diff --git a/projects/cadcAccessControl-Server/build.xml b/projects/cadcAccessControl-Server/build.xml
index a5fea3d97328b8ea86663092f3136e7528463a7b..c9b7e5c538100ffbf94bf9bf5c529ecfd8b66de1 100644
--- a/projects/cadcAccessControl-Server/build.xml
+++ b/projects/cadcAccessControl-Server/build.xml
@@ -93,6 +93,7 @@
<property name="cadcUtil" value="${lib}/cadcUtil.jar"/>
<property name="cadcUWS" value="${lib}/cadcUWS.jar"/>
<property name="wsUtil" value="${lib}/wsUtil.jar"/>
+ <property name="wsUtil-augment" value="${lib}/wsUtil-augment.jar"/>
<property name="javacsv" value="${ext.lib}/javacsv.jar"/>
<property name="jdom2" value="${ext.lib}/jdom2.jar"/>
@@ -102,7 +103,7 @@
<property name="xerces" value="${ext.lib}/xerces.jar"/>
<property name="jars"
- value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}"/>
+ value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}:${wsUtil-augment}"/>
<target name="build" depends="compile">
<jar jarfile="${build}/lib/${project}.jar"
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
index 70cf6b0dfc454f82f6817b42eb217d97d6961016..f21870be46498ebdc3ed7aed00840ad9ab590887 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
@@ -100,7 +100,7 @@ public class GetUserAction extends AbstractUserAction
{
User<Principal> user;
- if (isSubjectUser(this.augmentUserDN))
+ if (isServops())
{
Subject subject = new Subject();
subject.getPrincipals().add(this.userID);
@@ -176,21 +176,22 @@ public class GetUserAction extends AbstractUserAction
return user;
}
-
- protected boolean isSubjectUser(String username)
+
+ protected boolean isServops()
{
- boolean found = false;
- Subject subject = Subject.getSubject(AccessController.getContext());
+ boolean isServops = false;
+ AccessControlContext acc = AccessController.getContext();
+ Subject subject = Subject.getSubject(acc);
if (subject != null)
{
- for (Principal principal : subject.getPrincipals())
- {
- if (principal.getName().equals(username))
- {
- found = true;
- break;
- }
- }
+ for (Principal principal : subject.getPrincipals())
+ {
+ if (principal.getName().equals(this.getAugmentUserDN()))
+ {
+ isServops = true;
+ break;
+ }
+ }
}
return found;
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
index 457dd4b1b686ef42092abd6378945affbf82ed05..30583c7ff083819565324705e964097eb6cc743f 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
@@ -68,17 +68,18 @@
*/
package ca.nrc.cadc.ac.server.web.users;
-import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.web.WebUtil;
import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal;
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
+
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/RequestValidatorTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/RequestValidatorTest.java
index e54ea3da63d1689021d071ae82a86d58c12952f6..87abcdac7c5d70b2aadf0aca0aba438ae04ecbdd 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/RequestValidatorTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/RequestValidatorTest.java
@@ -71,15 +71,18 @@ package ca.nrc.cadc.ac.server;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.server.web.groups.AddUserMemberActionTest;
import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.uws.Parameter;
import java.util.ArrayList;
import java.util.List;
+
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.junit.BeforeClass;
import org.junit.Test;
+
import static org.junit.Assert.*;
/**
@@ -152,7 +155,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
- paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
+ paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo"));
try
{
@@ -163,7 +166,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
- paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
+ paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo"));
paramList.add(new Parameter("GROUPID", ""));
try
@@ -175,7 +178,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
- paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
+ paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", Role.MEMBER.getValue()));
rv.validate(paramList);
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/AddUserMemberActionTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/AddUserMemberActionTest.java
index 8eae8ace9c01d0fce6d452861e0f61030008e954..d079de6f350de9ea7fd41bef8e3a671c68c5b52e 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/AddUserMemberActionTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/AddUserMemberActionTest.java
@@ -74,7 +74,9 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
