001: /*
002: * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java,v 1.11 2002/06/09 02:19:41 remm Exp $
003: * $Revision: 1.11 $
004: * $Date: 2002/06/09 02:19:41 $
005: *
006: * ====================================================================
007: *
008: * The Apache Software License, Version 1.1
009: *
010: * Copyright (c) 1999 The Apache Software Foundation. All rights
011: * reserved.
012: *
013: * Redistribution and use in source and binary forms, with or without
014: * modification, are permitted provided that the following conditions
015: * are met:
016: *
017: * 1. Redistributions of source code must retain the above copyright
018: * notice, this list of conditions and the following disclaimer.
019: *
020: * 2. Redistributions in binary form must reproduce the above copyright
021: * notice, this list of conditions and the following disclaimer in
022: * the documentation and/or other materials provided with the
023: * distribution.
024: *
025: * 3. The end-user documentation included with the redistribution, if
026: * any, must include the following acknowlegement:
027: * "This product includes software developed by the
028: * Apache Software Foundation (http://www.apache.org/)."
029: * Alternately, this acknowlegement may appear in the software itself,
030: * if and wherever such third-party acknowlegements normally appear.
031: *
032: * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
033: * Foundation" must not be used to endorse or promote products derived
034: * from this software without prior written permission. For written
035: * permission, please contact apache@apache.org.
036: *
037: * 5. Products derived from this software may not be called "Apache"
038: * nor may "Apache" appear in their names without prior written
039: * permission of the Apache Group.
040: *
041: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
042: * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
043: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
044: * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
045: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
046: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
047: * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
048: * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
049: * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
050: * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
051: * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
052: * SUCH DAMAGE.
053: * ====================================================================
054: *
055: * This software consists of voluntary contributions made by many
056: * individuals on behalf of the Apache Software Foundation. For more
057: * information on the Apache Software Foundation, please see
058: * <http://www.apache.org/>.
059: *
060: * [Additional notices, if required by prior licensing conditions]
061: *
062: */
063:
064: package org.apache.catalina.authenticator;
065:
066: import java.io.IOException;
067: import java.security.Principal;
068: import java.security.cert.X509Certificate;
069: import javax.servlet.http.HttpServletRequest;
070: import javax.servlet.http.HttpServletResponse;
071: import org.apache.catalina.Globals;
072: import org.apache.catalina.HttpRequest;
073: import org.apache.catalina.HttpResponse;
074: import org.apache.catalina.Lifecycle;
075: import org.apache.catalina.LifecycleException;
076: import org.apache.catalina.Realm;
077: import org.apache.catalina.Session;
078: import org.apache.catalina.deploy.LoginConfig;
079:
080: /**
081: * An <b>Authenticator</b> and <b>Valve</b> implementation of authentication
082: * that utilizes SSL certificates to identify client users.
083: *
084: * @author Craig R. McClanahan
085: * @version $Revision: 1.11 $ $Date: 2002/06/09 02:19:41 $
086: */
087:
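public class SSLAuthenticator extends AuthenticatorBase {

    // ------------------------------------------------------------- Properties

    /**
     * Descriptive information about this implementation.
     */
    protected static final String info =
        "org.apache.catalina.authenticator.SSLAuthenticator/1.0";

    /**
     * Return descriptive information about this Valve implementation.
     *
     * @return the implementation identifier string
     */
    public String getInfo() {

        // info is a static constant, so do not read it through "this"
        return (info);

    }

    // --------------------------------------------------------- Public Methods

    /**
     * Authenticate the user by checking for the existence of a certificate
     * chain (which should have been made visible by an instance of
     * <code>CertificatesValve</code>), and asking the Realm of the
     * associated Context to authenticate that chain.
     * <p>
     * This valve performs no certificate validation of its own: the chain is
     * read from the <code>Globals.CERTIFICATES_ATTR</code> request attribute
     * and the trust decision is delegated entirely to
     * <code>Realm.authenticate(X509Certificate[])</code>.  A request that
     * carries no chain is rejected with 400 (Bad Request); a chain the Realm
     * rejects is answered with 401 (Unauthorized).  Neither failure path
     * registers a Principal.  If the request already has a user Principal,
     * it is accepted as authenticated without re-examining the chain.
     *
     * @param request Request we are processing
     * @param response Response we are creating
     * @param config Login configuration describing how authentication
     *  should be performed (not consulted by this authenticator)
     *
     * @return <code>true</code> if a Principal is associated with the
     *  request, <code>false</code> if an error response has been sent
     *
     * @exception IOException if an input/output error occurs
     */
    public boolean authenticate(HttpRequest request,
                                HttpResponse response,
                                LoginConfig config)
        throws IOException {

        // Have we already authenticated someone?
        Principal principal = ((HttpServletRequest) request
            .getRequest()).getUserPrincipal();
        if (principal != null) {
            if (debug >= 1)
                log("Already authenticated '" + principal.getName()
                    + "'");
            return (true);
        }

        // Retrieve the certificate chain for this client
        HttpServletResponse hres = (HttpServletResponse) response
            .getResponse();
        if (debug >= 1)
            log(" Looking up certificates");
        Object attr = request.getRequest()
            .getAttribute(Globals.CERTIFICATES_ATTR);
        // Guard the cast: an attribute of any other type previously escaped
        // as a ClassCastException rather than the 400 a missing chain gets
        X509Certificate[] certs = (attr instanceof X509Certificate[])
            ? (X509Certificate[]) attr : null;
        if ((certs == null) || (certs.length < 1)) {
            if (debug >= 1)
                log(" No certificates included with this request");
            hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           sm.getString("authenticator.certificates"));
            return (false);
        }

        // Authenticate the specified certificate chain; the Realm is the
        // only place trust in the chain is established
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            if (debug >= 1)
                log(" Realm.authenticate() returned null");
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           sm.getString("authenticator.unauthorized"));
            return (false);
        }

        // Cache the principal (if requested) and record this authentication
        register(request, response, principal, Constants.CERT_METHOD,
                 null, null);
        return (true);

    }

    // ------------------------------------------------------ Lifecycle Methods

    /**
     * Initialize the database we will be using for client verification
     * and certificate validation (if any).  The current implementation
     * only delegates to the superclass.
     *
     * @exception LifecycleException if this component detects a fatal error
     *  that prevents this component from being used
     */
    public void start() throws LifecycleException {

        super.start();

    }

    /**
     * Finalize the database we used for client verification and
     * certificate validation (if any).  The current implementation
     * only delegates to the superclass.
     *
     * @exception LifecycleException if this component detects a fatal error
     *  that prevents this component from being used
     */
    public void stop() throws LifecycleException {

        super.stop();

    }

}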
|