305. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 12/5/2017 12:06:46 PM Central Standard Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

305.1 Files compared

#	Location	File	Last Modified
1	IV-eHMP_CIF.zip\IMAG_Source\VISA\Java\ImagingVistaRealm\main\src\java\gov\va\med\imaging\tomcat\vistarealm	CertificateRealm.java	Mon Dec 4 21:35:12 2017 UTC
2	IV-eHMP_CIF.zip\IMAG_Source\VISA\Java\ImagingVistaRealm\main\src\java\gov\va\med\imaging\tomcat\vistarealm	CertificateRealm.java	Mon Dec 4 22:03:42 2017 UTC

305.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	1056
Changed	1	2
Inserted	0	0
Removed	0	0

305.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

305.4 Active regular expressions

No regular expressions were active.

305.5 Comparison detail

	1	package go v.va.med.i maging.tom cat.vistar ealm;
	2
	3	import jav a.security .Principal ;
	4	import jav a.security .cert.Cert ificateExp iredExcept ion;
	5	import jav a.security .cert.Cert ificateNot YetValidEx ception;
	6	import jav a.security .cert.X509 Certificat e;
	7	import jav a.util.Arr ayList;
	8	import jav a.util.Lis t;
	9
	10	import org .apache.ca talina.Lif ecycleStat e;
	11	import org .apache.ca talina.Cre dentialHan dler;
	12	import org .apache.ca talina.Con tainer;
	13	import org .apache.ca talina.Rea lm;
	14	import org .apache.lo gging.log4 j.LogManag er;
	15	import org .apache.lo gging.log4 j.Logger;
	16	import org .ietf.jgss .GSSContex t;
	17
	18
	19	/**
	20	* This cl ass implem ents a Tom cat Realm that accep ts only X. 509 certif icates.
	21	* Otherwi se it is s imilar to the VistaR ealm in th at the cre ated Princ ipal
	22	* instanc es are Vis taRealmPri ncipal and compatibl e with the Transacti onContext
	23	* mechani sm in VIX.
	24	*
	25	* This re alm implem entation i s intended to be use d when a s ervice acc ount is
	26	* availab le for the local Vis tA install ation.
	27	*
	28	* This Re alm will N OT delegat e authenti cation to its contai ner parent realm lik e
	29	* VistaRe alm does.
	30	*
	31	* Portion s of this code and t he comment s are copi ed verbati m from
	32	* Tomcat/ Catalina s ource.
	33	*
	34	* A quick discussio n of Realm calling s equence in Tomcat (o r at least how I
	35	* think t hey work). -startup- 1.) const ructor() 2 .) setCont ainer() 3. )
	36	* MBeanRe gistration .preRegist er() 4.) M BeanRegist ration.pos tRegister( ) 5.)
	37	* Lifecyc le.start() 6.) backg roundProce ss() runs periodical ly from he re to
	38	* Lifecyc le.stop()
	39	*
	40	* -on cli ent call- 1.) findSe curityCons traints() - determin es if the web.xml
	41	* file ha s defined security-c onstraint elements f or the res ource shou ld return
	42	* an arra y of appli cable cons traints (i n descendi ng order o f specific ity) 2.)
