![]() ![]() |
![]() |
File: [Pegasus] / pegasus / src / Pegasus / Security / Authentication / SecureBasicAuthenticator.cpp
(download)
Revision: 1.18, Fri May 25 17:35:18 2007 UTC (17 years, 1 month ago) by kumpf Branch: MAIN CVS Tags: TASK-Bug2102Final-root, TASK-Bug2102Final-merged_out_to_branch, TASK-Bug2102Final-merged_out_from_trunk, TASK-Bug2102Final-merged_in_to_trunk, TASK-Bug2102Final-merged_in_from_branch, TASK-Bug2102Final-branch Changes since 1.17: +86 -58 lines BUG#: 6037 TITLE: PEP 286 Privilege Separation DESCRIPTION: Implement privilege separation for the CIM Server. This allows the CIM Server to run without privilege, using a separate small process to perform privileged operations as necessary. |
//%2006//////////////////////////////////////////////////////////////////////// // // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems. // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.; // IBM Corp.; EMC Corporation, The Open Group. // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.; // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group. // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.; // EMC Corporation; VERITAS Software Corporation; The Open Group. // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.; // EMC Corporation; Symantec Corporation; The Open Group. // // Permission is hereby granted, free of charge, to any person obtaining a copy // of this software and associated documentation files (the "Software"), to // deal in the Software without restriction, including without limitation the // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or // sell copies of the Software, and to permit persons to whom the Software is // furnished to do so, subject to the following conditions: // // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. // //============================================================================== // // Author: Nag Boranna, Hewlett-Packard Company(nagaraja_boranna@hp.com) // // Modified By: Josephine Eskaline Joyce (jojustin@in.ibm.com) for PEP#101 // Sushma Fernandes, Hewlett-Packard Company(sushma_fernandes@hp.com) // //%///////////////////////////////////////////////////////////////////////////// #include <Pegasus/Common/System.h> #include <Pegasus/Common/Tracer.h> #include <Pegasus/Config/ConfigManager.h> #include <Pegasus/Security/UserManager/UserExceptions.h> #include "SecureBasicAuthenticator.h" #include <Pegasus/Common/Executor.h> #ifdef PEGASUS_OS_OS400 #include "qycmutiltyUtility.H" #include "OS400ConvertChar.h" #endif #ifdef PEGASUS_OS_ZOS #include <pwd.h> #ifdef PEGASUS_ZOS_SECURITY // This include file will not be provided in the OpenGroup CVS for now. // Do NOT try to include it in your compile #include <Pegasus/Common/safCheckzOS_inline.h> #endif #endif PEGASUS_USING_STD; PEGASUS_NAMESPACE_BEGIN /** Constant representing the Basic authentication challenge header. */ static const String BASIC_CHALLENGE_HEADER = "WWW-Authenticate: Basic \""; /* constructor. */ SecureBasicAuthenticator::SecureBasicAuthenticator() { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "SecureBasicAuthenticator::SecureBasicAuthenticator()"); // // get the local system name // _realm.assign(System::getHostName()); // // get the configured port number // ConfigManager* configManager = ConfigManager::getInstance(); String port = configManager->getCurrentValue("httpPort"); // // Create realm that will be used for Basic challenges // _realm.append(":"); _realm.append(port); // // Get a user manager instance handler // _userManager = UserManager::getInstance(); PEG_METHOD_EXIT(); } /* destructor. */ SecureBasicAuthenticator::~SecureBasicAuthenticator() { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "SecureBasicAuthenticator::~SecureBasicAuthenticator()"); PEG_METHOD_EXIT(); } Boolean SecureBasicAuthenticator::authenticate( const String & userName, const String & password) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "SecureBasicAuthenticator::authenticate()"); Boolean authenticated = false; #ifdef PEGASUS_OS_OS400 // Use OS400 APIs to do user name and password verification // (note - need to convert to EBCDIC before calling ycm) CString userCStr = userName.getCString(); const char * user = (const char *) userCStr; AtoE((char *) user); CString pwCStr = password.getCString(); const char *pw = (const char *) pwCStr; AtoE((char *) pw); int os400auth = ycmVerifyUserAuthorization(user, pw); if (os400auth == TRUE) authenticated = true; #elif defined(PEGASUS_OS_ZOS) // use zOS API to do the user name and password verification // note: write possible errors to the tracelog if ((password.size() > 0) && (__passwd ((const char *) userName.getCString(), (const char *) password.getCString(), NULL) == 0)) { # ifdef PEGASUS_ZOS_SECURITY if (CheckProfileCIMSERVclassWBEM(userName, __READ_RESOURCE)) { authenticated = true; } else { authenticated = false; // no READ access to security resource profile CIMSERV CL(WBEM) Logger::put_l( Logger::TRACE_LOG, ZOS_SECURITY_NAME, Logger::WARNING, "Security.Authentication.SecureBasicAuthenticator" ".NOREAD_CIMSERV_ACCESS.PEGASUS_OS_ZOS", "Request UserID $0 misses READ permission to profile CIMSERV " "CL(WBEM).", userName); } # else /* PEGASUS_OS_ZOS */ authenticated = true; # endif /* !PEGASUS_OS_ZOS */ } else { authenticated = false; PEG_TRACE_CSTRING(TRC_AUTHENTICATION, Tracer::LEVEL4, "Authentication failed."); } #else /* DEFAULT (!PEGASUS_OS_ZOS && !PEGASUS_OS_OS400) */ // Check whether valid system user. if (!System::isSystemUser(userName.getCString())) { PEG_METHOD_EXIT(); return (authenticated); } try { // Verify the CIM user password. Use executor if present. Else, use // conventional method. if (Executor::detectExecutor() == 0) { if (Executor::authenticatePassword( userName.getCString(), password.getCString()) == 0) { authenticated = true; } } else { if (_userManager->verifyCIMUserPassword(userName, password)) authenticated = true; } } catch(InvalidUser &) { PEG_METHOD_EXIT(); return (authenticated); } catch(Exception & e) { PEG_METHOD_EXIT(); throw e; } #endif /* DEFAULT (!PEGASUS_OS_ZOS && !PEGASUS_OS_OS400) */ PEG_METHOD_EXIT(); return (authenticated); } Boolean SecureBasicAuthenticator::validateUser(const String& userName) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "SecureBasicAuthenticator::validateUser()"); Boolean authenticated = false; if ( System::isSystemUser(userName.getCString())) { if (Executor::detectExecutor() == 0) { if (Executor::validateUser(userName.getCString()) != 0) authenticated = true; } else if (_userManager->verifyCIMUser(userName)) { authenticated = true; } } PEG_METHOD_EXIT(); return (authenticated); } // // Create authentication response header // String SecureBasicAuthenticator::getAuthResponseHeader() { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "SecureBasicAuthenticator::getAuthResponseHeader()"); // // build response header using realm // String responseHeader = BASIC_CHALLENGE_HEADER; responseHeader.append(_realm); responseHeader.append("\""); PEG_METHOD_EXIT(); return (responseHeader); } PEGASUS_NAMESPACE_END
No CVS admin address has been configured |
Powered by ViewCVS 0.9.2 |