ACE-777: integrate the X509 Auth Servlet Filter into solr4 and web-client projects.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@108677 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -0,0 +1,74 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (C) 2005-2013 Alfresco Software Limited.
|
||||||
|
*
|
||||||
|
* This file is part of Alfresco
|
||||||
|
*
|
||||||
|
* Alfresco is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Lesser General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* Alfresco is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Lesser General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Lesser General Public License
|
||||||
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.alfresco.web.app.servlet;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.springframework.web.context.WebApplicationContext;
|
||||||
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
||||||
|
import org.alfresco.web.scripts.servlet.X509ServletFilterBase;
|
||||||
|
|
||||||
|
import javax.servlet.*;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The AlfrescoX509ServletFilter implements the checkEnforce method of the X509ServletFilterBase.
|
||||||
|
* This allows the configuration of X509 authentication to be toggled on/off through a
|
||||||
|
* configuration outside of the web.xml.
|
||||||
|
**/
|
||||||
|
|
||||||
|
public class AlfrescoX509ServletFilter extends X509ServletFilterBase
|
||||||
|
{
|
||||||
|
private static final String BEAN_GLOBAL_PROPERTIES = "global-properties";
|
||||||
|
private static final String SECURE_COMMS = "solr.secureComms";
|
||||||
|
|
||||||
|
private static Log logger = LogFactory.getLog(AlfrescoX509ServletFilter.class);
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected boolean checkEnforce(ServletContext servletContext) throws IOException
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Get the secureComms setting from the global properties bean.
|
||||||
|
*/
|
||||||
|
|
||||||
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
|
||||||
|
Properties globalProperties = (Properties) wc.getBean(BEAN_GLOBAL_PROPERTIES);
|
||||||
|
String prop = globalProperties.getProperty(SECURE_COMMS);
|
||||||
|
|
||||||
|
if(logger.isDebugEnabled())
|
||||||
|
{
|
||||||
|
logger.debug("secureComms:"+prop);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return true or false based on the property. This will switch on/off X509 enforcement in the X509ServletFilterBase.
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (prop == null || "none".equals(prop))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
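Review bot: `checkEnforce` returns false when `solr.secureComms` is absent from the global properties, so a missing or misspelled key silently switches X509 enforcement off rather than on. This commit also removes the container-level CLIENT-CERT constraints from web.xml, so that path would leave the Solr API patterns with no certificate check at all, assuming X509ServletFilterBase (not shown on this page) skips validation whenever this method returns false. I would at least make the disabled state visible, e.g. `if (prop == null) { logger.warn("solr.secureComms is not set; X509 enforcement is disabled"); }`, and decide explicitly whether an unset property should enforce by default. As a smaller point, `"none".equals(prop)` is case- and whitespace-sensitive, so comparing with `"none".equalsIgnoreCase(prop.trim())` after the null check would keep an explicit opt-out from depending on exact spelling.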
@@ -86,6 +86,15 @@
|
|||||||
<filter-class>org.alfresco.web.app.servlet.GlobalLocalizationFilter</filter-class>
|
<filter-class>org.alfresco.web.app.servlet.GlobalLocalizationFilter</filter-class>
|
||||||
</filter>
|
</filter>
|
||||||
|
|
||||||
|
<filter>
|
||||||
|
<filter-name>X509AuthFilter</filter-name>
|
||||||
|
<filter-class>org.alfresco.web.app.servlet.AlfrescoX509ServletFilter</filter-class>
|
||||||
|
<init-param>
|
||||||
|
<param-name>cert-contains</param-name>
|
||||||
|
<param-value>CN=Alfresco Repository</param-value>
|
||||||
|
</init-param>
|
||||||
|
</filter>
|
||||||
|
|
||||||
<!-- CORS Filter Begin -->
|
<!-- CORS Filter Begin -->
|
||||||
<!--<filter>
|
<!--<filter>
|
||||||
<filter-name>CORS</filter-name>
|
<filter-name>CORS</filter-name>
|
||||||
@@ -198,6 +207,27 @@
|
|||||||
<url-pattern>/cmisatom/*</url-pattern>
|
<url-pattern>/cmisatom/*</url-pattern>
|
||||||
</filter-mapping>
|
</filter-mapping>
|
||||||
|
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>X509AuthFilter</filter-name>
|
||||||
|
<url-pattern>/service/api/solr/*</url-pattern>
|
||||||
|
</filter-mapping>
|
||||||
|
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>X509AuthFilter</filter-name>
|
||||||
|
<url-pattern>/s/api/solr/*</url-pattern>
|
||||||
|
</filter-mapping>
|
||||||
|
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>X509AuthFilter</filter-name>
|
||||||
|
<url-pattern>/wcservice/api/solr/*</url-pattern>
|
||||||
|
</filter-mapping>
|
||||||
|
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>X509AuthFilter</filter-name>
|
||||||
|
<url-pattern>/wcs/api/solr/*</url-pattern>
|
||||||
|
</filter-mapping>
|
||||||
|
|
||||||
|
|
||||||
<!-- Enterprise filter-mapping placeholder -->
|
<!-- Enterprise filter-mapping placeholder -->
|
||||||
|
|
||||||
<listener>
|
<listener>
|
||||||
@@ -491,74 +521,6 @@
|
|||||||
|
|
||||||
<!-- Toggle securecomms placeholder start -->
|
<!-- Toggle securecomms placeholder start -->
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>SOLR</web-resource-name>
|
|
||||||
<url-pattern>/service/api/solr/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>repoclient</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>SOLR</web-resource-name>
|
|
||||||
<url-pattern>/s/api/solr/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>repoclient</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>SOLR</web-resource-name>
|
|
||||||
<url-pattern>/wcservice/api/solr/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>repoclient</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>SOLR</web-resource-name>
|
|
||||||
<url-pattern>/wcs/api/solr/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>repoclient</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<login-config>
|
|
||||||
<auth-method>CLIENT-CERT</auth-method>
|
|
||||||
<realm-name>Repository</realm-name>
|
|
||||||
</login-config>
|
|
||||||
|
|
||||||
<security-role>
|
|
||||||
<role-name>repoclient</role-name>
|
|
||||||
</security-role>
|
|
||||||
|
|
||||||
<!-- Toggle securecomms placeholder end -->
|
<!-- Toggle securecomms placeholder end -->
|
||||||
|
|
||||||
|
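Review bot: The four `<security-constraint>` blocks removed in the last hunk carried `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` as well as the `repoclient` auth-constraint, while the `X509AuthFilter` mappings that replace them are only known to take over the certificate check. Unless X509ServletFilterBase (not visible on this page) rejects requests that arrive without TLS or without a client certificate, `/service/api/solr/*`, `/s/api/solr/*`, `/wcservice/api/solr/*` and `/wcs/api/solr/*` lose the container's requirement of an encrypted transport; that should be confirmed before merging. The `cert-contains` value `CN=Alfresco Repository` reads like a substring test on the subject DN, which any certificate from a trusted CA could satisfy if its subject merely contains that text, so the connector's truststore would need to be limited to the CA that issues the repository certificate. A comment above the new `<filter>` element, such as `<!-- X509AuthFilter replaces the former CLIENT-CERT security-constraints; enforcement is controlled by solr.secureComms -->`, would record why the constraints are gone.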