85. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 7/10/2017 1:01:45 PM Central Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

85.1 Files compared

#	Location	File	Last Modified
1	C:\AraxisMergeCompare\Pri_un\IV-ehmp_cif\ImagingVistaRealm\main\src\java\gov\va\med\imaging\tomcat\vistarealm	VistaCertificateRealm.java	Thu Jun 29 17:23:03 2017 UTC
2	C:\AraxisMergeCompare\Pri_re\IV-ehmp_cif\ImagingVistaRealm\main\src\java\gov\va\med\imaging\tomcat\vistarealm	VistaCertificateRealm.java	Thu Jul 6 15:03:45 2017 UTC

85.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	1018
Changed	1	2
Inserted	0	0
Removed	0	0

85.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

85.4 Active regular expressions

No regular expressions were active.

85.5 Comparison detail

	1	package go v.va.med.i maging.tom cat.vistar ealm;
	2
	3	import jav a.lang.man agement.Ma nagementFa ctory;
	4	import jav a.security .Principal ;
	5	import jav a.security .cert.Cert ificateExp iredExcept ion;
	6	import jav a.security .cert.Cert ificateNot YetValidEx ception;
	7	import jav a.security .cert.X509 Certificat e;
	8	import jav a.util.Arr ayList;
	9	import jav a.util.Lis t;
	10
	11	import jav ax.managem ent.Instan ceAlreadyE xistsExcep tion;
	12	import jav ax.managem ent.Instan ceNotFound Exception;
	13	import jav ax.managem ent.MBeanR egistratio nException ;
	14	import jav ax.managem ent.MBeanS erver;
	15	import jav ax.managem ent.NotCom pliantMBea nException ;
	16	import jav ax.managem ent.Object Instance;
	17	import jav ax.managem ent.Object Name;
	18
	19	import org .apache.ca talina.Lif ecycleStat e;
	20	import org .apache.ca talina.Cre dentialHan dler;
	21	import org .apache.ca talina.Con tainer;
	22	import org .apache.ca talina.Rea lm;
	23	import org .apache.lo g4j.Logger ;
	24	import org .ietf.jgss .GSSContex t;
	25
	26	/**
	27	* This cl ass implem ents a Tom cat Realm that accep ts only X. 509 certif icates.
	28	* Otherwi se it is s imilar to the VistaR ealm in th at the cre ated Princ ipal
	29	* instanc es are Vis taRealmPri ncipal and compatibl e with the Transacti onContext
	30	* mechani sm in VIX.
	31	*
	32	* This Re alm will N OT delegat e authenti cation to its contai ner parent realm lik e
	33	* VistaRe alm does.
	34	*
	35	* Portion s of this code and t he comment s are copi ed verbati m from
	36	* Tomcat/ Catalina s ource.
	37	*
	38	* A quick discussio n of Realm calling s equence in Tomcat (o r at least how I
	39	* think t hey work). -startup- 1.) const ructor() 2 .) setCont ainer() 3. )
	40	* MBeanRe gistration .preRegist er() 4.) M BeanRegist ration.pos tRegister( ) 5.)
	41	* Lifecyc le.start() 6.) backg roundProce ss() runs periodical ly from he re to
	42	* Lifecyc le.stop()
	43	*
	44	* -on cli ent call- 1.) findSe curityCons traints() - determin es if the web.xml
	45	* file ha s defined security-c onstraint elements f or the res ource shou ld return
	46	* an arra y of appli cable cons traints (i n descendi ng order o f specific ity) 2.)
