19 package org.eclipse.jetty.security.jaspi.modules;
20
21 import java.io.IOException;
22 import java.security.Principal;
23
24 import javax.security.auth.Subject;
25 import javax.security.auth.callback.CallbackHandler;
26 import javax.security.auth.callback.UnsupportedCallbackException;
27 import javax.security.auth.message.AuthException;
28 import javax.security.auth.message.AuthStatus;
29 import javax.security.auth.message.MessageInfo;
30 import javax.servlet.http.HttpServletRequest;
31 import javax.servlet.http.HttpServletResponse;
32
33 import org.eclipse.jetty.util.B64Code;
34 import org.eclipse.jetty.util.security.Constraint;
35 import org.eclipse.jetty.util.security.Password;
36
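/**
 * JASPI server auth module that authenticates a request using the X.509 client
 * certificate presented during the TLS handshake.
 * <p>
 * The certificate chain is read from the {@code javax.servlet.request.X509Certificate}
 * request attribute. This module performs no chain validation of its own: it relies on
 * the connector having already validated the chain before populating that attribute
 * (which only happens when the listener is configured for mutual TLS). The login service
 * is then asked to authenticate a user named after the certificate's subject DN, with the
 * Base64-encoded certificate signature passed as the credential.
 *
 * @deprecated retained for compatibility only.
 */
@Deprecated
public class ClientCertAuthModule extends BaseAuthModule
{
    /** Request attribute under which the servlet container exposes the validated client chain. */
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Creates a module without a callback handler. */
    public ClientCertAuthModule()
    {
    }

    /**
     * Creates a module that uses the given callback handler for login callbacks.
     *
     * @param callbackHandler handler passed through to {@link BaseAuthModule}
     */
    public ClientCertAuthModule(CallbackHandler callbackHandler)
    {
        super(callbackHandler);
    }

    /**
     * Validates the request against the client certificate, if any.
     *
     * @param messageInfo    carries the servlet request and response
     * @param clientSubject  subject populated on successful login
     * @param serviceSubject unused
     * @return {@link AuthStatus#SUCCESS} when the login service accepts the certificate
     *         (or the resource is not mandatory); {@link AuthStatus#SEND_FAILURE} after a
     *         403 has been sent when no certificate is present or the user is unknown
     * @throws AuthException if sending the error response or the login callbacks fail;
     *         the underlying exception is attached as the cause
     */
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject)
            throws AuthException
    {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        java.security.cert.X509Certificate[] certs =
            (java.security.cert.X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);

        try
        {
            // No certificate means either the connector is not doing mutual TLS or the
            // client sent none; either way there is nothing to authenticate with.
            if (certs == null || certs.length == 0 || certs[0] == null)
            {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).");
                return AuthStatus.SEND_FAILURE;
            }

            java.security.cert.X509Certificate clientCert = certs[0];
            String username = usernameFor(clientCert);
            // The credential handed to the login service is the certificate's signature
            // bytes, Base64-encoded. Nothing is verified here; presumably the configured
            // LoginService holds the same value for the user -- verify against the
            // LoginService in use.
            String password = new String(B64Code.encode(clientCert.getSignature()));

            if (login(clientSubject, username, new Password(password), Constraint.__CERT_AUTH, messageInfo))
            {
                return AuthStatus.SUCCESS;
            }

            // Unknown user on a non-mandatory resource: let the request through unauthenticated.
            if (!isMandatory(messageInfo))
            {
                return AuthStatus.SUCCESS;
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "The provided client certificate does not correspond to a trusted user.");
            return AuthStatus.SEND_FAILURE;
        }
        catch (IOException e)
        {
            throw authException(e);
        }
        catch (UnsupportedCallbackException e)
        {
            throw authException(e);
        }
    }

    /**
     * Derives the login name from the certificate: the subject DN, falling back to the
     * issuer DN, and finally the literal {@code "clientcert"} if neither is available.
     * <p>
     * NOTE(review): the issuer-DN fallback means a certificate without a usable subject
     * would be presented to the login service under its CA's name. The JDK certificate
     * implementation is believed never to return a null subject DN, so this branch is
     * thought to be unreachable in practice; it is kept unchanged for compatibility.
     */
    private static String usernameFor(java.security.cert.X509Certificate cert)
    {
        Principal principal = cert.getSubjectDN();
        if (principal == null)
        {
            principal = cert.getIssuerDN();
        }
        return principal == null ? "clientcert" : principal.getName();
    }

    /**
     * Wraps a checked failure in an {@link AuthException} without losing it: the javax
     * {@code AuthException} has no cause-taking constructor, so the original exception
     * is attached via {@link Throwable#initCause(Throwable)} instead of being reduced to
     * its message (which previously discarded the stack trace).
     */
    private static AuthException authException(Exception cause)
    {
        AuthException ae = new AuthException(cause.getMessage());
        ae.initCause(cause);
        return ae;
    }
}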