Author: jaz
Date: Wed Apr 25 09:45:18 2007
New Revision: 532403
URL: http://svn.apache.org/viewvc?view=rev&rev=532403
Log: made the pattern which finds the userLoginId from the common name (x500) configurable; also can disable cert login from security.properties
Modified:
ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
ofbiz/trunk/framework/security/config/security.properties
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
Modified: ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java?view=diff&rev=532403&r1=532402&r2=532403
==============================================================================
--- ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java (original)
+++ ofbiz/trunk/framework/base/src/base/org/ofbiz/base/util/KeyStoreUtil.java Wed Apr 25 09:45:18 2007
@@ -95,7 +95,7 @@
 String[] x500Opts = x500.getName().split("\\,");
 for (int x = 0; x < x500Opts.length; x++) {
- String[] nv = x500Opts[x].split("\\=");
+ String[] nv = x500Opts[x].split("\\=", 2);
 x500Map.put(nv[0], nv[1]);
 }
Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?view=diff&rev=532403&r1=532402&r2=532403
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Wed Apr 25 09:45:18 2007
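Review bot: The limit-2 split in `x500Opts[x].split("\\=", 2)` keeps a literal `=` inside an attribute value, but `x500Map.put(nv[0], nv[1])` on the next line still throws ArrayIndexOutOfBoundsException for any fragment without an `=`, and `x500.getName().split("\\,")` two lines up still splits on RFC 2253-escaped commas (`CN=Smith\, John`) and on nothing else, so the `CN` value stored here is not always what the certificate carries. Because LoginWorker derives the userLoginId from this map, a length guard is the minimum: `if (nv.length == 2) { x500Map.put(nv[0], nv[1]); }`; parsing with `javax.naming.ldap.LdapName`/`Rdn` would also handle the escaping correctly. Repeated attribute types (several OU entries) silently overwrite each other, which is probably fine for CN but deserves a comment. The enclosing method (presumably `getCertX500Map`, called from LoginWorker) starts and ends outside the hunk.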
@@ -54,3 +54,9 @@
 # -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
 username.lowercase=false
 password.lowercase=false
+
+# -- should we allow x509 certificate login
+security.login.cert.allow=true
+
+# -- pattern for the userlogin id in CN section of certificate
+security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
\ No newline at end of file
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?view=diff&rev=532403&r1=532402&r2=532403
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Wed Apr 25 09:45:18 2007
@@ -19,6 +19,8 @@
 package org.ofbiz.webapp.control;
 import java.util.*;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
 import java.security.cert.X509Certificate;
 import java.math.BigInteger;
@@ -33,7 +35,6 @@
 import javax.security.auth.x500.X500Principal;
 import javolution.util.FastList;
-import javolution.util.FastMap;
 import org.ofbiz.base.component.ComponentConfig;
 import org.ofbiz.base.util.*;
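Review bot: The default `security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$` captures only the leading word (or two words) of the CN and discards everything from the first non-word character on, so distinct subjects such as `admin`, `admin (test)` and `admin.old` all resolve to the userLoginId `admin`, and the group can also match the empty string. Whether that is abusable depends on how strictly the accepted issuer (checked in LoginWorker) controls the CN, but the file should state that the first capture group is the entire mapping from certificate to account; a comment like `# -- only the first capture group becomes the userLoginId; text outside it is ignored, so the issuing CA must control the CN` would make the trust decision explicit. A default that anchors the whole CN, e.g. `^([\\w.-]+)$`, is worth considering so that trailing text cannot redirect a certificate to another account. Note also that `security.login.cert.allow=true` ships enabled and the code falls back to `true` when the key is absent, which fails open for installations that never edit this file.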
@@ -520,59 +521,74 @@
 return "success";
 }
+ // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
 public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
- GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
- HttpSession session = request.getSession();
- GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
- if (currentUserLogin != null) {
- String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
- if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
- currentUserLogin = null;
+ boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.cert.allow", "true"));
+ if (doCheck) {
+ GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+ HttpSession session = request.getSession();
+ GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
+ if (currentUserLogin != null) {
+ String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+ if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
+ currentUserLogin = null;
+ }
 }
- }
- if (currentUserLogin == null) {
- X509Certificate[] clientCerts = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); // 2.2 spec
- if (clientCerts == null) {
- clientCerts = (X509Certificate[]) request.getAttribute("javax.net.ssl.peer_certificates"); // 2.1 spec
- }
-
- if (clientCerts != null) {
- String userLoginId = null;
-
- for (int i = 0; i < clientCerts.length; i++) {
- X500Principal x500 = clientCerts[i].getSubjectX500Principal();
- Debug.log("Checking client certification for authentication: " + x500.getName(), module);
-
- Map x500Map = KeyStoreUtil.getCertX500Map(clientCerts[i]);
- if (i == 0) {
- userLoginId = (String) x500Map.get("CN");
- }
+ String cnPattern = UtilProperties.getPropertyValue("security.properties", "security.login.cert.pattern", "(.*)");
+ Pattern pattern = Pattern.compile(cnPattern);
+ Debug.log("CN Pattern: " + cnPattern, module);
+
+ if (currentUserLogin == null) {
+ X509Certificate[] clientCerts = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); // 2.2 spec
+ if (clientCerts == null) {
+ clientCerts = (X509Certificate[]) request.getAttribute("javax.net.ssl.peer_certificates"); // 2.1 spec
+ }
- try {
- // check for a valid issuer (or generated cert data)
- if (LoginWorker.checkValidIssuer(delegator, x500Map, clientCerts[i].getSerialNumber())) {
- Debug.log("Looking up userLogin from CN: " + userLoginId, module);
-
- // CN should match the userLoginId
- GenericValue userLogin = delegator.findByPrimaryKey("UserLogin", UtilMisc.toMap("userLoginId", userLoginId));
- if (userLogin != null) {
- String enabled = userLogin.getString("enabled");
- if (enabled == null || "Y".equals(enabled)) {
- userLogin.set("hasLoggedOut", "N");
- userLogin.store();
-
- // login the user
- Map ulSessionMap = LoginServices.getUserLoginSession(userLogin);
- return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
+ if (clientCerts != null) {
+ String userLoginId = null;
+
+ for (int i = 0; i < clientCerts.length; i++) {
+ X500Principal x500 = clientCerts[i].getSubjectX500Principal();
+ Debug.log("Checking client certification for authentication: " + x500.getName(), module);
+
+ Map x500Map = KeyStoreUtil.getCertX500Map(clientCerts[i]);
+ if (i == 0) {
+ String cn = (String) x500Map.get("CN");
+ cn = cn.replaceAll("\\\\", "");
+ Matcher m = pattern.matcher(cn);
+ if (m.matches()) {
+ userLoginId = m.group(1);
+ } else {
+ Debug.log("Client certificate CN does not match pattern: [" + cnPattern + "]", module);
+ }
+ }
+
+ try {
+ // check for a valid issuer (or generated cert data)
+ if (LoginWorker.checkValidIssuer(delegator, x500Map, clientCerts[i].getSerialNumber())) {
+ Debug.log("Looking up userLogin from CN: " + userLoginId, module);
+
+ // CN should match the userLoginId
+ GenericValue userLogin = delegator.findByPrimaryKey("UserLogin", UtilMisc.toMap("userLoginId", userLoginId));
+ if (userLogin != null) {
+ String enabled = userLogin.getString("enabled");
+ if (enabled == null || "Y".equals(enabled)) {
+ userLogin.set("hasLoggedOut", "N");
+ userLogin.store();
+
+ // login the user
+ Map ulSessionMap = LoginServices.getUserLoginSession(userLogin);
+ return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
+ }
 }
 }
+ } catch (GeneralException e) {
+ Debug.logError(e, module);
 }
- } catch (GeneralException e) {
- Debug.logError(e, module);
 }
 }
- }
+ }
 }
 return "success"; |
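Review bot: `cn.replaceAll("\\\\", "")` in the new `if (i == 0)` block dereferences the CN without a null check, so a client certificate whose subject carries no CN attribute makes `x500Map.get("CN")` return null and the preprocessor dies with an uncaught NullPointerException instead of falling through to `return "success"`; the `catch (GeneralException e)` further down does not cover it. When the pattern does not match — or the configured pattern has no capture group, in which case `m.group(1)` throws IndexOutOfBoundsException — `userLoginId` stays null, yet the loop still runs `checkValidIssuer` and `findByPrimaryKey` with a null id, and since only iteration 0 ever sets the id the loop can stop there. `Pattern.compile(cnPattern)` also runs on every request, and a malformed property value surfaces as a PatternSyntaxException at login time rather than at startup; caching the compiled pattern would address both. The `"true"` fallback in `getPropertyValue(..., "security.login.cert.allow", "true")` fails open when the key is missing — presumably for compatibility, but it deserves a comment saying so. The method's closing brace is outside the hunk.

```java
if (i == 0) {
    String cn = (String) x500Map.get("CN");
    if (cn == null) {
        Debug.log("Client certificate has no CN attribute; cannot map it to a userLoginId", module);
    } else {
        cn = cn.replaceAll("\\\\", "");
        Matcher m = pattern.matcher(cn);
        // a pattern without a capture group would otherwise throw on group(1)
        if (m.matches() && m.groupCount() >= 1) {
            userLoginId = m.group(1);
        } else {
            Debug.log("Client certificate CN does not match pattern: [" + cnPattern + "]", module);
        }
    }
}
if (userLoginId == null) {
    // only cert 0 sets userLoginId, so no later iteration can succeed
    break;
}
// … unchanged: try / checkValidIssuer / findByPrimaryKey / doMainLogin …
```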