	47	* hasUser DataPermis sion() - t o check th e web.xml specified requiremen ts for
	48	* data in tegrity an d security in transm ission 3.) authentic ate() - de pending on
	49	* the pre sented cre dentials, may call o ne of the four authe nticate me thods if
	50	* the use r exists, should ret urn a Prin cipal real ization 4. )
	51	* hasReso urcePermis sion() - d etermines if the aut henticated user has permission
	52	* to the specific r esource na med - on s erver stop - 1.) Lif ecycle.sto p()
	53	*
	54	* Initial ization Se quence:
	55	*
	56	* ======= ========== ========== ========== ========== ========== ========== ======
	57	* server. xml Realm element ex ample with just requ ired prope rties spec ified
	58	* <Realm
	59	* classNa me="gov.va .med.imagi ng.tomcat. vistarealm .VistaReal m"
	60	* siteNum ber = "660 "
	61	* siteAbb reviation = "SLC"
	62	* siteNam e = "Salt Lake City, UT"
	63	* />
	64	*
	65	* ======= ========== ========== ========== ========== ========== ========== ======
	66	* server. xml Realm element ex ample with all prope rties spec ified
	67	* <Realm
	68	* classNa me="gov.va .med.imagi ng.tomcat. vistarealm .VistaReal m"
	69	* siteNum ber="660"
	70	* siteAbb reviation= "SLC"
	71	* siteNam e="Salt La ke City, U T"
	72	* usingPr incipalCac he="true"
	73	* princip alCacheLif espan="600 00"
	74	* refresh PrincipalC acheEntryO nUse="true "
	75	* vistaCo nnectDelay Kludge="10 00"
	76	* />
	77	*
	78	* @author BECKEC
	79	*
	80	*/
	81	public cla ss VistaCe rtificateR ealm
	82	extends Ab stractVist aRealmImpl
	83	implements Realm, or g.apache.c atalina.Li fecycle, A bstractVis taRealm, V istaCertif icateRealm MBean
	84	{
	85	// Known Rol es are now defined i n the Vist aRealmRole s Enum in the
	86	// VistaReal mClient pr oject.
	87	// Partially this was for a code cleanup, and partia lly to mak e them
	88	// available
	89	// outside o f the real m itself.
	90
	91	pr ivate Logg er logger = Logger.g etLogger(t his.getCla ss());
	92
	93	pr ivate Cont ainer pare ntContaine r;
	94	pr ivate Real m parentCo ntainerRea lm;
	95
	96	/* *
	97	*
	98	* /
	99	pu blic Vista Certificat eRealm()
	100	{
	101	logg er.info(Vi staCertifi cateRealm. class.getC anonicalNa me() + " c tor()");
	102	}
	103
	104	pu blic synch ronized Co ntainer ge tParentCon tainer()
	105	{
	106	if(p arentConta iner == nu ll)
	107	parent Container = getConta iner() == null ? nul l : getCon tainer().g etParent() ;
	108
	109	retu rn parentC ontainer;
	110	}
	111
	112	pu blic synch ronized Re alm getPar entContain erRealm()
	113	{
	114	if(p arentConta inerRealm == null)
	115	{
	116	Contai ner parent Container = getParen tContainer ();
	117	parent ContainerR ealm = par entContain er == null ? null : parentCont ainer.getR ealm();
	118	}
	119
	120	retu rn parentC ontainerRe alm;
	121	}
	122
	123
	124	/* (non-Java doc)
	125	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteAbbrevi ation()
	126	* /
	127	@O verride
	128	pu blic Strin g getSiteA bbreviatio n()
	129	{
	130	// i f the site abbreviat ion has no t been set , attempt to get it from the p arent Vist aAccessVer ifyRealm
	131	if(s uper.getSi teAbbrevia tion() == null)
	132	{
	133	logger .debug("Re alm site a bbreviatio n is null, attemptin g to set f rom parent ");
	134	Realm parentReal m = getPar entContain erRealm();
	135	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	136	{
	137	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	138	logger.d ebug("Sett ing site a bbreviatio n from par ent VistaA ccessVerif yRealm to [" + acces sVerifyRea lm.getSite Abbreviati on() + "]" );
	139	this.set SiteAbbrev iation(acc essVerifyR ealm.getSi teAbbrevia tion());
	140	}
	141	}
	142	retu rn super.g etSiteAbbr eviation() ;
	143	}
	144
	145	/* (non-Java doc)
	146	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteName()
	147	* /
	148	@O verride
	149	pu blic Strin g getSiteN ame()
	150	{
	151	// i f the site name has not been s et, attemp t to get i t from the parent Vi staAccessV erifyRealm
	152	if(s uper.getSi teName() = = null)
	153	{
	154	logger .debug("Re alm site n ame is nul l, attempt ing to set from pare nt");
