From 9c38f89b61cbac5293f6358b57b7e1cacd3ffc29 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 29 Nov 2016 18:24:53 +1000 Subject: [PATCH 169/175] Update AuthMethodInterceptor to handle external principals Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted. Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../server/rest/AuthMethodInterceptor.java | 27 +++++++++++++--------- 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
index ac0b2518cdc42528b7c0e94153f2b02777c26785..8571ad6b1fb241956f8d437e65ff3f1e7169b015 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
@@ -33,12 +33,14 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.apache.catalina.realm.GenericPrincipal;
+
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.jboss.resteasy.spi.Failure;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthMethodMapping;
-import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.cms.realm.PKIPrincipal;
@@ -139,14 +141,11 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Anonymous access not allowed.");
 }
- // If unrecognized principal, reject request.
- if (!(principal instanceof PKIPrincipal)) {
- CMS.debug("AuthMethodInterceptor: unknown principal");
- throw new ForbiddenException("Unknown user principal");
- }
-
- PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
- IAuthToken authToken = pkiPrincipal.getAuthToken();
+ IAuthToken authToken = null;
+ if (principal instanceof PKIPrincipal)
+ authToken = ((PKIPrincipal) principal).getAuthToken();
+ else if (principal instanceof GenericPrincipal)
+ authToken = new ExternalAuthToken((GenericPrincipal) principal);
 // If missing auth token, reject request.
 if (authToken == null) {
@@ -154,7 +153,8 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Missing authentication token.");
 }
- String authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ String authManager = authToken.getInString(IAuthToken.TOKEN_AUTHMGR_INST_NAME);
+
 CMS.debug("AuthMethodInterceptor: authentication manager: " + authManager);
 if (authManager == null) {
@@ -162,7 +162,12 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Missing authentication manager.");
 }
- if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ if (
+ authMethods.isEmpty()
+ || authManager.equals("external")
+ || authMethods.contains(authManager)
+ || authMethods.contains("*")
+ ) {
 CMS.debug("AuthMethodInterceptor: access granted");
 return;
 }
-- 2.9.3
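Review bot: The new principal dispatch in the first hunk drops the dedicated "unknown principal" rejection, so a principal that is neither a PKIPrincipal nor a GenericPrincipal now fails a few lines later as "Missing authentication token.", which hides the real cause in the debug log. Keeping the diagnostic costs two lines after the else-if: `else` / `CMS.debug("AuthMethodInterceptor: unrecognized principal type: " + principal.getClass().getName());`. The order of the two instanceof checks also matters if PKIPrincipal is itself a GenericPrincipal (not visible in this hunk, but plausible for a Tomcat realm principal); a comment such as `// check PKIPrincipal first: it may also be a GenericPrincipal` would make that dependency explicit. The surrounding code braces single-statement if bodies, while the new chain is braceless. The enclosing filter method begins and ends outside this hunk.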
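Review bot: In the last hunk, `authManager.equals("external")` grants every externally authenticated principal access to every resource regardless of its @AuthMethodMapping, so the auth-method restriction no longer constrains external users at all; the commit message says this is provisional, but the code carries no marker of it. A comment on that line, `// TODO(issue 1359): external principals bypass the auth-method check for now; restrict once external auth methods are mapped`, keeps the gap visible to whoever does the follow-up. The literal "external" presumably mirrors the manager name that ExternalAuthToken stores under TOKEN_AUTHMGR_INST_NAME; if that class exposes the name as a constant, referencing it instead of the literal keeps the two from drifting apart. The enclosing filter method begins and ends outside this hunk.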