 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
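Review bot: The Javadoc of `authenticate(GSSName, GSSCredential)` leaves two things unstated that the implementations in this same commit already disagree on: whether `gssName` may be `null` (RealmBase returns `null` for it, CombinedRealm and LockOutRealm call `gssName.toString()` on their first line), and the fact that the method verifies nothing about the name itself — it only looks up a principal for a name the caller has already authenticated through an established `GSSContext`. I would pin both in the interface: `@param gssName The {@link GSSName} of the principal to look up, must not be {@code null}` and a sentence such as `The name is trusted as-is; callers must only pass a name obtained from an established GSSContext.`. Since the `@deprecated` note says this method will be folded into {@link Realm} in Tomcat 9, whatever rule is chosen here will carry forward, so it is worth settling now.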
@@ -26,12 +26,14 @@ import java.util.List;
 
 import javax.management.ObjectName;
 
 import org.apache.catalina.Container;
+import org.apache.catalina.GSSRealm;
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Realm;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
@@ -393,6 +395,47 @@ public class CombinedRealm extends RealmBase {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        Principal authenticatedUser = null;
+        String username = gssName.toString();
+
+        for (Realm realm : realms) {
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("combinedRealm.authStart",
+                        username, realm.getClass().getName()));
+            }
+
+            if (!(realm instanceof GSSRealm)) {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authFail",
+                            username, realm.getClass().getName()));
+                }
+
+                continue;
+            }
+
+            authenticatedUser = ((GSSRealm) realm).authenticate(gssName, gssCredential);
+
+            if (authenticatedUser == null) {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authFail",
+                            username, realm.getClass().getName()));
+                }
+            } else {
+                if (log.isDebugEnabled()) {
+                    log.debug(sm.getString("combinedRealm.authSuccess",
+                            username, realm.getClass().getName()));
+                }
+                break;
+            }
+        }
+        return authenticatedUser;
+    }
+
     @Override
     @Deprecated
     protected String getName() {
diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java
index 8bf0691..119c2b6 100644
--- a/java/org/apache/catalina/realm/LockOutRealm.java
+++ b/java/org/apache/catalina/realm/LockOutRealm.java
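Review bot: `String username = gssName.toString();` on the second line of the new `authenticate(GSSName, GSSCredential)` throws a NullPointerException for a `null` name, whereas the RealmBase implementation added in this same commit returns `null` for that case; the two entry points should agree, e.g. open the method with `if (gssName == null) { return null; }` before the `toString()` call. A smaller point in the same hunk: a nested realm that is not a `GSSRealm` is skipped but logged under the `combinedRealm.authFail` key, which reads in a debug log as a failed authentication attempt rather than an unsupported realm; a dedicated message, or at least `// not a GSSRealm: skipped, not a failed attempt` on the `continue` branch, would keep the log honest. The new method lies entirely within the hunk; `getName()` at the bottom continues outside it.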
@@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSName;
 
@@ -205,6 +206,18 @@ public class LockOutRealm extends CombinedRealm {
         return null;
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        String username = gssName.toString();
+
+        Principal authenticatedUser = super.authenticate(gssName, gssCredential);
+
+        return filterLockedAccounts(username, authenticatedUser);
+    }
+
 
     /*
      * Filters authenticated principals to ensure that <code>null</code> is
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index d321c56..807c28b 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -38,10 +38,10 @@ import org.apache.catalina.Container;
 import org.apache.catalina.Context;
 import org.apache.catalina.CredentialHandler;
 import org.apache.catalina.Engine;
+import org.apache.catalina.GSSRealm;
 import org.apache.catalina.Host;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleState;
-import org.apache.catalina.Realm;
 import org.apache.catalina.Server;
 import org.apache.catalina.Service;
 import org.apache.catalina.Wrapper;
@@ -71,7 +71,7 @@ import org.ietf.jgss.GSSName;
  *
  * @author Craig R. McClanahan
  */
-public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
+public abstract class RealmBase extends LifecycleMBeanBase implements GSSRealm {
 
     private static final Log log = LogFactory.getLog(RealmBase.class);
 
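Review bot: In the LockOutRealm hunk the new `authenticate(GSSName, GSSCredential)` dereferences `gssName` on its first line, so a `null` name fails with a NullPointerException before any lock-out bookkeeping runs, while `RealmBase.authenticate(GSSName, GSSCredential)` in this same commit returns `null` for that input; a guard `if (gssName == null) { return null; }` ahead of `gssName.toString()` would make the wrappers consistent with the base class. Note also that the lock-out key passed to `filterLockedAccounts` is `gssName.toString()`, which may still carry the realm suffix (the `isStripRealmForGss()` handling in RealmBase exists precisely because it can), so failed attempts for the same account that arrive through a non-GSS authenticator under the bare user name are presumably counted in a separate bucket; if that is intended, a comment such as `// lock-out is keyed by the full GSS name, not the realm-stripped user name` would stop the next reader from "fixing" it. The new method is complete within the hunk; the `Filters authenticated principals` comment block below it continues outside.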
@@ -499,16 +499,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
                     }
                 }
 
-                String name = gssName.toString();
-
-                if (isStripRealmForGss()) {
-                    int i = name.indexOf('@');
-                    if (i > 0) {
-                        // Zero so we don't leave a zero length name
-                        name = name.substring(0, i);
-                    }
-                }
-                return getPrincipal(name, gssCredential);
+                return getPrincipal(gssName, gssCredential);
             }
         } else {
             log.error(sm.getString("realmBase.gssContextNotEstablished"));
@@ -520,6 +511,19 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 
 
     /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
+        if (gssName == null) {
+            return null;
+        }
+
+        return getPrincipal(gssName, gssCredential);
+    }
+
+
+    /**
      * Execute a periodic task, such as reloading, etc. This method will be
      * invoked inside the classloading context of this container. Unexpected
      * throwables will be caught and logged.
@@ -1242,6 +1246,11 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
     protected abstract Principal getPrincipal(String username);
 
 
+    /**
+     * @deprecated This will be removed in Tomcat 10. Use
+     *             {@link #getPrincipal(GSSName, GSSCredential)} instead.
+     */
+    @Deprecated
     protected Principal getPrincipal(String username,
             GSSCredential gssCredential) {
         Principal p = getPrincipal(username);
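Review bot: The deprecation Javadoc added to `getPrincipal(String, GSSCredential)` in the last hunk should say that RealmBase itself no longer calls this method: the first hunk on this line changes `authenticate(GSSContext, boolean)` to call `getPrincipal(gssName, gssCredential)`, and the default implementation of that new overload (added later in this commit) resolves the principal through `getPrincipal(String)` directly. A realm that overrode the deprecated overload to attach credentials or remap names therefore silently loses that behaviour on the GSS path after upgrading, which is a compatibility change that deserves an explicit warning rather than a plain "use X instead". I would extend the `@deprecated` text with `Note that RealmBase no longer invokes this method; realms that override it must override {@link #getPrincipal(GSSName, GSSCredential)} instead.` and mirror that sentence in the changelog entry. The deprecated method's body continues past the end of the hunk.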
@@ -1253,6 +1262,35 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
         return p;
     }
 
+
+    /**
+     * Get the principal associated with the specified {@link GSSName}.
+     *
+     * @param gssName The GSS name
+     * @param gssCredential the GSS credential of the principal
+     * @return the principal associated with the given user name.
+     */
+    protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
+        String name = gssName.toString();
+
+        if (isStripRealmForGss()) {
+            int i = name.indexOf('@');
+            if (i > 0) {
+                // Zero so we don't leave a zero length name
+                name = name.substring(0, i);
+            }
+        }
+
+        Principal p = getPrincipal(name);
+
+        if (p instanceof GenericPrincipal) {
+            ((GenericPrincipal) p).setGssCredential(gssCredential);
+        }
+
+        return p;
+    }
+
+
     /**
      * Return the Server object that is the ultimate parent for the container
      * with which this Realm is associated. If the server cannot be found (eg
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 119b453..bf708e2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -52,6 +52,10 @@
         CSRF nonce request parameter name to be customized. (schultz)
       </add>
+      <add>
+        <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential)
+        and friends. (michaelo)
+      </add>
       <fix>
         <bug>63964</bug>: Correct a regression in the static resource caching
         changes introduced in 9.0.28. URLs constructed from URLs obtained from
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
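Review bot: The new `getPrincipal(GSSName, GSSCredential)` duplicates the body of the overload it supersedes (lookup via `getPrincipal(String)`, then `setGssCredential` on a `GenericPrincipal`) instead of delegating to it, so a subclass that still overrides the now-deprecated `getPrincipal(String, GSSCredential)` is bypassed on every GSS authentication after this change; replacing the last seven lines of the method body with `return getPrincipal(name, gssCredential);` preserves those overrides until the overload is actually removed in Tomcat 10, and the call raises no deprecation warning from within the same class. The realm-stripping branch also deserves a caveat in the Javadoc: with `isStripRealmForGss()` enabled, `name.substring(0, i)` drops everything from the first `@`, so principals from different realms that share a short name resolve to the same local account — e.g. `Stripping the realm maps user@REALM_A and user@REALM_B onto the same local principal; enable it only when a single trusted realm is accepted.` The method is complete within the hunk; the changelog hunk that follows needs no review.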