#857: Tomcat security support for its conf/tomcat-users.xml. Work in …

…progress.
hawtio · Dec 19, 2013 · 638bee8 · 638bee8
1 parent 32105b9
commit 638bee8
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 11 deletions.
diff --git a/hawtio-web/src/main/java/io/hawt/system/Authenticator.java b/hawtio-web/src/main/java/io/hawt/system/Authenticator.java
@@ -10,7 +10,6 @@
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.AccountException;
 import javax.security.auth.login.Configuration;
-import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import javax.servlet.http.HttpServletRequest;
@@ -20,7 +19,7 @@
 import org.slf4j.LoggerFactory;
 
 /**
- *
+ * To perform authentication using JAAS using the {@link LoginContext} for the choosen realm.
  */
 public class Authenticator {
 
@@ -139,7 +138,8 @@ private static Subject doAuthenticate(String realm, String role, String rolePrin
                     }
                 }
                 if (!found) {
-                    throw new FailedLoginException("User does not have the required role " + role);
+                    LOG.debug("User does not have the required role " + role);
+                    return null;
                 }
             }
 
@@ -148,8 +148,6 @@ private static Subject doAuthenticate(String realm, String role, String rolePrin
         } catch (AccountException e) {
             LOG.warn("Account failure", e);
         } catch (LoginException e) {
-            // TODO: Add some option for verbosity logging
-            LOG.warn("Login failed", e);
             LOG.debug("Login failed", e);
         }
 
@@ -182,4 +180,5 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
             }
         }
     }
+
 }
diff --git a/hawtio-web/src/main/java/io/hawt/web/AuthenticationHelpers.java b/hawtio-web/src/main/java/io/hawt/web/AuthenticationHelpers.java
@@ -0,0 +1,15 @@
+package io.hawt.web;
+
+public final class AuthenticationHelpers {
+
+    /**
+     * Is the realm empty or * to denote any realm.
+     */
+    public static boolean isEmptyOrAllRealm(String realm) {
+        if (realm == null || realm.trim().isEmpty() || realm.trim().equals("*")) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+}
diff --git a/hawtio-web/src/main/java/io/hawt/web/tomcat/TomcatAuthenticationContainerDiscovery.java b/hawtio-web/src/main/java/io/hawt/web/tomcat/TomcatAuthenticationContainerDiscovery.java
@@ -7,11 +7,15 @@
 
 import io.hawt.web.AuthenticationConfiguration;
 import io.hawt.web.AuthenticationContainerDiscovery;
+import io.hawt.web.AuthenticationHelpers;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * To use Apache Tomcat using its conf/tomcat-users.xml for authentication.
+ * <p/>
+ * To use this, then the {@link io.hawt.web.AuthenticationConfiguration#getRealm()} must be empty or "*". Otherwise
+ * if an explicit configured realm has been set, then regular JAAS authentication is in use.
  */
 public class TomcatAuthenticationContainerDiscovery implements AuthenticationContainerDiscovery {
 
@@ -24,6 +28,11 @@ public String getContainerName() {
 
     @Override
     public boolean canAuthenticate(AuthenticationConfiguration configuration) {
+        if (!AuthenticationHelpers.isEmptyOrAllRealm(configuration.getRealm())) {
+            LOG.debug("Realm explicit configured {}. {} userdata authentication integration not in use.", configuration.getRealm(), getContainerName());
+            return false;
+        }
+
         try {
             MBeanServer server = ManagementFactory.getPlatformMBeanServer();
             boolean isTomcat = server.isRegistered(new ObjectName("Catalina:type=Server"));

diff --git a/hawtio-web/src/main/java/io/hawt/web/tomcat/TomcatPrincipal.java b/hawtio-web/src/main/java/io/hawt/web/tomcat/TomcatPrincipal.java
@@ -3,18 +3,19 @@
 import java.io.Serializable;
 import java.security.Principal;
 
+/**
+ * A very simple Apache Tomcat {@link Principal}.
+ */
 public class TomcatPrincipal implements Principal, Serializable {
 
-    // TODO: add role
+    private final String roleName;
 
-    private final String name;
-
-    public TomcatPrincipal(String name) {
-        this.name = name;
+    public TomcatPrincipal(String roleName) {
+        this.roleName = roleName;
     }
 
     @Override
     public String getName() {
-        return name;
+        return roleName;
     }
 }