private void setUpLogin() throws Exception {
// Must have a real docBase for webapps - just use temp
basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN, System.getProperty("java.io.tmpdir"));
basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);
// Add protected servlet to the context
Tomcat.addServlet(basicContext, "TesterServlet3", new TesterServletEncodeUrl());
basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
SecurityCollection collection = new SecurityCollection();
collection.addPattern(URI_PROTECTED);
SecurityConstraint sc = new SecurityConstraint();
sc.addAuthRole(ROLE);
sc.addCollection(collection);
basicContext.addConstraint(sc);
// Add unprotected servlet to the context
Tomcat.addServlet(basicContext, "TesterServlet4", new TesterServletEncodeUrl());
basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");
SecurityCollection collection2 = new SecurityCollection();
collection2.addPattern(URI_PUBLIC);
SecurityConstraint sc2 = new SecurityConstraint();
// do not add a role - which signals access permitted without one
sc2.addCollection(collection2);
basicContext.addConstraint(sc2);
// Configure the authenticator and inherit the Realm from Engine
LoginConfig lc = new LoginConfig();
lc.setAuthMethod("BASIC");
basicContext.setLoginConfig(lc);
AuthenticatorBase basicAuthenticator = new BasicAuthenticator();
basicContext.getPipeline().addValve(basicAuthenticator);
}
protected static void configureClientCertContext(Tomcat tomcat) {
TesterSupport.initSsl(tomcat);
// Need a web application with a protected and unprotected URL
// Must have a real docBase - just use temp
Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir"));
Tomcat.addServlet(ctx, "simple", new SimpleServlet());
ctx.addServletMapping("/unprotected", "simple");
ctx.addServletMapping("/protected", "simple");
// Security constraints
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/protected");
SecurityConstraint sc = new SecurityConstraint();
sc.addAuthRole("testrole");
sc.addCollection(collection);
ctx.addConstraint(sc);
// Configure the Realm
MapRealm realm = new MapRealm();
realm.addUser("CN=user1, C=US", "not used");
realm.addUserRole("CN=user1, C=US", "testrole");
ctx.setRealm(realm);
// Configure the authenticator
LoginConfig lc = new LoginConfig();
lc.setAuthMethod("CLIENT-CERT");
ctx.setLoginConfig(lc);
ctx.getPipeline().addValve(new SSLAuthenticator());
}
private FormAuthClientSelectedMethods(
boolean clientShouldUseCookies,
boolean serverShouldUseCookies,
boolean serverShouldChangeSessid)
throws Exception {
Tomcat tomcat = getTomcatInstance();
// No file system docBase required
Context ctx = tomcat.addContext("", null);
Tomcat.addServlet(ctx, "SelectedMethods", new SelectedMethodsServlet());
ctx.addServletMapping("/test", "SelectedMethods");
// Login servlet just needs to respond "OK". Client will handle
// creating a valid response. No need for a form.
Tomcat.addServlet(ctx, "Login", new TesterServlet());
ctx.addServletMapping("/login", "Login");
// Configure the security constraints
SecurityConstraint constraint = new SecurityConstraint();
SecurityCollection collection = new SecurityCollection();
collection.setName("Protect PUT");
collection.addMethod("PUT");
collection.addPattern("/test");
constraint.addCollection(collection);
constraint.addAuthRole("tomcat");
ctx.addConstraint(constraint);
// Configure authentication
LoginConfig lc = new LoginConfig();
lc.setAuthMethod("FORM");
lc.setLoginPage("/login");
ctx.setLoginConfig(lc);
ctx.getPipeline().addValve(new FormAuthenticator());
setUseCookies(clientShouldUseCookies);
ctx.setCookies(serverShouldUseCookies);
MapRealm realm = new MapRealm();
realm.addUser("tomcat", "tomcat");
realm.addUserRole("tomcat", "tomcat");
ctx.setRealm(realm);
tomcat.start();
// perhaps this does not work until tomcat has started?
