Package com.netscape.cms.authentication
Class CMCUserSignedAuth
- java.lang.Object
-
- com.netscape.cms.authentication.CMCUserSignedAuth
-
- All Implemented Interfaces:
IAuthManager
,IExtendedPluginInfo
,IProfileAuthenticator
public class CMCUserSignedAuth extends java.lang.Object implements IAuthManager, IExtendedPluginInfo, IProfileAuthenticator
User Signed CMC authentication plug-in note: - this version differs from CMCAuth in that it allows non-agent users to sign own cmc requests; It is expected to be used with CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint so that the resulting cert will bear the same subjectDN of that of the CMC signing cert - it originates from CMCAuth with modification for user-signed cmc- Version:
- $Revision$, $Date$
- Author:
- cfu - user signed cmc authentication
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
CRED_CMC
protected static java.lang.String[]
mConfigParams
protected static java.util.Vector<java.lang.String>
mExtendedPluginInfo
protected static java.lang.String[]
mRequiredCreds
static java.lang.String
REASON_CODE
static java.lang.String
TOKEN_CERT_SERIAL
-
Fields inherited from interface com.netscape.certsrv.authentication.IAuthManager
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT
-
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN
-
Fields inherited from interface com.netscape.certsrv.profile.IProfileAuthenticator
AUTHENTICATED_NAME
-
-
Constructor Summary
Constructors Constructor Description CMCUserSignedAuth()
Default constructor, initialization must follow.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description IAuthToken
authenticate(IAuthCredentials authCred)
Authenticates user by their CMC; resulting AuthToken sets a TOKEN_SUBJECT for the subject name.java.lang.String[]
getConfigParams()
Returns a list of configuration parameter names.IConfigStore
getConfigStore()
gets the configuration substore used by this authentication plug-injava.lang.String[]
getExtendedPluginInfo()
Activate the help system.java.lang.String[]
getExtendedPluginInfo(java.util.Locale locale)
This method returns an array of strings.java.lang.String
getImplName()
gets the plug-in name of this authentication plug-in.java.lang.String
getName()
gets the name of this authentication plug-in instancejava.lang.String
getName(java.util.Locale locale)
Retrieves the localizable name of this policy.java.lang.String[]
getRequiredCreds()
get the list of required credentials.java.lang.String
getText(java.util.Locale locale)
Retrieves the localizable description of this policy.IDescriptor
getValueDescriptor(java.util.Locale locale, java.lang.String name)
Retrieves the descriptor of the given value parameter by name.java.util.Enumeration<java.lang.String>
getValueNames()
Retrieves a list of names of the value parameter.void
init(IProfile profile, IConfigStore config)
Initializes this default policy.void
init(java.lang.String name, java.lang.String implName, IConfigStore config)
Initializes the CMCUserSignedAuth authentication plug-in.boolean
isSSLClientRequired()
Checks if this authenticator requires SSL client authentication.boolean
isValueWriteable(java.lang.String name)
Checks if the value of the given property should be serializable into the request.protected void
log(int level, java.lang.String msg)
Logs a message for this class in the system log file.void
populate(IAuthToken token, IRequest request)
Populates authentication specific information into the request for auditing purposes.void
shutdown()
prepares for shutdown.protected void
verifySelfSignedCMC(org.mozilla.jss.pkix.cms.SignerInfo signerInfo, org.mozilla.jss.asn1.OBJECT_IDENTIFIER id)
protected IAuthToken
verifySignerInfo(SessionContext auditContext, AuthToken authToken, org.mozilla.jss.pkix.cms.SignedData cmcFullReq)
User-signed CMC requests can be signed in two ways: a.