+
import java.security.Principal;
import org.apache.log4j.Level;
@@ -107,7 +109,7 @@ public class AddUserMemberActionTest
try
{
String userID = "foo";
- String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
+ String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
@@ -159,7 +161,7 @@ public class AddUserMemberActionTest
try
{
String userID = "foo";
- String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
+ String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/RemoveUserMemberActionTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/RemoveUserMemberActionTest.java
index 92f5263dabbed86331eb015a9e0098bc02a146b0..dcba09b625bbd5830640710fe4cc780bf1faf7f1 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/RemoveUserMemberActionTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/RemoveUserMemberActionTest.java
@@ -74,8 +74,11 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
+
import java.security.Principal;
+
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.easymock.EasyMock;
@@ -106,7 +109,7 @@ public class RemoveUserMemberActionTest
try
{
String userID = "foo";
- String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
+ String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
@@ -156,7 +159,7 @@ public class RemoveUserMemberActionTest
try
{
String userID = "foo";
- String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
+ String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
diff --git a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/UserClient.java b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/UserClient.java
index a22a7519f360b2598a9728110b0163e6dfab2f3c..3e1f8e2436d388d4db19d7f27452794708a7861e 100644
--- a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/UserClient.java
+++ b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/UserClient.java
@@ -71,13 +71,10 @@ package ca.nrc.cadc.ac.client;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
-import java.net.URLEncoder;
-import java.security.AccessControlContext;
-import java.security.AccessController;
import java.security.Principal;
+import java.util.Iterator;
import java.util.Set;
-import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
@@ -87,9 +84,9 @@ import ca.nrc.cadc.auth.HttpPrincipal;
import org.apache.log4j.Logger;
import ca.nrc.cadc.ac.xml.UserReader;
+import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
-import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.net.HttpDownload;
@@ -102,8 +99,6 @@ public class UserClient
private static final Logger log = Logger.getLogger(UserClient.class);
// socket factory to use when connecting
- private SSLSocketFactory sslSocketFactory;
- private SSLSocketFactory mySocketFactory;
private String baseURL;
/**
@@ -148,12 +143,11 @@ public class UserClient
*/
public void augmentSubject(Subject subject)
{
- URL url = this.getURL(subject);
+ Principal principal = this.getPrincipal(subject);
+ URL url = this.getURL(principal);
log.debug("augmentSubject request to " + url.toString());
ByteArrayOutputStream out = new ByteArrayOutputStream();
HttpDownload download = new HttpDownload(url, out);
-
- download.setSSLSocketFactory(getSSLSocketFactory());
download.run();
this.handleThrowable(download);
@@ -162,7 +156,7 @@ public class UserClient
protected void augmentSubject(Subject subject, Set<Principal> principals)
{
- if (principals.isEmpty())
+ if (!principals.iterator().hasNext())
{
String name = subject.getPrincipals().iterator().next().getName();
String msg = "No UserIdentity in LDAP server for principal: " + name;
@@ -197,6 +191,33 @@ public class UserClient
}
}
+ protected Principal getPrincipal(final Subject subject)
+ {
+ Set<Principal> principals = subject.getPrincipals();
+ Iterator<Principal> iterator = principals.iterator();
+ if (iterator.hasNext())
+ {
+ Principal principal = iterator.next();
+ log.debug("alinga-- UserClient.getPrincipal(): principal = " + principal);
+ if (iterator.hasNext())
+ {
+ Principal principal1 = iterator.next();
+ log.debug("alinga-- UserClient.getPrincipal(): principal1 = " + principal1);
+ log.debug("alinga-- UserClient.getPrincipal(): number of principals = " + principals.size());
+ // Should only have one principal
+ final String msg = "Subject has more than one principal.";
+ throw new IllegalArgumentException(msg);
+ }
+
+ return principal;
+ }
+ else
+ {
+ final String msg = "Subject has no principal.";
+ throw new IllegalArgumentException(msg);
+ }
+ }
+
protected Set<Principal> getPrincipals(ByteArrayOutputStream out)
{
try
