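{
            log.info(LogManager.getHeader(context, "authentication",
                    "X.509 Certificate is EXPIRED or PREMATURE: " + e.toString()));
            return false;
        }

        // Try CA public key, if available.
        if (caPublicKey != null)
        {
            try
            {
                certificate.verify(caPublicKey);
                return true;
            }
            catch (GeneralSecurityException e)
            {
                log.info(LogManager.getHeader(context, "authentication",
                        "X.509 Certificate FAILED SIGNATURE check: " + e.toString()));
            }
        }

        // Try it with keystore, if available: the client cert is accepted if any
        // trusted certificate entry in the keystore verifies its signature.
        if (caCertKeyStore != null)
        {
            try
            {
                Enumeration ke = caCertKeyStore.aliases();
                while (ke.hasMoreElements())
                {
                    String alias = (String) ke.nextElement();
                    if (caCertKeyStore.isCertificateEntry(alias))
                    {
                        Certificate ca = caCertKeyStore.getCertificate(alias);
                        try
                        {
                            certificate.verify(ca.getPublicKey());
                            return true;
                        }
                        catch (CertificateException ce)
                        {
                            // NOTE(review): a non-matching CA key makes verify() throw
                            // SignatureException or InvalidKeyException, which are not
                            // CertificateExceptions; those escape to the outer catch and
                            // end the loop before the remaining aliases are tried.
                            // Confirm and consider catching GeneralSecurityException here.
                        }
                    }
                }
                log.info(LogManager.getHeader(context, "authentication",
                        "Keystore method FAILED SIGNATURE check on client cert."));
            }
            catch (GeneralSecurityException e)
            {
                log.info(LogManager.getHeader(context, "authentication",
                        "X.509 Certificate FAILED SIGNATURE check: " + e.toString()));
            }
        }
        return false;
    }

    /**
     * Predicate, can new user automatically create EPerson.
     * Checks configuration value. You'll probably want this to
     * be true to take advantage of a Web certificate infrastructure
     * with many more users than are already known by DSpace.
     *
     * @param context  DSpace context (unused here)
     * @param request  current HTTP request (unused here)
     * @param username ignored; the decision is purely configuration-driven
     * @return value of the {@code authentication.x509.autoregister} property
     */
    public boolean canSelfRegister(Context context, HttpServletRequest request,
            String username) throws SQLException
    {
        return ConfigurationManager
                .getBooleanProperty("authentication.x509.autoregister");
    }

    /**
     * Nothing extra to initialize for a newly auto-registered EPerson.
     */
    public void initEPerson(Context context, HttpServletRequest request,
            EPerson eperson) throws SQLException
    {
        // Intentionally empty: the certificate supplies nothing beyond the e-mail.
    }

    /**
     * We don't use EPerson password so there is no reason to change it.
     *
     * @return always {@code false}
     */
    public boolean allowSetPassword(Context context, HttpServletRequest request,
            String username) throws SQLException
    {
        return false;
    }

    /**
     * Returns true, this is an implicit method: the credential comes from the
     * TLS layer, not from a form.
     */
    public boolean isImplicit()
    {
        return true;
    }

    /**
     * No special groups.
     *
     * @return an empty array, never {@code null}
     */
    public int[] getSpecialGroups(Context context, HttpServletRequest request)
    {
        return new int[0];
    }

    /**
     * X509 certificate authentication. The client certificate
     * is obtained from the <code>ServletRequest</code> object.
     * <ul>
     * <li>If the certificate is valid, and corresponds to an existing EPerson,
     * and the user is allowed to login, return success.</li>
     * <li>If the user is matched but is not allowed to login, it fails
     * (with BAD_ARGS).</li>
     * <li>If the certificate is valid, but there is no corresponding EPerson,
     * the <code>"authentication.x509.autoregister"</code>
     * configuration parameter is checked (via <code>canSelfRegister()</code>)
     * <ul>
     * <li>If it's true, a new EPerson record is created for the certificate, and
     * the result is success.</li>
     * <li>If it's false, return that the user was unknown.</li>
     * </ul>
     * </li>
     * </ul>
     * <p>
     * Only the first certificate of the chain presented by the container is
     * examined; {@code username}, {@code password} and {@code realm} are ignored.
     * The authorization override used during auto-registration is always
     * restored, even when registration throws.
     *
     * @return One of: SUCCESS, BAD_CREDENTIALS, NO_SUCH_USER, BAD_ARGS
     */
    public int authenticate(Context context, String username, String password,
            String realm, HttpServletRequest request) throws SQLException
    {
        // Obtain the certificate chain from the request, if any
        X509Certificate[] certs = null;
        if (request != null)
        {
            certs = (X509Certificate[]) request
                    .getAttribute("javax.servlet.request.X509Certificate");
        }
        if (certs == null || certs.length == 0)
        {
            return BAD_ARGS;
        }

        // We have a cert -- check it and get username from it.
        try
        {
            if (!isValid(context, certs[0]))
            {
                log.warn(LogManager.getHeader(context, "authenticate",
                        "type=x509certificate, status=BAD_CREDENTIALS (not valid)"));
                return BAD_CREDENTIALS;
            }

            // And it's valid - try and get an e-person
            String email = getEmail(certs[0]);
            EPerson eperson = null;
            if (email != null)
            {
                eperson = EPerson.findByEmail(context, email);
            }

            if (eperson == null)
            {
                // Cert is valid, but no record.
                if (email != null && canSelfRegister(context, request, null))
                {
                    log.info(LogManager.getHeader(context, "autoregister",
                            "from=x.509, email=" + email));
                    eperson = autoRegister(context, request, email);
                    context.setCurrentUser(eperson);
                    return SUCCESS;
                }
                // No auto-registration for valid certs
                log.warn(LogManager.getHeader(context, "authenticate",
                        "type=cert_but_no_record, cannot auto-register"));
                return NO_SUCH_USER;
            }

            // make sure this is a login account
            if (!eperson.canLogIn())
            {
                log.warn(LogManager.getHeader(context, "authenticate",
                        "type=x509certificate, email=" + email
                                + ", canLogIn=false, rejecting."));
                return BAD_ARGS;
            }

            log.info(LogManager.getHeader(context, "login", "type=x509certificate"));
            context.setCurrentUser(eperson);
            return SUCCESS;
        }
        catch (AuthorizeException ce)
        {
            log.warn(LogManager.getHeader(context, "authorize_exception", ""), ce);
        }
        return BAD_ARGS;
    }

    /**
     * Create, initialise and commit a new EPerson for a validated certificate.
     * Authorization is switched off on the context only for the duration of
     * this call and is switched back on in a {@code finally} block, so a
     * failure in creation or update cannot leave the context with authorization
     * disabled for the rest of the request.
     *
     * @param context DSpace context; authorization temporarily ignored
     * @param request current HTTP request, passed on to the initialiser
     * @param email   e-mail address extracted from the certificate (non-null)
     * @return the newly created, login-enabled EPerson
     * @throws SQLException       on database error
     * @throws AuthorizeException if creation or update is refused
     */
    private EPerson autoRegister(Context context, HttpServletRequest request,
            String email) throws SQLException, AuthorizeException
    {
        // TEMPORARILY turn off authorisation
        context.setIgnoreAuthorization(true);
        try
        {
            EPerson eperson = EPerson.create(context);
            eperson.setEmail(email);
            eperson.setCanLogIn(true);
            AuthenticationManager.initEPerson(context, request, eperson);
            eperson.update();
            context.commit();
            return eperson;
        }
        finally
        {
            context.setIgnoreAuthorization(false);
        }
    }

    /**
     * Return null, since this is an implicit method with no login page.
     *
     * @param context
     *            DSpace context, will be modified (ePerson set) upon success.
     *
     * @param request
     *            The HTTP request that started this operation, or null if not applicable.
     *
     * @param response
     *            The HTTP response from the servlet method.
     *
     * @return always {@code null} (no fully-qualified URL for this method)
     */
    public String loginPageURL(Context context, HttpServletRequest request,
            HttpServletResponse response)
    {
        return null;
    }

    /**
     * Return null, since this is an implicit method with no login page.
     *
     * @param context
     *            DSpace context, will be modified (ePerson set) upon success.
     *
     * @return always {@code null} (no i18n message key for a login page title)
     */
    public String loginPageTitle(Context context)
    {
        return null;
    }
}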