1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.users;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.catalina.Globals;
import org.apache.catalina.Group;
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.digester.AbstractObjectCreationFactory;
import org.apache.tomcat.util.digester.Digester;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.file.ConfigurationSource;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.security.Escape;
import org.xml.sax.Attributes;
/**
* Concrete implementation of {@link UserDatabase} that loads all defined users, groups, and roles into an in-memory
* data structure, and uses a specified XML file for its persistent storage.
* <p>
* This class is thread-safe.
* <p>
* This class does not enforce what, in an RDBMS, would be called referential integrity. Concurrent modifications may
* result in inconsistent data such as a User retaining a reference to a Role that has been removed from the database.
*
* @author Craig R. McClanahan
*
* @since 4.1
*/
/*
* Implementation notes:
*
* Any operation that acts on a single element of the database (e.g. operations that create, read, update or delete a
* user, role or group) must first obtain the read lock. Operations that return iterators for users, roles or groups
* also fall into this category.
*
* Iterators must always be created from copies of the data to prevent possible corruption of the iterator due to the
* remove of all elements from the underlying Map that would occur during a subsequent re-loading of the database.
*
* Any operation that acts on multiple elements and expects the database to remain consistent during the operation (e.g.
* saving or loading the database) must first obtain the write lock.
*/
public class MemoryUserDatabase implements UserDatabase {
private static final Log log = LogFactory.getLog(MemoryUserDatabase.class);
private static final StringManager sm = StringManager.getManager(MemoryUserDatabase.class);
// ----------------------------------------------------------- Constructors
/**
* Create a new instance with default values.
*/
public MemoryUserDatabase() {
this(null);
}
/**
* Create a new instance with the specified values.
*
* @param id Unique global identifier of this user database
*/
public MemoryUserDatabase(String id) {
this.id = id;
}
// ----------------------------------------------------- Instance Variables
/**
* The set of {@link Group}s defined in this database, keyed by group name.
*/
protected final Map<String,Group> groups = new ConcurrentHashMap<>();
/**
* The unique global identifier of this user database.
*/
protected final String id;
/**
* The relative (to <code>catalina.base</code>) or absolute pathname to the XML file in which we will save our
* persistent information.
*/
protected String pathname = "conf/tomcat-users.xml";
/**
* The relative or absolute pathname to the file in which our old information is stored while renaming is in
* progress.
*/
protected String pathnameOld = pathname + ".old";
/**
* The relative or absolute pathname of the file in which we write our new information prior to renaming.
*/
protected String pathnameNew = pathname + ".new";
/**
* A flag, indicating if the user database is read only.
*/
protected boolean readonly = true;
/**
* The set of {@link Role}s defined in this database, keyed by role name.
*/
protected final Map<String,Role> roles = new ConcurrentHashMap<>();
/**
* The set of {@link User}s defined in this database, keyed by username.
*/
protected final Map<String,User> users = new ConcurrentHashMap<>();
private final ReentrantReadWriteLock dbLock = new ReentrantReadWriteLock();
private final Lock readLock = dbLock.readLock();
private final Lock writeLock = dbLock.writeLock();
private volatile long lastModified = 0;
private boolean watchSource = true;
// ------------------------------------------------------------- Properties
@Override
public Iterator<Group> getGroups() {
readLock.lock();
try {
return new ArrayList<>(groups.values()).iterator();
} finally {
readLock.unlock();
}
}
@Override
public String getId() {
return this.id;
}
/**
* @return the relative or absolute pathname to the persistent storage file.
*/
public String getPathname() {
return this.pathname;
}
/**
* Set the relative or absolute pathname to the persistent storage file.