	43	* hasUser DataPermis sion() - t o check th e web.xml specified requiremen ts for
	44	* data in tegrity an d security in transm ission 3.) authentic ate() - de pending on
	45	* the pre sented cre dentials, may call o ne of the four authe nticate me thods if
	46	* the use r exists, should ret urn a Prin cipal real ization 4. )
	47	* hasReso urcePermis sion() - d etermines if the aut henticated user has permission
	48	* to the specific r esource na med - on s erver stop - 1.) Lif ecycle.sto p()
	49	*
	50	* Initial ization Se quence:
	51	*
	52	* ======= ========== ========== ========== ========== ========== ========== ======
	53	* server. xml Realm element ex ample with just requ ired prope rties spec ified
	54	* <Realm
	55	* classNa me="gov.va .med.imagi ng.tomcat. vistarealm .Certifica teRealm"
	56	* siteNum ber = "660 "
	57	* siteAbb reviation = "SLC"
	58	* siteNam e = "Salt Lake City, UT"
	59	* service AccountUID ="userId"
	60	* service AccountPWD ="password "
	61	* />
	62	*
	63	* ======= ========== ========== ========== ========== ========== ========== ======
	64	* server. xml Realm element ex ample with all prope rties spec ified
	65	* <Realm
	66	* classNa me="gov.va .med.imagi ng.tomcat. vistarealm .Certifica teRealm"
	67	* siteNum ber="660"
	68	* siteAbb reviation= "SLC"
	69	* siteNam e="Salt La ke City, U T"
	70	* usingPr incipalCac he="true"
	71	* princip alCacheLif espan="600 00"
	72	* refresh PrincipalC acheEntryO nUse="true "
	73	* vistaCo nnectDelay Kludge="10 00"
	74	* service AccountUID ="userId"
	75	* service AccountPWD ="password "
	76	* />
	77	*
	78	* @author BECKEC
	79	*
	80	*/
	81	public cla ss Certifi cateRealm
	82	extends Ab stractVist aRealmImpl
	83	implements Realm, or g.apache.c atalina.Li fecycle, A bstractVis taRealm, C ertificate RealmMBean
	84	{
	85	// Known Rol es are now defined i n the Vist aRealmRole s Enum in the
	86	// VistaReal mClient pr oject.
	87	// Partially this was for a code cleanup, and partia lly to mak e them
	88	// available
	89	// outside o f the real m itself.
	90
	91	pr ivate Logg er logger = LogManag er.getLogg er(this.ge tClass());
	92
	93	pr ivate Cont ainer pare ntContaine r;
	94	pr ivate Real m parentCo ntainerRea lm;
	95
	96	pr ivate Stri ng service AccountUID ;
	97	pr ivate Stri ng service AccountPWD ;
	98	pr ivate List <VistaReal mRoles> se rviceAccou ntRoles;
	99	pr ivate Cred entialHand ler creden tialHandle r;
	100
	101
	102	/* *
	103	*
	104	* /
	105	pu blic Certi ficateReal m()
	106	{
	107	logg er.info(Ce rtificateR ealm.class .getCanoni calName() + " ctor() ");
	108	}
	109
	110	pu blic synch ronized Co ntainer ge tParentCon tainer()
	111	{
	112	if(p arentConta iner == nu ll)
	113	parent Container = getConta iner() == null ? nul l : getCon tainer().g etParent() ;
	114
	115	retu rn parentC ontainer;
	116	}
	117
	118	pu blic synch ronized Re alm getPar entContain erRealm()
	119	{
	120	if(p arentConta inerRealm == null)
	121	{
	122	Contai ner parent Container = getParen tContainer ();
	123	parent ContainerR ealm = par entContain er == null ? null : parentCont ainer.getR ealm();
	124	}
	125
	126	retu rn parentC ontainerRe alm;
	127	}
	128
	129
	130	/* (non-Java doc)
	131	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteAbbrevi ation()
	132	* /
	133	@O verride