@@ -224,127 +245,34 @@ public class UserClient
}
}
- protected URL getURL(Subject subject)
+ protected URL getURL(Principal principal)
{
try
{
- String userID = subject.getPrincipals().iterator().next().getName();
- String encodedUserID = URLEncoder.encode(userID, "UTF-8");
- URL url = new URL(this.baseURL + "/users/" + encodedUserID +
- "?idType=" + this.getIdType(subject) + "&detail=identity");
+ String userID = principal.getName();
+ URL url = new URL(this.baseURL + "/users/" + userID +
+ "?idType=" + this.getIdType(principal) + "&detail=identity");
log.debug("getURL(): returned url ="
+ ""
+ " " + url.toString());
return url;
}
- catch (UnsupportedEncodingException e)
- {
- throw new RuntimeException(e);
- }
catch (MalformedURLException e)
{
throw new RuntimeException(e);
}
}
- protected String getIdType(Subject subject)
+ protected String getIdType(Principal principal)
{
- Set<Principal> principals = subject.getPrincipals();
- if (principals.size() > 0)
- {
- String idTypeStr = null;
- Principal principal = principals.iterator().next();
- if (principal instanceof HttpPrincipal)
- {
- idTypeStr = IdentityType.USERNAME.getValue();
- }
- else if (principal instanceof X500Principal)
- {
- idTypeStr = IdentityType.X500.getValue();
- }
- else if (principal instanceof NumericPrincipal)
- {
- idTypeStr = IdentityType.CADC.getValue();
- }
- else if (principal instanceof CookiePrincipal)
- {
- idTypeStr = IdentityType.COOKIE.getValue();
- }
- else
- {
- final String msg = "Subject has unsupported principal " +
- principal.getName() +
- ", not one of (X500, Cookie, HTTP or Cadc).";
- throw new IllegalArgumentException(msg);
- }
-
- return idTypeStr;
- }
- else
- {
- final String msg = "Subject has no principal.";
- throw new IllegalArgumentException(msg);
- }
- }
-
- /**
- * @param sslSocketFactory the sslSocketFactory to set
- */
- public void setSSLSocketFactory(SSLSocketFactory sslSocketFactory)
- {
- if (mySocketFactory != null)
- {
- throw new IllegalStateException(
- "Illegal use of GMSClient: cannot set SSLSocketFactory " +
- "after using one created from Subject");
- }
- this.sslSocketFactory = sslSocketFactory;
- clearCache();
- }
-
- private int subjectHashCode = 0;
-
- private SSLSocketFactory getSSLSocketFactory()
- {
- AccessControlContext ac = AccessController.getContext();
- Subject s = Subject.getSubject(ac);
-
- // no real Subject: can only use the one from setSSLSocketFactory
- if (s == null || s.getPrincipals().isEmpty())
- {
- return sslSocketFactory;
- }
-
- // lazy init
- if (this.mySocketFactory == null)
+ String idTypeStr = AuthenticationUtil.getPrincipalType(principal);
+ if (idTypeStr == null)
{
- log.debug("getSSLSocketFactory: " + s);
- this.mySocketFactory = SSLUtil.getSocketFactory(s);
- this.subjectHashCode = s.hashCode();
- }
- else
- {
- int c = s.hashCode();
- if (c != subjectHashCode)
- {
- throw new IllegalStateException(
- "Illegal use of " + this.getClass().getSimpleName() +
- ": subject change not supported for internal " +
- "SSLSocketFactory");
- }
- }
- return this.mySocketFactory;
- }
-
- protected void clearCache()
- {
- AccessControlContext acContext = AccessController.getContext();
- Subject subject = Subject.getSubject(acContext);
-
- if (subject != null)
- {
- log.debug("Clearing cache");
- subject.getPrivateCredentials().clear();
+ final String msg = "Subject has unsupported principal " +
+ principal.getName();
+ throw new IllegalArgumentException(msg);
}
+
+ return idTypeStr;
}
}
diff --git a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
index 7401185b0487eafa718057a3fa74732f74f0e6bc..732e406596b8cadc758526c86342742ebd4ccd1c 100644
--- a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
+++ b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
@@ -72,7 +72,6 @@ package ca.nrc.cadc.ac.xml;
import ca.nrc.cadc.ac.AC;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupProperty;
-import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.PosixDetails;
import ca.nrc.cadc.ac.ReaderException;
@@ -81,9 +80,11 @@ import ca.nrc.cadc.ac.UserDetails;
import ca.nrc.cadc.ac.UserRequest;
import ca.nrc.cadc.ac.WriterException;
import ca.nrc.cadc.auth.HttpPrincipal;
+import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal;
import ca.nrc.cadc.date.DateUtil;
+
import org.jdom2.Attribute;
import org.jdom2.Document;
import org.jdom2.Element;
@@ -91,6 +92,7 @@ import org.jdom2.output.Format;
import org.jdom2.output.XMLOutputter;
import javax.security.auth.x500.X500Principal;
+
import java.io.IOException;
import java.io.Writer;
import java.security.Principal;