*
* @param pathname The new pathname
*/
public void setPathname(String pathname) {
this.pathname = pathname;
this.pathnameOld = pathname + ".old";
this.pathnameNew = pathname + ".new";
}
/**
* @return the readonly status of the user database
*/
public boolean getReadonly() {
return this.readonly;
}
/**
* Setting the readonly status of the user database
*
* @param readonly the new status
*/
public void setReadonly(boolean readonly) {
this.readonly = readonly;
}
public boolean getWatchSource() {
return watchSource;
}
public void setWatchSource(boolean watchSource) {
this.watchSource = watchSource;
}
@Override
public Iterator<Role> getRoles() {
readLock.lock();
try {
return new ArrayList<>(roles.values()).iterator();
} finally {
readLock.unlock();
}
}
@Override
public Iterator<User> getUsers() {
readLock.lock();
try {
return new ArrayList<>(users.values()).iterator();
} finally {
readLock.unlock();
}
}
// --------------------------------------------------------- Public Methods
@Override
public void close() throws Exception {
writeLock.lock();
try {
save();
users.clear();
groups.clear();
roles.clear();
} finally {
writeLock.unlock();
}
}
@Override
public Group createGroup(String groupname, String description) {
if (groupname == null || groupname.isEmpty()) {
String msg = sm.getString("memoryUserDatabase.nullGroup");
log.warn(msg);
throw new IllegalArgumentException(msg);
}
Group group = new GenericGroup<>(this, groupname, description, null);
readLock.lock();
try {
groups.put(group.getGroupname(), group);
} finally {
readLock.unlock();
}
return group;
}
@Override
public Role createRole(String rolename, String description) {
if (rolename == null || rolename.isEmpty()) {
String msg = sm.getString("memoryUserDatabase.nullRole");
log.warn(msg);
throw new IllegalArgumentException(msg);
}
Role role = new GenericRole<>(this, rolename, description);
readLock.lock();
try {
roles.put(role.getRolename(), role);
} finally {
readLock.unlock();
}
return role;
}
@Override
public User createUser(String username, String password, String fullName) {
if (username == null || username.isEmpty()) {
String msg = sm.getString("memoryUserDatabase.nullUser");
log.warn(msg);
throw new IllegalArgumentException(msg);
}
User user = new GenericUser<>(this, username, password, fullName, null, null);
readLock.lock();
try {
users.put(user.getUsername(), user);
} finally {
readLock.unlock();
}
return user;
}
@Override
public Group findGroup(String groupname) {
readLock.lock();
try {
return groups.get(groupname);
} finally {
readLock.unlock();
}
}
@Override
public Role findRole(String rolename) {
readLock.lock();
try {
return roles.get(rolename);
} finally {
readLock.unlock();
}
}
@Override
public User findUser(String username) {
readLock.lock();
try {
return users.get(username);
} finally {
readLock.unlock();
}
}
@Override
public void open() throws Exception {
writeLock.lock();
try {
// Erase any previous groups and users
users.clear();
groups.clear();
roles.clear();
String pathName = getPathname();
try (ConfigurationSource.Resource resource = ConfigFileLoader.getSource().getResource(pathName)) {
lastModified = resource.getLastModified();
// Construct a digester to read the XML input file
Digester digester = new Digester();
try {
digester.setFeature("http://apache.org/xml/features/allow-java-encodings", true);
} catch (Exception e) {
log.warn(sm.getString("memoryUserDatabase.xmlFeatureEncoding"), e);
}
digester.addFactoryCreate("tomcat-users/group", new MemoryGroupCreationFactory(this), true);
digester.addFactoryCreate("tomcat-users/role", new MemoryRoleCreationFactory(this), true);
digester.addFactoryCreate("tomcat-users/user", new MemoryUserCreationFactory(this), true);
// Parse the XML input to load this database
digester.parse(resource.getInputStream());
} catch (IOException ioe) {
log.error(sm.getString("memoryUserDatabase.fileNotFound", pathName));
} catch (Exception e) {
// Fail safe on error
users.clear();
groups.clear();
roles.clear();
throw e;
}
} finally {
writeLock.unlock();
}
}
@Override
public void removeGroup(Group group) {
readLock.lock();
try {
Iterator<User> users = getUsers();
while (users.hasNext()) {
User user = users.next();
user.removeGroup(group);
}
groups.remove(group.getGroupname());
} finally {
readLock.unlock();
}
}
@Override
public void removeRole(Role role) {
readLock.lock();
try {
Iterator<Group> groups = getGroups();
while (groups.hasNext()) {
Group group = groups.next();
group.removeRole(role);
}
Iterator<User> users = getUsers();
while (users.hasNext()) {
User user = users.next();
user.removeRole(role);
}
roles.remove(role.getRolename());
} finally {
readLock.unlock();
}
}
@Override
public void removeUser(User user) {
readLock.lock();
try {
users.remove(user.getUsername());
} finally {
readLock.unlock();
}
}
/**
* Check for permissions to save this user database to persistent storage location.