ctx.setSessionTimeout(TIMEOUT_MINS);
// Valve pipeline is only established after tomcat starts
Valve[] valves = ctx.getPipeline().getValves();
for (Valve valve : valves) {
if (valve instanceof AuthenticatorBase) {
((AuthenticatorBase) valve).setChangeSessionIdOnAuthentication(serverShouldChangeSessid);
break;
}
}
// Port only known after Tomcat starts
setPort(getPort());
}
public static void main(String[] args) {
// invoke: http://localhost:8080/Modern or http://localhost:8080/Primitive
System.setProperty("catalina.base", System.getProperty("user.dir"));
Connector connector = new HttpConnector();
Wrapper wrapper1 = new SimpleWrapper();
wrapper1.setName("Primitive");
wrapper1.setServletClass("PrimitiveServlet");
Wrapper wrapper2 = new SimpleWrapper();
wrapper2.setName("Modern");
wrapper2.setServletClass("ModernServlet");
Context context = new StandardContext();
// StandardContext's start method adds a default mapper
context.setPath("/myApp");
context.setDocBase("myApp");
LifecycleListener listener = new SimpleContextConfig();
((Lifecycle) context).addLifecycleListener(listener);
context.addChild(wrapper1);
context.addChild(wrapper2);
// for simplicity, we don't add a valve, but you can add
// valves to context or wrapper just as you did in Chapter 6
Loader loader = new WebappLoader();
context.setLoader(loader);
// context.addServletMapping(pattern, name);
context.addServletMapping("/Primitive", "Primitive");
context.addServletMapping("/Modern", "Modern");
// add ContextConfig. This listener is important because it configures
// StandardContext (sets configured to true), otherwise StandardContext
// won't start
// add constraint
SecurityCollection securityCollection = new SecurityCollection();
securityCollection.addPattern("/");
securityCollection.addMethod("GET");
SecurityConstraint constraint = new SecurityConstraint();
constraint.addCollection(securityCollection);
constraint.addAuthRole("manager");
LoginConfig loginConfig = new LoginConfig();
loginConfig.setRealmName("Simple Realm");
// add realm
Realm realm = new SimpleRealm();
context.setRealm(realm);
context.addConstraint(constraint);
context.setLoginConfig(loginConfig);
connector.setContainer(context);
try {
connector.initialize();
((Lifecycle) connector).start();
((Lifecycle) context).start();
// make the application wait until we press a key.
System.in.read();
((Lifecycle) context).stop();
} catch (Exception e) {
e.printStackTrace();
}
}
@Override
protected void doStart() throws ElasticsearchException {
try {
final String currentDir = new File(".").getCanonicalPath();
final String tomcatDir = currentDir + File.separatorChar + "tomcat";
logger.debug("cur dir " + currentDir);
if (tomcat != null) {
try {
tomcat.stop();
tomcat.destroy();
} catch (final Exception e) {
}
}
tomcat = new ExtendedTomcat();
tomcat.enableNaming();
tomcat.getServer().setPort(-1); // shutdown disabled
tomcat.getServer().setAddress("localhost");
final String httpProtocolImpl =
blockingServer
? "org.apache.coyote.http11.Http11Protocol"
: "org.apache.coyote.http11.Http11NioProtocol";
final Connector httpConnector = new Connector(httpProtocolImpl);
tomcat.setConnector(httpConnector);
tomcat.getService().addConnector(httpConnector);
// TODO report tomcat bug with setProtocol
if (maxContentLength != null) {
httpConnector.setMaxPostSize(maxContentLength.bytesAsInt());
}
if (maxHeaderSize != null) {
httpConnector.setAttribute("maxHttpHeaderSize", maxHeaderSize.bytesAsInt());
}
if (tcpNoDelay != null) {
httpConnector.setAttribute("tcpNoDelay", tcpNoDelay.booleanValue());
}
if (reuseAddress != null) {
