inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

ACE-777: integrate the X509 Auth Servlet Filter into solr4 and web-client projects.

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@108677 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Joel Bernstein
2015-07-21 15:07:27 +00:00
parent 92e919c9ba
commit ad8e4d0eaa
2 changed files with 104 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
source/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java Normal file
View File

@@ -0,0 +1,74 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.app.servlet;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.alfresco.web.scripts.servlet.X509ServletFilterBase;
import javax.servlet.*;
import java.io.IOException;
import java.util.Properties;
/**
* The AlfrescoX509ServletFilter implements the checkEnforce method of the X509ServletFilterBase.
* This allows the configuration of X509 authentication to be toggled on/off through a
* configuration outside of the web.xml.
**/
public class AlfrescoX509ServletFilter extends X509ServletFilterBase
{
private static final String BEAN_GLOBAL_PROPERTIES = "global-properties";
private static final String SECURE_COMMS = "solr.secureComms";
private static Log logger = LogFactory.getLog(AlfrescoX509ServletFilter.class);
@Override
protected boolean checkEnforce(ServletContext servletContext) throws IOException
{
/*
* Get the secureComms setting from the global properties bean.
*/
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
Properties globalProperties = (Properties) wc.getBean(BEAN_GLOBAL_PROPERTIES);
String prop = globalProperties.getProperty(SECURE_COMMS);
if(logger.isDebugEnabled())
{
logger.debug("secureComms:"+prop);
}
/*
* Return true or false based on the property. This will switch on/off X509 enforcement in the X509ServletFilterBase.
*/
if (prop == null || "none".equals(prop))
{
return false;
}
else
{
return true;
}
}
}

98
source/web/WEB-INF/web.xml
View File

@@ -86,6 +86,15 @@
<filter-class>org.alfresco.web.app.servlet.GlobalLocalizationFilter</filter-class>
</filter>
<filter>
<filter-name>X509AuthFilter</filter-name>
<filter-class>org.alfresco.web.app.servlet.AlfrescoX509ServletFilter</filter-class>
<init-param>
<param-name>cert-contains</param-name>
<param-value>CN=Alfresco Repository</param-value>
</init-param>
</filter>
<!-- CORS Filter Begin -->
<!--<filter>
<filter-name>CORS</filter-name>
@@ -198,6 +207,27 @@
<url-pattern>/cmisatom/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>X509AuthFilter</filter-name>
<url-pattern>/service/api/solr/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>X509AuthFilter</filter-name>
<url-pattern>/s/api/solr/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>X509AuthFilter</filter-name>
<url-pattern>/wcservice/api/solr/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>X509AuthFilter</filter-name>
<url-pattern>/wcs/api/solr/*</url-pattern>
</filter-mapping>
<!-- Enterprise filter-mapping placeholder -->
<listener>
@@ -491,74 +521,6 @@
<!-- Toggle securecomms placeholder start -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SOLR</web-resource-name>
<url-pattern>/service/api/solr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>repoclient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SOLR</web-resource-name>
<url-pattern>/s/api/solr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>repoclient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SOLR</web-resource-name>
<url-pattern>/wcservice/api/solr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>repoclient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SOLR</web-resource-name>
<url-pattern>/wcs/api/solr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>repoclient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Repository</realm-name>
</login-config>
<security-role>
<role-name>repoclient</role-name>
</security-role>
<!-- Toggle securecomms placeholder end -->