Allow X509Authentication to be triggered from Login Choices page as well. Default is old behavior, This allows one to maintain the site under http and only protect certificate login page with https for certificate authentication. Implicit X509 Authentication is not ideal in relation to default Internet Explorer behavior.

git-svn-id: http://scm.dspace.org/svn/repo/branches/dspace-1_5_x@2435 9c30dcfa-912a-0410-8fc2-9e0234be79fd

dspace-api/src/main/java/org/dspace/authenticate/X509Authentication.java

@@ -110,6 +110,10 @@ public class X509Authentication
     /** key store for CA certs if we use that */
     private static KeyStore caCertKeyStore = null;
 
+    private static String loginPageTitle = null;
+    
+    private static String loginPageURL = null;
+    
     /**
      * Initialization:
      *  Set caPublicKey and/or keystore.  This loads the information
@@ -117,6 +121,14 @@ public class X509Authentication
      */
     static
     {
+        /*
+         * allow identification of alternative entry points 
+         * for certificate authentication when
+         * selected by the user rather than implicitly.
+         */
+        loginPageTitle = ConfigurationManager.getProperty("authentication.x509.chooser.title.key");
+        loginPageURL = ConfigurationManager.getProperty("authentication.x509.chooser.uri");
+        
         String keystorePath = ConfigurationManager.getProperty("authentication.x509.keystore.path");
         String keystorePassword = ConfigurationManager.getProperty("authentication.x509.keystore.password");
         String caCertPath = ConfigurationManager.getProperty("authentication.x509.ca.cert");
@@ -457,10 +469,10 @@ public class X509Authentication
     }
 
     /**
-     * Return null, since this is an implicit method with no login page.
+     * Returns URL of password-login servlet.
      *
      * @param context
-     *  DSpace context, will be modified (ePerson set) upon success.
+     *  DSpace context, will be modified (EPerson set) upon success.
      *
      * @param request
      *  The HTTP request that started this operation, or null if not applicable.
@@ -474,19 +486,20 @@ public class X509Authentication
                             HttpServletRequest request,
                             HttpServletResponse response)
     {
-        return null;
+        return loginPageURL;
     }
 
     /**
-     * Return null, since this is an implicit method with no login page.
+     * Returns message key for title of the "login" page, to use
+     * in a menu showing the choice of multiple login methods.
      *
      * @param context
-     *  DSpace context, will be modified (ePerson set) upon success.
+     *  DSpace context, will be modified (EPerson set) upon success.
      *
      * @return Message key to look up in i18n message catalog.
      */
     public String loginPageTitle(Context context)
     {
-        return null;
+        return loginPageTitle;
     }
 }

dspace-api/src/main/resources/Messages.properties

@@ -1329,6 +1329,7 @@ org.dspace.content.Collection.untitled
 org.dspace.content.Community.untitled                                           = Untitled
 org.dspace.eperson.LDAPAuthentication.title                                     = Enter LDAP Netid and Password
 org.dspace.eperson.PasswordAuthentication.title                                 = Enter DSpace Username and Password
+org.dspace.eperson.X509Authentication.title                                     = Enter DSpace using Web Certificate
 org.dspace.eperson.Subscribe.id                                                 = ID: 
 org.dspace.eperson.Subscribe.new-items                                          = New Items:
 org.dspace.eperson.Subscribe.title                                              = Title:

dspace-jspui/src/main/java/org/dspace/app/webui/servlet/X509CertificateServlet.java