	155	Realm parentReal m = getPar entContain erRealm();
	156	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	157	{
	158	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	159	logger.d ebug("Sett ing site n ame from p arent Vist aAccessVer ifyRealm t o [" + acc essVerifyR ealm.getSi teName() + "]");
	160	this.set SiteName(a ccessVerif yRealm.get SiteName() );
	161	}
	162	}
	163	retu rn super.g etSiteName ();
	164	}
	165
	166	/* (non-Java doc)
	167	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteNumber( )
	168	* /
	169	@O verride
	170	pu blic Strin g getSiteN umber()
	171	{
	172	// i f the site number ha s not been set, atte mpt to get it from t he parent VistaAcces sVerifyRea lm
	173	if(s uper.getSi teNumber() == null)
	174	{
	175	logger .debug("Re alm site n umber is n ull, attem pting to s et from pa rent");
	176	Realm parentReal m = getPar entContain erRealm();
	177	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	178	{
	179	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	180	logger.d ebug("Sett ing site n umber from parent Vi staAccessV erifyRealm to [" + a ccessVerif yRealm.get SiteNumber () + "]");
	181	this.set SiteNumber (accessVer ifyRealm.g etSiteNumb er());
	182	}
	183	}
	184	retu rn super.g etSiteNumb er();
	185	}
	186
	187	/* (non-Java doc)
	188	* @see org. apache.cat alina.Real m#isAvaila ble()
	189	*/
	190	@O verride
	191	pu blic boole an isAvail able()
	192	{
	193	retu rn false;
	194	}
	195
	196	@O verride
	197	protec ted Logger getLogger ()
	198	{
	199	return l ogger;
	200	}
	201
	202
	203	/* (non-Java doc)
	204	* @see org. apache.cat alina.Real m#getRoles (java.secu rity.Princ ipal)
	205	* /
	206	@O verride
	207	pu blic Strin g[] getRol es(Princip al princip al)
	208	{
	209	retu rn null; / /getParent ContainerR ealm() == null ? nul l : getPar entContain erRealm(). getRoles(p rincipal);
	210	}
	211
	212
	213	/* (non-Java doc)
	214	* @see org. apache.cat alina.Life cycle#getS tateName()
	215	*/
	216	@O verride
	217	pu blic Strin g getState Name()
	218	{
	219	retu rn null; / /getParent ContainerR ealm() == null ? nul l : getPar entContain erRealm(). getStateNa me();
	220	}
	221
	222	/* (non-Java doc)
	223	* @see org. apache.cat alina.Life cycle#getS tate()
	224	*/
	225	@O verride
	226	pu blic Lifec ycleState getState()
	227	{
	228	retu rn null; / /getParent ContainerR ealm() == null ? nul l : getPar entContain erRealm(). getState() ;
	229	}
	230
	231	/* (non-Java doc)
	232	* @see org. apache.Lif ecycle.des troy()
	233	*/
	234	@O verride
	235	pu blic void destroy()
	236	{
	237	}
	238
	239	/* (non-Java doc)
	240	* @see org. apache.Lif ecycle.ini t()
	241	*/
	242	@O verride
	243	pu blic void init()
	244	{
	245	}
	246
	247
	248	/* *
	249	* Is the re alm initia lized (i.e . capable of authent icating/au thorizing
	250	* users).
	251	*
	252	* @return
	253	* /
	254	pu blic boole an isIniti alized()
	255	{
	256	bool ean result = true;
	257	Cont ainer cont ainer = th is.getCont ainer();
	258	Stri ng contain erName = c ontainer = = null ? n ull : cont ainer.getN ame();
	259
	260	if ( getSiteAbb reviation( ) == null)
	261	{
	262	logger .warn("Vis taRealm[" + containe rName + "] - site ab breviation is not se t and must be before authentic ation will succeed." );
	263	result = false;
	264	}
	265	if ( getSiteNam e() == nul l)
	266	{
	267	logger .warn("Vis taRealm[" + containe rName + "] - site na me is not set and mu st be befo re authent ication wi ll succeed .");
	268	result = false;
	269	}
	270	if ( getSiteNum ber() == n ull)
	271	{
	272	logger .warn("Vis taRealm[" + containe rName + "] - site nu mber is no t set and must be be fore authe ntication will succe ed.");
	273	result = false;
	274	}
	275
	276	retu rn result;
	277	}
	278
	279	/*
	280	/*
	281	* ========= ========== ========== ========== ========== ========== ========== ========== =======
	282	* Authentic ation Meth ods
	283	* ========= ========== ========== ========== ========== ========== ========== ========== =======
	284	* /
	285
	286	/* *
	287	* Return th e Principa l associat ed with th e specifie d username and
	288	* credentia ls, if the re is one; otherwise return <c ode>null</ code>.
