Make client certificate authorization more robust
authorMathieu Baudier <mbaudier@argeo.org>
Wed, 14 Nov 2018 10:10:48 +0000 (11:10 +0100)
committerMathieu Baudier <mbaudier@argeo.org>
Wed, 14 Nov 2018 10:10:48 +0000 (11:10 +0100)
org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java

index 61268ca34f895956541935b557d7202fa93ad061..7622eef27da26c49f13d6a56ef63a68e27f1387e 100644 (file)
@@ -200,17 +200,22 @@ public class HttpSessionLoginModule implements LoginModule {
        private void extractClientCertificate(HttpServletRequest req) {
                X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
                if (null != certs && certs.length > 0) {// Servlet container verified the client certificate
-                       sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
+                       String certDn = certs[0].getSubjectX500Principal().getName();
+                       sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
                        sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
+                       if (log.isDebugEnabled())
+                               log.debug("Client certificate " + certDn + " verified by servlet container");
                } // Reverse proxy verified the client certificate
                String clientDnHttpHeader = Activator.getHttpProxySslHeader();
                if (clientDnHttpHeader != null) {
                        String certDn = req.getHeader(clientDnHttpHeader);
                        // TODO retrieve more cf. https://httpd.apache.org/docs/current/mod/mod_ssl.html
                        // String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
-                       if (certDn != null) {
+                       if (certDn != null && !certDn.trim().equals("")) {
                                sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
                                sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, "");
+                               if (log.isDebugEnabled())
+                                       log.debug("Client certificate " + certDn + " verified by reverse proxy");
                        }
                }
        }
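Review bot: The reverse-proxy branch runs unconditionally after the container-verified branch, so when `clientDnHttpHeader` is configured a request-supplied header overwrites the DN the servlet container just verified (second `sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn)` in the hunk); the header is only as trustworthy as the guarantee that every request reaches the container through that proxy, which this method cannot check. The container-verified identity should win, e.g. `if (clientDnHttpHeader != null && !sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)) {`, so a header on a directly-reaching request can never replace a verified certificate. The `SHARED_STATE_CERTIFICATE_CHAIN` slot also holds an `X509Certificate[]` in one branch and `""` in the other, which a consumer cannot cast uniformly; a comment such as `// chain is "" when only a proxy-supplied DN is available` would at least document it. The whitespace check would read more clearly as `!certDn.trim().isEmpty()`.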
index b50bf8ac4699ba5098fff3cac93d041d5c687efd..ad9eb24c52ac912c32f9568ca956f19869123405 100644 (file)
@@ -13,7 +13,6 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
-import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
@@ -94,15 +93,16 @@ public class UserAdminLoginModule implements LoginModule {
                        // // TODO locale?
                } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
-                       String certificateName = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
-                       LdapName ldapName;
-                       try {
-                               ldapName = new LdapName(certificateName);
-                       } catch (InvalidNameException e) {
-                               e.printStackTrace();
-                               return false;
-                       }
-                       username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+//                     LdapName ldapName;
+//                     try {
+//                             ldapName = new LdapName(certificateName);
+//                     } catch (InvalidNameException e) {
+//                             e.printStackTrace();
+//                             return false;
+//                     }
+//                     username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       username = certDn;
                        certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                        password = null;
                } else if (singleUser) {
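Review bot: Replacing the RDN extraction with `username = certDn;` also drops the DN validation: the old `new LdapName(certificateName)` parse rejected malformed input with `return false`, whereas the new code accepts any string placed in `SHARED_STATE_NAME`, including a value that came from a reverse-proxy HTTP header rather than from a container-verified certificate. If the full DN is intentionally the login name, keep the parse as a syntax check, `try { new LdapName(certDn); } catch (InvalidNameException e) { return false; }`, restore the `javax.naming.InvalidNameException` import removed in the hunk above, and log the failure rather than `printStackTrace()`. The commented-out block from `// LdapName ldapName;` through `// username = ldapName.getRdn(...)` should be deleted rather than kept, since version control already holds that history. The enclosing method starts and ends outside this hunk.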