@@ -0,0 +1,115 @@
+/*
+ * X509CertificateServlet.java
+ *
+ * Version: $Revision$
+ *
+ * Date: $Date$
+ *
+ * Copyright (c) 2002-2005, Hewlett-Packard Company and Massachusetts
+ * Institute of Technology.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the Hewlett-Packard Company nor the name of the
+ * Massachusetts Institute of Technology nor the names of their
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+package org.dspace.app.webui.servlet;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.sql.SQLException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.log4j.Logger;
+import org.dspace.app.webui.util.Authenticate;
+import org.dspace.app.webui.util.JSPManager;
+import org.dspace.app.webui.util.UIUtil;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.core.Context;
+import org.dspace.core.LogManager;
+import org.dspace.eperson.EPerson;
+
+/**
+ * X509 certificate authentication servlet. This is an
+ * access point for interactive certificate auth that will
+ * not be implicit (i.e. not immediately performed
+ * because the resource is being accessed via HTTP
+ * 
+ * @author Robert Tansley
+ * @author Mark Diggory
+ * @version $Revision$
+ */
+public class X509CertificateServlet extends DSpaceServlet
+{
+    /** serialization id */
+    private static final long serialVersionUID = -3571151231655696793L;
+    
+    /** log4j logger */
+    private static Logger log = Logger.getLogger(X509CertificateServlet.class);
+
+    protected void doDSGet(Context context, HttpServletRequest request,
+            HttpServletResponse response) throws ServletException, IOException,
+            SQLException, AuthorizeException
+    {
+        // Obtain the certificate from the request, if any
+        X509Certificate[] certs = (X509Certificate[]) request
+                .getAttribute("javax.servlet.request.X509Certificate");
+
+        if ((certs == null) || (certs.length == 0))
+        {
+            log.info(LogManager.getHeader(context, "failed_login",
+                    "type=x509certificate"));
+
+            JSPManager.showJSP(request, response, "/login/no-valid-cert.jsp");
+        }
+        else
+        {
+
+            Context ctx = UIUtil.obtainContext(request);
+
+            EPerson eperson = ctx.getCurrentUser();
+
+            // Do we have an active e-person now?
+            if ((eperson != null) && eperson.canLogIn())
+            {
+                // Everything OK - they should have already been logged in.
+                // resume previous request
+                Authenticate.resumeInterruptedRequest(request, response);
+
+                return;
+            }
+
+            // If we get to here, no valid cert
+            log.info(LogManager.getHeader(context, "failed_login",
+                    "type=x509certificate"));
+            JSPManager.showJSP(request, response, "/login/no-valid-cert.jsp");
+        }
+    }
+}

dspace-jspui/src/main/webapp/WEB-INF/web.xml

@@ -297,6 +297,11 @@
     <servlet-class>org.dspace.app.webui.servlet.LDAPServlet</servlet-class>
   </servlet>
 
+  <servlet>
+    <servlet-name>certificate-login</servlet-name>
+    <servlet-class>org.dspace.app.webui.servlet.X509CertificateServlet</servlet-class>
+  </servlet>
+  
   <servlet>
     <servlet-name>profile</servlet-name>
     <servlet-class>org.dspace.app.webui.servlet.EditProfileServlet</servlet-class>
@@ -543,6 +548,11 @@
     <url-pattern>/ldap-login</url-pattern>
   </servlet-mapping>
 
+  <servlet-mapping>
+    <servlet-name>certificate-login</servlet-name>
+    <url-pattern>/certificate-login</url-pattern>
+  </servlet-mapping>
+  
   <servlet-mapping>
     <servlet-name>profile</servlet-name>
     <url-pattern>/profile</url-pattern>

dspace/config/dspace.cfg

@@ -249,6 +249,13 @@ plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
 ## Create e-persons for unknown names in valid certificates?
 #authentication.x509.autoregister = true
 
+## Allow Certificate auth to show as a choice in chooser
+# Use Messages.properties key for title
+#authentication.x509.chooser.title.key=org.dspace.eperson.X509Authentication.title
+#
+# Identify the location of the Certificate Login Servlet.
+#authentication.x509.chooser.uri=/certificate-login
+        
 #### Example of configuring IP-based authentication
 #### (to use, add org.dspace.authenticate.IPAuthentication to auth stack above)
 #