pegasus/src/Pegasus/Security/Authentication/AuthenticationManager.cpp - diff

Return to AuthenticationManager.cpp CVS log

Up to [Pegasus] / pegasus / src / Pegasus / Security / Authentication

Diff for /pegasus/src/Pegasus/Security/Authentication/AuthenticationManager.cpp between version 1.2 and 1.27

version 1.2, 2001/12/13 14:54:30

version 1.27, 2007/03/16 17:16:58

Line 1

//%/////////////////////////////////////////////////////////////////////////////

//%2006////////////////////////////////////////////////////////////////////////

// The Open Group, Tivoli Systems

// Permission is hereby granted, free of charge, to any person obtaining a

// copy of this software and associated documentation files (the "Software"),

// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.

// to deal in the Software without restriction, including without limitation

// the rights to use, copy, modify, merge, publish, distribute, sublicense,

// IBM Corp.; EMC Corporation, The Open Group.

// and/or sell copies of the Software, and to permit persons to whom the

// Software is furnished to do so, subject to the following conditions:

// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.

// The above copyright notice and this permission notice shall be included in

// EMC Corporation; VERITAS Software Corporation; The Open Group.

// all copies of substantial portions of this software.

// EMC Corporation; Symantec Corporation; The Open Group.

// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

// Permission is hereby granted, free of charge, to any person obtaining a copy

// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

// of this software and associated documentation files (the "Software"), to

// THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

// deal in the Software without restriction, including without limitation the

// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING

// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or

// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER

// sell copies of the Software, and to permit persons to whom the Software is

// DEALINGS IN THE SOFTWARE.

// furnished to do so, subject to the following conditions:

// THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN

// ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED

// "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT

// LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR

// PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT

// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

// ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION

// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

//==============================================================================

// Author: Nag Boranna, Hewlett-Packard Company(nagaraja_boranna@hp.com)

// Modified By:

//%/////////////////////////////////////////////////////////////////////////////

#include <Pegasus/Common/System.h>

#include <Pegasus/Common/XmlWriter.h>

#include <Pegasus/Common/Destroyer.h>

#include <Pegasus/Common/Tracer.h>

#include <Pegasus/Common/PegasusVersion.h>

#include <Pegasus/Config/ConfigManager.h>

#include <Pegasus/Security/Authentication/LocalAuthenticationHandler.h>

#include <Pegasus/Security/Authentication/BasicAuthenticationHandler.h>

#include "LocalAuthenticationHandler.h"

#include "BasicAuthenticationHandler.h"

#include "AuthenticationManager.h"

#include <Pegasus/Common/AutoPtr.h>

#ifdef PEGASUS_KERBEROS_AUTHENTICATION

#include "KerberosAuthenticationHandler.h"

#endif

PEGASUS_USING_STD;

PEGASUS_NAMESPACE_BEGIN

Line 46

Line 58

AuthenticationManager::AuthenticationManager()

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::AuthenticationManager()");

// get authentication handler

// get authentication handlers

_localAuthHandler = _getLocalAuthHandler();

_httpAuthHandler = _getHttpAuthHandler();

PEG_METHOD_EXIT();

// Build the Basic authentication challenge header

// "hostname" + ":" + "portNo" using the hostname and port number

// get the local system name

_realm.assign(System::getHostName());

// get the configured port number

ConfigManager* configManager = ConfigManager::getInstance();

String port = configManager->getCurrentValue("port");

_realm.append(":");

_realm.append(port);

}

Line 80

Line 76

AuthenticationManager::~AuthenticationManager()

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::~AuthenticationManager()");

// delete authentication handler

// delete authentication handlers

if (_localAuthHandler)

{

delete _localAuthHandler;

delete _httpAuthHandler;

PEG_METHOD_EXIT();

}

if (_httpAuthHandler)

Boolean AuthenticationManager::isRemotePrivilegedUserAccessAllowed(

String & userName)

{

delete _httpAuthHandler;

// Reject access if the user is privileged and remote privileged user

// access is not enabled.

if (!ConfigManager::parseBooleanValue(ConfigManager::getInstance()->

getCurrentValue("enableRemotePrivilegedUserAccess"))

&& System::isPrivilegedUser(userName))

{

PEG_TRACE((TRC_AUTHENTICATION, Tracer::LEVEL2,

"Authentication failed for user '%s' because "

"enableRemotePrivilegedUserAccess is not set to 'true'.",

(const char*) userName.getCString()));

Logger::put_l(

Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,

"Security.Authentication.BasicAuthenticationHandler."

