2 // ========================================================================
3 // Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
19 package org.eclipse.jetty.security.authentication;
21 import java.io.InputStream;
22 import java.security.KeyStore;
23 import java.security.Principal;
24 import java.security.cert.CRL;
25 import java.security.cert.X509Certificate;
26 import java.util.Collection;
28 import javax.servlet.ServletRequest;
29 import javax.servlet.ServletResponse;
30 import javax.servlet.http.HttpServletRequest;
31 import javax.servlet.http.HttpServletResponse;
33 import org.eclipse.jetty.security.ServerAuthException;
34 import org.eclipse.jetty.security.UserAuthentication;
35 import org.eclipse.jetty.server.Authentication;
36 import org.eclipse.jetty.server.Authentication.User;
37 import org.eclipse.jetty.server.UserIdentity;
38 import org.eclipse.jetty.util.B64Code;
39 import org.eclipse.jetty.util.security.CertificateUtils;
40 import org.eclipse.jetty.util.security.CertificateValidator;
41 import org.eclipse.jetty.util.security.Constraint;
42 import org.eclipse.jetty.util.security.Password;
/**
 * Authenticator that derives the user identity from the client X.509
 * certificate chain that the servlet container exposes as the
 * {@code javax.servlet.request.X509Certificate} request attribute.
 * <p>
 * The chain may optionally be re-validated against a configured trust
 * store and CRL before the certificate subject name is handed to the
 * login service.
 *
 * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
 */
public class ClientCertAuthenticator extends LoginAuthenticator
{
    /** Name of the property that may supply the trust store password (see {@link #setTrustStorePassword(String)}). */
    private static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";

    /** File name or URL of the trust store. */
    private String _trustStorePath;
    /** JCA provider name of the trust store, or {@code null} for the default. */
    private String _trustStoreProvider;
    /** Trust store type; defaults to "JKS". */
    private String _trustStoreType = "JKS";
    /** Trust store password; transient so it is never serialized with the authenticator. */
    private transient Password _trustStorePassword;

    /** Whether the presented certificate chain is re-validated here (trust store + CRL). */
    private boolean _validateCerts;
    /** Path of the Certificate Revocation List file, or {@code null} for none. */
    private String _crlPath;
    /** Maximum certification path length (number of intermediate certificates); -1 means unlimited. */
    private int _maxCertPathLength = -1;
    /** Whether CRL Distribution Points (CRLDP) checking is enabled. */
    private boolean _enableCRLDP = false;
    /** Whether On-Line Certificate Status Protocol (OCSP) checking is enabled. */
    private boolean _enableOCSP = false;
    /** Location of the OCSP responder, or {@code null} to use the certificate's AIA extension. */
    private String _ocspResponderURL;
/**
 * Creates an authenticator with the field defaults: no re-validation of
 * the presented chain, "JKS" trust store type, unlimited path length and
 * CRLDP/OCSP disabled.
 */
public ClientCertAuthenticator()
{
    super();
}
/**
 * Returns the authentication method name reported for this authenticator.
 *
 * @return {@link Constraint#__CERT_AUTH}
 */
@Override
public String getAuthMethod()
{
    final String method = Constraint.__CERT_AUTH;
    return method;
}
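/**
 * Authenticates the request from the client certificate chain that the TLS
 * layer stored in the {@code javax.servlet.request.X509Certificate}
 * request attribute.
 * <p>
 * When {@link #isValidateCerts()} is set, the chain is first validated
 * against the configured trust store and CRL, applying the configured
 * maximum path length and the CRLDP/OCSP settings. When it is not set,
 * whatever chain the connector placed in the attribute is accepted as-is,
 * so chain verification must have been done by the TLS handshake. The
 * subject name of the first certificate the login service accepts becomes
 * the user name; the base64-encoded certificate signature is passed to the
 * login service as the credential.
 *
 * @param req       the request; must be an {@link HttpServletRequest}
 * @param res       the response; must be an {@link HttpServletResponse}
 * @param mandatory true if authentication is required for this request
 * @return a {@link DeferredAuthentication} when not mandatory, a
 *         {@link UserAuthentication} on success,
 *         {@link Authentication#SEND_FAILURE} after a 403 has been sent, or
 *         {@link Authentication#UNAUTHENTICATED} when the response is deferred
 * @throws ServerAuthException if the trust store or CRL cannot be loaded,
 *         the chain fails validation, or the error response cannot be sent;
 *         the underlying exception is retained as the cause
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
    if (!mandatory)
        return new DeferredAuthentication(this);

    HttpServletRequest request = (HttpServletRequest)req;
    HttpServletResponse response = (HttpServletResponse)res;
    X509Certificate[] certs = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

    try
    {
        // Need certificates.
        if (certs != null && certs.length > 0)
        {
            if (_validateCerts)
                newCertificateValidator().validate(certs);

            for (X509Certificate cert : certs)
            {
                if (cert == null)
                    continue;

                // getSubjectDN() is deprecated, but switching to getSubjectX500Principal()
                // would change the user name string handed to existing realms; kept as is.
                Principal principal = cert.getSubjectDN();
                if (principal == null)
                    principal = cert.getIssuerDN();
                final String username = principal == null ? "clientcert" : principal.getName();

                // The realm sees the encoded certificate signature as the credential.
                final char[] credential = B64Code.encode(cert.getSignature());

                UserIdentity user = login(username, credential, req);
                if (user != null)
                    return new UserAuthentication(getAuthMethod(), user);
            }
        }

        if (!DeferredAuthentication.isDeferred(response))
        {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }

        return Authentication.UNAUTHENTICATED;
    }
    catch (Exception e)
    {
        // Keep the cause: the bare message alone hid which step failed
        // (store load, CRL load, chain validation, or sendError).
        throw new ServerAuthException(e.getMessage(), e);
    }
}

/**
 * Builds a validator from the configured trust store, CRL file and
 * revocation-checking options. The path length, CRLDP, OCSP and responder
 * settings are applied here so that the corresponding setters on this
 * class actually take effect.
 *
 * @return a validator ready to check a certificate chain
 * @throws Exception if the trust store or CRL cannot be loaded
 */
private CertificateValidator newCertificateValidator() throws Exception
{
    KeyStore trustStore = getKeyStore(null,
            _trustStorePath, _trustStoreType, _trustStoreProvider,
            _trustStorePassword == null ? null : _trustStorePassword.toString());
    Collection<? extends CRL> crls = loadCRL(_crlPath);
    CertificateValidator validator = new CertificateValidator(trustStore, crls);
    validator.setMaxCertPathLength(_maxCertPathLength);
    validator.setEnableCRLDP(_enableCRLDP);
    validator.setEnableOCSP(_enableOCSP);
    validator.setOcspResponderURL(_ocspResponderURL);
    return validator;
}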
150 /* ------------------------------------------------------------ */
/**
 * Loads a keystore, trying the input stream first and the file path
 * second.
 * <p>
 * Protected so that integrations can override how a keystore is loaded
 * and supply their own implementation.
 *
 * @param storeStream   keystore input stream, or {@code null}
 * @param storePath     path of the keystore file
 * @param storeType     keystore type
 * @param storeProvider keystore provider
 * @param storePassword keystore password
 * @return the loaded keystore
 * @throws Exception if the keystore cannot be loaded
 */
protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
{
    final KeyStore store = CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
    return store;
}
171 /* ------------------------------------------------------------ */
/**
 * Loads a certificate revocation list (CRL) from a file.
 * <p>
 * Protected so that integrations can override how the CRL is loaded and
 * supply their own implementation.
 *
 * @param crlPath path of the certificate revocation list file
 * @return a (possibly empty) collection of {@link CRL} objects initialized
 *         from the file
 * @throws Exception if the CRL cannot be loaded
 */
protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
{
    final Collection<? extends CRL> crls = CertificateUtils.loadCRL(crlPath);
    return crls;
}
/**
 * Performs no post-processing of the response for certificate
 * authentication.
 *
 * @param req           the request
 * @param res           the response
 * @param mandatory     true if authentication was required
 * @param validatedUser the authenticated user, if any
 * @return always {@code true}
 * @throws ServerAuthException never thrown by this implementation
 */
@Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
    return true;
}
194 /* ------------------------------------------------------------ */
/**
 * @return true if the presented certificate chain is re-validated by this
 *         authenticator against the trust store and CRL
 */
public boolean isValidateCerts()
{
    return this._validateCerts;
}
203 /* ------------------------------------------------------------ */
/**
 * @param validateCerts true if the presented certificate chain must be
 *                      re-validated against the trust store and CRL
 */
public void setValidateCerts(boolean validateCerts)
{
    this._validateCerts = validateCerts;
}
213 /* ------------------------------------------------------------ */
/**
 * @return the file name or URL of the trust store location
 */
public String getTrustStore()
{
    return this._trustStorePath;
}
222 /* ------------------------------------------------------------ */
/**
 * @param trustStorePath the file name or URL of the trust store location
 */
public void setTrustStore(String trustStorePath)
{
    this._trustStorePath = trustStorePath;
}
232 /* ------------------------------------------------------------ */
/**
 * @return the JCA provider of the trust store, or {@code null} for the default
 */
public String getTrustStoreProvider()
{
    return this._trustStoreProvider;
}
241 /* ------------------------------------------------------------ */
/**
 * @param trustStoreProvider the JCA provider of the trust store
 */
public void setTrustStoreProvider(String trustStoreProvider)
{
    this._trustStoreProvider = trustStoreProvider;
}
251 /* ------------------------------------------------------------ */
/**
 * @return the type of the trust store (default "JKS")
 */
public String getTrustStoreType()
{
    return this._trustStoreType;
}
260 /* ------------------------------------------------------------ */
/**
 * @param trustStoreType the type of the trust store (default "JKS")
 */
public void setTrustStoreType(String trustStoreType)
{
    this._trustStoreType = trustStoreType;
}
270 /* ------------------------------------------------------------ */
/**
 * Sets the trust store password. The value is resolved through
 * {@code Password.getPassword(PASSWORD_PROPERTY, password, null)}, so it
 * may also be supplied via the property named by {@code PASSWORD_PROPERTY}.
 *
 * @param password the password for the trust store
 */
public void setTrustStorePassword(String password)
{
    final Password resolved = Password.getPassword(PASSWORD_PROPERTY, password, null);
    this._trustStorePassword = resolved;
}
280 /* ------------------------------------------------------------ */
/**
 * @return the path of the certificate revocation list file, or {@code null}
 */
public String getCrlPath()
{
    return this._crlPath;
}
289 /* ------------------------------------------------------------ */
/**
 * @param crlPath the path of the certificate revocation list file to use
 */
public void setCrlPath(String crlPath)
{
    this._crlPath = crlPath;
}
/**
 * @return the maximum number of intermediate certificates allowed in the
 *         certification path (-1 for unlimited)
 */
public int getMaxCertPathLength()
{
    return this._maxCertPathLength;
}
307 /* ------------------------------------------------------------ */
/**
 * @param maxCertPathLength the maximum number of intermediate certificates
 *                          allowed in the certification path (-1 for unlimited)
 */
public void setMaxCertPathLength(int maxCertPathLength)
{
    this._maxCertPathLength = maxCertPathLength;
}
318 /* ------------------------------------------------------------ */
/**
 * @return true if CRL Distribution Points support is enabled
 */
public boolean isEnableCRLDP()
{
    return this._enableCRLDP;
}
327 /* ------------------------------------------------------------ */
/**
 * Enables or disables CRL Distribution Points support.
 *
 * @param enableCRLDP true to turn CRLDP checking on, false to turn it off
 */
public void setEnableCRLDP(boolean enableCRLDP)
{
    this._enableCRLDP = enableCRLDP;
}
336 /* ------------------------------------------------------------ */
/**
 * @return true if On-Line Certificate Status Protocol support is enabled
 */
public boolean isEnableOCSP()
{
    return this._enableOCSP;
}
345 /* ------------------------------------------------------------ */
/**
 * Enables or disables On-Line Certificate Status Protocol support.
 *
 * @param enableOCSP true to turn OCSP checking on, false to turn it off
 */
public void setEnableOCSP(boolean enableOCSP)
{
    this._enableOCSP = enableOCSP;
}
354 /* ------------------------------------------------------------ */
/**
 * @return the location of the OCSP responder, or {@code null} if none is configured
 */
public String getOcspResponderURL()
{
    return this._ocspResponderURL;
}
363 /* ------------------------------------------------------------ */
/**
 * Sets the location of the OCSP responder.
 *
 * @param ocspResponderURL location of the OCSP responder
 */
public void setOcspResponderURL(String ocspResponderURL)
{
    this._ocspResponderURL = ocspResponderURL;
}