httpConnector.setAttribute("socket.soReuseAddress", reuseAddress.booleanValue());
}
if (tcpKeepAlive != null) {
httpConnector.setAttribute("socket.soKeepAlive", tcpKeepAlive.booleanValue());
httpConnector.setAttribute(
"maxKeepAliveRequests", tcpKeepAlive.booleanValue() ? "100" : "1");
}
if (tcpReceiveBufferSize != null) {
httpConnector.setAttribute("socket.rxBufSize", tcpReceiveBufferSize.bytesAsInt());
}
if (tcpSendBufferSize != null) {
httpConnector.setAttribute("socket.txBufSize", tcpSendBufferSize.bytesAsInt());
}
httpConnector.setAttribute(
"compression", compression ? String.valueOf(compressionLevel) : "off");
if (maxChunkSize != null) {
httpConnector.setAttribute("maxExtensionSize", maxChunkSize.bytesAsInt());
}
httpConnector.setPort(Integer.parseInt(port));
tomcat.setBaseDir(tomcatDir);
final TomcatHttpTransportHandlerServlet servlet = new TomcatHttpTransportHandlerServlet();
servlet.setTransport(this);
final Context ctx = tomcat.addContext("", currentDir);
logger.debug("currentDir " + currentDir);
Tomcat.addServlet(ctx, "ES Servlet", servlet);
ctx.addServletMapping("/*", "ES Servlet");
if (useSSL) {
logger.info("Using SSL");
// System.setProperty("javax.net.debug", "ssl");
httpConnector.setAttribute("SSLEnabled", "true");
httpConnector.setSecure(true);
httpConnector.setScheme("https");
httpConnector.setAttribute("sslProtocol", "TLS");
httpConnector.setAttribute(
"keystoreFile", settings.get("security.ssl.keystorefile", "keystore"));
httpConnector.setAttribute(
"keystorePass", settings.get("security.ssl.keystorepass", "changeit"));
httpConnector.setAttribute(
"keystoreType", settings.get("security.ssl.keystoretype", "JKS"));
final String keyalias = settings.get("security.ssl.keyalias", null);
if (keyalias != null) {
httpConnector.setAttribute("keyAlias", keyalias);
}
if (useClientAuth) {
logger.info(
"Using SSL Client Auth (PKI), so user/roles will be retrieved from client certificate.");
httpConnector.setAttribute("clientAuth", "true");
httpConnector.setAttribute(
"truststoreFile",
settings.get("security.ssl.clientauth.truststorefile", "truststore"));
httpConnector.setAttribute(
"truststorePass", settings.get("security.ssl.clientauth.truststorepass", "changeit"));
httpConnector.setAttribute(
"truststoreType", settings.get("security.ssl.clientauth.truststoretype", "JKS"));
/*final String loginconf = this.settings
.get("security.kerberos.login.conf.path");
final String krbconf = this.settings
.get("security.kerberos.krb5.conf.path");
SecurityUtil.setSystemPropertyToAbsoluteFile(
"java.security.auth.login.config", loginconf);
SecurityUtil.setSystemPropertyToAbsoluteFile(
"java.security.krb5.conf", krbconf);*/
// httpConnector.setAttribute("allowUnsafeLegacyRenegotiation", "true");
final SecurityConstraint constraint = new SecurityConstraint();
constraint.addAuthRole("*");
constraint.setAuthConstraint(true);
constraint.setUserConstraint("CONFIDENTIAL");
final SecurityCollection col = new SecurityCollection();
col.addPattern("/*");
constraint.addCollection(col);
ctx.addConstraint(constraint);
final LoginConfig lc = new LoginConfig();
lc.setAuthMethod("CLIENT-CERT");
lc.setRealmName("clientcretificate");
ctx.setLoginConfig(lc);
configureJndiRealm(ctx);
ctx.getPipeline().addValve(new SSLAuthenticator());
logger.info("Auth Method is CLIENT-CERT");
// http://pki-tutorial.readthedocs.org/en/latest/simple/
}
} else {
if (useClientAuth) {
logger.error("Client Auth only available with SSL");
throw new RuntimeException("Client Auth only available with SSL");
}
// useClientAuth = false;
}
if (!useClientAuth) {
if ("waffle".equalsIgnoreCase(kerberosMode)) {