"PRIVILEGED_ACCESS_DISABLED",

"Authentication failed for user '$0' because "

"enableRemotePrivilegedUserAccess is not set to 'true'.",

userName);

return false;

}

return true;

}

Line 98

Line 120

Boolean AuthenticationManager::performHttpAuthentication

(

String authHeader,

const String& authHeader,

AuthenticationInfo* authInfo

)

{

Boolean authenticated = false;

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::performHttpAuthentication()");

String authType = String::EMPTY;

String type = String::EMPTY;

String userName = String::EMPTY;

String cookie = String::EMPTY;

Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,

// Check whether the auth header has the authentication

"AuthenticationManager:: performHttpAuthentication - Authority Header: $0", authHeader);

// information or not and call authentication handlers

// authenticate method.

_parseAuthHeader(authHeader, type, userName, cookie);

// Check if the user is already authenticated

// Parse the HTTP authentication header for authentication information

if (authInfo->isAuthenticated() && (authInfo->isPrivileged() ||

if ( !_parseHttpAuthHeader(authHeader, authType, cookie) )

String::equal(userName, authInfo->getAuthenticatedUser())))

{

return true;

PEG_METHOD_EXIT();

return false;

}

Boolean authenticated = false;

// get the configured authentication type

ConfigManager* configManager = ConfigManager::getInstance();

String authType = configManager->getCurrentValue("httpAuthType");

// Check whether the auth header has the authentication

// Check the authenticationinformation and do the authentication

// information or not.

if (String::equalNoCase(authHeader, "Basic"))

if ( String::equalNoCase(authType, "Basic") &&

String::equalNoCase(_httpAuthType, "Basic") )

{

authenticated = _httpAuthHandler->authenticate(cookie, authInfo);

// Check if Basic authentication is supported or not.

if (!String::equalNoCase(authType, "Basic"))

{

// ATTN: Log basic authentication not supported message

return ( authenticated );

}

#ifdef PEGASUS_KERBEROS_AUTHENTICATION

Uint32 pos = authHeader.find("Basic");

else if ( String::equalNoCase(authType, "Negotiate") &&

String::equalNoCase(_httpAuthType, "Kerberos") )

if (authHeader.size() > (pos + 5))

{

cookie = authHeader.subString(pos + 6);

}

authenticated = _httpAuthHandler->authenticate(cookie, authInfo);

}

// else ATTN: add code for digest authentication

#endif

// FUTURE: Add code to check for "Digest" when digest

// else ATTN: Log authentication type not supported message

// authentication is implemented.

if (authenticated)

{

authInfo->setAuthStatus(AuthenticationInfo::AUTHENTICATED);

authInfo->setAuthStatus(AuthenticationInfoRep::AUTHENTICATED);

authInfo->setAuthType(authType);

}

PEG_METHOD_EXIT();

return ( authenticated );

}

Line 172

Line 180

Boolean AuthenticationManager::performPegasusAuthentication

(

String authHeader,

const String& authHeader,

AuthenticationInfo* authInfo

)

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::performPegasusAuthentication()");

Boolean authenticated = false;

String authType = String::EMPTY;

String userName = String::EMPTY;

String cookie = String::EMPTY;

Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,

// Check whether the auth header has the authentication

"AuthenticationManager:: performPegasusAuthentication - Authority Header: $0",

// information or not and call authentication handlers

authHeader);

// authenticate method.

