
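--- a/java/org/apache/catalina/Realm.java
+++ b/java/org/apache/catalina/Realm.java
@@ -76,6 +76,15 @@
 
 
     /**
+     * Return the Principal associated with the specified username, if there
+     * is one; otherwise return <code>null</code>.
+     *
+     * @param username Username of the Principal to look up
+     */
+    public Principal authenticate(String username);
+
+
+    /**
      * Return the Principal associated with the specified username and
      * credentials, if there is one; otherwise return <code>null</code>.
      *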
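Review bot: The Javadoc of the new `authenticate(String username)` reads like the credential-checking overloads below it, but this method verifies nothing: it maps an already-trusted name to a Principal. That distinction is the whole security contract of the method and should be stated, e.g. `* This method performs no credential verification; it must only be called with a username whose identity has already been established by a trusted component (for example a reverse proxy with tomcatAuthorization enabled).` Adding an abstract method to the public Realm interface will also break any Realm implemented outside this tree, which presumably needs a note in the changelog or migration docs.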
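--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
@@ -94,6 +94,21 @@
             }
         }
 
+        // If we are preauthenticated, run the authorization
+        String remoteUser = (String)
+        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
+        if (remoteUser != null) {
+            if (log.isDebugEnabled())
+                log.debug("Already authenticated '" + remoteUser + "', authorizing");
+            principal = context.getRealm().authenticate(remoteUser);
+            if (principal != null) {
+                register(request, response, principal,
+                        HttpServletRequest.BASIC_AUTH, remoteUser, null);
+                return (true);
+            }
+            return (false);
+        }
+
         // Validate any credentials already included with this request
         MessageBytes authorization =
             request.getCoyoteRequest().getMimeHeaders()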
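Review bot: When the realm does not know the propagated user, the new block does `return (false);` without setting any status on the response, unlike the existing failure paths of this authenticator which send a challenge or error before returning; unless the caller (outside the hunk) sends one, the request ends with whatever default status the response carries. If the intent is to refuse rather than fall back to the normal challenge, make that explicit: `response.sendError(HttpServletResponse.SC_FORBIDDEN);` before `return (false);`. The same fifteen-line block is pasted into DigestAuthenticator, FormAuthenticator, SSLAuthenticator and SpnegoAuthenticator with only the auth-type constant differing, so it belongs in one helper on AuthenticatorBase that takes the auth type; that would also remove the tab-indented continuation line of the `getAttribute` call here and in the other copies. The enclosing `authenticate` method starts and ends outside the hunk.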
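--- a/java/org/apache/catalina/authenticator/Constants.java
+++ b/java/org/apache/catalina/authenticator/Constants.java
@@ -60,6 +60,12 @@
     public static final String REQ_SSOID_NOTE =
       "org.apache.catalina.request.SSOID";
 
+    /**
+     * The notes key to track the principal name when the user is
+     * pre-authenticated, but where tomcat must perform authorization.
+     */
+    public static final String REQ_REMOTE_USER_NOTE =
+      "org.apache.catalina.request.REMOTE_USER";
 
     // ---------------------------------------------------------- Session Notes
 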
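--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -238,6 +238,21 @@
         }
         */
 
+        // If we are preauthenticated, run the authorization
+        String remoteUser = (String)
+        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
+        if (remoteUser != null) {
+            if (log.isDebugEnabled())
+                log.debug("Already authenticated '" + remoteUser + "', authorizing");
+            principal = context.getRealm().authenticate(remoteUser);
+            if (principal != null) {
+                register(request, response, principal,
+                        HttpServletRequest.DIGEST_AUTH, remoteUser, null);
+                return (true);
+            }
+            return (false);
+        }
+
         // Validate any credentials already included with this request
         String authorization = request.getHeader("authorization");
         DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),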
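--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -160,6 +160,22 @@
             }
         }
 
+        // If we are preauthenticated, run the authorization
+        String remoteUser = (String)
+        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
+        if (remoteUser != null) {
+            if (log.isDebugEnabled())
+                log.debug("Already authenticated '" + remoteUser + "', authorizing");
+            principal = context.getRealm().authenticate(remoteUser);
+            if (principal != null) {
+                session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
+                register(request, response, principal,
+                        HttpServletRequest.FORM_AUTH, remoteUser, null);
+                return (true);
+            }
+            return (false);
+        }
+
         // Have we authenticated this user before but have caching disabled?
         if (!cache) {
             session = request.getSessionInternal(true);
</body>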
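Review bot: `session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);` on new line 171 uses `session` before anything in or above the hunk assigns it; the first visible assignment is `session = request.getSessionInternal(true);` on new line 181, after the new block. If `session` is the local declared at the top of `authenticate` (outside the hunk) and initialised to null, every pre-authenticated request that the realm recognises will fail with a NullPointerException here. Obtain the session first: `session = request.getSessionInternal(true);` immediately before the `setNote` call. The enclosing `authenticate` method starts and ends outside the hunk.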
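--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -65,6 +65,21 @@
             return (true);
         }
 
+        // If we are preauthenticated, run the authorization
+        String remoteUser = (String)
+        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
+        if (remoteUser != null) {
+            if (containerLog.isDebugEnabled())
+            	containerLog.debug("Already authenticated '" + remoteUser + "', authorizing");
+            principal = context.getRealm().authenticate(remoteUser);
+            if (principal != null) {
+                register(request, response, principal,
+                        HttpServletRequest.CLIENT_CERT_AUTH, remoteUser, null);
+                return (true);
+            }
+            return (false);
+        }
+
         // NOTE: We don't try to reauthenticate using any existing SSO session,
         // because that will only work if the original authentication was
         // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type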
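--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -159,6 +159,21 @@
             }
         }
 
+        // If we are preauthenticated, run the authorization
+        String remoteUser = (String)
+               request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
+        if (remoteUser != null) {
+            if (log.isDebugEnabled())
+                log.debug("Already authenticated '" + remoteUser + "', authorizing");
+            principal = context.getRealm().authenticate(remoteUser);
+            if (principal != null) {
+                register(request, response, principal,
+                              Constants.SPNEGO_METHOD, remoteUser, null);
+                return (true);
+            }
+            return (false);
+        }
+
         MessageBytes authorization =
             request.getCoyoteRequest().getMimeHeaders()
             .getValue("authorization");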
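--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -416,6 +416,28 @@
 
 
     /**
+     * Return the Principal associated with the specified username, if there
+     * is one; otherwise return <code>null</code>.
+     *
+     * @param username Username of the Principal to look up
+     */
+    @Override
+    public Principal authenticate(String username) {
+
+    	if (username == null) {
+    		return null;
+    	}
+
+        if (containerLog.isTraceEnabled()) {
+            containerLog.trace(sm.getString("realmBase.authenticateSuccess",
+                                            username));
+        }
+
+        return getPrincipal(username);
+    }
+
+
+    /**
      * Return the Principal associated with the specified username and
      * credentials, if there is one; otherwise return <code>null</code>.
      *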
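Review bot: The trace on new lines 431-434 logs `realmBase.authenticateSuccess` before `getPrincipal(username)` has run, so a name the realm does not know is still recorded as a successful authentication; the lookup result should be known before anything is logged. The Javadoc should also say that no credential is checked here and that the caller is responsible for having established the identity, since this method is now the entry point for identities asserted by an AJP peer. The null guard on new lines 427-429 is tab-indented while the rest of the file uses spaces.
```java
    @Override
    public Principal authenticate(String username) {
        // … unchanged: null guard on username …
        Principal principal = getPrincipal(username);
        // Log only once the outcome is known; getPrincipal() may return null
        if (principal != null && containerLog.isTraceEnabled()) {
            containerLog.trace(sm.getString("realmBase.authenticateSuccess",
                                            username));
        }
        return principal;
    }
```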
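--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -318,6 +318,16 @@
 
 
     /**
+     * Use Tomcat authorization ?
+     */
+    protected boolean tomcatAuthorization = false;
+    public boolean getTomcatAuthorization() { return tomcatAuthorization; }
+    public void setTomcatAuthorization(boolean tomcatAuthorization) {
+        this.tomcatAuthorization = tomcatAuthorization;
+    }
+
+
+    /**
      * Required secret.
      */
     protected String requiredSecret = null;
@@ -1270,11 +1280,17 @@
                 break;
 
             case Constants.SC_A_REMOTE_USER :
-                if (tomcatAuthentication) {
+            	if (tomcatAuthorization) {
+                    requestHeaderMessage.getBytes(tmpMB);
+            		request.setAttribute(
+            				org.apache.catalina.authenticator.Constants.REQ_REMOTE_USER_NOTE,
+            				tmpMB.toString());
+            	}
+            	else if (tomcatAuthentication) {
                     // ignore server
                     requestHeaderMessage.getBytes(tmpMB);
                 } else {
-                    requestHeaderMessage.getBytes(request.getRemoteUser());
+                	requestHeaderMessage.getBytes(request.getRemoteUser());
                 }
                 break;
 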
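Review bot: The Javadoc `Use Tomcat authorization ?` on the new `tomcatAuthorization` field does not tell an operator what the flag trusts, which is the one thing that matters for it: the second hunk stores the SC_A_REMOTE_USER value sent by the AJP peer, unverified, as `REQ_REMOTE_USER_NOTE` for the authenticators to accept as an established identity. Document that on the field, e.g. `When true, the remote user sent by the AJP peer is stored as REQ_REMOTE_USER_NOTE and treated as already authenticated; Tomcat then performs authorization only, so enable this only where the AJP port is reachable solely from the trusted proxy (tomcatAuthentication is ignored when this is set).` The added branch on new lines 1283-1289 and the re-indented line 1293 use tabs where the surrounding code uses spaces, and `else if` is split from the closing brace unlike the `} else {` two lines below. Referencing `org.apache.catalina.authenticator.Constants` by its fully qualified name from the coyote package looks like a layering dependency that does not exist elsewhere in this hunk; if coyote is meant to stay independent of catalina, the key should live in a coyote-level constant. The enclosing switch and method start and end outside the hunk.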
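--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -436,9 +436,18 @@
       <p>If set to <code>true</code>, the authentication will be done in Tomcat.
       Otherwise, the authenticated principal will be propagated from the native
       webserver and used for authorization in Tomcat.
-      The default value is <code>true</code>.</p>
+      The default value is <code>true</code>. If
+      <code>tomcatAuthorization</code> is set to <code>true</code> this
+      attribute has no effect.</p>
     </attribute>
 
+    <attribute name="tomcatAuthorization" required="false">
+      <p>If set to <code>true</code>, the authenticated principal will be
+      propagated from the native webserver and considered already authenticated
+      in Tomcat. Authorization will then be performed by Tomcat as normal.
+      The default value is <code>false</code>.</p>
+    </attribute>
+
   </attributes>
 
   </subsection>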
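--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -287,7 +287,8 @@
          rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
       configuring these settings.</p>
 
-      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
+      <p>The <strong>tomcatAuthentication</strong> and
+      <strong>tomcatAuthorization</strong> attributes are used with the
       AJP connectors to determine if Tomcat should authenticate the user or if
       authentication can be delegated to the reverse proxy that will then pass
       the authenticated username to Tomcat as part of the AJP protocol.</p>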
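--- a/webapps/docs/windows-auth-howto.xml
+++ b/webapps/docs/windows-auth-howto.xml
@@ -301,7 +301,9 @@
   <li>Configure IIS to use Windows authentication</li>
   <li>Configure Tomcat to use the authentication user information from IIS by
   setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
-  AJP connector</a> to <code>false</code>.</li>
+  AJP connector</a> to <code>false</code>. Alternatively, set the
+  tomcatAuthorization attribute to <code>true</code> to allow Windows to
+  authenticate, while Tomcat performs the authorization.</li>
   </ol>
   </subsection>
 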
