Attachment #32569 for bug #57708

View | Details | Raw Unified | Return to bug 57708
Collapse All | Expand All

Lines 76-81 Link Here

(-)java/org/apache/catalina/Realm.java (+9 lines)
76		76
77		77
78	/**	78	/**
		79	* Return the Principal associated with the specified username, if there
		80	* is one; otherwise return <code>null</code>.
		81	*
		82	* @param username Username of the Principal to look up
		83	*/
		84	public Principal authenticate(String username);
		85
		86
		87	/**
79	* Return the Principal associated with the specified username and	88	* Return the Principal associated with the specified username and
80	* credentials, if there is one; otherwise return <code>null</code>.	89	* credentials, if there is one; otherwise return <code>null</code>.
81	*	90	*




            }
        }

        // If we are preauthenticated, run the authorization
        String remoteUser = (String)
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
        if (remoteUser != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
            principal = context.getRealm().authenticate(remoteUser);
            if (principal != null) {
                register(request, response, principal,
                        HttpServletRequest.BASIC_AUTH, remoteUser, null);
                return (true);
            }
            return (false);
        }

        // Validate any credentials already included with this request
        MessageBytes authorization =
            request.getCoyoteRequest().getMimeHeaders()

Lines 57-62 Link Here

(-)java/org/apache/catalina/authenticator/Constants.java (+6 lines)
57	public static final String REQ_SSOID_NOTE =	57	public static final String REQ_SSOID_NOTE =
58	"org.apache.catalina.request.SSOID";	58	"org.apache.catalina.request.SSOID";
59		59
		60	/**
		61	* The notes key to track the principal name when the user is
		62	* pre-authenticated, but where tomcat must perform authorization.
		63	*/
		64	public static final String REQ_REMOTE_USER_NOTE =
		65	"org.apache.catalina.request.REMOTE_USER";
60		66
61	// ---------------------------------------------------------- Session Notes	67	// ---------------------------------------------------------- Session Notes
62		68




        }
        */

        // If we are preauthenticated, run the authorization
        String remoteUser = (String)
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
        if (remoteUser != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
            principal = context.getRealm().authenticate(remoteUser);
            if (principal != null) {
                register(request, response, principal,
                        HttpServletRequest.DIGEST_AUTH, remoteUser, null);
                return (true);
            }
            return (false);
        }

        // Validate any credentials already included with this request
        String authorization = request.getHeader("authorization");
        DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),




            }
        }

        // If we are preauthenticated, run the authorization
        String remoteUser = (String)
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
        if (remoteUser != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
            principal = context.getRealm().authenticate(remoteUser);
            if (principal != null) {
                session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
                register(request, response, principal,
                        HttpServletRequest.FORM_AUTH, remoteUser, null);
                return (true);
            }
            return (false);
        }

        // Have we authenticated this user before but have caching disabled?
        if (!cache) {
            session = request.getSessionInternal(true);




            return (true);
        }

        // If we are preauthenticated, run the authorization
        String remoteUser = (String)
        		request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
        if (remoteUser != null) {
            if (containerLog.isDebugEnabled())
            	containerLog.debug("Already authenticated '" + remoteUser + "', authorizing");
            principal = context.getRealm().authenticate(remoteUser);
            if (principal != null) {
                register(request, response, principal,
                        HttpServletRequest.CLIENT_CERT_AUTH, remoteUser, null);
                return (true);
            }
            return (false);
        }

        // NOTE: We don't try to reauthenticate using any existing SSO session,
        // because that will only work if the original authentication was
        // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type




            }
        }

        // If we are preauthenticated, run the authorization
        String remoteUser = (String)
                       request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
        if (remoteUser != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" + remoteUser + "', authorizing");
            principal = context.getRealm().authenticate(remoteUser);
            if (principal != null) {
                register(request, response, principal,
                              Constants.SPNEGO_METHOD, remoteUser, null);
                return (true);
            }
            return (false);
        }

        MessageBytes authorization =
            request.getCoyoteRequest().getMimeHeaders()
            .getValue("authorization");