*
* @return <code>true</code> if the database is writable
*/
public boolean isWritable() {
File file = new File(pathname);
if (!file.isAbsolute()) {
file = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathname);
}
File dir = file.getParentFile();
return dir.exists() && dir.isDirectory() && dir.canWrite();
}
@Override
public void save() throws Exception {
if (getReadonly()) {
log.error(sm.getString("memoryUserDatabase.readOnly"));
return;
}
if (!isWritable()) {
log.warn(sm.getString("memoryUserDatabase.notPersistable"));
return;
}
// Write out contents to a temporary file
File fileNew = new File(pathnameNew);
if (!fileNew.isAbsolute()) {
fileNew = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathnameNew);
}
writeLock.lock();
try {
try (FileOutputStream fos = new FileOutputStream(fileNew);
OutputStreamWriter osw = new OutputStreamWriter(fos, StandardCharsets.UTF_8);
PrintWriter writer = new PrintWriter(osw)) {
// Print the file prolog
writer.println("<?xml version='1.0' encoding='utf-8'?>");
writer.println("<tomcat-users xmlns=\"http://tomcat.apache.org/xml\"");
writer.print(" ");
writer.println("xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"");
writer.print(" ");
writer.println("xsi:schemaLocation=\"http://tomcat.apache.org/xml tomcat-users.xsd\"");
writer.println(" version=\"1.0\">");
// Print entries for each defined role, group, and user
Iterator<?> values = getRoles();
while (values.hasNext()) {
Role role = (Role) values.next();
writer.print(" <role rolename=\"");
writer.print(Escape.xml(role.getRolename()));
writer.print("\"");
if (null != role.getDescription()) {
writer.print(" description=\"");
writer.print(Escape.xml(role.getDescription()));
writer.print("\"");
}
writer.println("/>");
}
values = getGroups();
while (values.hasNext()) {
Group group = (Group) values.next();
writer.print(" <group groupname=\"");
writer.print(Escape.xml(group.getName()));
writer.print("\"");
if (null != group.getDescription()) {
writer.print(" description=\"");
writer.print(Escape.xml(group.getDescription()));
writer.print("\"");
}
writer.print(" roles=\"");
for (Iterator<Role> roles = group.getRoles(); roles.hasNext();) {
Role role = roles.next();
writer.print(Escape.xml(role.getRolename()));
if (roles.hasNext()) {
writer.print(',');
}
}
writer.println("\"/>");
}
values = getUsers();
while (values.hasNext()) {
User user = (User) values.next();
writer.print(" <user username=\"");
writer.print(Escape.xml(user.getUsername()));
writer.print("\" password=\"");
writer.print(Escape.xml(user.getPassword()));
writer.print("\"");
if (null != user.getFullName()) {
writer.print(" fullName=\"");
writer.print(Escape.xml(user.getFullName()));
writer.print("\"");
}
writer.print(" groups=\"");
for (Iterator<Group> groups = user.getGroups(); groups.hasNext();) {
Group group = groups.next();
writer.print(Escape.xml(group.getGroupname()));
if (groups.hasNext()) {
writer.print(',');
}
}
writer.print("\" roles=\"");
for (Iterator<Role> roles = user.getRoles(); roles.hasNext();) {
Role role = roles.next();
writer.print(Escape.xml(role.getRolename()));
if (roles.hasNext()) {
writer.print(',');
}
}
writer.print("\"/>");
}
// Print the file epilog
writer.println("</tomcat-users>");
// Check for errors that occurred while printing
if (writer.checkError()) {
throw new IOException(sm.getString("memoryUserDatabase.writeException", fileNew.getAbsolutePath()));
}
} catch (IOException e) {
if (fileNew.exists() && !fileNew.delete()) {
log.warn(sm.getString("memoryUserDatabase.fileDelete", fileNew));
}
throw e;
}
this.lastModified = fileNew.lastModified();
} finally {
writeLock.unlock();
}
// Perform the required renames to permanently save this file
File fileOld = new File(pathnameOld);
if (!fileOld.isAbsolute()) {
fileOld = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathnameOld);
}
if (fileOld.exists() && !fileOld.delete()) {
throw new IOException(sm.getString("memoryUserDatabase.fileDelete", fileOld));
}
File fileOrig = new File(pathname);
if (!fileOrig.isAbsolute()) {
fileOrig = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathname);
}
if (fileOrig.exists()) {
if (!fileOrig.renameTo(fileOld)) {
throw new IOException(sm.getString("memoryUserDatabase.renameOld", fileOld.getAbsolutePath()));
}
}
if (!fileNew.renameTo(fileOrig)) {
if (fileOld.exists()) {
if (!fileOld.renameTo(fileOrig)) {
log.warn(sm.getString("memoryUserDatabase.restoreOrig", fileOld));
}
}
throw new IOException(sm.getString("memoryUserDatabase.renameNew", fileOrig.getAbsolutePath()));
}
if (fileOld.exists() && !fileOld.delete()) {
throw new IOException(sm.getString("memoryUserDatabase.fileDelete", fileOld));
}
}
@Override
public void backgroundProcess() {
if (!watchSource) {
return;
}
URI uri = ConfigFileLoader.getSource().getURI(getPathname());
URLConnection uConn = null;
try {
URL url = uri.toURL();
uConn = url.openConnection();
if (this.lastModified != uConn.getLastModified()) {
writeLock.lock();
try {
long detectedLastModified = uConn.getLastModified();
// Last modified as a resolution of 1s. Ensure that a write
// to the file is not in progress by ensuring that the last
// modified time is at least 2 seconds ago.
if (this.lastModified != detectedLastModified &&
detectedLastModified + 2000 < System.currentTimeMillis()) {
log.info(sm.getString("memoryUserDatabase.reload", id, uri));
open();
}
} finally {
writeLock.unlock();
}
}
} catch (Exception ioe) {
log.error(sm.getString("memoryUserDatabase.reloadError", id, uri), ioe);
} finally {
if (uConn != null) {
try {
// Can't close a uConn directly. Have to do it like this.
uConn.getInputStream().close();
} catch (FileNotFoundException fnfe) {
// The file doesn't exist.
