Loading projects/cadcTomcat/Dependencies.txt +6 −6 Original line number Diff line number Diff line Loading 
@@ -3,8 +3,8 @@ JAR files required for the OpenCADC cadcTomcat project Name in build.xml Versioned Name Project URL ----------------- -------------- ----------- tomcat-coyote.jar http://tomcat.apache.org/ tomcat-util.jar http://tomcat.apache.org/ tomcat-http.jari http://tomcat.apache.org/ log4j.jar log4j-1.2.15 http://logging.apache.org/ cadcUtil.jar http://code.google.com/p/opencadc catalina.jar catalina-7.0.33.jar http://tomcat.apache.org/ tomcat-util.jar tomcat-util-7.0.33.jar http://tomcat.apache.org/ tomcat-juli.jar tomcat-juli-7.0.33.jar http://tomcat.apache.org/ tomcat-coyote.jar tomcat-coyote-7.0.33.jar http://tomcat.apache.org/ cadcUtil http://code.google.com/p/opencadc/source/checkout No newline at end of file projects/cadcTomcat/README-REALM 0 → 100644 +16 −0 Original line number Diff line number Diff line =============================================================================== REALM README file for opencadc project cadcTomcat. This project contains plugins to apache tomcat for x509 client certificates and custom authentication realms. To use this plugin, add the following line to the <Host> element (within the <Service> element) in the tomcat 7 server.xml file: <Realm className="ca.nrc.cadc.tomcat.CadcBasicAuthenticator" /> =============================================================================== projects/cadcTomcat/README-SSL 0 → 100644 +116 −0 Original line number Diff line number Diff line =============================================================================== SSL README file for opencadc project cadcTomcat. cadcTomcat is a custom custom trust management implementation for apache tomcat (version 7) that overrides the default tomcat trust behaviour by adding trust to valid proxy certificates. =============================================================================== cadcTomcat Installation Steps: 1. Create / identify keystore file (serves as server identity) 2. 
Create / identify truststore file (list of CAs that server trusts) 3. Checkout cadcTomcat source and build 4. Include cadcTomcat.jar in $CATALINA_HOME/server/lib 5. Configure server.xml to use custom trust store Step 1: Create / identify keystore file (serves as server identity) =============================================================================== Steps to create a development version of a keystore file. Notes: - Common name (first & last name) must be the fully qualified name of the server. - Keystore password MUST match key password (only hit enter on last step) - Record name/location of keystore and password for use in Step 5. > keytool -keystore $KEYSTORE_DIR/tomcatkeystore.ks --genkey -alias tomcat Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: server.cadc.nrc.ca What is the name of your organizational unit? [Unknown]: CADC What is the name of your organization? [Unknown]: NRC What is the name of your City or Locality? [Unknown]: Victoria What is the name of your State or Province? [Unknown]: British Columbia What is the two-letter country code for this unit? [Unknown]: CA Is CN=server.cadc.nrc.ca OU=CADC, O=NRC, L=Victoria, ST=British Columbia, C=CA correct? [no]: yes Enter key password for <tomcat> (RETURN if same as keystore password): Step 2: Create / identify truststore file (list of CAs that server trusts) =============================================================================== Steps to create a development version of a truststore file. Notes: - Only one truststore file can be used. This means that the common list of CAs needs to be merged with any internal CAs. - The common list of java trusted CAs is: $JAVA_HOME/jre/lib/security/cacerts - Note the location / name of the truststore file. The password is 'changeit'. 
If no internal CAs need to be identified, then the default java trust store file can be used: $JAVA_HOME/jre/lib/security/cacerts Otherwise, follow these steps to combine the common set of CAs with internal CAs: > cp $JAVA_HOME/jre/lib/security/cacerts $KEYSTORE_DIR/tomcattruststore.ks > chmod 664 $KEYSTORE_DIR/tomcattruststore.ks > keytool -import -alias root -keystore $KEYSTORE_DIR/tomcattruststore.ks -trustcacerts -file <path to internal CA public key file .crt> Repeat the third command for each internal CA that needs importing. Step 3: Checkout cadcTomcat source and build =============================================================================== > svn checkout http://opencadc.googlecode.com/svn/trunk/projects/cadcTomcat $WORK_DIR/cadcTomcat > ant clean build Step 4: Include cadcTomcat.jar in $CATALINA_HOME/server/lib =============================================================================== > ln -s $WORK_DIR/cadcTomcat/build/lib/cadcTomcat.jar $CATALINA_HOME/server/lib/cadcTomcat.jar Step 5: Configure tomcat's conf/server.xml to use custom trust store =============================================================================== Add a connector in tomcat's server.xml file. Relevant elements are: keyStoreFile - Points to the created / identified keystore keystorePass - The keystore password truststoreFile - Points to the created / identified truststore truststorePass - The truststore password SSLImplementation - The CADC Custom implementation of TrustManagers that accepts proxy certificates (default tomcat trust manager does not.) 
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="600" scheme="https" secure="true" SSLEnabled="true" keystoreFile="$KEYSTORE_DIR/tomcatkeystore.ks" keystorePass="changeit" keyAlias="tomcat" clientAuth="true" truststoreFile="$KEYSTORE_DIR/tomcattruststore.ks" truststorePass="changeit" truststoreType="JKS" sslProtocol="TLS" SSLImplementation="ca.nrc.cadc.auth.CadcSSLImplementation"/> (Note that the environment variables cannot be used in server.xml in this way.) No newline at end of file projects/cadcTomcat/build.xml +123 −32 Original line number Diff line number Diff line <!DOCTYPE project> <project default="build" basedir="."> <!--*+ <!-- ************************************************************************ **** C A N A D I A N A S T R O N O M Y D A T A C E N T R E ***** ******************* CANADIAN ASTRONOMY DATA CENTRE ******************* ************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES ************** * * (c) 2009. (c) 2009. * Government of Canada Gouvernement du Canada * National Research Council Conseil national de recherches * Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6 * All rights reserved Tous droits réservés * * NRC disclaims any warranties, Le CNRC dénie toute garantie * expressed, implied, or énoncée, implicite ou légale, * statutory, of any kind with de quelque nature que ce * respect to the software, soit, concernant le logiciel, * including without limitation y compris sans restriction * any warranty of merchantability toute garantie de valeur * or fitness for a particular marchande ou de pertinence * purpose. NRC shall not be pour un usage particulier. * liable in any event for any Le CNRC ne pourra en aucun cas * damages, whether direct or être tenu responsable de tout * indirect, special or general, dommage, direct ou indirect, * consequential or incidental, particulier ou général, * arising from the use of the accessoire ou fortuit, résultant * software. 
Neither the name de l'utilisation du logiciel. Ni * of the National Research le nom du Conseil National de * Council of Canada nor the Recherches du Canada ni les noms * names of its contributors may de ses participants ne peuvent * be used to endorse or promote être utilisés pour approuver ou * products derived from this promouvoir les produits dérivés * software without specific prior de ce logiciel sans autorisation * written permission. préalable et particulière * par écrit. * * System Name: build.xml * This file is part of the Ce fichier fait partie du projet * OpenCADC project. OpenCADC. * * Purpose: * Over-ride default ant behaviour. * OpenCADC is free software: OpenCADC est un logiciel libre ; * you can redistribute it and/or vous pouvez le redistribuer ou le * modify it under the terms of modifier suivant les termes de * the GNU Affero General Public la “GNU Affero General Public * License as published by the License” telle que publiée * Free Software Foundation, par la Free Software Foundation * either version 3 of the : soit la version 3 de cette * License, or (at your option) licence, soit (à votre gré) * any later version. toute version ultérieure. * * Date : Nov 5, 2009 * OpenCADC is distributed in the OpenCADC est distribué * hope that it will be useful, dans l’espoir qu’il vous * but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE * without even the implied GARANTIE : sans même la garantie * warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ * or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF * PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence * General Public License for Générale Publique GNU Affero * more details. pour plus de détails. * * You should have received Vous devriez avoir reçu une * a copy of the GNU Affero copie de la Licence Générale * General Public License along Publique GNU Affero avec * with OpenCADC. If not, see OpenCADC ; si ce n’est * <http://www.gnu.org/licenses/>. 
pas le cas, consultez : * <http://www.gnu.org/licenses/>. * * $Revision: 4 $ * **** C A N A D I A N A S T R O N O M Y D A T A C E N T R E ***** ************************************************************************ *--> --> <project default="build" basedir="."> <property environment="env"/> <property file="local.build.properties" /> <property file="${env.A}/compilers/setup.ant.java.properties" /> <import file="${env.A}/compilers/setup.ant.java.targets.xml"/> <!-- site-specific build properties or overrides of values in opencadc.properties --> <property file="${env.CADC_PREFIX}/etc/local.properties" /> <!-- site-specific targets, e.g. install, cannot duplicate those in opencadc.targets.xml --> <import file="${env.CADC_PREFIX}/etc/local.targets.xml" optional="true" /> <!-- default properties and targets --> <property file="${env.CADC_PREFIX}/etc/opencadc.properties" /> <import file="${env.CADC_PREFIX}/etc/opencadc.targets.xml"/> <property name="project" value="cadcTomcat" /> <property name="cadcUtil" value="${lib}/cadcUtil.jar"/> <property name="log4j" value="${ext.lib}/log4j.jar"/> <property name="tomcat-coyote" value="${env.CATALINA_HOME}/server/lib/tomcat-coyote.jar"/> <property name="tomcat-util" value="${env.CATALINA_HOME}/server/lib/tomcat-util.jar"/> <property name="tomcat-http" value="${env.CATALINA_HOME}/server/lib/tomcat-http.jar"/> <!-- developer convenience: place for extra targets and properties --> <import file="extras.xml" optional="true" /> <!-- JAR files to be included in classpath for compilation --> <property name="jars" value="${cadcUtil}:${log4j}:${tomcat-coyote}:${tomcat-util}:${tomcat-http}" /> <property name="cadc" value="${lib}/cadcUtil.jar" /> <property name="log4j" value="${ext.lib}/log4j.jar" /> <property name="tomcat" value="${ext.lib}/catalina.jar:${ext.lib}/tomcat-util.jar:${ext.lib}/tomcat-coyote.jar" /> <property name="jars" value="${cadc}:${log4j}:${tomcat}" /> <target name="build" depends="compile"> <target name="build" 
depends="simpleJar" /> <jar jarfile="${build}/lib/${project}.jar" <target name="test-resources"> <copy todir="${build}/class"> <fileset dir="src/resources"> <include name="**.properties" /> </fileset> </copy> <jar jarfile="${build}/tmp/test.jar" basedir="${build}/class" update="no"> <include name="ca/nrc/cadc/**" /> <zipfileset includes="**/*.class" src="${cadcUtil}"/> <exclude name="**Test**" /> <include name="ca/nrc/cadc/reg/client/**" /> <include name="**.properties" /> </jar> </target> <!-- JAR files needed to run the test suite --> <property name="dev.junit" value="${ext.dev}/junit.jar" /> <property name="servlet" value="${ext.lib}/servlet-api.jar" /> <property name="log" value="${ext.lib}/commons-logging.jar" /> <property name="juli" value="${ext.lib}/tomcat-juli.jar" /> <property name="tomcatUtil" value="${ext.lib}/tomcat-util.jar" /> <property name="test" value="${build}/tmp/test.jar" /> <property name="testingJars" value="${dev.junit}:${servlet}:${log}:${juli}:${tomcatUtil}:${test}" /> <!-- Run the test suite --> <target name="test" depends="compile-test,test-resources"> <echo message="Running test" /> <!-- Run the junit test suite --> <echo message="Running test suite..." /> <junit printsummary="yes" haltonfailure="yes" fork="yes"> <classpath> <pathelement path="${build}/test/class" /> <pathelement path="${build}/class" /> <pathelement path="${jars}:${testingJars}" /> </classpath> <test name="ca.nrc.cadc.tomcat.CadcBasicAuthenticatorTest"/> <test name="ca.nrc.cadc.tomcat.RealmRegistryClientTest"/> <formatter type="plain" usefile="false"/> </junit> </target> </project> projects/cadcTomcat/src/ca/nrc/cadc/tomcat/CadcBasicAuthenticator.java 0 → 100644 +216 −0 Original line number Diff line number Diff line /* ************************************************************************ ******************* CANADIAN ASTRONOMY DATA CENTRE ******************* ************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES ************** * * (c) 2015. (c) 2015. 
* Government of Canada Gouvernement du Canada * National Research Council Conseil national de recherches * Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6 * All rights reserved Tous droits réservés * * NRC disclaims any warranties, Le CNRC dénie toute garantie * expressed, implied, or énoncée, implicite ou légale, * statutory, of any kind with de quelque nature que ce * respect to the software, soit, concernant le logiciel, * including without limitation y compris sans restriction * any warranty of merchantability toute garantie de valeur * or fitness for a particular marchande ou de pertinence * purpose. NRC shall not be pour un usage particulier. * liable in any event for any Le CNRC ne pourra en aucun cas * damages, whether direct or être tenu responsable de tout * indirect, special or general, dommage, direct ou indirect, * consequential or incidental, particulier ou général, * arising from the use of the accessoire ou fortuit, résultant * software. Neither the name de l'utilisation du logiciel. Ni * of the National Research le nom du Conseil National de * Council of Canada nor the Recherches du Canada ni les noms * names of its contributors may de ses participants ne peuvent * be used to endorse or promote être utilisés pour approuver ou * products derived from this promouvoir les produits dérivés * software without specific prior de ce logiciel sans autorisation * written permission. préalable et particulière * par écrit. * * This file is part of the Ce fichier fait partie du projet * OpenCADC project. OpenCADC. 
* * OpenCADC is free software: OpenCADC est un logiciel libre ; * you can redistribute it and/or vous pouvez le redistribuer ou le * modify it under the terms of modifier suivant les termes de * the GNU Affero General Public la “GNU Affero General Public * License as published by the License” telle que publiée * Free Software Foundation, par la Free Software Foundation * either version 3 of the : soit la version 3 de cette * License, or (at your option) licence, soit (à votre gré) * any later version. toute version ultérieure. * * OpenCADC is distributed in the OpenCADC est distribué * hope that it will be useful, dans l’espoir qu’il vous * but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE * without even the implied GARANTIE : sans même la garantie * warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ * or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF * PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence * General Public License for Générale Publique GNU Affero * more details. pour plus de détails. * * You should have received Vous devriez avoir reçu une * a copy of the GNU Affero copie de la Licence Générale * General Public License along Publique GNU Affero avec * with OpenCADC. If not, see OpenCADC ; si ce n’est * <http://www.gnu.org/licenses/>. pas le cas, consultez : * <http://www.gnu.org/licenses/>. * * $Revision: 5 $ * ************************************************************************ */ package ca.nrc.cadc.tomcat; import java.io.IOException; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.security.Principal; import java.util.Arrays; import java.util.List; import org.apache.catalina.realm.GenericPrincipal; import org.apache.catalina.realm.RealmBase; import org.apache.log4j.Level; import org.apache.log4j.Logger; /** * Custom class for Tomcat realm authentication. 
* * This class was written against the Apache Tomcat 7 (7.0.33.0) API * * Authentication checks are performed as REST calls to servers * implementing the cadcAccessControl-Server code. * * @author majorb */ public class CadcBasicAuthenticator extends RealmBase { private static Logger log = Logger.getLogger(CadcBasicAuthenticator.class); private static final String AC_URI = "ivo://cadc.nrc.ca/canfargms"; static { RealmUtil.initLogging(); Logger.getLogger("ca.nrc.cadc.tomcat").setLevel(Level.INFO); } @Override protected String getName() { // not used return this.getClass().getSimpleName(); } @Override protected String getPassword(final String username) { // not used return null; } @Override protected Principal getPrincipal(final String username) { // not used return null; } @Override public Principal authenticate(String username, String credentials) { long start = System.currentTimeMillis(); boolean success = true; try { boolean valid = login(username, credentials); if (valid) { // authentication ok, add public role List<String> roles = Arrays.asList("public"); // Don't want to return the password here in the principal // in case it makes it into the servlet somehow return new GenericPrincipal(username, null, roles); } return null; } catch (Throwable t) { success = false; String message = "Could not do http basic authentication: " + t.getMessage(); log.error(message, t); throw new IllegalStateException(message, t); } finally { long duration = System.currentTimeMillis() - start; StringBuilder json = new StringBuilder(); json.append("{"); json.append("\"method\":\"AUTH\","); json.append("\"user\":\"" + username + "\","); json.append("\"success\":" + success + ","); json.append("\"time\":" + duration); json.append("}"); log.info(json.toString()); } } boolean login(String username, String credentials) throws URISyntaxException, IOException { RealmRegistryClient registryClient = new RealmRegistryClient(); URL loginURL = registryClient.getServiceURL( new URI(AC_URI), 
"http", "/login"); String post = "username=" + username + "&password=" + credentials; HttpURLConnection conn = (HttpURLConnection) loginURL.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); byte[] postData = post.getBytes("UTF-8"); conn.getOutputStream().write(postData); int responseCode = conn.getResponseCode(); log.debug("Http POST to /ac/login returned " + responseCode + " for user " + username); if (responseCode != 200) { // authentication not ok if (responseCode != 401) { // not an unauthorized, so log the // possible server side error String errorMessage = "Error calling /ac/login, error code: " + responseCode; throw new IllegalStateException(errorMessage); } // authentication simply failed return false; } return true; } } No newline at end of file Loading
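Review bot: the updated Dependencies.txt table still leaves the Versioned Name column empty for the cadcUtil row while every Tomcat jar is pinned to 7.0.33; record the cadcUtil version (or the checkout revision) so the listed versions can be compared against a deployed build. Since CadcBasicAuthenticator is documented as written against the 7.0.33.0 API, add a sentence stating that catalina.jar, tomcat-util.jar, tomcat-juli.jar and tomcat-coyote.jar must come from the same Tomcat release as the one the realm is deployed into.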
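Review bot: the placement instruction in README-REALM is imprecise: in a Tomcat 7 server.xml the `<Host>` element sits inside `<Engine>`, which sits inside `<Service>`, so "add the following line to the <Host> element (within the <Service> element)" should read "(within the <Engine> element)". It would also help operators to state what the realm does on success: every user whose credentials are accepted receives only the "public" role (see the authenticate method in CadcBasicAuthenticator), so web.xml security constraints must be written against that role name.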
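Review bot: in README-SSL Step 2 sets the truststore to mode 664 (`chmod 664 $KEYSTORE_DIR/tomcattruststore.ks`), which makes the list of trusted CAs group-writable; anyone in that group could import an additional CA, so 644 (or 600, owned by the Tomcat user) is the safer recommendation. In Step 5 the example connector ships with keystorePass="changeit" and truststorePass="changeit" right after Step 1 told the reader to record their own password; use a placeholder there and note that conf/server.xml holds these passwords in cleartext and needs restrictive permissions. clientAuth="true" makes the connector reject any TLS handshake that does not present a client certificate, so users who are meant to log in with HTTP BASIC through the realm in README-REALM could not connect on this port; clientAuth="want" is the usual setting when both are served from one connector. Minor: "custom custom" is duplicated, the element list says keyStoreFile but the attribute is keystoreFile, and keytool documents its option as -genkey (single dash), so confirm that --genkey is accepted by the JDK in use.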
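Review bot: as rendered, the build.xml hunk shows `<project default="build" basedir=".">` twice and a license comment opened with both `<!--*+` and `<!--` and closed with `*-->` `-->`; a comment may not contain `--` or a nested `<!--`, and a second root element is not well-formed XML, so confirm that only one opening tag and one comment form survive in the committed file. The same applies to the two `<property name="log4j" ... />` and two `<property name="jars" ... />` definitions and the pair `<target name="build" depends="compile">` / `<target name="build" depends="simpleJar" />`: Ant properties are immutable, so whichever `jars` definition comes first silently decides the compile classpath. The test target also echoes "Running test" and then "Running test suite..."; one message is enough.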
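Review bot: the audit log in authenticate() records a rejected password as a success: `success` starts as true and is only set to false in the catch block, so when login() returns false the finally block still writes "success":true. Assign success = valid before returning null, otherwise the log line cannot be used to spot password guessing. In login(), the body `"username=" + username + "&password=" + credentials` is built without URL encoding, so a credential containing &, =, % or + is split or decoded differently by the /login endpoint; encode both values with URLEncoder.encode(value, "UTF-8"). The service URL is requested with the "http" scheme, which sends the password in cleartext unless the registry happens to return an https endpoint; ask for "https" explicitly. The same unescaped username is concatenated into the JSON log line (`"\"user\":\"" + username + "\","`), so a quote or backslash in the username corrupts the record for anything parsing the log. No connect or read timeout is set on the HttpURLConnection and the output stream is never closed, so an unresponsive access-control service ties up Tomcat request threads indefinitely. Smaller points: the debug and error messages name /ac/login while the code calls "/login", and java.net.MalformedURLException is imported but unused.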
* * This class was written against the Apache Tomcat 7 (7.0.33.0) API * * Authentication checks are performed as REST calls to servers * implementing the cadcAccessControl-Server code. * * @author majorb */ public class CadcBasicAuthenticator extends RealmBase { private static Logger log = Logger.getLogger(CadcBasicAuthenticator.class); private static final String AC_URI = "ivo://cadc.nrc.ca/canfargms"; static { RealmUtil.initLogging(); Logger.getLogger("ca.nrc.cadc.tomcat").setLevel(Level.INFO); } @Override protected String getName() { // not used return this.getClass().getSimpleName(); } @Override protected String getPassword(final String username) { // not used return null; } @Override protected Principal getPrincipal(final String username) { // not used return null; } @Override public Principal authenticate(String username, String credentials) { long start = System.currentTimeMillis(); boolean success = true; try { boolean valid = login(username, credentials); if (valid) { // authentication ok, add public role List<String> roles = Arrays.asList("public"); // Don't want to return the password here in the principal // in case it makes it into the servlet somehow return new GenericPrincipal(username, null, roles); } return null; } catch (Throwable t) { success = false; String message = "Could not do http basic authentication: " + t.getMessage(); log.error(message, t); throw new IllegalStateException(message, t); } finally { long duration = System.currentTimeMillis() - start; StringBuilder json = new StringBuilder(); json.append("{"); json.append("\"method\":\"AUTH\","); json.append("\"user\":\"" + username + "\","); json.append("\"success\":" + success + ","); json.append("\"time\":" + duration); json.append("}"); log.info(json.toString()); } } boolean login(String username, String credentials) throws URISyntaxException, IOException { RealmRegistryClient registryClient = new RealmRegistryClient(); URL loginURL = registryClient.getServiceURL( new URI(AC_URI), 
"http", "/login"); String post = "username=" + username + "&password=" + credentials; HttpURLConnection conn = (HttpURLConnection) loginURL.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); byte[] postData = post.getBytes("UTF-8"); conn.getOutputStream().write(postData); int responseCode = conn.getResponseCode(); log.debug("Http POST to /ac/login returned " + responseCode + " for user " + username); if (responseCode != 200) { // authentication not ok if (responseCode != 401) { // not an unauthorized, so log the // possible server side error String errorMessage = "Error calling /ac/login, error code: " + responseCode; throw new IllegalStateException(errorMessage); } // authentication simply failed return false; } return true; } } No newline at end of file
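Review bot: `login()` resolves the `"http"` endpoint of `/login` from the registry and POSTs `"username=" + username + "&password=" + credentials` to it without any encoding, so the password travels in clear text and a username or password containing `&`, `=` or `%` is parsed wrongly on the server (and can overwrite the other field); request the `https` URL instead and build the body with `URLEncoder.encode(username, "UTF-8")` and `URLEncoder.encode(credentials, "UTF-8")`. In the same method, `conn` gets no connect or read timeout and the stream from `conn.getOutputStream()` is never closed, so a stalled `/login` service pins the Tomcat request thread for the duration of the authentication; set `conn.setConnectTimeout(...)` / `conn.setReadTimeout(...)` and close the stream in a `finally`. In `authenticate()`, the audit record is assembled by concatenating the raw `username` into `json.append("\"user\":\"" + username + "\",")`, so a quote or backslash in the name corrupts the JSON line; escape it (or log the fields separately). Finally, `catch (Throwable t)` rethrows every failure as `IllegalStateException`, including the `IllegalStateException` thrown for any `/login` status other than 200 or 401 (a 403 or a redirect included), which surfaces as a 500 rather than a clean authentication failure; the class Javadoc should state that this is the intended fail-closed behaviour, or the method should log and return null.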