-
-
-
Field Detail
-
TOKEN_CERT_SERIAL
public static final java.lang.String TOKEN_CERT_SERIAL
- See Also:
- Constant Field Values
-
REASON_CODE
public static final java.lang.String REASON_CODE
- See Also:
- Constant Field Values
-
mConfigParams
protected static java.lang.String[] mConfigParams
-
CRED_CMC
public static final java.lang.String CRED_CMC
- See Also:
- Constant Field Values
-
mRequiredCreds
protected static java.lang.String[] mRequiredCreds
-
mExtendedPluginInfo
protected static java.util.Vector<java.lang.String> mExtendedPluginInfo
-
-
Method Detail
-
init
public void init(java.lang.String name, java.lang.String implName, IConfigStore config) throws EBaseException
Initializes the CMCUserSignedAuth authentication plug-in.- Specified by:
init
in interfaceIAuthManager
- Parameters:
name
- The name for this authentication plug-in instance.implName
- The name of the authentication plug-in.config
- - The configuration store for this instance.- Throws:
EBaseException
- If an error occurs during initialization.
-
authenticate
public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, EBaseException
Authenticates user by their CMC; resulting AuthToken sets a TOKEN_SUBJECT for the subject name.- signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed or self-signed) cert requests or revocation requests are submitted and signature is verified
- Specified by:
authenticate
in interfaceIAuthManager
- Parameters:
authCred
- Authentication credentials, CRED_UID and CRED_CMC.- Returns:
- an AuthToken
- Throws:
EMissingCredential
- If a required authentication credential is missing.EInvalidCredentials
- If credentials failed authentication.EBaseException
- If an internal error occurred.- See Also:
AuthToken
-
verifySelfSignedCMC
protected void verifySelfSignedCMC(org.mozilla.jss.pkix.cms.SignerInfo signerInfo, org.mozilla.jss.asn1.OBJECT_IDENTIFIER id) throws EBaseException
- Throws:
EBaseException
-
getConfigParams
public java.lang.String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.- Specified by:
getConfigParams
in interfaceIAuthManager
- Returns:
- String array of configuration parameter names.
-
getConfigStore
public IConfigStore getConfigStore()
gets the configuration substore used by this authentication plug-in- Specified by:
getConfigStore
in interfaceIAuthManager
- Specified by:
getConfigStore
in interfaceIProfileAuthenticator
- Returns:
- configuration store
-
getImplName
public java.lang.String getImplName()
gets the plug-in name of this authentication plug-in.- Specified by:
getImplName
in interfaceIAuthManager
- Returns:
- the name of the authentication manager plugin.
-
getName
public java.lang.String getName()
gets the name of this authentication plug-in instance- Specified by:
getName
in interfaceIAuthManager
- Returns:
- the name of this authentication manager.
-
getRequiredCreds
public java.lang.String[] getRequiredCreds()
get the list of required credentials.- Specified by:
getRequiredCreds
in interfaceIAuthManager
- Returns:
- list of required credentials as strings.
