Author: markt
Date: Wed Sep 3 19:30:15 2014
New Revision: 1622328
URL: http://svn.apache.org/r1622328
Log:
Don't trigger re-authentication for webapps that don't need it.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1617461
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Sep 3 19:30:15 2014
@@ -562,7 +562,7 @@ public abstract class AuthenticatorBase
}
if (!authRequired && context.getPreemptiveAuthentication()) {
- X509Certificate[] certs = getRequestCertificates(request);
+ X509Certificate[] certs = getRequestCertificates(request, false);
authRequired = certs != null && certs.length > 0;
}
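Review bot: The switch to `getRequestCertificates(request, false)` on the pre-emptive path is undocumented at the call site, and its consequence is easy to miss: with force=false the processors in this commit no longer renegotiate, so pre-emptive authentication only sees a certificate the client already presented in the initial handshake, which the test change in this commit indicates requires the connector to be configured with clientAuth="want". A one-line comment would spare the next reader a trip through three processors: `// Never force a renegotiation here: pre-emptive auth only uses certs the client already presented (connector must advertise clientAuth="want")`. The enclosing method starts and ends outside the hunk.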
@@ -620,11 +620,13 @@ public abstract class AuthenticatorBase
* extracting the certificate chain from the Coyote request.
*
* @param request Request to be processed
+ * @param force Should a renegotiation be forced to request
certificates
+ * from the user agent if none have been provided
*
* @return The X509 certificate chain if found, <code>null</code>
* otherwise.
*/
- protected X509Certificate[] getRequestCertificates(final Request request)
+ protected X509Certificate[] getRequestCertificates(final Request request,
boolean force)
throws IllegalStateException {
X509Certificate certs[] =
@@ -632,7 +634,7 @@ public abstract class AuthenticatorBase
if ((certs == null) || (certs.length < 1)) {
try {
- request.getCoyoteRequest().action
(ActionCode.REQ_SSL_CERTIFICATE, null);
+
request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE,
Boolean.valueOf(force));
certs = (X509Certificate[])
request.getAttribute(Globals.CERTIFICATES_ATTR);
} catch (IllegalStateException ise) {
// Request body was too large for save buffer
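Review bot: The new signature still declares `throws IllegalStateException` but the updated Javadoc has no `@throws` tag, and the `@param force` text does not say what the caller gets back when force is false and the client presented nothing. I would extend the Javadoc with `@throws IllegalStateException if the request body could not be buffered ahead of a forced renegotiation` (judging by the catch comment, this can only arise when {@code force} is true, since the processors now skip the body buffering otherwise) and add to the {@code force} description that when false the method returns only certificates already presented during the handshake, or {@code null}. The method body continues past the end of the hunk, so whether the caught IllegalStateException is rethrown cannot be confirmed from here.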
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
Wed Sep 3 19:30:15 2014
@@ -127,7 +127,7 @@ public class SSLAuthenticator
if (containerLog.isDebugEnabled())
containerLog.debug(" Looking up certificates");
- X509Certificate certs[] = getRequestCertificates(request);
+ X509Certificate certs[] = getRequestCertificates(request, true);
if ((certs == null) || (certs.length < 1)) {
if (containerLog.isDebugEnabled())
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
Wed Sep 3 19:30:15 2014
@@ -402,18 +402,26 @@ public class Http11AprProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (endpoint.isSSLEnabled() && (socketRef != 0)) {
- // Consume and buffer the request body, so that it does not
- // interfere with the client's handshake messages
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter)
inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
-
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter)
inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
try {
- // Configure connection to require a certificate
- SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)endpoint).getSSLVerifyDepth());
- // Renegotiate certificates
- if (SSLSocket.renegotiate(socketRef) == 0) {
- // Don't look for certs unless we know renegotiation
worked.
+ if (force) {
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
+ ((AprEndpoint)endpoint).getSSLVerifyDepth());
+ }
+ if (!force || SSLSocket.renegotiate(socketRef) == 0) {
+ // Only look for certs if not forcing a renegotiation
or
+ // if we know renegotiation worked.
// Get client certificate and the certificate chain if
present
// certLength == -1 indicates an error
int certLength =
SSLSocket.getInfoI(socketRef,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
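Review bot: `boolean force = ((Boolean) param).booleanValue();` dereferences the action parameter unconditionally, so any caller of REQ_SSL_CERTIFICATE that still passes null, as the AuthenticatorBase call replaced in this commit did, now fails with a NullPointerException inside the processor instead of getting certificates. The same line is introduced in Http11NioProcessor and Http11Processor in this commit. Unless every caller is known to be migrated, a null-tolerant form that preserves the previous always-renegotiate behaviour is safer: `boolean force = param == null || ((Boolean) param).booleanValue();` (with a comment noting that null keeps the pre-existing forced semantics). The enclosing action() method starts and ends outside the hunk.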
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
Wed Sep 3 19:30:15 2014
@@ -408,18 +408,20 @@ public class Http11NioProcessor extends
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter)
inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
SecureNioChannel sslChannel = (SecureNioChannel)
socketWrapper.getSocket();
SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
+ if (!engine.getNeedClientAuth() && force) {
// Need to re-negotiate SSL connection
engine.setNeedClientAuth(true);
try {
@@ -436,9 +438,8 @@ public class Http11NioProcessor extends
// use force=false since re-negotiation is handled above
// (and it is a NO-OP for NIO anyway)
Object sslO = sslSupport.getPeerCertificateChain(false);
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
+ if (sslO != null) {
+ request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Wed
Sep 3 19:30:15 2014
@@ -331,17 +331,19 @@ public class Http11Processor extends Abs
}
case REQ_SSL_CERTIFICATE: {
if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ boolean force = ((Boolean) param).booleanValue();
+ if (force) {
+ /* Forced triggers a handshake so consume and buffer the
+ * request body, so that it does not interfere with the
+ * client's handshake messages
+ */
+ InputFilter[] inputFilters = inputBuffer.getFilters();
+ ((BufferedInputFilter)
inputFilters[Constants.BUFFERED_FILTER])
+ .setLimit(maxSavePostSize);
+
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ }
try {
- Object sslO = sslSupport.getPeerCertificateChain(true);
+ Object sslO = sslSupport.getPeerCertificateChain(force);
if( sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
Modified:
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java?rev=1622328&r1=1622327&r2=1622328&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
(original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/TestClientCert.java
Wed Sep 3 19:30:15 2014
@@ -45,16 +45,24 @@ public class TestClientCert extends Tomc
doTestClientCertGet(true);
}
- public void doTestClientCertGet(boolean preemtive) throws Exception {
+ private void doTestClientCertGet(boolean preemtive) throws Exception {
Assume.assumeTrue("SSL renegotiation has to be supported for this
test",
TesterSupport.isRenegotiationSupported(getTomcatInstance()));
if (preemtive) {
+ Tomcat tomcat = getTomcatInstance();
// Only one context deployed
- Context c = (Context)
getTomcatInstance().getHost().findChildren()[0];
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ // Enable pre-emptive auth
c.setPreemptiveAuthentication(true);
+
+ // Connector needs to advertise is accepts client certs for
+ // pre-emptive to work
+ tomcat.getConnector().setAttribute("clientAuth", "want");
}
+ getTomcatInstance().start();
+
// Unprotected resource
ByteChunk res =
getUrl("https://localhost:" + getPort() + "/unprotected");
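Review bot: The parameter name `preemtive` is carried into the new `private void doTestClientCertGet(boolean preemtive)` signature; since the visibility change already touches this line, renaming it to `preemptive` here (and in the two uses below) would fix the typo at no extra cost. The new comment also reads "advertise is accepts client certs"; suggest `// Connector needs to advertise it accepts client certs for pre-emptive auth to work`.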
@@ -95,6 +103,8 @@ public class TestClientCert extends Tomc
Assume.assumeTrue("SSL renegotiation has to be supported for this
test",
TesterSupport.isRenegotiationSupported(getTomcatInstance()));
+ getTomcatInstance().start();
+
byte[] body = new byte[bodySize];
Arrays.fill(body, TesterSupport.DATA);
@@ -127,9 +137,6 @@ public class TestClientCert extends Tomc
TesterSupport.configureClientCertContext(tomcat);
- // Start Tomcat
- tomcat.start();
-
TesterSupport.configureClientSsl();
}
}