final Boolean testMode = settings.getAsBoolean("security.waffle.testmode", false);
final FilterDef fd = new FilterDef();
fd.setFilterClass("waffle.servlet.NegotiateSecurityFilter");
fd.setFilterName("Waffle");
if (testMode != null && testMode.booleanValue()) {
fd.addInitParameter("principalFormat", "fqn");
fd.addInitParameter("roleFormat", "both");
fd.addInitParameter("allowGuestLogin", "true");
fd.addInitParameter(
"securityFilterProviders",
"org.elasticsearch.plugins.security.waffle.TestProvider");
logger.info(
"Kerberos implementaton is WAFFLE in testmode (only work on Windows Operations system)");
} else {
final Map<String, String> waffleSettings =
settings.getByPrefix("security.waffle").getAsMap();
for (final String waffleKey : waffleSettings.keySet()) {
fd.addInitParameter(waffleKey.substring(1), waffleSettings.get(waffleKey));
logger.debug(waffleKey.substring(1) + "=" + waffleSettings.get(waffleKey));
}
fd.addInitParameter("principalFormat", "fqn");
fd.addInitParameter("roleFormat", "both");
fd.addInitParameter("allowGuestLogin", "false");
logger.info(
"Kerberos implementaton is WAFFLE (only work on Windows Operations system)");
}
ctx.addFilterDef(fd);
final FilterMap fm = new FilterMap();
fm.setFilterName("Waffle");
fm.addURLPattern("/*");
ctx.addFilterMap(fm);
} else if ("spnegoad".equalsIgnoreCase(kerberosMode)) {
// System.setProperty("sun.security.krb5.debug", "true"); // TODO
// switch
// off
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
final SecurityConstraint constraint = new SecurityConstraint();
constraint.addAuthRole("*");
constraint.setAuthConstraint(true);
constraint.setDisplayName("spnego_sc_all");
final SecurityCollection col = new SecurityCollection();
col.addPattern("/*");
constraint.addCollection(col);
ctx.addConstraint(constraint);
final LoginConfig lc = new LoginConfig();
lc.setAuthMethod("SPNEGO");
lc.setRealmName("SPNEGO");
ctx.setLoginConfig(lc);
logger.info("Kerberos implementaton is SPNEGOAD");
configureJndiRealm(ctx);
final ExtendedSpnegoAuthenticator spnegoValve = new ExtendedSpnegoAuthenticator();
// spnegoValve.setLoginConfigName("es-login");
spnegoValve.setStoreDelegatedCredential(true);
ctx.getPipeline().addValve(spnegoValve);
// final SpnegoAuthenticator spnegoValve = new SpnegoAuthenticator();
// spnegoValve.setLoginEntryName("es-login");
// ctx.getPipeline().addValve(spnegoValve);
} else if ("none".equalsIgnoreCase(kerberosMode)) {
logger.warn(
"Kerberos is not configured so user/roles are unavailable. Host based security, in contrast, is woking. ");
} else {
logger.error(
"No Kerberos implementaion '"
+ kerberosMode
+ "' found. Kerberos is therefore not configured so user/roles are unavailable. Host based security, in contrast, is woking. ");
}
}
tomcat.start();
logger.info("Tomcat started");
InetSocketAddress bindAddress;
try {
bindAddress =
new InetSocketAddress(
networkService.resolveBindHostAddress(bindHost),
tomcat.getConnector().getLocalPort());
} catch (final Exception e) {
throw new BindTransportException("Failed to resolve bind address", e);
}
InetSocketAddress publishAddress;
try {
publishAddress =
new InetSocketAddress(
networkService.resolvePublishHostAddress(publishHost), bindAddress.getPort());
} catch (final Exception e) {
throw new BindTransportException("Failed to resolve publish address", e);
}
logger.debug("bindAddress " + bindAddress);
logger.debug("publishAddress " + publishAddress);
boundAddress =
new BoundTransportAddress(
new InetSocketTransportAddress(bindAddress),
new InetSocketTransportAddress(publishAddress));
} catch (final Exception e) {
throw new ElasticsearchException("Unable to start Tomcat", e);
}
}
