Apache mod_ssl tomcate Axis https user authentication

package com.tiandao.ws.util;

import java.io.ByteArrayInputStream;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;

import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class AxisUtil
{
/**
* This method read all possible certificate from request. If the apache
* passes certificate to tomcate in "SSL_CLIENT_CERT", this method will
* reads and create the certificate.
*
* @param request
* @return
*/
public static X509Certificate getX509Certificate(HttpServletRequest request)
{
X509Certificate ret = null;
String certString = null;
Object obj = request
.getAttribute("javax.servlet.request.X509Certificate");
if (obj != null)
{
if (obj instanceof String)
{
certString = (String) obj;
ret = stringToX509(certString);
} else if (obj instanceof X509Certificate[])
{
if (((X509Certificate[]) obj) != null
&& ((X509Certificate[]) obj).length > 0)
ret = ((X509Certificate[]) obj)[0];
}
} else
{
certString = (String) request.getAttribute("SSL_CLIENT_CERT");
ret = stringToX509(certString);
}

return ret;
}

/**
* A string of a PEM format certificate as input, will return a
* X509Certificate.
*
* @param cert
* @return
*/
public static X509Certificate stringToX509(String cert)
{

CertificateFactory cf;
try
{
cf = CertificateFactory.getInstance("X.509");

X509Certificate ret = null;
byte[] bytes = cert.getBytes();
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
ret = (X509Certificate) cf.generateCertificate(bais);
return ret;
} catch (CertificateException e)
{
e.printStackTrace();
return null;
}
}

public static Principal getUserPrincipal(MessageContext mctx)
{
HttpServletRequest req = (HttpServletRequest) mctx
.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
X509Certificate[] certificate = (X509Certificate[]) req
.getAttribute("javax.servlet.request.X509Certificate");
Principal principal = certificate[0].getSubjectDN();

return principal;
}

public static WebApplicationContext getAppContext(MessageContext mctx)
{
HttpServlet servlet = (HttpServlet) mctx
.getProperty(HTTPConstants.MC_HTTP_SERVLET);

ServletContext servletContext = servlet.getServletContext();

WebApplicationContext webAppContext = WebApplicationContextUtils
.getRequiredWebApplicationContext(servletContext);
return webAppContext;
}

public static String getUserDN(MessageContext mctx)
{
Principal principal = getUserPrincipal(mctx);
return principal.getName();
}
}

Here are some explanation.

Apache was configured to pass the user certificate to tomcat. "javax.servlet.request.X509Certificate" and request attribute "SSL_CLIENT_CERT" will all be filled up with the proper certificate information.

Some wrapping method was in there for my own convenient.

Comments

Post a Comment

Popular posts from this blog

Spring framework, Hibernate and MySQL Replication

Image
Laterly we have our site grown to the stage that a single mysql server will not able to do the job anymore. That's something we realy like to see. The CPU usage had reached more then 90% at peak traffic time. MySQL even crashed a couple time when we were running an early version. 5.0.x. Don't remember what it was exactly. But when we upgrade to 5.0.24, it stopped crashing. It was also unacceptablely slow under the heavy loads. We need some heavy duty database solution. I have read a couple articals about mysql cluster. So my first thought is cluster. But when we ask our hosting company to set up a MySQL cluster, they suggested replication instead. Sometimes you just could not judge things by their name. Have run into the word "replication" a couple times in the mysql ref book. I miss judged the replication function. My sql does not like some other databases, this replication is real-time replication. To set up a master/slave replication system up is really a straight
Read more

the Art of Kindling a Light in the darkness of mere being

Playboy interview Stanley Kubrick published 1968 Sept Playboy:  Thanks to those special effects, 2001 is undoubtedly the most graphic depiction of space flight in the history of films — and yet you have admitted that you yourself refuse to fly, even in a commercial jet liner. Why? Kubrick : I suppose it comes down to a rather awesome awareness of mortality. Our ability, unlike the other animals, to conceptualize our own end creates tremendous psychic strains within us; whether we like to admit it or not, in each man’s chest a tiny ferret of fear at this ultimate knowledge gnaws away at his ego and his sense of purpose. We’re fortunate, in a way, that our body, and the fulfillment of its needs and functions, plays such an imperative role in our lives; this physical shell creates a buffer between us and the mind-paralyzing realization that only a few years of existence separate birth from death. If man really sat back and thought about his impending termination, and his terrifying ins
Read more

Exposed Domain Object implemented with Spring Aspect Transaction Control + AspectJ

Image
This application was designed and implemented as my first web app following the DDD principles. There are some interesting issues to solve. I had the domain models exposed to the presentation layer. No facade!??? Yeeeeaah, but not exactly. I did not see the similar design at other places yet. Which has no facade in front of domain models, no facade between presentation and business layers. I can imagine the reaction from people who are so used to facade. Spring+AspectJ allow you have this design. Using domain object that has the supporting DAO injected and letting "spring's annotation transaction aspect" handles the transaction. It can work. Although, using Spring+AspectJ can implement this design, it doesn't necessarily mean this design is good for all applications. An evaluation needs to be done. Here are the pros and cons . Pros: Faster development. It accelerates the development. No Facade for the exposed domain model. When a domain object is a natural entry point
Read more