diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
index edca5ac955..2b7953b8cb 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
@@ -92,7 +92,9 @@
javax.servlet.http,
javax.xml,
org.apache.axis2.transport.http,
- org.wso2.carbon.apimgt.impl
+ org.wso2.carbon.apimgt.impl,
+ org.wso2.carbon.certificate.mgt.core.service,
+ org.wso2.carbon.certificate.mgt.core.exception
@@ -146,6 +148,10 @@
org.wso2.orbit.com.nimbusds
nimbus-jose-jwt
+
+ org.wso2.carbon.devicemgt
+ org.wso2.carbon.certificate.mgt.core
+
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java
index 12be00a570..2ad358341d 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java
@@ -18,12 +18,14 @@
*/
package org.wso2.carbon.webapp.authenticator.framework;
+import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.user.core.service.RealmService;
public class DataHolder {
private WebappAuthenticatorRepository repository;
private RealmService realmService;
+ private CertificateManagementService certificateManagementService;
private DataHolder() {}
@@ -48,4 +50,12 @@ public class DataHolder {
public void setRealmService(RealmService realmService) {
this.realmService = realmService;
}
+
+ public CertificateManagementService getCertificateManagementService() {
+ return certificateManagementService;
+ }
+
+ public void setCertificateManagementService(CertificateManagementService certificateManagementService) {
+ this.certificateManagementService = certificateManagementService;
+ }
}
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
new file mode 100644
index 0000000000..6916e21a34
--- /dev/null
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
@@ -0,0 +1,78 @@
+package org.wso2.carbon.webapp.authenticator.framework.authenticator;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
+
+/**
+ * This authenticator authenticates HTTP requests using certificates.
+ */
+public class CertificateAuthenticator implements WebappAuthenticator {
+
+ private static final Log log = LogFactory.getLog(CertificateAuthenticator.class);
+ private static final String CERTIFICATE_AUTHENTICATOR = "CertificateAuth";
+ private static final String HEADER_MDM_SIGNATURE = "Mdm-Signature";
+ private String[] skippedURIs;
+
+ public CertificateAuthenticator() {
+ skippedURIs = new String[]{
+ "/ios-enrollment/ca",
+ "/ios-enrollment/authenticate",
+ "/ios-enrollment/profile",
+ "/ios-enrollment/scep",
+ "/ios-enrollment/enroll",
+ "/ios-enrollment/enrolled"};
+ }
+
+ @Override
+ public boolean canHandle(Request request) {
+ return true;
+ }
+
+ @Override
+ public Status authenticate(Request request, Response response) {
+
+ String requestUri = request.getRequestURI();
+ if (requestUri == null || requestUri.isEmpty()) {
+ return Status.CONTINUE;
+ }
+
+ if(isURISkipped(requestUri)) {
+ return Status.CONTINUE;
+ }
+
+ String headerMDMSignature = request.getHeader(HEADER_MDM_SIGNATURE);
+
+ try {
+ if (headerMDMSignature != null && !headerMDMSignature.isEmpty() &&
+ DataHolder.getInstance().getCertificateManagementService().verifySignature(headerMDMSignature)) {
+ return Status.SUCCESS;
+ }
+ } catch (KeystoreException e) {
+ log.error("KeystoreException occurred ", e);
+ return Status.FAILURE;
+ }
+
+ return Status.FAILURE;
+ }
+
+ @Override
+ public String getName() {
+ return CERTIFICATE_AUTHENTICATOR;
+ }
+
+ private boolean isURISkipped(String requestUri) {
+
+ for (String element : skippedURIs) {
+ if (element.equals(requestUri)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+}
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java
index e30d9ce680..7b7935a1f9 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java
@@ -21,14 +21,14 @@ package org.wso2.carbon.webapp.authenticator.framework.internal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.service.component.ComponentContext;
+import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationHandler;
-import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
-import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorFrameworkValve;
import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorRepository;
+import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
import org.wso2.carbon.webapp.authenticator.framework.config.AuthenticatorConfig;
import org.wso2.carbon.webapp.authenticator.framework.config.WebappAuthenticatorConfig;
@@ -44,6 +44,12 @@ import java.util.List;
* policy="dynamic"
* bind="setRealmService"
* unbind="unsetRealmService"
+ * @scr.reference name="org.wso2.carbon.certificate.mgt"
+ * interface="org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService"
+ * policy="dynamic"
+ * cardinality="1..n"
+ * bind="setCertificateManagementService"
+ * unbind="unsetCertificateManagementService"
*/
public class WebappAuthenticatorFrameworkServiceComponent {
@@ -91,4 +97,19 @@ public class WebappAuthenticatorFrameworkServiceComponent {
protected void unsetRealmService(RealmService realmService) {
DataHolder.getInstance().setRealmService(null);
}
+
+ protected void setCertificateManagementService(CertificateManagementService certificateManagementService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Setting certificate management service");
+ }
+ DataHolder.getInstance().setCertificateManagementService(certificateManagementService);
+ }
+
+ protected void unsetCertificateManagementService(CertificateManagementService certificateManagementService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Removing certificate management service");
+ }
+
+ DataHolder.getInstance().setCertificateManagementService(null);
+ }
}
diff --git a/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml b/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml
index f42dde6271..067d8cd3ce 100644
--- a/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml
+++ b/features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml
@@ -12,5 +12,9 @@
JWT
org.wso2.carbon.webapp.authenticator.framework.authenticator.JWTAuthenticator
+
+ CertificateAuth
+ org.wso2.carbon.webapp.authenticator.framework.authenticator.CertificateAuthenticator
+