	134	pu blic Strin g getSiteA bbreviatio n()
	135	{
	136	// i f the site abbreviat ion has no t been set , attempt to get it from the p arent Vist aAccessVer ifyRealm
	137	if(s uper.getSi teAbbrevia tion() == null)
	138	{
	139	logger .debug("Re alm site a bbreviatio n is null, attemptin g to set f rom parent ");
	140	Realm parentReal m = getPar entContain erRealm();
	141	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	142	{
	143	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	144	logger.d ebug("Sett ing site a bbreviatio n from par ent VistaA ccessVerif yRealm to [" + acces sVerifyRea lm.getSite Abbreviati on() + "]" );
	145	this.set SiteAbbrev iation(acc essVerifyR ealm.getSi teAbbrevia tion());
	146	}
	147	}
	148	retu rn super.g etSiteAbbr eviation() ;
	149	}
	150
	151	/* (non-Java doc)
	152	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteName()
	153	* /
	154	@O verride
	155	pu blic Strin g getSiteN ame()
	156	{
	157	// i f the site name has not been s et, attemp t to get i t from the parent Vi staAccessV erifyRealm
	158	if(s uper.getSi teName() = = null)
	159	{
	160	logger .debug("Re alm site n ame is nul l, attempt ing to set from pare nt");
	161	Realm parentReal m = getPar entContain erRealm();
	162	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	163	{
	164	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	165	logger.d ebug("Sett ing site n ame from p arent Vist aAccessVer ifyRealm t o [" + acc essVerifyR ealm.getSi teName() + "]");
	166	this.set SiteName(a ccessVerif yRealm.get SiteName() );
	167	}
	168	}
	169	retu rn super.g etSiteName ();
	170	}
	171
	172	/* (non-Java doc)
	173	* @see gov. va.med.ima ging.tomca t.vistarea lm.Abstrac tVistaReal mImpl#getS iteNumber( )
	174	* /
	175	@O verride
	176	pu blic Strin g getSiteN umber()
	177	{
	178	// i f the site number ha s not been set, atte mpt to get it from t he parent VistaAcces sVerifyRea lm
	179	if(s uper.getSi teNumber() == null)
	180	{
	181	logger .debug("Re alm site n umber is n ull, attem pting to s et from pa rent");
	182	Realm parentReal m = getPar entContain erRealm();
	183	if(par entRealm i nstanceof gov.va.med .imaging.t omcat.vist arealm.Vis taAccessVe rifyRealm)
	184	{
	185	gov.va.m ed.imaging .tomcat.vi starealm.V istaAccess VerifyReal m accessVe rifyRealm = (gov.va. med.imagin g.tomcat.v istarealm. VistaAcces sVerifyRea lm)parentR ealm;
	186	logger.d ebug("Sett ing site n umber from parent Vi staAccessV erifyRealm to [" + a ccessVerif yRealm.get SiteNumber () + "]");
	187	this.set SiteNumber (accessVer ifyRealm.g etSiteNumb er());
	188	}
	189	}
	190	retu rn super.g etSiteNumb er();
	191	}
	192
	193	pu blic Strin g getServi ceAccountU ID()
	194	{
	195	retu rn this.se rviceAccou ntUID;
	196	}
	197
	198	pu blic void setService AccountUID (String se rviceAccou ntUID)
	199	{
	200	this .serviceAc countUID = serviceAc countUID;
	201	}
	202
	203	pu blic Strin g getServi ceAccountP WD()
	204	{
	205	retu rn this.se rviceAccou ntPWD;
	206	}
	207
	208	pu blic void setService AccountPWD (String se rviceAccou ntPWD)
	209	{
	210	this .serviceAc countPWD = serviceAc countPWD;
	211	}
	212
	213	/* *
	214	* ServiceAc countRoles are store d as a lis t of enume rations, b ut externa lly they
	215	* are set/g et as a co mma delimi ted String .
