View | Details | Raw Unified | Return to bug 57708
Collapse All | Expand All

(-)java/org/apache/catalina/Realm.java (+9 lines)
Lines 76-81 Link Here
76
76
77
77
78
    /**
78
    /**
79
     * Return the Principal associated with the specified username, if there
80
     * is one; otherwise return <code>null</code>.
81
     *
82
     * @param username Username of the Principal to look up
83
     */
84
    public Principal authenticate(String username);
85
86
87
    /**
79
     * Return the Principal associated with the specified username and
88
     * Return the Principal associated with the specified username and
80
     * credentials, if there is one; otherwise return <code>null</code>.
89
     * credentials, if there is one; otherwise return <code>null</code>.
81
     *
90
     *
(-)java/org/apache/catalina/authenticator/BasicAuthenticator.java (+15 lines)
Lines 94-99 Link Here
94
            }
94
            }
95
        }
95
        }
96
96
97
        // If we are preauthenticated, run the authorization
98
        String remoteUser = (String)
99
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
100
        if (remoteUser != null) {
101
            if (log.isDebugEnabled())
102
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
103
            principal = context.getRealm().authenticate(remoteUser);
104
            if (principal != null) {
105
                register(request, response, principal,
106
                        HttpServletRequest.BASIC_AUTH, remoteUser, null);
107
                return (true);
108
            }
109
            return (false);
110
        }
111
97
        // Validate any credentials already included with this request
112
        // Validate any credentials already included with this request
98
        MessageBytes authorization =
113
        MessageBytes authorization =
99
            request.getCoyoteRequest().getMimeHeaders()
114
            request.getCoyoteRequest().getMimeHeaders()
(-)java/org/apache/catalina/authenticator/Constants.java (+6 lines)
Lines 57-62 Link Here
57
    public static final String REQ_SSOID_NOTE =
57
    public static final String REQ_SSOID_NOTE =
58
      "org.apache.catalina.request.SSOID";
58
      "org.apache.catalina.request.SSOID";
59
59
60
    /**
61
     * The notes key to track the principal name when the user is
62
     * pre-authenticated, but where tomcat must perform authorization.
63
     */
64
    public static final String REQ_REMOTE_USER_NOTE =
65
      "org.apache.catalina.request.REMOTE_USER";
60
66
61
    // ---------------------------------------------------------- Session Notes
67
    // ---------------------------------------------------------- Session Notes
62
68
(-)java/org/apache/catalina/authenticator/DigestAuthenticator.java (+15 lines)
Lines 238-243 Link Here
238
        }
238
        }
239
        */
239
        */
240
240
241
        // If we are preauthenticated, run the authorization
242
        String remoteUser = (String)
243
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
244
        if (remoteUser != null) {
245
            if (log.isDebugEnabled())
246
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
247
            principal = context.getRealm().authenticate(remoteUser);
248
            if (principal != null) {
249
                register(request, response, principal,
250
                        HttpServletRequest.DIGEST_AUTH, remoteUser, null);
251
                return (true);
252
            }
253
            return (false);
254
        }
255
241
        // Validate any credentials already included with this request
256
        // Validate any credentials already included with this request
242
        String authorization = request.getHeader("authorization");
257
        String authorization = request.getHeader("authorization");
243
        DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
258
        DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
(-)java/org/apache/catalina/authenticator/FormAuthenticator.java (+16 lines)
Lines 169-174 Link Here
169
            }
169
            }
170
        }
170
        }
171
171
172
        // If we are preauthenticated, run the authorization
173
        String remoteUser = (String)
174
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
175
        if (remoteUser != null) {
176
            if (log.isDebugEnabled())
177
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
178
            principal = context.getRealm().authenticate(remoteUser);
179
            if (principal != null) {
180
                session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
181
                register(request, response, principal,
182
                        HttpServletRequest.FORM_AUTH, remoteUser, null);
183
                return (true);
184
            }
185
            return (false);
186
        }
187
172
        // Have we authenticated this user before but have caching disabled?
