diff options
Diffstat (limited to 'jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/ClientCertAuthModule.java')
-rw-r--r-- | jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/ClientCertAuthModule.java | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/ClientCertAuthModule.java b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/ClientCertAuthModule.java new file mode 100644 index 0000000000..45750194b9 --- /dev/null +++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/ClientCertAuthModule.java @@ -0,0 +1,89 @@ +// ======================================================================== +// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== + +package org.eclipse.jetty.security.jaspi.modules; + +import java.io.IOException; +import java.security.Principal; + +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.message.AuthException; +import javax.security.auth.message.AuthStatus; +import javax.security.auth.message.MessageInfo; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.eclipse.jetty.http.security.B64Code; +import org.eclipse.jetty.http.security.Constraint; +import org.eclipse.jetty.http.security.Password; + +/** + * @deprecated use *ServerAuthentication + * @version $Rev: 4530 $ $Date: 2009-02-13 00:47:44 +0100 (Fri, 13 Feb 2009) $ + */ +public class ClientCertAuthModule extends BaseAuthModule +{ + + public ClientCertAuthModule() + { + } + + public ClientCertAuthModule(CallbackHandler callbackHandler) + { + super(callbackHandler); + } + + @Override + public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, + Subject serviceSubject) + throws AuthException + { + HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); + java.security.cert.X509Certificate[] certs = (java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); + + try + { + // Need certificates. + if (certs == null || certs.length == 0 || certs[0] == null) + { + response.sendError(HttpServletResponse.SC_FORBIDDEN, + "A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate)."); + return AuthStatus.SEND_FAILURE; + } + Principal principal = certs[0].getSubjectDN(); + if (principal == null) principal = certs[0].getIssuerDN(); + final String username = principal == null ? "clientcert" : principal.getName(); + // TODO no idea if this is correct + final String password = new String(B64Code.encode(certs[0].getSignature())); + + // TODO is cert_auth correct? + if (login(clientSubject, username, new Password(password), Constraint.__CERT_AUTH, messageInfo)) { return AuthStatus.SUCCESS; } + + if (!isMandatory(messageInfo)) { return AuthStatus.SUCCESS; } + response.sendError(HttpServletResponse.SC_FORBIDDEN, "The provided client certificate does not correspond to a trusted user."); + return AuthStatus.SEND_FAILURE; + } + catch (IOException e) + { + throw new AuthException(e.getMessage()); + } + catch (UnsupportedCallbackException e) + { + throw new AuthException(e.getMessage()); + } + + } +} |