	216	* @return
	217	* /
	218	pu blic Strin g getServi ceAccountR oles()
	219	{
	220	if(t his.servic eAccountRo les == nul l)
	221	return null;
	222	Stri ngBuilder sb = new S tringBuild er();
	223	for( VistaRealm Roles role : this.se rviceAccou ntRoles)
	224	{
	225	if(sb. length() > 0)
	226	sb.appen d(',');
	227	sb.app end(role.t oString()) ;
	228	}
	229
	230	retu rn sb.toSt ring();
	231	}
	232
	233	pu blic List< String> ge tServiceAc countRoles Names()
	234	{
	235	if(t his.servic eAccountRo les == nul l)
	236	return null;
	237	List <String> r oleNames = new Array List<Strin g>(service AccountRol es.size()) ;
	238	for( VistaRealm Roles role : this.se rviceAccou ntRoles)
	239	roleNa mes.add(ro le.getRole Name());
	240	retu rn roleNam es;
	241	}
	242
	243	pu blic void setService AccountRol es(String serviceAcc ountRoles)
	244	{
	245	if(s erviceAcco untRoles = = null)
	246	return ;
	247	Stri ng[] servi ceAccountR oleNames = serviceAc countRoles .split("," );
	248	this .serviceAc countRoles = new Arr ayList<Vis taRealmRol es>(servic eAccountRo leNames.le ngth);
	249	for( String ser viceAccoun tRoleName : serviceA ccountRole Names)
	250	{
	251	VistaR ealmRoles role = Vis taRealmRol es.getRole ByName(ser viceAccoun tRoleName) ;
	252	if(rol e == null)
	253	logger.e rror("Unkn own role n ame '" + s erviceAcco untRoleNam e + "' con figured in Certifica teRealm.") ;
	254	else
	255	this.ser viceAccoun tRoles.add (role);
	256	}
	257	}
	258
	259	@O verride
	260	protec ted Logger getLogger ()
	261	{
	262	return l ogger;
	263	}
	264
	265	/* *
	266	* Is the re alm initia lized (i.e . capable of authent icating/au thorizing
	267	* users).
	268	*
	269	* @return
	270	* /
	271	pu blic boole an isIniti alized()
	272	{
	273	bool ean result = true;
	274	Cont ainer cont ainer = th is.getCont ainer();
	275	Stri ng contain erName = c ontainer = = null ? n ull : cont ainer.getN ame();
	276
	277	if ( getSiteAbb reviation( ) == null)
	278	{
	279	logger .warn("Vis taRealm[" + containe rName + "] - site ab breviation is not se t and must be before authentic ation will succeed." );
	280	result = false;
	281	}
	282	if ( getSiteNam e() == nul l)
	283	{
	284	logger .warn("Vis taRealm[" + containe rName + "] - site na me is not set and mu st be befo re authent ication wi ll succeed .");
	285	result = false;
	286	}
	287	if ( getSiteNum ber() == n ull)
	288	{
	289	logger .warn("Vis taRealm[" + containe rName + "] - site nu mber is no t set and must be be fore authe ntication will succe ed.");
	290	result = false;
	291	}
	292	if ( getService AccountUID () == null )
	293	{
	294	logger .warn("Vis taRealm[" + containe rName + "] - service account U ID is not set and mu st be befo re authent ication wi ll succeed .");
	295	result = false;
	296	}
	297	if ( getService AccountPWD () == null )
	298	{
	299	logger .warn("Vis taRealm[" + containe rName + "] - service account P WD is not set and mu st be befo re authent ication wi ll succeed .");
	300	result = false;
	301	}
	302	if ( getService AccountRol esNames() == null)
	303	{
	304	logger .warn("Vis taRealm[" + containe rName + "] - service account r ole names is not set and must be before authentica tion will succeed.") ;
	305	result = false;
	306	}
	307
	308	retu rn result;
	309	}
	310
	311	/*
	312	/*
	313	* ========= ========== ========== ========== ========== ========== ========== ========== =======
	314	* Authentic ation Meth ods
	315	* ========= ========== ========== ========== ========== ========== ========== ========== =======
	316	* /
	317
	318	/* *
	319	* Return th e Principa l associat ed with th e specifie d username and
	320	* credentia ls, if the re is one; otherwise return <c ode>null</ code>.
	321	*
	322	* @param us ername
	323	* Username of the Pr incipal to look up, A valid Vi staImaging
	324	* access c ode
	325	* @param cr edentials
	326	* Password or other credential s to use i n authenti cating thi s
	327	* username , The veri fy code ma tching the given acc ess code
	328	* /
	329	pu blic Princ ipal authe nticate(St ring usern ame, Strin g password )
	330	{
	331	logg er.info("a uthenticat e (" + use rname + ", password) ");
	332	retu rn null;
	333	}
	334
	335	/* *
	336	* Return th e Principa l associat ed with th e specifie d username and
	337	* credentia ls, if the re is one; otherwise return <c ode>null</ code>.
