First working (kind of) version.

2025-06-28 14:52:24 +00:00 · 2005-03-11 00:39:36 +00:00 · 2005-03-11 00:39:36 +00:00 · 5c86b97f37
commit 5c86b97f37
parent 740373ad01
3 changed files with 33 additions and 4 deletions
--- a/core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationProvider.java
@ -4,6 +4,7 @@ import net.sf.acegisecurity.providers.AuthenticationProvider;
 import net.sf.acegisecurity.Authentication;
 import net.sf.acegisecurity.AuthenticationException;
 import net.sf.acegisecurity.UserDetails;
+import net.sf.acegisecurity.BadCredentialsException;
 import org.springframework.beans.factory.InitializingBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@ -11,6 +12,11 @@ import org.apache.commons.logging.LogFactory;
 import java.security.cert.X509Certificate;

 /**
+ * Processes an X.509 authentication request.
+ * <p>
+ * The request will typically originate from
+ * {@link net.sf.acegisecurity.ui.x509.X509ProcessingFilter}).
+ *
 * @author Luke Taylor
 */
 public class X509AuthenticationProvider implements AuthenticationProvider,
@ -20,6 +26,7 @@ public class X509AuthenticationProvider implements AuthenticationProvider,
    private static final Log logger = LogFactory.getLog(X509AuthenticationProvider.class);

    //~ Instance fields ========================================================
+
    private X509AuthoritiesPopulator x509AuthoritiesPopulator;

    //~ Methods ================================================================
@ -35,10 +42,19 @@ public class X509AuthenticationProvider implements AuthenticationProvider,
    }

    /**
+     * If the supplied authentication token contains a certificate then this will be passed
+     * to the configured {@link X509AuthoritiesPopulator}
+     * to obtain the user details and authorities for the user identified by the certificate.
+     * <p>
+     * If no certificate is present (for example, if the filter is applied to an HttpRequest for which
+     * client authentication hasn't been configured in the container) then a BadCredentialsException will be raised.
+     * </p>
     *
-     * @param authentication
-     * @return
-     * @throws AuthenticationException if the {@link X509AuthoritiesPopulator} rejects the certficate
+     * @param authentication the authentication request.
+     * @return an X509AuthenticationToken containing the authorities of the principal represented by the
+     * certificate.
+     * @throws AuthenticationException if the {@link X509AuthoritiesPopulator} rejects the certficate.
+     * @throws BadCredentialsException if no certificate was presented in the authentication request.
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
@ -50,8 +66,14 @@ public class X509AuthenticationProvider implements AuthenticationProvider,

        X509Certificate clientCertificate = (X509Certificate)authentication.getCredentials();

+        if(clientCertificate == null) {
+            //logger.debug("Certificate is null. Returning null Authentication.");
+            throw new BadCredentialsException("Certificate is null.");
+        }
+
        // TODO: Cache

+        logger.debug("Authenticating with certificate " + clientCertificate);

        // Lookup user details for the given certificate
        UserDetails userDetails = x509AuthoritiesPopulator.getUserDetails(clientCertificate);
--- a/core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationToken.java
+++ b/core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationToken.java
@ -3,7 +3,6 @@ package net.sf.acegisecurity.providers.x509;
 import net.sf.acegisecurity.providers.AbstractAuthenticationToken;
 import net.sf.acegisecurity.GrantedAuthority;

-import javax.security.cert.Certificate;
 import java.security.cert.X509Certificate;

 /**
--- a/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java
+++ b/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java
@ -21,6 +21,8 @@ import net.sf.acegisecurity.providers.dao.AuthenticationDao;
 import net.sf.acegisecurity.providers.x509.X509AuthoritiesPopulator;

 import org.springframework.beans.factory.InitializingBean;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;

 import java.security.cert.X509Certificate;

@ -33,9 +35,14 @@ import java.security.cert.X509Certificate;
 */
 public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator,
    InitializingBean {
+    //~ Static fields/initializers =============================================
+
+    private static final Log logger = LogFactory.getLog(DaoX509AuthoritiesPopulator.class);
+
    //~ Instance fields ========================================================

    private AuthenticationDao authenticationDao;
+    private String userPattern;

    //~ Methods ================================================================

@ -49,6 +56,7 @@ public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator,

    public UserDetails getUserDetails(X509Certificate clientCert)
        throws AuthenticationException {
+        logger.debug("Populating authorities for " + clientCert.getSubjectDN().getName());
        return this.authenticationDao.loadUserByUsername("marissa"/*clientCert.getSubjectDN().getName()*/);
    }