188
        // Have we authenticated this user before but have caching disabled?
173
        if (!cache) {
189
        if (!cache) {
174
            session = request.getSessionInternal(true);
190
            session = request.getSessionInternal(true);
(-)java/org/apache/catalina/authenticator/SSLAuthenticator.java (+15 lines)
Lines 65-70 Link Here
65
            return (true);
65
            return (true);
66
        }
66
        }
67
67
68
        // If we are preauthenticated, run the authorization
69
        String remoteUser = (String)
70
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
71
        if (remoteUser != null) {
72
            if (containerLog.isDebugEnabled())
73
            	containerLog.debug("Already authenticated '" + remoteUser + "', authorizing");
74
            principal = context.getRealm().authenticate(remoteUser);
75
            if (principal != null) {
76
                register(request, response, principal,
77
                        HttpServletRequest.CLIENT_CERT_AUTH, remoteUser, null);
78
                return (true);
79
            }
80
            return (false);
81
        }
82
68
        // NOTE: We don't try to reauthenticate using any existing SSO session,
83
        // NOTE: We don't try to reauthenticate using any existing SSO session,
69
        // because that will only work if the original authentication was
84
        // because that will only work if the original authentication was
70
        // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type
85
        // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type
(-)java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (+15 lines)
Lines 159-164 Link Here
159
            }
159
            }
160
        }
160
        }
161
161
162
        // If we are preauthenticated, run the authorization
163
        String remoteUser = (String)
164
                       request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
165
        if (remoteUser != null) {
166
            if (log.isDebugEnabled())
167
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
168
            principal = context.getRealm().authenticate(remoteUser);
169
            if (principal != null) {
170
                register(request, response, principal,
171
                              Constants.SPNEGO_METHOD, remoteUser, null);
172
                return (true);
173
            }
174
            return (false);
175
        }
176
162
        MessageBytes authorization =
177
        MessageBytes authorization =
163
            request.getCoyoteRequest().getMimeHeaders()
178
            request.getCoyoteRequest().getMimeHeaders()
164
            .getValue("authorization");
179
            .getValue("authorization");
(-)java/org/apache/catalina/realm/RealmBase.java (+22 lines)
Lines 416-421 Link Here
416
416
417
417
418
    /**
418
    /**
419
     * Return the Principal associated with the specified username, if there
420
     * is one; otherwise return <code>null</code>.
421
     *
422
     * @param username Username of the Principal to look up
423
     */
424
    @Override
425
    public Principal authenticate(String username) {
426
427
    	if (username == null) {
428
    		return null;
429
    	}
430
431
        if (containerLog.isTraceEnabled()) {
432
            containerLog.trace(sm.getString("realmBase.authenticateSuccess",
433
                                            username));
434
        }
435
436
        return getPrincipal(username);
437
    }
438
439
440
    /**
419
     * Return the Principal associated with the specified username and
441
     * Return the Principal associated with the specified username and
420
     * credentials, if there is one; otherwise return <code>null</code>.
442
     * credentials, if there is one; otherwise return <code>null</code>.
421
     *
443
     *
(-)java/org/apache/coyote/ajp/AjpProcessor.java (-2 / +18 lines)
Lines 303-308 Link Here
303
303
304
304
305
    /**
305
    /**
306
     * Use Tomcat authorization ?
307
     */
308
    protected boolean tomcatAuthorization = true;
309
    public boolean getTomcatAuthorization() { return tomcatAuthorization; }
310
    public void setTomcatAuthorization(boolean tomcatAuthorization) {
311
        this.tomcatAuthorization = tomcatAuthorization;
312
    }
313
314
315
    /**
306
     * Required secret.
316
     * Required secret.
