Newer
Older
Patrick Dowler
committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
package org.astrogrid.security.delegation;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
/**
* A servlet-like device to response to HTTP requests to the delegation-list
* resource. This is like a servlet in that it works from servlet requests to
* responses but is not itself a servlet. The CSR responds to HTTP GET and POST.
*
* @author Guy Rixon
*/
public class DelegationListProcessor extends ResourceProcessor {
private static final Logger log = Logger.getLogger(DelegationListProcessor.class);
/**
* Responds to HTTP GET and POST requests.
* Other HTTP requests are rejected.
*/
@Override
public void service(HttpServletRequest request,
DelegationUri path,
HttpServletResponse response) throws IOException {
if (request.getMethod().equals("GET")) {
sendDelegationList(response);
}
else if (request.getMethod().equals("POST")) {
createIdentity(request, response);
}
else {
response.setHeader("Accept", "GET, POST");
response.sendError(response.SC_METHOD_NOT_ALLOWED);
}
}
/**
* Writes to the client a listing of the current known identities.
*/
private void sendDelegationList(HttpServletResponse response) throws IOException {
response.setContentType("text/plain");
PrintWriter out = response.getWriter();
Object[] principals = Delegations.getInstance().getPrincipals();
for (int i = 0; i < principals.length; i++) {
out.println(principals[i]);
}
out.close();
}
/**
* Creates a new identity. Creates the identity resource and its CSR and
* certificate children. Also creates the key-pair for the identity. Does
* not create the identity certificate: this is loaded later by the client.
*/
private void createIdentity(HttpServletRequest request,
HttpServletResponse response) throws IOException {
String hashKey = null;
try {
if (request.isSecure()) {
hashKey = createSecureIdentity(request);
log.info("Delegation is begun for " +
Delegations.getInstance().getName(hashKey) +
" (" + hashKey + "; authenticated).");
}
else {
hashKey = createInsecureIdentity(request);
log.info("Delegation is begun for " +
Delegations.getInstance().getName(hashKey) +
" (" + hashKey + "; unauthenticated).");
}
}
catch (AccessControlException ex) {
log.info("Delegation failed: " + ex.getMessage());
response.sendError(response.SC_BAD_REQUEST, ex.getMessage());
return;
}
catch (GeneralSecurityException ex) {
log.info("Delegation failed: " + ex.getMessage());
response.sendError(response.SC_INTERNAL_SERVER_ERROR, ex.getMessage());
return;
}
StringBuffer createdUri = request.getRequestURL();
createdUri.append('/');
createdUri.append(hashKey);
response.addHeader("Location", response.encodeRedirectURL(createdUri.toString()));
response.setStatus(response.SC_CREATED);
}
/**
* Creates a new identity from the principal authenticated by HTTPS.
*/
private String createSecureIdentity(HttpServletRequest request) throws IOException,
GeneralSecurityException {
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
if (principals.size() == 0) {
throw new AccessControlException("Delegation failed because the caller is not authenticated.");
}
else if (principals.size() > 1)
{
throw new AccessControlException("Delegation failed because caller autheticated with multiple certificates");
}
else {
return Delegations.getInstance().initializeIdentity(principals.iterator().next());
}
}
/**
* Creates a new identity from the distinguished name given as a parameter.
*/
private String createInsecureIdentity(HttpServletRequest request) throws IOException,
GeneralSecurityException {
String dn = request.getParameter("DN");
if (dn == null) {
throw new AccessControlException("No value was given for the DN parameter.");
}
return Delegations.getInstance().initializeIdentity(dn);
}
}