[Pki-devel] [PATCH] 648 Fixed user search in PasswdUserDBAuthentication.

Endi Sukma Dewata edewata at redhat.com
Thu Oct 1 22:37:31 UTC 2015


The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.

https://fedorahosted.org/pki/ticket/1580

-- 
Endi S. Dewata
-------------- next part --------------
From eaaa0ea486b5fbb9b92515b03c173bf8d835e119 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 2 Oct 2015 00:09:36 +0200
Subject: [PATCH] Fixed user search in PasswdUserDBAuthentication.

The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.

https://fedorahosted.org/pki/ticket/1580
---
 .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 33 +++------
 .../server/rest/SessionContextInterceptor.java     | 10 +++
 .../authentication/PasswdUserDBAuthentication.java | 80 ++++++++--------------
 3 files changed, 50 insertions(+), 73 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index 73fae47fdfbd312227f763094cc08ddfa616627c..1933601db6640126ee43e1487d213a091a471869 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -6,8 +6,6 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
 
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.catalina.realm.RealmBase;
 import org.apache.commons.lang.StringUtils;
 
@@ -25,6 +23,8 @@ import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cms.servlet.common.AuthCredentials;
 
+import netscape.security.x509.X509CertImpl;
+
 /**
  *  PKI Realm
  *
@@ -47,7 +47,7 @@ public class PKIRealm extends RealmBase {
 
     @Override
     public Principal authenticate(String username, String password) {
-        logDebug("Authenticating username "+username+" with password.");
+        CMS.debug("PKIRealm: Authenticating user " + username + " with password.");
         String auditMessage = null;
         String auditSubjectID = ILogger.UNIDENTIFIED;
         String attemptedAuditUID = username;
@@ -61,7 +61,7 @@ public class PKIRealm extends RealmBase {
             creds.set(IPasswdUserDBAuthentication.CRED_PWD, password);
 
             IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
-            authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+            authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
             auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 
             // store a message in the signed audit log file
@@ -91,7 +91,7 @@ public class PKIRealm extends RealmBase {
 
     @Override
     public Principal authenticate(final X509Certificate certs[]) {
-        logDebug("Authenticating certificate chain:");
+        CMS.debug("PKIRealm: Authenticating certificate chain:");
 
         String auditMessage = null;
         // get the cert from the ssl client auth
@@ -105,7 +105,7 @@ public class PKIRealm extends RealmBase {
             X509CertImpl certImpls[] = new X509CertImpl[certs.length];
             for (int i=0; i<certs.length; i++) {
                 X509Certificate cert = certs[i];
-                logDebug("  "+cert.getSubjectDN());
+                CMS.debug("PKIRealm:   " + cert.getSubjectDN());
 
                 // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl
                 certImpls[i] = new X509CertImpl(cert.getEncoded());
@@ -123,7 +123,7 @@ public class PKIRealm extends RealmBase {
             // reset it to the one authenticated with authManager
             auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 
-            logDebug("User ID: "+username);
+            CMS.debug("PKIRealm: User ID: " + username);
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
                         LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
@@ -181,7 +181,7 @@ public class PKIRealm extends RealmBase {
     protected IUser getUser(String username) throws EUsrGrpException {
         IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
         IUser user = ugSub.getUser(username);
-        logDebug("User DN: "+user.getUserDN());
+        CMS.debug("PKIRealm: User DN: " + user.getUserDN());
         return user;
     }
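Review bot: `user.getUserDN()` on the new debug line dereferences the result of `ugSub.getUser(username)` without a null check, so an unknown username surfaces as a NullPointerException from getUser rather than a clean "not found" outcome; the PasswdUserDBAuthentication hunk in this same patch guards the equivalent `ug.getUser(uid)` call with `if (user == null)`, which suggests null is a possible return here too. A guard such as `if (user == null) { CMS.debug("PKIRealm: User not found: " + username); return null; }` before the debug line would keep the two call sites consistent, assuming getUser's callers in this class tolerate a null return (not visible in the hunk).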
 
@@ -192,12 +192,12 @@ public class PKIRealm extends RealmBase {
         IUGSubsystem ugSub = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
         Enumeration<IGroup> groups = ugSub.findGroupsByUser(user.getUserDN(), null);
 
-        logDebug("Roles:");
+        CMS.debug("PKIRealm: Roles:");
         while (groups.hasMoreElements()) {
             IGroup group = groups.nextElement();
 
             String name = group.getName();
-            logDebug("  "+name);
+            CMS.debug("PKIRealm:   " + name);
             roles.add(name);
         }
 
@@ -209,19 +209,6 @@ public class PKIRealm extends RealmBase {
         return null;
     }
 
-    /*
-     * TODO: Figure out how to do real logging
-     */
-    public void logErr(String msg) {
-        System.err.println(msg);
-        CMS.debug("PKIRealm.logErr: " + msg);
-    }
-
-    public void logDebug(String msg) {
-        System.out.println("PKIRealm: "+msg);
-        CMS.debug("PKIRealm.logDebug: " + msg);
-    }
-
     /**
      * Signed Audit Log
      *
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
index bae25b66018b3cbebdc235b4328bbde89836e49b..b6461abfdee36ea4eeba4d07da815482b02712ba 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -18,6 +18,7 @@
 package org.dogtagpki.server.rest;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.security.Principal;
 import java.util.Locale;
 
@@ -28,6 +29,8 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
 
+import org.jboss.resteasy.core.ResourceMethodInvoker;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
@@ -59,6 +62,13 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
 
+        ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext
+                .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
+        Method method = methodInvoker.getMethod();
+        Class<?> clazz = methodInvoker.getResourceClass();
+
+        CMS.debug("SessionContextInterceptor: " + clazz.getSimpleName() + "." + method.getName() + "()");
+
         Principal principal = securityContext.getUserPrincipal();
 
         // If unauthenticated, ignore.
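Review bot: The added lookup casts and dereferences `requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker")` with no null check, and it runs before the principal check, so any request for which RESTEasy has not set that property would fail with a NullPointerException (a 500) purely to emit a debug line. Since the value is only used for logging, guard it and fall through to the existing authentication logic when it is absent; the body of filter() continues outside the hunk.
```java
Object invoker = requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
if (invoker instanceof ResourceMethodInvoker) {
    ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) invoker;
    CMS.debug("SessionContextInterceptor: " + methodInvoker.getResourceClass().getSimpleName()
            + "." + methodInvoker.getMethod().getName() + "()");
}
// … unchanged: principal lookup and the rest of filter() …
```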
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
index 692dc49d62b85b3db03bd3f46059d4f94072223b..07092aa07dda39fbed88bba748ddc960b81c3a61 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java
@@ -17,12 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cmscore.authentication;
 
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.EInvalidCredentials;
@@ -38,10 +32,11 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IUser;
 import com.netscape.cmscore.dbs.DBSubsystem;
 import com.netscape.cmscore.ldapconn.LdapAnonConnFactory;
-import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.usrgrp.UGSubsystem;
-import com.netscape.cmscore.util.Debug;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
 
 /**
  * Certificate Server admin authentication.
@@ -64,8 +59,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
     private String mName = null;
     private String mImplName = null;
     private IConfigStore mConfig;
-    private String mBaseDN = null;
-    private LdapBoundConnFactory mConnFactory = null;
     private LdapAnonConnFactory mAnonConnFactory = null;
     private ILogger mLogger = CMS.getLogger();
 
@@ -94,8 +87,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
         if (ldapinfo == null && CMS.isPreOpMode())
             return;
 
-        mBaseDN = dbs.getBaseDN();
-        mConnFactory = new LdapBoundConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo, dbs.getLdapAuthInfo());
         mAnonConnFactory = new LdapAnonConnFactory("PasswdUserDBAuthentication", 3, 20, ldapinfo);
 
         log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_AUTH_INIT_AUTH", mName));
@@ -124,76 +115,66 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
 
         // make sure the required credentials are provided
         String uid = (String) authCred.get(CRED_UID);
-        CMS.debug("Authentication: UID=" + uid);
+        CMS.debug("PasswdUserDBAuthentication: UID: " + uid);
         if (uid == null) {
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_MISSING_UID"));
             throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_UID));
         }
+
         String pwd = (String) authCred.get(CRED_PWD);
-
         if (pwd == null) {
             log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NULL_PW", uid));
             throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_PWD));
         }
+
         // don't allow anonymous binding
         if (pwd == "") {
             log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_EMPTY_PW", uid));
             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
         }
 
-        String userdn = null;
-        LDAPConnection conn = null;
+        UGSubsystem ug = UGSubsystem.getInstance();
+        IUser user;
+
+        try {
+            user = ug.getUser(uid);
+        } catch (EBaseException e) {
+            CMS.debug(e);
+            // not a user in our user/group database.
+            log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
+            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
+        }
+
+        if (user == null) {
+            CMS.debug("PasswdUserDBAuthentication: User not found: " + uid);
+            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
+                    "Failure in User Group subsystem."));
+        }
+
+        String userdn = user.getUserDN();
+        CMS.debug("PasswdUserDBAuthentication: DN: " + userdn);
+
         LDAPConnection anonConn = null;
 
         try {
-            conn = mConnFactory.getConn();
-            // do anonymous search for the user's dn.
-            LDAPSearchResults res = conn.search(mBaseDN,
-                    LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", null, false);
-
-            if (res.hasMoreElements()) {
-                LDAPEntry entry = (LDAPEntry) res.nextElement();
-
-                userdn = entry.getDN();
-            }
-            if (userdn == null) {
-                log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_ADMIN_NOT_FOUND", uid));
-                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-            }
             anonConn = mAnonConnFactory.getConn();
             anonConn.authenticate(userdn, pwd);
+
         } catch (LDAPException e) {
             log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_AUTH_FAILED", uid, e.toString()));
             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
         } finally {
-            if (conn != null)
-                mConnFactory.returnConn(conn);
             if (anonConn != null)
                 mAnonConnFactory.returnConn(anonConn);
         }
 
-        UGSubsystem ug = UGSubsystem.getInstance();
-
         authToken.set(TOKEN_USERDN, userdn);
         authToken.set(CRED_UID, uid); // return original uid for info
 
-        IUser user = null;
-
-        try {
-            user = ug.getUser(uid);
-        } catch (EBaseException e) {
-            if (Debug.ON)
-                e.printStackTrace();
-            // not a user in our user/group database.
-            log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSCORE_AUTH_UID_NOT_FOUND", uid, e.toString()));
-            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + " " + e.getMessage());
-        }
-        if (user == null) {
-            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR",
-                    "Failure in User Group subsystem."));
-        }
         authToken.set(TOKEN_USERDN, user.getUserDN());
         authToken.set(TOKEN_USERID, user.getUserID());
+
         log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", uid));
 
         return authToken;
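Review bot: The new bind path `anonConn.authenticate(userdn, pwd)` still relies on the unchanged guard `if (pwd == "")`, which compares by reference; an empty string that is not the interned literal passes it, and an LDAP simple bind with an empty password is typically treated as an unauthenticated (anonymous) bind rather than a failure, so the guard should read `if (pwd.isEmpty())`. The enclosing authenticate() starts outside the hunk. Separately, `authToken.set(TOKEN_USERDN, userdn)` and the later `authToken.set(TOKEN_USERDN, user.getUserDN())` now store the same value, so one of the two lines can be dropped. The user-lookup failure path also appends `e.getMessage()` to the EInvalidCredentials message while the bad-password path returns only the generic message, which makes "unknown user" distinguishable from "wrong password" to the caller; using the same generic message for both keeps the failures indistinguishable.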
@@ -241,7 +222,6 @@ public class PasswdUserDBAuthentication implements IAuthManager, IPasswdUserDBAu
     public void shutdown() {
         try {
             // disconnect all outstanding connections in the factory
-            if (mConnFactory != null) mConnFactory.reset();
             if (mAnonConnFactory != null) mAnonConnFactory.reset();
         } catch (ELdapException e) {
             log(ILogger.LL_FAILURE, e.toString());
-- 
2.4.3