// This has been logged above. No need to log again.
// Set the last modified time to avoid repeated log messages
this.lastModified = 0;
} catch (IOException ioe) {
log.warn(sm.getString("memoryUserDatabase.fileClose", pathname), ioe);
}
}
}
}
@Override
public String toString() {
return "MemoryUserDatabase[id=" + this.id + ",pathname=" + pathname + ",groupCount=" +
this.groups.size() + ",roleCount=" + this.roles.size() + ",userCount=" + this.users.size() + ']';
}
}
/**
* Digester object creation factory for group instances.
*/
class MemoryGroupCreationFactory extends AbstractObjectCreationFactory {
MemoryGroupCreationFactory(MemoryUserDatabase database) {
this.database = database;
}
@Override
public Object createObject(Attributes attributes) {
String groupname = attributes.getValue("groupname");
if (groupname == null) {
groupname = attributes.getValue("name");
}
String description = attributes.getValue("description");
String roles = attributes.getValue("roles");
Group group = database.findGroup(groupname);
if (group == null) {
group = database.createGroup(groupname, description);
} else {
if (group.getDescription() == null) {
group.setDescription(description);
}
}
if (roles != null) {
while (!roles.isEmpty()) {
String rolename;
int comma = roles.indexOf(',');
if (comma >= 0) {
rolename = roles.substring(0, comma).trim();
roles = roles.substring(comma + 1);
} else {
rolename = roles.trim();
roles = "";
}
if (!rolename.isEmpty()) {
Role role = database.findRole(rolename);
if (role == null) {
role = database.createRole(rolename, null);
}
group.addRole(role);
}
}
}
return group;
}
private final MemoryUserDatabase database;
}
/**
* Digester object creation factory for role instances.
*/
class MemoryRoleCreationFactory extends AbstractObjectCreationFactory {
MemoryRoleCreationFactory(MemoryUserDatabase database) {
this.database = database;
}
@Override
public Object createObject(Attributes attributes) {
String rolename = attributes.getValue("rolename");
if (rolename == null) {
rolename = attributes.getValue("name");
}
String description = attributes.getValue("description");
Role existingRole = database.findRole(rolename);
if (existingRole == null) {
return database.createRole(rolename, description);
}
if (existingRole.getDescription() == null) {
existingRole.setDescription(description);
}
return existingRole;
}
private final MemoryUserDatabase database;
}
/**
* Digester object creation factory for user instances.
*/
class MemoryUserCreationFactory extends AbstractObjectCreationFactory {
MemoryUserCreationFactory(MemoryUserDatabase database) {
this.database = database;
}
@Override
public Object createObject(Attributes attributes) {
String username = attributes.getValue("username");
if (username == null) {
username = attributes.getValue("name");
}
String password = attributes.getValue("password");
String fullName = attributes.getValue("fullName");
if (fullName == null) {
fullName = attributes.getValue("fullname");
}
String groups = attributes.getValue("groups");
String roles = attributes.getValue("roles");
User user = database.createUser(username, password, fullName);
if (groups != null) {
while (!groups.isEmpty()) {
String groupname;
int comma = groups.indexOf(',');
if (comma >= 0) {
groupname = groups.substring(0, comma).trim();
groups = groups.substring(comma + 1);
} else {
groupname = groups.trim();
groups = "";
}
if (!groupname.isEmpty()) {
Group group = database.findGroup(groupname);
if (group == null) {
group = database.createGroup(groupname, null);
}
user.addGroup(group);
}
}
}
if (roles != null) {
while (!roles.isEmpty()) {
String rolename;
int comma = roles.indexOf(',');
if (comma >= 0) {
rolename = roles.substring(0, comma).trim();
roles = roles.substring(comma + 1);
} else {
rolename = roles.trim();
roles = "";
}
if (!rolename.isEmpty()) {
Role role = database.findRole(rolename);
if (role == null) {
role = database.createRole(rolename, null);
}
user.addRole(role);
}
}
}
return user;
}
private final MemoryUserDatabase database;
}
|