	338	*
	339	* @param us ername
	340	* Username of the Pr incipal to look up
	341	* @param cr edentials
	342	* Password or other credential s to use i n authenti cating thi s
	343	* username
	344	* /
	345	pu blic Princ ipal authe nticate(St ring usern ame, byte[ ] credenti als)
	346	{
	347	logg er.info("a uthenticat e (" + use rname + ", byte[])") ;
	348	retu rn null;
	349	}
	350
	351	/* (non-Java doc)
	352	* @see org. apache.cat alina.Real m#authenti cate(java. lang.Strin g)
	353	* /
	354	@O verride
	355	pu blic Princ ipal authe nticate(St ring uid)
	356	{
	357	retu rn null;
	358	}
	359
	360	/* (non-Java doc)
	361	* @see org. apache.cat alina.Real m#authenti cate(org.i etf.jgss.G SSContext; , java.lan g.String)
	362	* /
	363	@O verride
	364	pu blic Princ ipal authe nticate(GS SContext g ssContext, boolean s toreCreds)
	365	{
	366	retu rn null;
	367	}
	368
	369
	370	/* *
	371	* Return th e Principa l associat ed with th e specifie d username , which
	372	* matches t he digest calculated using the given par ameters us ing the me thod
	373	* described in RFC 20 69; otherw ise return <code>nul l</code>.
	374	*
	375	* @param us ername
	376	* Username of the Pr incipal to look up
	377	* @param di gest
	378	* Digest w hich has b een submit ted by the client
	379	* @param no nce
	380	* Unique ( or suppose dly unique ) token wh ich has be en used fo r
	381	* this req uest
	382	* @param re alm
	383	* Realm na me
	384	* @param md 5a2
	385	* Second M D5 digest used to ca lculate th e digest : MD5(Metho d +
	386	* ":" + ur i)
	387	* /
	388	pu blic Princ ipal authe nticate(St ring usern ame, Strin g clientDi gest, Stri ng nOnce, String nc, String cn once, Stri ng qop, St ring realm ,
	389	Stri ng md5a2)
	390	{
	391	logg er.info("a uthenticat e (" + use rname + ", digest)") ;
	392	retu rn null;
	393	}
	394
	395	/* *
	396	* Return th e Principa l associat ed with th e specifie d chain of X509 clie nt
	397	* certifica tes. If th ere is non e, return <code>null </code>.
	398	*
	399	* For this method to be called the client must have presented an X509
	400	* certifica te, which has been s igned by a trusted C ertificate Authority . At
	401	* this poin t, all we need to do is get th e user nam e from the certifica te
	402	* and assig n the role .
	403	*
	404	* @param ce rts
	405	* Array of client ce rtificates , with the first one in the ar ray
	406	* being th e certific ate of the client it self.