	289	*
	290	* @param us ername
	291	* Username of the Pr incipal to look up, A valid Vi staImaging
	292	* access c ode
	293	* @param cr edentials
	294	* Password or other credential s to use i n authenti cating thi s
	295	* username , The veri fy code ma tching the given acc ess code
	296	* /
	297	pu blic Princ ipal authe nticate(St ring usern ame, Strin g password )
	298	{
	299	logg er.info("a uthenticat e (" + use rname + ", password) ");
	300	retu rn null;
	301	}
	302
	303	/* *
	304	* Return th e Principa l associat ed with th e specifie d username and
	305	* credentia ls, if the re is one; otherwise return <c ode>null</ code>.
	306	*
	307	* @param us ername
	308	* Username of the Pr incipal to look up
	309	* @param cr edentials
	310	* Password or other credential s to use i n authenti cating thi s
	311	* username
	312	* /
	313	pu blic Princ ipal authe nticate(St ring usern ame, byte[ ] credenti als)
	314	{
	315	logg er.info("a uthenticat e (" + use rname + ", byte[])") ;
	316	retu rn null;
	317	}
	318
	319	/* (non-Java doc)
	320	* @see org. apache.cat alina.Real m#authenti cate(org.i etf.jgss.G SSContext; , java.lan g.String)
	321	* /
	322	pu blic Princ ipal authe nticate(GS SContext g ssContext, boolean s toreCreds)
	323	{
	324	retu rn null;
	325	}
	326
	327	/* (non-Java doc)
	328	* @see org. apache.cat alina.Real m#authenti cate(java. lang.Strin g)
	329	* /
	330	pu blic Princ ipal authe nticate(St ring uid)
	331	{
	332	retu rn null;
	333	}
	334
	335
	336	/* *
	337	* Return th e Principa l associat ed with th e specifie d username , which
	338	* matches t he digest calculated using the given par ameters us ing the me thod
	339	* described in RFC 20 69; otherw ise return <code>nul l</code>.
	340	*
	341	* @param us ername
	342	* Username of the Pr incipal to look up
	343	* @param di gest
	344	* Digest w hich has b een submit ted by the client
	345	* @param no nce
	346	* Unique ( or suppose dly unique ) token wh ich has be en used fo r
	347	* this req uest
	348	* @param re alm
	349	* Realm na me
	350	* @param md 5a2
	351	* Second M D5 digest used to ca lculate th e digest : MD5(Metho d +
	352	* ":" + ur i)
	353	* /
	354	pu blic Princ ipal authe nticate(St ring usern ame, Strin g clientDi gest, Stri ng nOnce, String nc, String cn once, Stri ng qop, St ring realm ,
	355	Stri ng md5a2)
	356	{
	357	logg er.info("a uthenticat e (" + use rname + ", digest)") ;
	358	retu rn null;
	359	}
	360
	361	/* *
	362	* Return th e Principa l associat ed with th e specifie d chain of X509 clie nt
	363	* certifica tes. If th ere is non e, return <code>null </code>.
	364	*
	365	* For this method to be called the client must have presented an X509
	366	* certifica te, which has been s igned by a trusted C ertificate Authority . At
	367	* this poin t, all we need to do is get th e user nam e from the certifica te
	368	* and assig n the role .
	369	*
	370	* @param ce rts
	371	* Array of client ce rtificates , with the first one in the ar ray
	372	* being th e certific ate of the client it self.
	373	* /
	374	pu blic Princ ipal authe nticate(X5 09Certific ate certs[ ])
	375	{
	376	logg er.debug(" Authentica ting using X509 cert ificate.") ;
	377	Vist aRealmPrin cipal prin cipal = nu ll;
	378	List <java.secu rity.cert. X509Certif icate> cer tsList = n ew ArrayLi st<java.se curity.cer t.X509Cert ificate>() ;
	379	bool ean posses sesTrusted Certificat e = false;
	380	Stri ng name = null;
	381
	382	// c heck all o f the cert ificates, if one is valid then that beco mes the
	383	// s ource for the Princi pal inform ation
	384	for (X509Certi ficate cer t : certs)
	385	{
	386	logger .debug("X5 09Certific ate subjec t '" + cer t.getSubje ctDN().get Name() + " .");
	387	certsL ist.add(ce rt); // bu ild the li st that wi ll populat e the
	388	// Pri ncipal
	389	// we may not us e this lis t but buil ding it no w
	390	// avo ids a seco nd iterato r
	391	try
	392	{