307
     */
317
     */
308
    private String requiredSecret = null;
318
    private String requiredSecret = null;
Lines 1162-1172 Link Here
1162
                break;
1172
                break;
1163
1173
1164
            case Constants.SC_A_REMOTE_USER :
1174
            case Constants.SC_A_REMOTE_USER :
1165
                if (tomcatAuthentication) {
1175
            	if (tomcatAuthorization) {
1176
                    requestHeaderMessage.getBytes(tmpMB);
1177
            		request.setAttribute(
1178
            				org.apache.catalina.authenticator.Constants.REQ_REMOTE_USER_NOTE,
1179
            				tmpMB.toString());
1180
            	}
1181
            	else if (tomcatAuthentication) {
1166
                    // ignore server
1182
                    // ignore server
1167
                    requestHeaderMessage.getBytes(tmpMB);
1183
                    requestHeaderMessage.getBytes(tmpMB);
1168
                } else {
1184
                } else {
1169
                    requestHeaderMessage.getBytes(request.getRemoteUser());
1185
                	requestHeaderMessage.getBytes(request.getRemoteUser());
1170
                }
1186
                }
1171
                break;
1187
                break;
1172
1188
(-)webapps/docs/config/ajp.xml (-1 / +10 lines)
Lines 430-438 Link Here
430
      <p>If set to <code>true</code>, the authentication will be done in Tomcat.
430
      <p>If set to <code>true</code>, the authentication will be done in Tomcat.
431
      Otherwise, the authenticated principal will be propagated from the native
431
      Otherwise, the authenticated principal will be propagated from the native
432
      webserver and used for authorization in Tomcat.
432
      webserver and used for authorization in Tomcat.
433
      The default value is <code>true</code>.</p>
433
      The default value is <code>true</code>. If
434
      <code>tomcatAuthorization</code> is set to <code>true</code> this
435
      attribute has no effect.</p>
434
    </attribute>
436
    </attribute>
435
437
438
    <attribute name="tomcatAuthorization" required="false">
439
      <p>If set to <code>true</code>, the authenticated principal will be
440
      propagated from the native webserver and considered already authenticated
441
      in Tomcat. Authorization will then be performed by Tomcat as normal.
442
      The default value is <code>false</code>.</p>
443
    </attribute>
444
436
  </attributes>
445
  </attributes>
437
446
438
  </subsection>
447
  </subsection>
(-)webapps/docs/security-howto.xml (-1 / +2 lines)
Lines 287-293 Link Here
287
         rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
287
         rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
288
      configuring these settings.</p>
288
      configuring these settings.</p>
289
289
290
      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
290
      <p>The <strong>tomcatAuthentication</strong> and
291
      <strong>tomcatAuthorization</strong> attributes are used with the
291
      AJP connectors to determine if Tomcat should authenticate the user or if
292
      AJP connectors to determine if Tomcat should authenticate the user or if
292
      authentication can be delegated to the reverse proxy that will then pass
293
      authentication can be delegated to the reverse proxy that will then pass
293
      the authenticated username to Tomcat as part of the AJP protocol.</p>
294
      the authenticated username to Tomcat as part of the AJP protocol.</p>
(-)webapps/docs/windows-auth-howto.xml (-1 / +3 lines)
Lines 301-307 Link Here
301
  <li>Configure IIS to use Windows authentication</li>
301
  <li>Configure IIS to use Windows authentication</li>
302
  <li>Configure Tomcat to use the authentication user information from IIS by
302
  <li>Configure Tomcat to use the authentication user information from IIS by
303
  setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
303
  setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
304
  AJP connector</a> to <code>false</code>.</li>
304
  AJP connector</a> to <code>false</code>. Alternatively, set the
305
  tomcatAuthorization attribute to <code>true</code> to allow Windows to
306
  authenticate, while Tomcat performs the authorization.</li>
305
  </ol>
307
  </ol>
306
  </subsection>
308
  </subsection>
307
309

Return to bug 57708