_parseAuthHeader(authHeader, authType, userName, cookie);

// Check if the user is already authenticated

// Parse the pegasus authentication header authentication information

if (authInfo->isAuthenticated() && (authInfo->isPrivileged() ||

if ( !_parseLocalAuthHeader(authHeader, authType, userName, cookie) )

String::equal(userName, authInfo->getAuthenticatedUser())))

{

PEG_METHOD_EXIT();

return false;

}

if ( String::equalNoCase(authType, "Local") )

{

if (authInfo->isAuthenticated() &&

String::equal(userName, authInfo->getAuthenticatedUser()))

{

PEG_METHOD_EXIT();

return true;

}

else

{

PEG_METHOD_EXIT();

return false;

}

// Check if the authentication information is present

if (String::equal(cookie, String::EMPTY))

{

PEG_METHOD_EXIT();

return false;

}

Line 212

Line 235

if (authenticated)

{

authInfo->setAuthStatus(AuthenticationInfo::AUTHENTICATED);

authInfo->setAuthStatus(AuthenticationInfoRep::AUTHENTICATED);

authInfo->setAuthType(authType);

if ( String::equal(authType, "LocalPrivileged") )

{

authInfo->setPrivileged(true);

}

else

{

authInfo->setPrivileged(false);

}

PEG_METHOD_EXIT();

return ( authenticated );

}

// Validate user.

Boolean AuthenticationManager::validateUserForHttpAuth (const String& userName)

{

return _httpAuthHandler->validateUser(userName);

}

// Get pegasus/local authentication response header

String AuthenticationManager::getPegasusAuthResponseHeader

(

String authHeader,

const String& authHeader,

AuthenticationInfo* authInfo

)

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::getPegasusAuthResponseHeader()");

String respHeader = String::EMPTY;

String authType = String::EMPTY;

String userName = String::EMPTY;

String cookie = String::EMPTY;

// Check whether the auth header has the authentication

// Parse the pegasus authentication header authentication information

// information or not and call authentication handlers

// authenticate method.

_parseAuthHeader(authHeader, authType, userName, cookie);

if ( !_parseLocalAuthHeader(authHeader, authType, userName, cookie) )

{

PEG_METHOD_EXIT();

return (respHeader);

}

// Check if the authentication information is present

// User name can not be empty

if (String::equal(userName, String::EMPTY))

{

PEG_METHOD_EXIT();

// User name can not be empty

return (respHeader);

// ATTN: throw an exception

return (String::EMPTY);

}

return(_localAuthHandler->getAuthResponseHeader(userName, authInfo));

respHeader =

_localAuthHandler->getAuthResponseHeader(authType, userName, authInfo);

PEG_METHOD_EXIT();

return (respHeader);

}

// Get HTTP authentication response header

#ifdef PEGASUS_KERBEROS_AUTHENTICATION

String AuthenticationManager::getHttpAuthResponseHeader( AuthenticationInfo* authInfo )

#else

String AuthenticationManager::getHttpAuthResponseHeader()

#endif

{

return (_httpAuthHandler->getAuthResponseHeader(_realm));

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::getHttpAuthResponseHeader()");

#ifdef PEGASUS_KERBEROS_AUTHENTICATION

String respHeader = _httpAuthHandler->getAuthResponseHeader(

String::EMPTY, String::EMPTY, authInfo);

#else

String respHeader = _httpAuthHandler->getAuthResponseHeader();

#endif

PEG_METHOD_EXIT();

return (respHeader);

}

// parse the authentication header

// parse the local authentication header

void AuthenticationManager::_parseAuthHeader(

Boolean AuthenticationManager::_parseLocalAuthHeader(

String authHeader, String& authType, String& userName, String& cookie)

const String& authHeader, String& authType, String& userName, String& cookie)

{

Uint32 pos;

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::_parseLocalAuthHeader()");

if ( (pos = authHeader.find("LocalPrivileged")) == PEG_NOT_FOUND )

{

if ( (pos = authHeader.find("Local")) == PEG_NOT_FOUND )

{

//Invalid authorization header

// Extract the authentication type:

//ATTN: throw exception

Uint32 space = authHeader.find(' ');

return;

}

if ( space == PEG_NOT_FOUND )

{

PEG_METHOD_EXIT();

return false;

}

Uint32 startQuote = authHeader.find(pos, '"');

authType = authHeader.subString(0, space);

Uint32 startQuote = authHeader.find(space, '"');

if (startQuote == PEG_NOT_FOUND)

{

PEG_METHOD_EXIT();

//Invalid authorization header

return false;

//ATTN: throw exception

return;

}

Uint32 endQuote = authHeader.find(startQuote + 1, '"');

if (endQuote == PEG_NOT_FOUND)

{

PEG_METHOD_EXIT();

