diff --git a/cadc-access-control/build.gradle b/cadc-access-control/build.gradle
index d519622d02792714286ebb2eebc5e489c59beb0f..890bada7a6623e263eb9125b451a7c2988dceca6 100644
--- a/cadc-access-control/build.gradle
+++ b/cadc-access-control/build.gradle
@@ -15,7 +15,7 @@ sourceCompatibility = 1.7
group = 'org.opencadc'
-version = '1.1.5'
+version = '1.1.6'
mainClassName = 'ca.nrc.cadc.ac.client.Main'
diff --git a/cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GMSClient.java b/cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GMSClient.java
index 55c56c125935c9a07e9ba8b7da06b7769994d935..bc5bd3df594630e34b86e93ef04422d8cacb1d17 100755
--- a/cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GMSClient.java
+++ b/cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GMSClient.java
@@ -1104,37 +1104,63 @@ public class GMSClient implements TransferListener
private URL lookupServiceURL(final URI standard)
throws AccessControlException
{
- final URL serviceURL = getRegistryClient()
- .getServiceURL(this.serviceID, standard, getAuthMethod());
-
+ Subject subject = AuthenticationUtil.getCurrentSubject();
+ AuthMethod am = getAuthMethod(subject);
+
+ URL serviceURL = getRegistryClient().getServiceURL(this.serviceID, standard, am);
+
+ // now that we have a URL we can check if the cookie will actually be sent to it
+ if (AuthMethod.COOKIE.equals(am))
+ {
+ try
+ {
+ boolean domainMatch = false;
+ String domain = NetUtil.getDomainName(serviceURL);
+ for (SSOCookieCredential cc : subject.getPublicCredentials(SSOCookieCredential.class))
+ {
+ if (cc.getDomain().equals(domain))
+ domainMatch = true;
+ }
+ if (!domainMatch)
+ {
+ throw new AccessControlException("no SSOCookieCredential for domain " + domain);
+ }
+ }
+ catch(IOException ex)
+ {
+ throw new RuntimeException("failure checking domain for cookie use", ex);
+ }
+ }
+
if (serviceURL == null)
{
throw new RuntimeException(
String.format("Unable to get Service URL for '%s', '%s', '%s'",
- serviceID.toString(), Standards.GMS_GROUPS_01,
- getAuthMethod()));
- }
- else
- {
- return serviceURL;
+ serviceID.toString(), standard, am));
}
+
+ return serviceURL;
}
-
- private AuthMethod getAuthMethod()
+
+ private AuthMethod getAuthMethod(Subject subject)
{
- Subject subject = AuthenticationUtil.getCurrentSubject();
if (subject != null)
{
- for (Object o : subject.getPublicCredentials())
+ // web services use CDP to load a proxy cert so prefer that
+ X509CertificateChain privateKeyChain = X509CertificateChain.findPrivateKeyChain(
+ subject.getPublicCredentials());
+ if (privateKeyChain != null)
+ return AuthMethod.CERT;
+
+ // ui applications pass cookie(s) along
+ Set sso = subject.getPublicCredentials(SSOCookieCredential.class);
+ if ( !sso.isEmpty() )
{
- if (o instanceof X509CertificateChain)
- return AuthMethod.CERT;
- if (o instanceof SSOCookieCredential)
- return AuthMethod.COOKIE;
- // AuthMethod.PASSWORD not supported
- // AuthMethod.TOKEN not supported
+ return AuthMethod.COOKIE;
}
-
+
+ // AuthMethod.PASSWORD not supported
+ // AuthMethod.TOKEN not supported
throw new AccessControlException("No valid public credentials.");
}
else