Project

General

Profile

Revision 6579

check client-provided certificate when servicing ReplicationServlet requests.

View differences:

lib/metacat.properties
341 341
replication.firsttimedreplication=10:00 PM
342 342
replication.timedreplicationinterval=172800000
343 343
replication.forcereplicationwaitingtime=30000
344
# certificate-based replication configuration
345
replication.keystore.filename=/etc/java-6-sun/security/cacerts
346
replication.keystore.password=changeit
344 347

  
345 348
######## Skins  #########################################
346 349

  
src/edu/ucsb/nceas/metacat/replication/ReplicationServlet.java
26 26

  
27 27
package edu.ucsb.nceas.metacat.replication;
28 28

  
29
import java.io.FileInputStream;
30
import java.io.FileNotFoundException;
29 31
import java.io.IOException;
32
import java.io.InputStream;
30 33
import java.io.OutputStream;
31 34
import java.io.PrintWriter;
35
import java.security.KeyStore;
36
import java.security.KeyStoreException;
37
import java.security.NoSuchAlgorithmException;
38
import java.security.cert.CertificateException;
39
import java.security.cert.X509Certificate;
32 40
import java.util.Enumeration;
33 41
import java.util.Hashtable;
34 42

  
......
40 48
import javax.servlet.http.HttpSession;
41 49

  
42 50
import org.apache.log4j.Logger;
51
import org.dataone.client.auth.CertificateManager;
43 52

  
53
import edu.ucsb.nceas.metacat.properties.PropertyService;
44 54
import edu.ucsb.nceas.metacat.service.ServiceService;
45 55
import edu.ucsb.nceas.metacat.service.SessionService;
46 56
import edu.ucsb.nceas.metacat.shared.MetacatUtilException;
47 57
import edu.ucsb.nceas.metacat.shared.ServiceException;
48 58
import edu.ucsb.nceas.metacat.util.AuthUtil;
49 59
import edu.ucsb.nceas.metacat.util.SessionData;
60
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
50 61

  
51 62
public class ReplicationServlet extends HttpServlet {
52 63

  
......
113 124
			if (!action.equals("servercontrol") && !action.equals("stop")
114 125
					&& !action.equals("start") && !action.equals("getall")) {
115 126

  
127
				// verify the client certificate on the request
128
				boolean isValid = false;
129
				String msg = "Client certificate is invalid";
130
				try {
131
					isValid = hasValidCertificate(request);
132
				} catch (Exception e) {
133
					msg = "Could not verify client certificate: " + e.getMessage();
134
					logMetacat.error(msg, e);
135
					logReplication.error(msg, e);
136
				}
137
				if (!isValid) {
138
					// send message to response
139
					out = response.getWriter();
140
					out.print("<error>");
141
					out.print(msg);
142
					out.print("</error>");
143
					out.close();
144
					return;
145
				}
146
				
116 147
				server = ((String[]) params.get("server"))[0];
117 148
				if (ReplicationService.getServerCodeForServerName(server) == 0) {
118 149
					logReplication.debug("ReplicationServlet.handleGetOrPost - Action \"" + action + "\" rejected for server: "
......
122 153
					logReplication.debug("ReplicationServlet.handleGetOrPost - Action \"" + action + "\" accepted for server: "
123 154
							+ server);
124 155
				}
156
				
125 157
			} else {
126 158
				// start, stop, getall and servercontrol need to check if user is administor
127 159
				HttpSession sess = request.getSession(true);
......
237 269
			}
238 270
		}
239 271
	}
272

  
273
	private boolean hasValidCertificate(HttpServletRequest request) throws KeyStoreException, PropertyNotFoundException, NoSuchAlgorithmException, CertificateException, IOException {
274
		// get the certificate from the request
275
		X509Certificate certificate = CertificateManager.getInstance().getCertificate(request);
276
		if (certificate != null) {
277
			// load the keystore
278
			KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
279
			InputStream is = new FileInputStream(PropertyService.getProperty("replication.keystore.filename"));
280
			String password = PropertyService.getProperty("replication.keystore.password");
281
			keyStore.load(is, password.toCharArray());
282
			// check that it contains our client's entry
283
			String alias = keyStore.getCertificateAlias(certificate);
284
			if (alias != null) {
285
				// TODO: more checking?
286
				return true;
287
			}
288
		}
289
 		return false;
290
	}
240 291
}

Also available in: Unified diff