//Invalid authorization header

return false;

//ATTN: throw exception

return;

}

authType = authHeader.subString(pos, (startQuote - pos) - 1);

String temp = authHeader.subString(

startQuote + 1, (endQuote - startQuote - 1));

Uint32 colonPos;

// Extract the user name and cookie:

Uint32 colon = temp.find(0, ':');

if ((colonPos = temp.find(0, ':')) == PEG_NOT_FOUND)

if ( colon == PEG_NOT_FOUND )

{

userName = temp;

return;

}

else

{

userName = temp.subString(0, colonPos);

userName = temp.subString(0, colon);

cookie = temp;

}

PEG_METHOD_EXIT();

return true;

}

// parse the HTTP authentication header

Boolean AuthenticationManager::_parseHttpAuthHeader(

const String& authHeader, String& authType, String& cookie)

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::_parseHttpAuthHeader()");

// Extract the authentication type:

Uint32 space = authHeader.find(' ');

if ( space == PEG_NOT_FOUND )

{

PEG_METHOD_EXIT();

return false;

}

authType = authHeader.subString(0, space);

// Extract the cookie:

cookie = authHeader.subString(space + 1);

PEG_METHOD_EXIT();

return true;

}

// Get local authentication handler

Authenticator* AuthenticationManager::_getLocalAuthHandler()

{

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::_getLocalAuthHandler()");

PEG_METHOD_EXIT();

// create and return a local authentication handler.

Line 346

Line 434

Authenticator* AuthenticationManager::_getHttpAuthHandler()

{

Authenticator* handler = 0;

PEG_METHOD_ENTER(

TRC_AUTHENTICATION, "AuthenticationManager::_getHttpAuthHandler()");

AutoPtr<Authenticator> handler;

// get the configured/default authentication type

// get the configured authentication type

ConfigManager* configManager = ConfigManager::getInstance();

AutoPtr<ConfigManager> configManager(ConfigManager::getInstance());

String authType = configManager->getCurrentValue("httpAuthType");

_httpAuthType = configManager->getCurrentValue("httpAuthType");

configManager.release();

// If Basic authentication is configured then

// create a authentication handler.

// create a basic authentication handler.

if (String::equal(authType, "Basic"))

if ( String::equalNoCase(_httpAuthType, "Basic") )

{

handler = (Authenticator* ) new BasicAuthenticationHandler( );

handler.reset((Authenticator* ) new BasicAuthenticationHandler( ));

}

#ifdef PEGASUS_KERBEROS_AUTHENTICATION

//ATTN: add support for Digest authentication.

else if ( String::equalNoCase(_httpAuthType, "Kerberos") )

//else if (authType.equalNoCase("Digest"))

{

handler.reset((Authenticator* ) new KerberosAuthenticationHandler( ));

AutoPtr<KerberosAuthenticationHandler> kerberosHandler((KerberosAuthenticationHandler *)handler.get());

int itFailed = kerberosHandler->initialize();

kerberosHandler.release();

if (itFailed)

{

if (handler.get())

{

handler.reset(0);

}

// L10N TODO DONE

//Logger::put(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,

//"CIMOM server authentication handler for Kerberos failed to initialize properly. The CIMOM server is not started.");

Logger::put_l(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,

"Security.Authentication.AuthenticationManager.AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",

"CIMOM server authentication handler for Kerberos failed to initialize properly. The CIMOM server is not started.");

// end the server because Kerberos could not initialized.

MessageLoaderParms parms( "Security.Authentication.AuthenticationManager.AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",

"CIMOM server authentication handler for Kerberos failed to initialize properly. The CIMOM server is not started.");

throw Exception(parms);

}

#endif

// FUTURE: uncomment these line when Digest authentication

// is implemented.

//else if (String::equalNoCase(_httpAuthType, "Digest"))

//{

// handler = (Authenticator* ) new DigestAuthenticationHandler( );

//}

else

{

// This should never happen. Gets here only if Security Config

// property owner has not validated the configured http auth type.

PEGASUS_ASSERT(0);

}

return ( handler );

PEG_METHOD_EXIT();

return ( handler.release() );

}

Legend:

Removed from v.1.2
changed lines
	Added in v.1.27

No CVS admin address has been configured