craigmcc    01/05/09 16:42:19

  Modified:    catalina/src/conf server.xml
               catalina/src/share/org/apache/catalina Connector.java
               catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
               catalina/src/share/org/apache/catalina/connector/http
                        HttpConnector.java
               catalina/src/share/org/apache/catalina/connector/http10
                        HttpConnector.java
               catalina/src/share/org/apache/catalina/connector/warp
                        WarpConnector.java
  Log:
  [Servlet 2.3 PFD2, Section 12.8]
  
  If a request is being processed on a non-SSL connection, and is subject to
  a <security-constraint> that includes a transport guarantee requiring SSL,
  automatically redirect the request to a configurable port number (attached
  to the same Tomcat instance) that is listening on SSL.
  
  PR: BugTRAQ #4410795
  
  Revision  Changes    Path
  1.25      +2 -2      jakarta-tomcat-4.0/catalina/src/conf/server.xml
  
  Index: server.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/server.xml,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- server.xml        2001/05/08 05:58:43     1.24
  +++ server.xml        2001/05/09 23:42:04     1.25
  @@ -51,7 +51,7 @@
       <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
       <Connector className="org.apache.catalina.connector.http.HttpConnector"
                  port="8080" minProcessors="5" maxProcessors="75"
  -               enableLookups="true"
  +               enableLookups="true" redirectPort="8443"
                  acceptCount="10" debug="0" connectionTimeout="60000"/>
       <!-- Note : To disable connection timeouts, set connectionTimeout value 
        to -1 -->
  @@ -81,7 +81,7 @@
       <!--
       <Connector className="org.apache.catalina.connector.http10.HttpConnector"
                  port="8082" minProcessors="5" maxProcessors="75"
  -               enableLookups="true"
  +               enableLookups="true" redirectPort="8443"
                  acceptCount="10" debug="0"/>
       -->
   
  
  
  
  1.5       +20 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java
  
  Index: Connector.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Connector.java    2001/05/08 05:58:43     1.4
  +++ Connector.java    2001/05/09 23:42:07     1.5
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v 
1.4 2001/05/08 05:58:43 craigmcc Exp $
  - * $Revision: 1.4 $
  - * $Date: 2001/05/08 05:58:43 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Connector.java,v 
1.5 2001/05/09 23:42:07 craigmcc Exp $
  + * $Revision: 1.5 $
  + * $Date: 2001/05/09 23:42:07 $
    *
    * ====================================================================
    *
  @@ -117,7 +117,7 @@
    * normative.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.4 $ $Date: 2001/05/08 05:58:43 $
  + * @version $Revision: 1.5 $ $Date: 2001/05/09 23:42:07 $
    */
   
   public interface Connector {
  @@ -174,6 +174,22 @@
        * Return descriptive information about this Connector implementation.
        */
       public String getInfo();
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort();
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort);
   
   
       /**
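Review bot: The Javadoc on getRedirectPort() and setRedirectPort() does not say what a non-positive value means, although the new checkUserData() in AuthenticatorBase treats `redirectPort <= 0` as "SSL redirect disabled" and answers SC_FORBIDDEN instead of redirecting. Suggest adding to both comments `A value of zero or less disables the redirect; such requests are rejected with SC_FORBIDDEN instead.` The same gap exists in the copies of this Javadoc added to the http and http10 HttpConnector and to WarpConnector. Those implementations also accept values above 65535 without complaint, so a range check in their setters would fail at configuration time rather than when the first redirect URL is built.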
  
  
  
  1.11      +98 -32    
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- AuthenticatorBase.java    2001/03/30 21:38:47     1.10
  +++ AuthenticatorBase.java    2001/05/09 23:42:10     1.11
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
 1.10 2001/03/30 21:38:47 craigmcc Exp $
  - * $Revision: 1.10 $
  - * $Date: 2001/03/30 21:38:47 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
 1.11 2001/05/09 23:42:10 craigmcc Exp $
  + * $Revision: 1.11 $
  + * $Date: 2001/05/09 23:42:10 $
    *
    * ====================================================================
    *
  @@ -66,6 +66,8 @@
   
   
   import java.io.IOException;
  +import java.net.MalformedURLException;
  +import java.net.URL;
   import java.security.MessageDigest;
   import java.security.NoSuchAlgorithmException;
   import java.security.Principal;
  @@ -118,7 +120,7 @@
    * requests.  Requests of any other type will simply be passed through.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.10 $ $Date: 2001/03/30 21:38:47 $
  + * @version $Revision: 1.11 $ $Date: 2001/05/09 23:42:10 $
    */
   
   
  @@ -168,7 +170,7 @@
       /**
        * The debugging detail level for this component.
        */
  -    protected int debug = 0;
  +    protected int debug = 99;
   
   
       /**
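Review bot: The default of the `protected int debug` field changes from 0 to 99, which reads as instrumentation left over from testing rather than part of the redirect feature. It switches on every log() call in AuthenticatorBase for every deployment, including the new trace in checkUserData() that writes the full redirect target URL. Suggest restoring `protected int debug = 0;` and raising the level through the container configuration while testing.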
  @@ -473,32 +475,41 @@
            log(" Subject to constraint " + constraint);
   
        // Enforce any user data constraint for this security constraint
  +        if (debug >= 1)
  +            log(" Calling checkUserData()");
        if (!checkUserData(hrequest, hresponse, constraint)) {
            if (debug >= 1)
                log(" Failed checkUserData() test");
  -            ((HttpServletResponse) hresponse.getResponse()).sendError
  -                (HttpServletResponse.SC_FORBIDDEN,
  -                 ((HttpServletRequest) hrequest.getRequest()).getRequestURI());
  -         return;
  -     }
  -
  -     // Authenticate based upon the specified login configuration
  -     if (!authenticate(hrequest, hresponse, config)) {
  -         if (debug >= 1)
  -             log(" Failed authenticate() test");
               // ASSERT: Authenticator already set the appropriate
               // HTTP status code, so we do not have to do anything special
            return;
        }
   
  +     // Authenticate based upon the specified login configuration
  +        if (constraint.getAuthConstraint()) {
  +            if (debug >= 1)
  +                log(" Calling authenticate()");
  +            if (!authenticate(hrequest, hresponse, config)) {
  +                if (debug >= 1)
  +                    log(" Failed authenticate() test");
  +                // ASSERT: Authenticator already set the appropriate
  +                // HTTP status code, so we do not have to do anything special
  +                return;
  +            }
  +        }
  +
        // Perform access control based on the specified role(s)
  -     if (!accessControl(hrequest, hresponse, constraint)) {
  -         if (debug >= 1)
  -             log(" Failed accessControl() test");
  -            // ASSERT: Access control method has already set the appropriate
  -            // HTTP status code, so we do not have to do anything special
  -         return;
  -     }
  +        if (constraint.getAuthConstraint()) {
  +            if (debug >= 1)
  +                log(" Calling accessControl()");
  +            if (!accessControl(hrequest, hresponse, constraint)) {
  +                if (debug >= 1)
  +                    log(" Failed accessControl() test");
  +                // ASSERT: AccessControl method has already set the appropriate
  +                // HTTP status code, so we do not have to do anything special
  +                return;
  +            }
  +        }
   
        // Any and all specified constraints have been satisfied
        if (debug >= 1)
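Review bot: The context comment `// ASSERT: Authenticator already set the appropriate` is now inside the checkUserData() failure branch, where it is stale: the 403 or redirect is sent by checkUserData() itself since this change, not by an authenticator. Suggest `// ASSERT: checkUserData() already sent the redirect or error status, so we do not have to do anything special`. The two identical `if (constraint.getAuthConstraint())` guards around authenticate() and accessControl() could be one block, since the calls are consecutive and gated the same way. Whether SecurityConstraint.getAuthConstraint() returns true for an empty auth-constraint (the "deny everyone" form) is not visible here; if it returns false, the guard would skip accessControl() and permit the request, so that is worth confirming. The enclosing invoke() method starts and ends outside this hunk.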
  @@ -630,22 +641,77 @@
        throws IOException {
   
        // Is there a relevant user data constraint?
  -     if (constraint == null)
  +     if (constraint == null) {
  +            if (debug >= 2)
  +             log("  No applicable security constraint defined");
            return (true);
  +        }
        String userConstraint = constraint.getUserConstraint();
  -     if (userConstraint == null)
  +     if (userConstraint == null) {
  +            if (debug >= 2)
  +             log("  No applicable user data constraint defined");
            return (true);
  -     if (userConstraint.equals(Constants.NONE_TRANSPORT))
  +        }
  +     if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
  +            if (debug >= 2)
  +                log("  User data constraint has no restrictions");
            return (true);
  +        }
   
        // Validate the request against the user data constraint
  -     if (!request.getRequest().isSecure()) {
  -         ((HttpServletResponse) response.getResponse()).sendError
  -             (HttpServletResponse.SC_BAD_REQUEST,
  -              sm.getString("authenticator.userDataConstraint"));
  -         return (false);
  -     }
  -     return (true);
  +     if (request.getRequest().isSecure()) {
  +            if (debug >= 2)
  +                log("  User data constraint already satisfied");
  +            return (true);
  +        }
  +
  +        // Initialize variables we need to determine the appropriate action
  +        HttpServletRequest hrequest =
  +            (HttpServletRequest) request.getRequest();
  +        HttpServletResponse hresponse =
  +            (HttpServletResponse) response.getResponse();
  +        int redirectPort = request.getConnector().getRedirectPort();
  +
  +        // Is redirecting disabled?
  +        if (redirectPort <= 0) {
  +            if (debug >= 2)
  +                log("  SSL redirect is disabled");
  +            hresponse.sendError
  +                (HttpServletResponse.SC_FORBIDDEN,
  +                 hrequest.getRequestURI());
  +            return (false);
  +        }
  +
  +        // Redirect to the corresponding SSL port
  +        String protocol = "https";
  +        String host = hrequest.getServerName();
  +        StringBuffer file = new StringBuffer(hrequest.getRequestURI());
  +        String requestedSessionId = hrequest.getRequestedSessionId();
  +        if ((requestedSessionId != null) &&
  +            hrequest.isRequestedSessionIdFromURL()) {
  +            file.append(";jsessionid=");
  +            file.append(requestedSessionId);
  +        }
  +        String queryString = hrequest.getQueryString();
  +        if (queryString != null) {
  +            file.append('?');
  +            file.append(queryString);
  +        }
  +        URL url = null;
  +        try {
  +            url = new URL(protocol, host, redirectPort, file.toString());
  +            if (debug >= 2)
  +                log("  Redirecting to " + url.toString());
  +            hresponse.sendRedirect(url.toString());
  +            return (false);
  +        } catch (MalformedURLException e) {
  +            if (debug >= 2)
  +                log("  Cannot create new URL", e);
  +            hresponse.sendError
  +                (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  +                 hrequest.getRequestURI());
  +            return (false);
  +        }
   
       }
   
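Review bot: The debug trace `log("  Redirecting to " + url.toString())` writes the complete redirect URL, which includes the `;jsessionid=` path parameter whenever the session id came from the URL, plus the query string; session identifiers should not reach the log. Suggest logging only the scheme, host, port and path, e.g. `log("  Redirecting to " + url.getProtocol() + "://" + url.getHost() + ":" + url.getPort() + hrequest.getRequestURI());`. The redirect is also issued regardless of request method, so a POST that hits a CONFIDENTIAL constraint is replayed as a GET on the SSL port with its body dropped; Section 12.8 permits the redirect, but documenting that effect in the method Javadoc would help deployers. The `URL url = null;` initialisation before the try block is unnecessary since the variable is only used inside it.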
  
  
  
  1.15      +34 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java
  
  Index: HttpConnector.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- HttpConnector.java        2001/05/08 05:58:44     1.14
  +++ HttpConnector.java        2001/05/09 23:42:12     1.15
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
 1.14 2001/05/08 05:58:44 craigmcc Exp $
  - * $Revision: 1.14 $
  - * $Date: 2001/05/08 05:58:44 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpConnector.java,v
 1.15 2001/05/09 23:42:12 craigmcc Exp $
  + * $Revision: 1.15 $
  + * $Date: 2001/05/09 23:42:12 $
    *
    * ====================================================================
    *
  @@ -95,7 +95,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.14 $ $Date: 2001/05/08 05:58:44 $
  + * @version $Revision: 1.15 $ $Date: 2001/05/09 23:42:12 $
    */
   
   
  @@ -225,6 +225,12 @@
   
   
       /**
  +     * The redirect port for non-SSL to SSL redirects.
  +     */
  +    private int redirectPort = 443;
  +
  +
  +    /**
        * The request scheme that will be set on all requests received
        * through this connector.
        */
  @@ -631,6 +637,30 @@
       public void setProxyPort(int proxyPort) {
   
           this.proxyPort = proxyPort;
  +
  +    }
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +
  +        return (this.redirectPort);
  +
  +    }
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +
  +        this.redirectPort = redirectPort;
   
       }
   
  
  
  
  1.6       +34 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java
  
  Index: HttpConnector.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- HttpConnector.java        2001/05/08 05:58:44     1.5
  +++ HttpConnector.java        2001/05/09 23:42:14     1.6
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
 1.5 2001/05/08 05:58:44 craigmcc Exp $
  - * $Revision: 1.5 $
  - * $Date: 2001/05/08 05:58:44 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http10/HttpConnector.java,v
 1.6 2001/05/09 23:42:14 craigmcc Exp $
  + * $Revision: 1.6 $
  + * $Date: 2001/05/09 23:42:14 $
    *
    * ====================================================================
    *
  @@ -94,7 +94,7 @@
    * purposes.  Not intended to be the final solution.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.5 $ $Date: 2001/05/08 05:58:44 $
  + * @version $Revision: 1.6 $ $Date: 2001/05/09 23:42:14 $
    */
   
   
  @@ -224,6 +224,12 @@
   
   
       /**
  +     * The redirect port for non-SSL to SSL redirects.
  +     */
  +    private int redirectPort = 443;
  +
  +
  +    /**
        * The request scheme that will be set on all requests received
        * through this connector.
        */
  @@ -602,6 +608,30 @@
       public void setProxyPort(int proxyPort) {
   
           this.proxyPort = proxyPort;
  +
  +    }
  +
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +
  +        return (this.redirectPort);
  +
  +    }
  +
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +
  +        this.redirectPort = redirectPort;
   
       }
   
  
  
  
  1.11      +21 -1     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java
  
  Index: WarpConnector.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/warp/WarpConnector.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- WarpConnector.java        2001/05/08 05:58:44     1.10
  +++ WarpConnector.java        2001/05/09 23:42:17     1.11
  @@ -78,7 +78,7 @@
    * @author <a href="mailto:[EMAIL PROTECTED]";>Pier Fumagalli</a>
    * @author Copyright &copy; 1999, 2000 <a href="http://www.apache.org";>The
    *         Apache Software Foundation.
  - * @version CVS $Id: WarpConnector.java,v 1.10 2001/05/08 05:58:44 craigmcc Exp $
  + * @version CVS $Id: WarpConnector.java,v 1.11 2001/05/09 23:42:17 craigmcc Exp $
    */
   public class WarpConnector implements Connector, Lifecycle, Runnable {
   
  @@ -104,6 +104,8 @@
   
       // -------------------------------------------------------- BEAN PROPERTIES
   
  +    /** The port to which non-SSL requests should be redirected for SSL */
  +    private int redirectPort = 443;
       /** Wether requests received through this connector are secure. */
       private boolean secure=false;
       /** The scheme to be set on requests received through this connector. */
  @@ -241,6 +243,24 @@
       }
   
       // ----------------------------------------------------------- BEAN METHODS
  +
  +    /**
  +     * Return the port number to which a request should be redirected if
  +     * it comes in on a non-SSL port and is subject to a security constraint
  +     * with a transport guarantee that requires SSL.
  +     */
  +    public int getRedirectPort() {
  +        return (this.redirectPort);
  +    }
  +
  +    /**
  +     * Set the redirect port number.
  +     *
  +     * @param redirectPort The redirect port number (non-SSL to SSL)
  +     */
  +    public void setRedirectPort(int redirectPort) {
  +        this.redirectPort = redirectPort;
  +    }
   
       /**
        * Return the secure connection flag that will be assigned to requests
  
  
  
