KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > apache > catalina > authenticator > SSLAuthenticator


1 /*
2  * Licensed to the Apache Software Foundation (ASF) under one or more
3  * contributor license agreements. See the NOTICE file distributed with
4  * this work for additional information regarding copyright ownership.
5  * The ASF licenses this file to You under the Apache License, Version 2.0
6  * (the "License"); you may not use this file except in compliance with
7  * the License. You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17
18
19 package org.apache.catalina.authenticator;
20
21
22 import java.io.IOException JavaDoc;
23 import java.security.Principal JavaDoc;
24 import java.security.cert.X509Certificate JavaDoc;
25
26 import javax.servlet.http.HttpServletResponse JavaDoc;
27
28 import org.apache.coyote.ActionCode;
29 import org.apache.catalina.Globals;
30 import org.apache.catalina.LifecycleException;
31 import org.apache.catalina.connector.Request;
32 import org.apache.catalina.connector.Response;
33 import org.apache.catalina.deploy.LoginConfig;
34
35
36
37 /**
38  * An <b>Authenticator</b> and <b>Valve</b> implementation of authentication
39  * that utilizes SSL certificates to identify client users.
40  *
41  * @author Craig R. McClanahan
42  * @version $Revision: 467222 $ $Date: 2006-10-24 05:17:11 +0200 (mar., 24 oct. 2006) $
43  */
44
45 public class SSLAuthenticator
46     extends AuthenticatorBase {
47
48
49     // ------------------------------------------------------------- Properties
50
51
52     /**
53      * Descriptive information about this implementation.
54      */
55     protected static final String JavaDoc info =
56         "org.apache.catalina.authenticator.SSLAuthenticator/1.0";
57
58
59     /**
60      * Return descriptive information about this Valve implementation.
61      */
62     public String JavaDoc getInfo() {
63
64         return (info);
65
66     }
67
68
69     // --------------------------------------------------------- Public Methods
70
71
72     /**
73      * Authenticate the user by checking for the existence of a certificate
74      * chain, and optionally asking a trust manager to validate that we trust
75      * this user.
76      *
77      * @param request Request we are processing
78      * @param response Response we are creating
79      * @param config Login configuration describing how authentication
80      * should be performed
81      *
82      * @exception IOException if an input/output error occurs
83      */
84     public boolean authenticate(Request request,
85                                 Response JavaDoc response,
86                                 LoginConfig config)
87         throws IOException JavaDoc {
88
89         // Have we already authenticated someone?
90 Principal JavaDoc principal = request.getUserPrincipal();
91         //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
92 if (principal != null) {
93             if (containerLog.isDebugEnabled())
94                 containerLog.debug("Already authenticated '" + principal.getName() + "'");
95             // Associate the session with any existing SSO session in order
96 // to get coordinated session invalidation at logout
97 String JavaDoc ssoId = (String JavaDoc) request.getNote(Constants.REQ_SSOID_NOTE);
98             if (ssoId != null)
99                 associate(ssoId, request.getSessionInternal(true));
100             return (true);
101         }
102
103         // NOTE: We don't try to reauthenticate using any existing SSO session,
104 // because that will only work if the original authentication was
105 // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
106 // specified for this webapp
107 //
108 // Uncomment below to allow previous FORM or BASIC authentications
109 // to authenticate users for this webapp
110 // TODO make this a configurable attribute (in SingleSignOn??)
111 /*
112         // Is there an SSO session against which we can try to reauthenticate?
113         if (ssoId != null) {
114             if (log.isDebugEnabled())
115                 log.debug("SSO Id " + ssoId + " set; attempting " +
116                           "reauthentication");
117             // Try to reauthenticate using data cached by SSO. If this fails,
118             // either the original SSO logon was of DIGEST or SSL (which
119             // we can't reauthenticate ourselves because there is no
120             // cached username and password), or the realm denied
121             // the user's reauthentication for some reason.
122             // In either case we have to prompt the user for a logon
123             if (reauthenticateFromSSO(ssoId, request))
124                 return true;
125         }
126         */
127
128         // Retrieve the certificate chain for this client
129 if (containerLog.isDebugEnabled())
130             containerLog.debug(" Looking up certificates");
131
132         X509Certificate JavaDoc certs[] = (X509Certificate JavaDoc[])
133             request.getAttribute(Globals.CERTIFICATES_ATTR);
134         if ((certs == null) || (certs.length < 1)) {
135             request.getCoyoteRequest().action
136                               (ActionCode.ACTION_REQ_SSL_CERTIFICATE, null);
137             certs = (X509Certificate JavaDoc[])
138                 request.getAttribute(Globals.CERTIFICATES_ATTR);
139         }
140         if ((certs == null) || (certs.length < 1)) {
141             if (containerLog.isDebugEnabled())
142                 containerLog.debug(" No certificates included with this request");
143             response.sendError(HttpServletResponse.SC_BAD_REQUEST,
144                                sm.getString("authenticator.certificates"));
145             return (false);
146         }
147
148         // Authenticate the specified certificate chain
149 principal = context.getRealm().authenticate(certs);
150         if (principal == null) {
151             if (containerLog.isDebugEnabled())
152                 containerLog.debug(" Realm.authenticate() returned false");
153             response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
154                                sm.getString("authenticator.unauthorized"));
155             return (false);
156         }
157
158         // Cache the principal (if requested) and record this authentication
159 register(request, response, principal, Constants.CERT_METHOD,
160                  null, null);
161         return (true);
162
163     }
164
165
166     // ------------------------------------------------------ Lifecycle Methods
167
168
169     /**
170      * Initialize the database we will be using for client verification
171      * and certificate validation (if any).
172      *
173      * @exception LifecycleException if this component detects a fatal error
174      * that prevents this component from being used
175      */
176     public void start() throws LifecycleException {
177
178         super.start();
179
180     }
181
182
183     /**
184      * Finalize the database we used for client verification and
185      * certificate validation (if any).
186      *
187      * @exception LifecycleException if this component detects a fatal error
188      * that prevents this component from being used
189      */
190     public void stop() throws LifecycleException {
191
192         super.stop();
193
194     }
195
196
197 }
198
Popular Tags