	407	* /
	408	pu blic Princ ipal authe nticate(X5 09Certific ate certs[ ])
	409	{
	410	logg er.debug(" Authentica ting using X509 cert ificate.") ;
	411	Vist aRealmPrin cipal prin cipal = nu ll;
	412	List <java.secu rity.cert. X509Certif icate> cer tsList = n ew ArrayLi st<java.se curity.cer t.X509Cert ificate>() ;
	413	bool ean posses sesTrusted Certificat e = false;
	414	Stri ng certifi cateDistin guishedNam e = null;
	415
	416	// c heck all o f the cert ificates, if one is valid then that beco mes the
	417	// s ource for the Princi pal inform ation
	418	for (X509Certi ficate cer t : certs)
	419	{
	420	logger .debug("X5 09Certific ate subjec t '" + cer t.getSubje ctDN().get Name() + " .");
	421	certsL ist.add(ce rt); // bu ild the li st that wi ll populat e the
	422	// Pri ncipal
	423	// we may not us e this lis t but buil ding it no w
	424	// avo ids a seco nd iterato r
	425	try
	426	{
	427	// the v alidity ch eck will t hrow an ex ception if it is inv alid
	428	cert.che ckValidity ();
	429	certific ateDisting uishedName = cert.ge tSubjectX5 00Principa l().getNam e();
	430	possesse sTrustedCe rtificate = true;
	431	logger.d ebug("X509 Certificat e is valid .");
	432	}
	433	catch (Certifica teExpiredE xception e )
	434	{
	435	logger.w arn("Authe ntication by certifi cate of " + cert.get SubjectX50 0Principal ().getName () + " fai led due to "
	436	+ e.getMes sage());
	437	}
	438	catch (Certifica teNotYetVa lidExcepti on e)
	439	{
	440	logger.w arn("Authe ntication by certifi cate of " + cert.get SubjectX50 0Principal ().getName () + " fai led due to "
	441	+ e.getMes sage());
	442	}
	443	}
	444
	445	// p ossessesTr ustedCerti ficate wil l be false unless at least one certifica te is vali d
	446	if ( possessesT rustedCert ificate)
	447	{
	448	logger .debug("Us er '" + ce rtificateD istinguish edName + " ' has been authentic ated by X5 09Certific ate.");
	449	princi pal = new VistaRealm Principal( getRealmNa me(), getS erviceAcco untUID(), getService AccountPWD (), certsL ist, getSe rviceAccou ntRolesNam es(), null );
	450	princi pal.setPre emptiveAut horization (this);
	451	VistaR ealmSecuri tyContext. set(princi pal);
	452	getLog ger().info ("VistaRea lmSecurity Context se t on threa d (" + Thr ead.curren tThread(). getName() + ")");
	453	}
	454
	455	retu rn princip al;
	456	}
	457
	458
	459	/* (non-Java doc)
	460	* @see org. apache.cat alina.Real m#isAvaila ble()
	461	*/
	462	pu blic boole an isAvail able()
	463	{
	464	retu rn true;
	465	}
	466
	467	/* (non-Java doc)
	468	* @see org. apache.cat alina.Real m#getRoles (java.secu rity.Princ ipal)
	469	* /
	470	pu blic Strin g[] getRol es(Princip al princip al)
	471	{
	472	retu rn null;
	473	}
	474
	475	/* (non-Java doc)
	476	* @see org. apache.cat alina.Real m#setCrede ntialHandl er(org.apa che.catali na.Credent ialHandler )
	477	*/
	478	@O verride
	479	pu blic void setCredent ialHandler (Credentia lHandler c redentialH andler)
	480	{
	481	this .credentia lHandler = credentia lHandler;
	482	}
	483
	484	/* (non-Java doc)
	485	* @see org. apache.cat alina.Real m#getCrede ntialHandl er()
	486	*/
	487	@O verride
	488	pu blic Crede ntialHandl er getCred entialHand ler()
	489	{
	490	retu rn credent ialHandler ;
	491	}
	492
	493	/* (non-Java doc)
	494	* @see org. apache.cat alina.Life cycle#getS tateName()
	495	*/
	496	@O verride
	497	pu blic Strin g getState Name()
	498	{
	499	retu rn null; / /getParent ContainerR ealm() == null ? nul l : getPar entContain erRealm(). getStateNa me();
	500	}
	501
	502	/* (non-Java doc)
	503	* @see org. apache.cat alina.Life cycle#getS tate()
	504	*/
	505	@O verride
	506	pu blic Lifec ycleState getState()
	507	{
	508	retu rn null; / /getParent ContainerR ealm() == null ? nul l : getPar entContain erRealm(). getState() ;
	509	}
	510
	511	/* (non-Java doc)
	512	* @see org. apache.Lif ecycle.des troy()
	513	*/
	514	@O verride
	515	pu blic void destroy()
	516	{
	517	}
	518
	519	/* (non-Java doc)
	520	* @see org. apache.Lif ecycle.ini t()
	521	*/
	522	@O verride
	523	pu blic void init()
	524	{
	525	}
	526
	527	}
	528
	529