From ad8e4d0eaaa105de03e526a7fd00d36417bfd441 Mon Sep 17 00:00:00 2001
From: Joel Bernstein
Date: Tue, 21 Jul 2015 15:07:27 +0000
Subject: [PATCH] ACE-777: integrate the X509 Auth Servlet Filter into solr4 and web-client projects.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@108677 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../servlet/AlfrescoX509ServletFilter.java | 74 ++++++++++++++
 source/web/WEB-INF/web.xml | 98 ++++++-------------
 2 files changed, 104 insertions(+), 68 deletions(-)
 create mode 100644 source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java
diff --git a/source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java b/source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java
new file mode 100644
index 0000000000..972c04fbbd
--- /dev/null
+++ b/source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java
@@ -0,0 +1,74 @@
+/*
+* Copyright (C) 2005-2013 Alfresco Software Limited.
+*
+* This file is part of Alfresco
+*
+* Alfresco is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* Alfresco is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with Alfresco. If not, see .
+*/
+
+package org.alfresco.web.app.servlet;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+import org.alfresco.web.scripts.servlet.X509ServletFilterBase;
+
+import javax.servlet.*;
+import java.io.IOException;
+import java.util.Properties;
+
+/**
+ * The AlfrescoX509ServletFilter implements the checkEnforce method of the X509ServletFilterBase.
+ * This allows the configuration of X509 authentication to be toggled on/off through a
+ * configuration outside of the web.xml.
+ **/
+
+public class AlfrescoX509ServletFilter extends X509ServletFilterBase
+{
+ private static final String BEAN_GLOBAL_PROPERTIES = "global-properties";
+ private static final String SECURE_COMMS = "solr.secureComms";
+
+ private static Log logger = LogFactory.getLog(AlfrescoX509ServletFilter.class);
+
+ @Override
+ protected boolean checkEnforce(ServletContext servletContext) throws IOException
+ {
+ /*
+ * Get the secureComms setting from the global properties bean.
+ */
+
+ WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
+ Properties globalProperties = (Properties) wc.getBean(BEAN_GLOBAL_PROPERTIES);
+ String prop = globalProperties.getProperty(SECURE_COMMS);
+
+ if(logger.isDebugEnabled())
+ {
+ logger.debug("secureComms:"+prop);
+ }
+
+ /*
+ * Return true or false based on the property. This will switch on/off X509 enforcement in the X509ServletFilterBase.
+ */
+
+ if (prop == null || "none".equals(prop))
+ {
+ return false;
+ }
+ else
+ {
+ return true;
+ }
+ }
+}
\ No newline at end of file
diff --git a/source/web/WEB-INF/web.xml b/source/web/WEB-INF/web.xml
index 2da1784cfc..116e0cab9d 100644
--- a/source/web/WEB-INF/web.xml
+++ b/source/web/WEB-INF/web.xml
@@ -85,6 +85,15 @@ Global Localization Filter org.alfresco.web.app.servlet.GlobalLocalizationFilter + + + X509AuthFilter + org.alfresco.web.app.servlet.AlfrescoX509ServletFilter + + cert-contains + CN=Alfresco Repository + +
@@ -491,74 +521,6 @@ - - - SOLR - /service/api/solr/* - - - - repoclient - - - - CONFIDENTIAL - - - - - - SOLR - /s/api/solr/* - - - - repoclient - - - - CONFIDENTIAL - - - - - - SOLR - /wcservice/api/solr/* - - - - repoclient - - - - CONFIDENTIAL - - - - - - SOLR - /wcs/api/solr/* - - - - repoclient - - - - CONFIDENTIAL - - - - - CLIENT-CERT - Repository - - - - repoclient -
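Review bot: `checkEnforce` fails open, because the final test `prop == null || "none".equals(prop)` returns false and so switches X509 enforcement off whenever `solr.secureComms` is absent from the `global-properties` bean; a missing or misspelled key then behaves exactly like an explicit `none`. The same patch removes the container-level CLIENT-CERT constraints from web.xml, so this filter appears to be the only remaining check on the SOLR endpoints. Disabling enforcement only on the explicit value is the safer default, e.g. `return !"none".equals(prop);`. The decision is also logged at debug level only, so a `logger.warn` on the branch that turns enforcement off would make an unprotected deployment visible in ordinary logs.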
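Review bot: No `filter-mapping` for `X509AuthFilter` is visible in this web.xml change, yet the following hunk deletes the four `SOLR` constraints (`/service/api/solr/*`, `/s/api/solr/*`, `/wcservice/api/solr/*`, `/wcs/api/solr/*`) together with the `CLIENT-CERT` login configuration and the `repoclient` role. The hunk headers jump from +85 to +521, so a mapping hunk may simply be missing from this page; the mapping should be checked to cover all four patterns, since an unmapped alias would be left with no certificate check at all. The deleted constraints also carried a `CONFIDENTIAL` transport guarantee, and X509ServletFilterBase is not shown here, so it is worth confirming that the filter refuses plain-HTTP requests itself. If `cert-contains` is a substring test on the client certificate, as the name suggests, the trust store has to be limited to the intended issuing CA, because any trusted certificate containing `CN=Alfresco Repository` would pass.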