From 8270ef0b8861bfc6d7a4e5bbe4e6125a221d0680 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 22 Jul 2013 08:50:03 -0400
Subject: [PATCH 0/6] Storing authentication info in session.
The authenticator configuration has been modified to store the authentication
info in the session so it can be used by the servlets. An upgrade script has
been added to update the configuration in existing instances.
The SSLAuthenticatorWithFallback was modified to propagate the configuration
to the actual authenticator handling the request.
---
base/ca/shared/webapps/ca/META-INF/context.xml | 4 +-
.../cms/tomcat/SSLAuthenticatorWithFallback.java | 5 ++
base/kra/shared/webapps/kra/META-INF/context.xml | 4 +-
base/ocsp/shared/webapps/ocsp/META-INF/context.xml | 4 +-
base/server/upgrade/10.0.4/.gitignore | 4 ++
.../upgrade/10.0.5/01-EnableSessionInAuthenticator | 69 ++++++++++++++++++++++
base/tks/shared/webapps/tks/META-INF/context.xml | 4 +-
7 files changed, 90 insertions(+), 4 deletions(-)
create mode 100644 base/server/upgrade/10.0.4/.gitignore
create mode 100755 base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
diff --git a/base/ca/shared/webapps/ca/META-INF/context.xml b/base/ca/shared/webapps/ca/META-INF/context.xml
index 032fd14..e838503 100644
--- a/base/ca/shared/webapps/ca/META-INF/context.xml
+++ b/base/ca/shared/webapps/ca/META-INF/context.xml
@@ -28,7 +28,9 @@
secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
<Realm className="com.netscape.cms.tomcat.ProxyRealm" />
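Review bot: With `alwaysUseSession="true"` the principal established from the client certificate is kept in the servlet session, so the session cookie becomes the effective credential for the rest of that session, and nothing in this hunk shows the cookie or session settings that decision now depends on. It is worth confirming in the same `<Context>` that `useHttpOnly` remains enabled and that the webapp's session timeout is set deliberately, since a leaked cookie now stands in for the certificate until the session expires. The identical change is made in the kra, ocsp and tks context.xml hunks. Note also that the first context line and the removed line are textually identical, so the hunk alone does not show which of two similar stanzas was edited; a look at the full file would settle that.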
diff --git a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index d1b3dc3..20bf85d 100644
--- a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -140,8 +140,13 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
@Override
protected void initInternal() throws LifecycleException {
log("Initializing authenticators");
+
super.initInternal();
+
+ sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
sslAuthenticator.init();
+
+ fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
fallbackAuthenticator.init();
}
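Review bot: Only `alwaysUseSession` is propagated to the two delegate authenticators in initInternal, while the other AuthenticatorBase settings a deployer can put on this valve (`changeSessionIdOnAuthentication`, `cache`, `disableProxyCaching`, `securePagesWithPragma`) are not, so the delegates keep their own defaults and any non-default value configured on the wrapper is silently ignored. This matters most for `changeSessionIdOnAuthentication`, which is the guard against session fixation once the principal is cached in the session; the two `set...` calls imply the delegates are AuthenticatorBase subclasses, which their declarations outside the hunk would confirm. A small helper would keep both delegates in step, e.g. `private void propagateSettings(AuthenticatorBase a) { a.setAlwaysUseSession(alwaysUseSession); a.setChangeSessionIdOnAuthentication(getChangeSessionIdOnAuthentication()); a.setCache(getCache()); }`, called for each delegate before its `init()`. The class continues outside the hunk.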
diff --git a/base/kra/shared/webapps/kra/META-INF/context.xml b/base/kra/shared/webapps/kra/META-INF/context.xml
index 032fd14..e838503 100644
--- a/base/kra/shared/webapps/kra/META-INF/context.xml
+++ b/base/kra/shared/webapps/kra/META-INF/context.xml
@@ -28,7 +28,9 @@
secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
<Realm className="com.netscape.cms.tomcat.ProxyRealm" />
diff --git a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
index 032fd14..e838503 100644
--- a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
+++ b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
@@ -28,7 +28,9 @@
secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
<Realm className="com.netscape.cms.tomcat.ProxyRealm" />
diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/base/server/upgrade/10.0.4/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
new file mode 100755
index 0000000..7aee780
--- /dev/null
+++ b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
@@ -0,0 +1,69 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2013 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+from lxml import etree
+
+import pki.server.upgrade
+
+
+class EnableSessionInAuthenticator(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+
+ self.message = 'Enable session in authenticator'
+
+ self.parser = etree.XMLParser(remove_blank_text=True)
+
+ def upgrade_subsystem(self, instance, subsystem):
+
+ context_xml = os.path.join(
+ instance.base_dir, 'webapps', subsystem.name, 'META-INF', 'context.xml')
+ self.backup(context_xml)
+
+ document = etree.parse(context_xml, self.parser)
+
+ self.enable_session(document)
+
+ with open(context_xml, 'w') as f:
+ f.write(etree.tostring(document, pretty_print=True))
+
+ def enable_session(self, document):
+
+ context = document.getroot()
+ valves = context.findall('Valve')
+ authenticator = None
+
+ # Find existing authenticator
+ for valve in valves:
+ className = valve.get('className')
+ if className != 'com.netscape.cms.tomcat.SSLAuthenticatorWithFallback':
+ continue
+
+ # Found existing authenticator
+ authenticator = valve
+ break
+
+ if authenticator is None:
+ raise Exception('Missing SSLAuthenticatorWithFallback')
+
+ # Update authenticator's attributes
+ authenticator.set('alwaysUseSession', 'true')
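Review bot: `etree.tostring(document, pretty_print=True)` in the `f.write(...)` line emits no XML declaration, so if an instance's context.xml begins with an `<?xml ...?>` header the rewrite silently drops it; `etree.tostring(document, pretty_print=True, xml_declaration=True, encoding='UTF-8')` keeps the file header stable across upgrades. The parser in `__init__` is built with lxml's defaults, which resolve external entities; the input is the instance's own configuration so the exposure is small, but `etree.XMLParser(remove_blank_text=True, resolve_entities=False)` costs nothing and removes the question. `raise Exception('Missing SSLAuthenticatorWithFallback')` reports a specific, recoverable condition with a bare `Exception` that callers cannot catch selectively; a `ValueError`, or a project exception type if `pki.server.upgrade` defines one, would be more precise.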
diff --git a/base/tks/shared/webapps/tks/META-INF/context.xml b/base/tks/shared/webapps/tks/META-INF/context.xml
index 032fd14..e838503 100644
--- a/base/tks/shared/webapps/tks/META-INF/context.xml
+++ b/base/tks/shared/webapps/tks/META-INF/context.xml
@@ -28,7 +28,9 @@
secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
+ alwaysUseSession="true"
+ secureRandomProvider="Mozilla-JSS"
+ secureRandomAlgorithm="pkcs11prng"/>
<Realm className="com.netscape.cms.tomcat.ProxyRealm" />
--
1.8.3.1