26 |
26 |
|
27 |
27 |
package edu.ucsb.nceas.metacat.replication;
|
28 |
28 |
|
|
29 |
import java.io.FileInputStream;
|
|
30 |
import java.io.FileNotFoundException;
|
29 |
31 |
import java.io.IOException;
|
|
32 |
import java.io.InputStream;
|
30 |
33 |
import java.io.OutputStream;
|
31 |
34 |
import java.io.PrintWriter;
|
|
35 |
import java.security.KeyStore;
|
|
36 |
import java.security.KeyStoreException;
|
|
37 |
import java.security.NoSuchAlgorithmException;
|
|
38 |
import java.security.cert.CertificateException;
|
|
39 |
import java.security.cert.X509Certificate;
|
32 |
40 |
import java.util.Enumeration;
|
33 |
41 |
import java.util.Hashtable;
|
34 |
42 |
|
... | ... | |
40 |
48 |
import javax.servlet.http.HttpSession;
|
41 |
49 |
|
42 |
50 |
import org.apache.log4j.Logger;
|
|
51 |
import org.dataone.client.auth.CertificateManager;
|
43 |
52 |
|
|
53 |
import edu.ucsb.nceas.metacat.properties.PropertyService;
|
44 |
54 |
import edu.ucsb.nceas.metacat.service.ServiceService;
|
45 |
55 |
import edu.ucsb.nceas.metacat.service.SessionService;
|
46 |
56 |
import edu.ucsb.nceas.metacat.shared.MetacatUtilException;
|
47 |
57 |
import edu.ucsb.nceas.metacat.shared.ServiceException;
|
48 |
58 |
import edu.ucsb.nceas.metacat.util.AuthUtil;
|
49 |
59 |
import edu.ucsb.nceas.metacat.util.SessionData;
|
|
60 |
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
|
50 |
61 |
|
51 |
62 |
public class ReplicationServlet extends HttpServlet {
|
52 |
63 |
|
... | ... | |
113 |
124 |
if (!action.equals("servercontrol") && !action.equals("stop")
|
114 |
125 |
&& !action.equals("start") && !action.equals("getall")) {
|
115 |
126 |
|
|
127 |
// verify the client certificate on the request
|
|
128 |
boolean isValid = false;
|
|
129 |
String msg = "Client certificate is invalid";
|
|
130 |
try {
|
|
131 |
isValid = hasValidCertificate(request);
|
|
132 |
} catch (Exception e) {
|
|
133 |
msg = "Could not verify client certificate: " + e.getMessage();
|
|
134 |
logMetacat.error(msg, e);
|
|
135 |
logReplication.error(msg, e);
|
|
136 |
}
|
|
137 |
if (!isValid) {
|
|
138 |
// send message to response
|
|
139 |
out = response.getWriter();
|
|
140 |
out.print("<error>");
|
|
141 |
out.print(msg);
|
|
142 |
out.print("</error>");
|
|
143 |
out.close();
|
|
144 |
return;
|
|
145 |
}
|
|
146 |
|
116 |
147 |
server = ((String[]) params.get("server"))[0];
|
117 |
148 |
if (ReplicationService.getServerCodeForServerName(server) == 0) {
|
118 |
149 |
logReplication.debug("ReplicationServlet.handleGetOrPost - Action \"" + action + "\" rejected for server: "
|
... | ... | |
122 |
153 |
logReplication.debug("ReplicationServlet.handleGetOrPost - Action \"" + action + "\" accepted for server: "
|
123 |
154 |
+ server);
|
124 |
155 |
}
|
|
156 |
|
125 |
157 |
} else {
|
126 |
158 |
// start, stop, getall and servercontrol need to check if user is administor
|
127 |
159 |
HttpSession sess = request.getSession(true);
|
... | ... | |
237 |
269 |
}
|
238 |
270 |
}
|
239 |
271 |
}
|
|
272 |
|
|
273 |
private boolean hasValidCertificate(HttpServletRequest request) throws KeyStoreException, PropertyNotFoundException, NoSuchAlgorithmException, CertificateException, IOException {
|
|
274 |
// get the certificate from the request
|
|
275 |
X509Certificate certificate = CertificateManager.getInstance().getCertificate(request);
|
|
276 |
if (certificate != null) {
|
|
277 |
// load the keystore
|
|
278 |
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
|
279 |
InputStream is = new FileInputStream(PropertyService.getProperty("replication.keystore.filename"));
|
|
280 |
String password = PropertyService.getProperty("replication.keystore.password");
|
|
281 |
keyStore.load(is, password.toCharArray());
|
|
282 |
// check that it contains our client's entry
|
|
283 |
String alias = keyStore.getCertificateAlias(certificate);
|
|
284 |
if (alias != null) {
|
|
285 |
// TODO: more checking?
|
|
286 |
return true;
|
|
287 |
}
|
|
288 |
}
|
|
289 |
return false;
|
|
290 |
}
|
240 |
291 |
}
|
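Review bot: hasValidCertificate (new lines 273-290) accepts any certificate that has an alias in the replication keystore, but never checks its validity period and never relates it to the `server` parameter read at new line 147 of handleGetOrPost (only partly visible here). As far as this section shows, a peer holding any listed certificate can therefore name any registered server. Calling `certificate.checkValidity()` before the alias lookup covers expiry, since its exceptions are CertificateException subclasses that are already declared, and the certificate subject should be compared with the server name once that mapping is decided. The FileInputStream opened for the keystore is never closed, which leaks a file handle on every replication request; the fence below closes it in a finally block and reads the password first so a missing property cannot leave the stream open. Separately, new line 133 copies `e.getMessage()` into the `<error>` response, which for a FileNotFoundException would typically include the keystore path; a fixed client message with the detail kept in the log would avoid that.

```java
private boolean hasValidCertificate(HttpServletRequest request) throws KeyStoreException, PropertyNotFoundException, NoSuchAlgorithmException, CertificateException, IOException {
    // … unchanged: certificate lookup from the request and null check …
        // reject expired or not-yet-valid certificates before trusting the keystore match
        certificate.checkValidity();
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // read both properties before opening the file so a missing one cannot leak the stream
        String password = PropertyService.getProperty("replication.keystore.password");
        InputStream is = new FileInputStream(PropertyService.getProperty("replication.keystore.filename"));
        try {
            keyStore.load(is, password.toCharArray());
        } finally {
            is.close();
        }
        // … unchanged: alias lookup and return …
```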
check client-provided certificate when servicing ReplicationServlet requests.