    /**
     * Return the Principal associated with the specified username, if there
     * is one; otherwise return <code>null</code>.
     *
     * @param username Username of the Principal to look up
     */
    @Override
    public Principal authenticate(String username) {

    	if (username == null) {
    		return null;
    	}

        if (containerLog.isTraceEnabled()) {
            containerLog.trace(sm.getString("realmBase.authenticateSuccess",
                                            username));
        }

        return getPrincipal(username);
    }


    /**
     * Return the Principal associated with the specified username and
     * credentials, if there is one; otherwise return <code>null</code>.
     *

Lines 303-308 Link Here

(-)java/org/apache/coyote/ajp/AjpProcessor.java (-2 / +18 lines)
303		303
304		304
305	/**	305	/**
		306	* Use Tomcat authorization ?
		307	*/
		308	protected boolean tomcatAuthorization = true;
		309	public boolean getTomcatAuthorization() { return tomcatAuthorization; }
		310	public void setTomcatAuthorization(boolean tomcatAuthorization) {
		311	this.tomcatAuthorization = tomcatAuthorization;
		312	}
		313
		314
		315	/**
306	* Required secret.	316	* Required secret.
307	*/	317	*/
308	private String requiredSecret = null;	318	private String requiredSecret = null;
Lines 1162-1172 Link Here
1162	break;	1172	break;
1163		1173
1164	case Constants.SC_A_REMOTE_USER :	1174	case Constants.SC_A_REMOTE_USER :
1165	if (tomcatAuthentication) {	1175	if (tomcatAuthorization) {
		1176	requestHeaderMessage.getBytes(tmpMB);
		1177	request.setAttribute(
		1178	org.apache.catalina.authenticator.Constants.REQ_REMOTE_USER_NOTE,
		1179	tmpMB.toString());
		1180	}
		1181	else if (tomcatAuthentication) {
1166	// ignore server	1182	// ignore server
1167	requestHeaderMessage.getBytes(tmpMB);	1183	requestHeaderMessage.getBytes(tmpMB);
1168	} else {	1184	} else {
1169	requestHeaderMessage.getBytes(request.getRemoteUser());	1185	requestHeaderMessage.getBytes(request.getRemoteUser());
1170	}	1186	}
1171	break;	1187	break;
1172		1188

Lines 430-438 Link Here

(-)webapps/docs/config/ajp.xml (-1 / +10 lines)
430	<p>If set to <code>true</code>, the authentication will be done in Tomcat.	430	<p>If set to <code>true</code>, the authentication will be done in Tomcat.
431	Otherwise, the authenticated principal will be propagated from the native	431	Otherwise, the authenticated principal will be propagated from the native
432	webserver and used for authorization in Tomcat.	432	webserver and used for authorization in Tomcat.
433	The default value is <code>true</code>.</p>	433	The default value is <code>true</code>. If
		434	<code>tomcatAuthorization</code> is set to <code>true</code> this
		435	attribute has no effect.</p>
434	</attribute>	436	</attribute>
435		437
		438	<attribute name="tomcatAuthorization" required="false">
		439	<p>If set to <code>true</code>, the authenticated principal will be
		440	propagated from the native webserver and considered already authenticated
		441	in Tomcat. Authorization will then be performed by Tomcat as normal.
		442	The default value is <code>false</code>.</p>
		443	</attribute>
		444
436	</attributes>	445	</attributes>
437		446
438	</subsection>	447	</subsection>

Lines 287-293 Link Here

(-)webapps/docs/security-howto.xml (-1 / +2 lines)
287	rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for	287	rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
288	configuring these settings.</p>	288	configuring these settings.</p>
289		289
290	<p>The <strong>tomcatAuthentication</strong> attribute is used with the	290	<p>The <strong>tomcatAuthentication</strong> and
		291	<strong>tomcatAuthorization</strong> attributes are used with the
291	AJP connectors to determine if Tomcat should authenticate the user or if	292	AJP connectors to determine if Tomcat should authenticate the user or if
292	authentication can be delegated to the reverse proxy that will then pass	293	authentication can be delegated to the reverse proxy that will then pass
293	the authenticated username to Tomcat as part of the AJP protocol.</p>	294	the authenticated username to Tomcat as part of the AJP protocol.</p>

