version 1.62, 2006/01/30 16:18:31
|
version 1.63, 2006/03/08 20:55:16
|
|
|
// In this case, no further attempts to authenticate the client are made | // In this case, no further attempts to authenticate the client are made |
authenticated = httpMessage->authInfo->isAuthenticated(); | authenticated = httpMessage->authInfo->isAuthenticated(); |
#endif | #endif |
// If the request was authenticated via SSL, append the username to the IdentityContainer |
|
String cimOperation; |
// Get the user name associated with the certificate (using the |
|
// certificate chain, if necessary). |
|
|
|
String certUserName; |
if (authenticated && | if (authenticated && |
(String::equal(httpMessage->authInfo->getAuthType(), | (String::equal(httpMessage->authInfo->getAuthType(), |
AuthenticationInfoRep::AUTH_TYPE_SSL))) | AuthenticationInfoRep::AUTH_TYPE_SSL))) |
{ | { |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, "Client was authenticated via trusted SSL certificate."); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, "Client was authenticated via trusted SSL certificate."); |
| |
//PEP187 |
|
String trustStore = configManager->getCurrentValue("sslTrustStore"); | String trustStore = configManager->getCurrentValue("sslTrustStore"); |
| |
if (FileSystem::isDirectory(ConfigManager::getHomedPath(trustStore))) | if (FileSystem::isDirectory(ConfigManager::getHomedPath(trustStore))) |
|
|
{ | { |
cimInstance = _repository->getInstance(PEGASUS_NAMESPACENAME_CERTIFICATE, cimObjectPath); | cimInstance = _repository->getInstance(PEGASUS_NAMESPACENAME_CERTIFICATE, cimObjectPath); |
| |
Boolean isValidUser = false; |
|
pos = cimInstance.findProperty("RegisteredUserName"); | pos = cimInstance.findProperty("RegisteredUserName"); |
| |
if (pos != PEG_NOT_FOUND && !(value = cimInstance.getProperty(pos).getValue()).isNull()) | if (pos != PEG_NOT_FOUND && !(value = cimInstance.getProperty(pos).getValue()).isNull()) |
|
|
value.get(userName); | value.get(userName); |
| |
// | // |
// If a username is not specified, continue up the chain to look for a username. |
// If a user name is specified, our search is complete |
// | // |
if (userName == String::EMPTY && i < loopCount ) |
if (userName.size()) |
{ | { |
Tracer::trace(TRC_HTTP, Tracer::LEVEL4, |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, |
"The certificate at level %u has no associated username, moving up the chain", i); |
"User name for certificate is " + userName); |
continue; |
certUserName = userName; |
|
break; |
} | } |
| |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, "User name for certificate is " + userName); |
// No user name is specified; continue up the chain |
isValidUser = _validateUser(userName, queueId); |
Tracer::trace(TRC_HTTP, Tracer::LEVEL4, |
|
"The certificate at level %u has no " |
|
"associated username, moving up the chain", |
|
i); |
} | } |
else | else |
{ | { |
Logger::put(Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, | Logger::put(Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, |
"HTTPAuthenticatorDelegator - Bailing, no username is registered to this certificate."); | "HTTPAuthenticatorDelegator - Bailing, no username is registered to this certificate."); |
} | } |
|
|
if (isValidUser) |
|
{ |
|
httpMessage->authInfo->setAuthenticatedUser(userName); |
|
|
|
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, "User name for certificate is " + userName); |
|
Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, |
|
"HTTPAuthenticatorDelegator - The trusted client certificate is registered to $0.", userName); |
|
break; |
|
|
|
} else |
|
{ |
|
MessageLoaderParms msgParms("Pegasus.Server.HTTPAuthenticatorDelegator.BAD_CERTIFICATE_USERNAME", |
|
"The username associated to this certificate is not a valid system user"); |
|
String msg(MessageLoader::getMessage(msgParms)); |
|
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); |
|
_sendHttpError( |
|
queueId, |
|
HTTP_STATUS_UNAUTHORIZED, |
|
String::EMPTY, |
|
msg, |
|
closeConnect); |
|
PEG_METHOD_EXIT(); |
|
return; |
|
} |
|
|
|
|
|
} catch (CIMException& e) | } catch (CIMException& e) |
{ | { |
//this certificate did not have a registration associated with it; continue up the chain | //this certificate did not have a registration associated with it; continue up the chain |
|
|
{ | { |
//trustStore is a single CA file, lookup username | //trustStore is a single CA file, lookup username |
//user was already verified as a valid system user during server startup | //user was already verified as a valid system user during server startup |
String trustStoreUserName = configManager->getCurrentValue("sslTrustStoreUserName"); |
certUserName = |
|
configManager->getCurrentValue("sslTrustStoreUserName"); |
|
} |
| |
// | // |
// Validate user information | // Validate user information |
// | // |
| |
if (!_validateUser(trustStoreUserName, queueId)) |
if (!_authenticationManager->validateUserForHttpAuth(certUserName)) |
{ | { |
|
MessageLoaderParms msgParms( |
|
"Pegasus.Server.HTTPAuthenticatorDelegator." |
|
"BAD_CERTIFICATE_USERNAME", |
|
"The username registered to this certificate is not a " |
|
"valid user."); |
|
_sendHttpError( |
|
queueId, |
|
HTTP_STATUS_UNAUTHORIZED, |
|
String::EMPTY, |
|
MessageLoader::getMessage(msgParms), |
|
closeConnect); |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
return; | return; |
} | } |
| |
|
httpMessage->authInfo->setAuthenticatedUser(certUserName); |
httpMessage->authInfo->setAuthenticatedUser(trustStoreUserName); |
|
| |
PEG_TRACE_STRING( | PEG_TRACE_STRING( |
TRC_HTTP, | TRC_HTTP, |
Tracer::LEVEL3, | Tracer::LEVEL3, |
"User name for certificate is " + trustStoreUserName); |
"User name for certificate is " + certUserName); |
Logger::put( | Logger::put( |
Logger::STANDARD_LOG, | Logger::STANDARD_LOG, |
System::CIMSERVER, | System::CIMSERVER, |
Logger::TRACE, | Logger::TRACE, |
"HTTPAuthenticatorDelegator - The trusted client certificate is registered to $0.", |
"HTTPAuthenticatorDelegator - The trusted client certificate " |
trustStoreUserName); |
"is registered to $0.", |
|
certUserName); |
} | } |
} |
|
|
|
} //end enableAuthentication | } //end enableAuthentication |
| |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Exited authentication loop"); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Exited authentication loop"); |
|
|
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
} | } |
| |
Boolean HTTPAuthenticatorDelegator::_validateUser( |
|
const String& userName, |
|
Uint32 queueId) |
|
{ |
|
Boolean authenticated = false; |
|
|
|
authenticated = _authenticationManager->validateUserForHttpAuth(userName); |
|
|
|
if (!authenticated) |
|
{ |
|
MessageLoaderParms msgParms( |
|
"Pegasus.Server.HTTPAuthenticatorDelegator.BAD_CERTIFICATE_USERNAME", |
|
"The username registered to this certificate is not a valid user."); |
|
|
|
String msg(MessageLoader::getMessage(msgParms)); |
|
_sendHttpError(queueId, |
|
HTTP_STATUS_UNAUTHORIZED, |
|
String::EMPTY, |
|
msg); |
|
} |
|
|
|
return(authenticated); |
|
} |
|
|
|
PEGASUS_NAMESPACE_END | PEGASUS_NAMESPACE_END |