-
shutdown
public void shutdown()
prepares for shutdown.- Specified by:
shutdown
in interfaceIAuthManager
-
getExtendedPluginInfo
public java.lang.String[] getExtendedPluginInfo()
Activate the help system.- Returns:
- help messages
-
log
protected void log(int level, java.lang.String msg)
Logs a message for this class in the system log file.- Parameters:
level
- The log level.msg
- The message to log.- See Also:
ILogger
-
verifySignerInfo
protected IAuthToken verifySignerInfo(SessionContext auditContext, AuthToken authToken, org.mozilla.jss.pkix.cms.SignedData cmcFullReq) throws EBaseException, EInvalidCredentials, EMissingCredential
User-signed CMC requests can be signed in two ways: a. signed with previously issued user signing cert b. self-signed with the private key paired with the public key in the request In case "a", the resulting authToke would contain (IAuthManager.CRED_CMC_SIGNING_CERT, signing cert serial number) In case "b", the resulting authToke would not contain the attribute IAuthManager.CRED_CMC_SIGNING_CERT
-
getExtendedPluginInfo
public java.lang.String[] getExtendedPluginInfo(java.util.Locale locale)
Description copied from interface:IExtendedPluginInfo
This method returns an array of strings. Each element of the array represents a configurable parameter, or some other meta-info (such as help-token) there is an entry indexed on that parameter name; [,required]; ;... Where: type_info is either 'string', 'number', 'boolean', 'password' or 'choice(ch1,ch2,ch3,...)' If the marker 'required' is included after the type_info, the parameter will has some visually distinctive marking in the UI. 'description' is a short sentence describing the parameter 'choice' is rendered as a drop-down list. The first parameter in the list will be activated by default 'boolean' is rendered as a checkbox. The resulting parameter will be either 'true' or 'false' 'string' allows any characters 'number' allows only numbers 'password' is rendered as a password field (the characters are replaced with *'s when being types. This parameter is not passed through to the plugin. It is instead inserted directly into the password cache keyed on the instance name. The value of the parameter 'bindPWPrompt' (see example below) is set to the key. In addition to the configurable parameters, the following magic parameters may be defined: HELP_TOKEN;helptoken - a pointer to the online manual section for this plugin HELP_TEXT;helptext - a general help string describing the plugin For example: "username;string;The username you wish to login as" "bindPWPrompt;password;Enter password to bind as above user with" "algorithm;choice(RSA,DSA);Which algorithm do you want to use" "enable;boolean;Do you want to run this plugin" "port;number;Which port number do you want to use" - Specified by:
getExtendedPluginInfo
in interfaceIExtendedPluginInfo
-
init
public void init(IProfile profile, IConfigStore config) throws EProfileException
Description copied from interface:IProfileAuthenticator
Initializes this default policy.- Specified by:
init
in interfaceIProfileAuthenticator
- Parameters:
profile
- owner of this authenticatorconfig
- configuration store- Throws:
EProfileException
- failed to initialize
-
getName
public java.lang.String getName(java.util.Locale locale)
Retrieves the localizable name of this policy.- Specified by:
getName
in interfaceIProfileAuthenticator
- Parameters:
locale
- end user locale- Returns:
- localized authenticator name
-
getText
public java.lang.String getText(java.util.Locale locale)
Retrieves the localizable description of this policy.- Specified by:
getText
in interfaceIProfileAuthenticator
- Parameters:
locale
- end user locale- Returns:
- localized authenticator description
-
getValueNames
public java.util.Enumeration<java.lang.String> getValueNames()
Retrieves a list of names of the value parameter.- Specified by:
getValueNames
in interfaceIProfileAuthenticator
- Returns:
- a list of property names
-
isValueWriteable
public boolean isValueWriteable(java.lang.String name)
Description copied from interface:IProfileAuthenticator
Checks if the value of the given property should be serializable into the request. Passsword or other security-related value may not be desirable for storage.- Specified by:
isValueWriteable
in interfaceIProfileAuthenticator
- Parameters:
name
- property name- Returns:
- true if the property is not security related
-
getValueDescriptor
public IDescriptor getValueDescriptor(java.util.Locale locale, java.lang.String name)
Retrieves the descriptor of the given value parameter by name.- Specified by:
getValueDescriptor
in interfaceIProfileAuthenticator
- Parameters:
locale
- user localename
- property name- Returns:
- descriptor of the requested property
-
populate
public void populate(IAuthToken token, IRequest request) throws EProfileException
Description copied from interface:IProfileAuthenticator
Populates authentication specific information into the request for auditing purposes.- Specified by:
populate
in interfaceIProfileAuthenticator
- Parameters:
token
- authentication tokenrequest
- request- Throws:
EProfileException
- failed to populate
-
isSSLClientRequired
public boolean isSSLClientRequired()
Description copied from interface:IProfileAuthenticator
Checks if this authenticator requires SSL client authentication.- Specified by:
isSSLClientRequired
in interfaceIProfileAuthenticator
- Returns:
- client authentication required or not
-
-