Lines 301-307 Link Here

(-)webapps/docs/windows-auth-howto.xml (-1 / +3 lines)
301	<li>Configure IIS to use Windows authentication</li>	301	<li>Configure IIS to use Windows authentication</li>
302	<li>Configure Tomcat to use the authentication user information from IIS by	302	<li>Configure Tomcat to use the authentication user information from IIS by
303	setting the tomcatAuthentication attribute on the <a href="config/ajp.html">	303	setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
304	AJP connector</a> to <code>false</code>.</li>	304	AJP connector</a> to <code>false</code>. Alternatively, set the
		305	tomcatAuthorization attribute to <code>true</code> to allow Windows to
		306	authenticate, while Tomcat performs the authorization.</li>
305	</ol>	307	</ol>
306	</subsection>	308	</subsection>
307		309

Return to bug 57708

Lines 94-99 Link Here

(-)java/org/apache/catalina/authenticator/BasicAuthenticator.java (+15 lines)
94	}	94	}
95	}	95	}
96		96
		97	// If we are preauthenticated, run the authorization
		98	String remoteUser = (String)
		99	request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
		100	if (remoteUser != null) {
		101	if (log.isDebugEnabled())
		102	log.debug("Already authenticated '" + remoteUser + "', authorizing");
		103	principal = context.getRealm().authenticate(remoteUser);
		104	if (principal != null) {
		105	register(request, response, principal,
		106	HttpServletRequest.BASIC_AUTH, remoteUser, null);
		107	return (true);
		108	}
		109	return (false);
		110	}
		111
97	// Validate any credentials already included with this request	112	// Validate any credentials already included with this request
98	MessageBytes authorization =	113	MessageBytes authorization =
99	request.getCoyoteRequest().getMimeHeaders()	114	request.getCoyoteRequest().getMimeHeaders()

Lines 238-243 Link Here

(-)java/org/apache/catalina/authenticator/DigestAuthenticator.java (+15 lines)
238	}	238	}
239	*/	239	*/
240		240
		241	// If we are preauthenticated, run the authorization
		242	String remoteUser = (String)
		243	request.getCoyoteRequest().getAttribute(Constants.REQ_REMOTE_USER_NOTE);
		244	if (remoteUser != null) {
		245	if (log.isDebugEnabled())
		246	log.debug("Already authenticated '" + remoteUser + "', authorizing");
		247	principal = context.getRealm().authenticate(remoteUser);
		248	if (principal != null) {
		249	register(request, response, principal,
		250	HttpServletRequest.DIGEST_AUTH, remoteUser, null);
		251	return (true);
		252	}
		253	return (false);
		254	}
		255
241	// Validate any credentials already included with this request	256	// Validate any credentials already included with this request
242	String authorization = request.getHeader("authorization");	257	String authorization = request.getHeader("authorization");
243	DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),	258	DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),

Lines 416-421 Link Here

(-)java/org/apache/catalina/realm/RealmBase.java (+22 lines)
416		416
417		417
418	/**	418	/**
		419	* Return the Principal associated with the specified username, if there
		420	* is one; otherwise return <code>null</code>.
		421	*
		422	* @param username Username of the Principal to look up
		423	*/
		424	@Override
		425	public Principal authenticate(String username) {
		426
		427	if (username == null) {
		428	return null;
		429	}
		430
		431	if (containerLog.isTraceEnabled()) {
		432	containerLog.trace(sm.getString("realmBase.authenticateSuccess",
		433	username));
		434	}
		435
		436	return getPrincipal(username);
		437	}
		438
		439
		440	/**
419	* Return the Principal associated with the specified username and	441	* Return the Principal associated with the specified username and
420	* credentials, if there is one; otherwise return <code>null</code>.	442	* credentials, if there is one; otherwise return <code>null</code>.
421	*	443	*