Apache mod_ssl tomcate Axis https user authentication

package com.tiandao.ws.util;

import java.io.ByteArrayInputStream;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;

import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class AxisUtil
{
/**
* This method read all possible certificate from request. If the apache
* passes certificate to tomcate in "SSL_CLIENT_CERT", this method will
* reads and create the certificate.
*
* @param request
* @return
*/
public static X509Certificate getX509Certificate(HttpServletRequest request)
{
X509Certificate ret = null;
String certString = null;
Object obj = request
.getAttribute("javax.servlet.request.X509Certificate");
if (obj != null)
{
if (obj instanceof String)
{
certString = (String) obj;
ret = stringToX509(certString);
} else if (obj instanceof X509Certificate[])
{
if (((X509Certificate[]) obj) != null
&& ((X509Certificate[]) obj).length > 0)
ret = ((X509Certificate[]) obj)[0];
}
} else
{
certString = (String) request.getAttribute("SSL_CLIENT_CERT");
ret = stringToX509(certString);
}

return ret;
}

/**
* A string of a PEM format certificate as input, will return a
* X509Certificate.
*
* @param cert
* @return
*/
public static X509Certificate stringToX509(String cert)
{

CertificateFactory cf;
try
{
cf = CertificateFactory.getInstance("X.509");

X509Certificate ret = null;
byte[] bytes = cert.getBytes();
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
ret = (X509Certificate) cf.generateCertificate(bais);
return ret;
} catch (CertificateException e)
{
e.printStackTrace();
return null;
}
}

public static Principal getUserPrincipal(MessageContext mctx)
{
HttpServletRequest req = (HttpServletRequest) mctx
.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
X509Certificate[] certificate = (X509Certificate[]) req
.getAttribute("javax.servlet.request.X509Certificate");
Principal principal = certificate[0].getSubjectDN();

return principal;
}

public static WebApplicationContext getAppContext(MessageContext mctx)
{
HttpServlet servlet = (HttpServlet) mctx
.getProperty(HTTPConstants.MC_HTTP_SERVLET);

ServletContext servletContext = servlet.getServletContext();

WebApplicationContext webAppContext = WebApplicationContextUtils
.getRequiredWebApplicationContext(servletContext);
return webAppContext;
}

public static String getUserDN(MessageContext mctx)
{
Principal principal = getUserPrincipal(mctx);
return principal.getName();
}
}

Here are some explanation.

Apache was configured to pass the user certificate to tomcat. "javax.servlet.request.X509Certificate" and request attribute "SSL_CLIENT_CERT" will all be filled up with the proper certificate information.

Some wrapping method was in there for my own convenient.

Comments

Post a Comment

Popular posts from this blog

Spring framework, Hibernate and MySQL Replication

Image
Laterly we have our site grown to the stage that a single mysql server will not able to do the job anymore. That's something we realy like to see. The CPU usage had reached more then 90% at peak traffic time. MySQL even crashed a couple time when we were running an early version. 5.0.x. Don't remember what it was exactly. But when we upgrade to 5.0.24, it stopped crashing. It was also unacceptablely slow under the heavy loads. We need some heavy duty database solution. I have read a couple articals about mysql cluster. So my first thought is cluster. But when we ask our hosting company to set up a MySQL cluster, they suggested replication instead. Sometimes you just could not judge things by their name. Have run into the word "replication" a couple times in the mysql ref book. I miss judged the replication function. My sql does not like some other databases, this replication is real-time replication. To set up a master/slave replication system up is really a straight ...
Read more

Reindeer power - you are more than that

Image
This GIF is Reindeer . Treat Studios  created it two years ago. After seeing this on G+, a few thoughts started to growl. They are not about the artistic taste. They are about what we can do or be as an individual. You are more than what you think you are. You can easily tell whose lawn was maintained by professionals. Why is that? Professionals do the work with a much higher standard. Can you do that? I am sure you can, if you have the patience, and interest to read this post. But why people did not do a professional job on their lawn? Can it be that they didn't want to? Self motivated people are rear to find. But almost everyone can do it if a clear standard is given. They need a Santa to transform them. The Santa here is someone who zaps you into a Super Saiyan.  He is setting the standard, the target, and direction. Having a purpose, and meaning is making the difference. When the right group of people get together, some will come up with the direction....
Read more

Blizzard

Image
Here was what Edmonton just had on Jan 10, 2007. I was looking at Maven2 and am very convinced by its power. To have a project going, maven 2 can save you a lot of time on those small things. Testing report, build, dependency jar files and more. The Continuous Integration tool I used is continuum. A very nice tool, it works with Maven nicely. Another thing that is worth to mention is that JSF is not that bad after all. I spent a little time on JSF and found it's not hard to pick-up. It is going to win a bigger market share soon. Because it's "standard". A lot people will buy it just because of that.
Read more