	393	// the v alidity ch eck will t hrow an ex ception if it is inv alid
	394	cert.che ckValidity ();
	395	name = ( name == nu ll ? cert. getSubject DN().getNa me() : nam e);
	396	possesse sTrustedCe rtificate = true;
	397	logger.d ebug("X509 Certificat e is valid .");
	398	}
	399	catch (Certifica teExpiredE xception e )
	400	{
	401	logger.w arn("Authe ntication by certifi cate of " + cert.get SubjectX50 0Principal ().getName () + " fai led due to "
	402	+ e.getMes sage());
	403	}
	404	catch (Certifica teNotYetVa lidExcepti on e)
	405	{
	406	logger.w arn("Authe ntication by certifi cate of " + cert.get SubjectX50 0Principal ().getName () + " fai led due to "
	407	+ e.getMes sage());
	408	}
	409	}
	410
	411	// p ossessesTr ustedCerti ficate wil l be false unless at least one certifica te is vali d
	412	if ( possessesT rustedCert ificate)
	413	{
	414	logger .debug("Us er '" + na me + "' ha s been aut henticated by X509Ce rtificate. ");
	415	List<S tring> rol es = new A rrayList<S tring>();
	416	roles. add(VistaR ealmRoles. PeerVixsRo le.getRole Name());
	417	princi pal = new VistaRealm Principal( getRealmNa me(), name , certsLis t, roles, null);
	418	princi pal.setPre emptiveAut horization (this);
	419	VistaR ealmSecuri tyContext. set(princi pal);
	420	}
	421
	422	retu rn princip al;
	423	}
	424
	425	/* (non-Java doc)
	426	* @see org. apache.cat alina.Real m#setCrede ntialHandl er(org.apa che.catali na.Credent ialHandler )
	427	*/
	428	@O verride
	429	pu blic void setCredent ialHandler (Credentia lHandler c redentialH andler)
	430	{
	431	if ( getParentC ontainerRe alm() != n ull)
	432	getPar entContain erRealm(). setCredent ialHandler (credentia lHandler);
	433	}
	434
	435	/* (non-Java doc)
	436	* @see org. apache.cat alina.Real m#getCrede ntialHandl er()
	437	*/
	438	@O verride
	439	pu blic Crede ntialHandl er getCred entialHand ler()
	440	{
	441	retu rn getPare ntContaine rRealm() = = null ? n ull : getP arentConta inerRealm( ).getCrede ntialHandl er();
	442	}
	443
	444
	445
	446	/* *
	447	// ========= ========== ========== ========== ========== ========== ========== ========== =========
	448	// MBean Reg istration Stuff
	449	// ========= ========== ========== ========== ========== ========== ========== ========== =========
	450	/* *
	451	* Self-regi ster with the MBeanS erver. Onc e this met hod runs o nce, it wi ll
	452	* not re-re gister, ju st return immediatel y.
	453	*
	454	* /
	455
	456	/*
	457	pr ivate Obje ctName reg isteredIns tanceName = null;
	458
	459	pr otected vo id mBeanRe gistration ()
	460	{
	461	// i f we're al ready regi stered the n just ret urn
	462	if ( registered InstanceNa me != null )
	463	return ;
	464
	465	// r egister th e manageme nt interfa ce if the MBeanServe r exists
	466	// n ote that t he regions are creat ed by the FileSystem Cache, whi ch is
	467	// r eponsible
	468	// f or registe ring their managemen t MBeans
	469	MBea nServer mb s = Manage mentFactor y.getPlatf ormMBeanSe rver();
	470	if ( mbs != nul l)
	471	{
	472	try
	473	{
	474	ObjectIn stance oi = mbs.regi sterMBean( this, null );
	475	register edInstance Name = oi. getObjectN ame();
	476	} catc h (Instanc eAlreadyEx istsExcept ion e)
	477	{
	478	logger.e rror(e);
	479	} catc h (MBeanRe gistration Exception e)
	480	{
	481	logger.e rror(e);
	482	} catc h (NotComp liantMBean Exception e)
	483	{
	484	logger.e rror(e);
	485	}
	486	}
	487	}
	488
	489	pr otected vo id mBeanUn Registrati on()
	490	{
	491	MBea nServer mb s = Manage mentFactor y.getPlatf ormMBeanSe rver();
	492	if ( mbs != nul l && regis teredInsta nceName != null)
	493	{
	494	try
	495	{
	496	mbs.unre gisterMBea n(register edInstance Name);
	497	register edInstance Name = nul l;
	498	} catc h (Instanc eNotFoundE xception x )
	499	{
	500	logger.e rror(x);
	501	} catc h (MBeanRe gistration Exception x)
	502	{
	503	logger.e rror(x);
	504	}
	505	}
	506	}
	507	*/
	508	}
	509
	510