[jboss-cvs] JBossAS SVN: r109857 - branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Sun Dec 12 11:19:00 EST 2010 

Author: mmoyses
Date: 2010-12-12 11:19:00 -0500 (Sun, 12 Dec 2010)
New Revision: 109857

Modified:
   branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
   branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
Log:
JBPAPP-5572: adding getKey and getCertificate methods to JSD

Modified: branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java	2010-12-12 16:14:33 UTC (rev 109856)
+++ branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java	2010-12-12 16:19:00 UTC (rev 109857)
@@ -27,8 +27,11 @@
 import java.lang.reflect.Constructor;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.Key;
 import java.security.KeyStore;
 import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
 import java.util.Arrays;
 import java.util.Properties;
 
@@ -110,6 +113,8 @@
  
  @author Scott.Stark at jboss.org
  @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
 
  @version $Revision$
  */
@@ -163,6 +168,7 @@
    private String clientAlias;
    private Properties additionalOptions;
    private boolean clientAuth;
+   private char[] serviceAuthToken;
 
    /** Creates a default JaasSecurityDomain for with a securityDomain
     name of 'other'.
@@ -256,6 +262,11 @@
       this.keyStorePassword = Util.loadPassword(password);
    }
    
+   public void setServiceAuthToken(String serviceAuthToken) throws Exception
+   {
+      this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
+   }
+   
    public String getKeyStoreAlias()
    {
       return this.keyStoreAlias;
@@ -526,7 +537,61 @@
    {
       loadKeyAndTrustStore();
    }
+   
+   /**
+    * Returns the key with the given alias from the key store this security domain delegates to.
+    * All keys except public keys require a service authentication token. In case of a public key
+    * the authentication token will be ignored, and it can be safely null.
+    *
+    * @param alias - the alias corresponding to the key to be retrieved.
+    * @param serviceAuthToken - the authentication token that establishes whether the calling
+    *        service has the permission to retrieve the key. If no authentication token provided,
+    *        or invalid authentication token is provided, the method will throw SecurityException
+    *
+    * @return the requested key, or null if the given alias does not exist or does not identify
+    *         a key-related entry.
+    *
+    * @throws SecurityException for missing or invalid serviceAuthToken.
+    *
+    * @throws IllegalStateException if sensitive information is requested, but no service
+    *         authorization token is configured on security domain.
+    *
+    * @see KeyStore#getKey(String, char[])
+    */
+   public Key getKey(String alias, String serviceAuthToken) throws Exception
+   {
+      log.debug(this + " got request for key with alias '" + alias + "'");
 
+      Key key = keyStore.getKey(alias, keyStorePassword);
+
+      if (key == null || key instanceof PublicKey)
+      {
+         return key;
+      }
+
+      verifyServiceAuthToken(serviceAuthToken);
+
+      return key;
+   }
+   
+   /**
+    * Returns the certificate with the given alias or null if no such certificate exists, from the
+    * trust store this security domain delegates to.
+    *
+    * @param alias - the alias corresponding to the certificate to be retrieved.
+    *
+    * @return the requested certificate, or null if the given alias does not exist or does not
+    *         identify a certificate-related entry.
+    *
+    * @see KeyStore#getKey(String, char[])
+    */
+   public Certificate getCertificate(String alias) throws Exception
+   {
+      log.debug(this + " got request for certifcate with alias '" + alias + "'");
+
+      return trustStore.getCertificate(alias);
+   }
+
    protected void startService()
       throws Exception
    {
@@ -557,6 +622,13 @@
          Arrays.fill(keyStorePassword, '\0');
          keyStorePassword = null;
       }
+      
+      if (serviceAuthToken != null)
+      {
+         Arrays.fill(serviceAuthToken, '\0');
+         serviceAuthToken = null;
+      }
+      
       cipherKey = null;
    }
 
@@ -709,4 +781,36 @@
       }
       return url;
    }
+   
+   private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
+   {
+      if (this.serviceAuthToken == null)
+      {
+         throw new IllegalStateException(
+               getName() + " has been requested to provide sensitive security information, but no service authentication token has been configured on it. Use setServiceAuthToken().");
+      }
+
+      boolean verificationSuccessful = true;
+      char[] ca = serviceAuthToken.toCharArray();
+
+      if (this.serviceAuthToken.length == ca.length)
+      {
+         for(int i = 0; i < this.serviceAuthToken.length; i ++)
+         {
+            if (this.serviceAuthToken[i] != ca[i])
+            {
+               verificationSuccessful = false;
+               break;
+            }
+         }
+
+         if (verificationSuccessful)
+         {
+            log.debug("valid service authentication token");
+            return;
+         }
+      }
+
+      throw new SecurityException("service authentication token verification failed");
+   }
 }

Modified: branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java	2010-12-12 16:14:33 UTC (rev 109856)
+++ branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java	2010-12-12 16:19:00 UTC (rev 109857)
@@ -33,6 +33,8 @@
 
  @author Scott.Stark at jboss.org
  @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
  @version $Revision$
 */
 public interface JaasSecurityDomainMBean extends ServiceMBean
@@ -56,6 +58,11 @@
     */
    public void setKeyStorePass(String password)
       throws Exception;
+   /** Set the service authorization token for this security domain. Services requesting sensitive
+    * information from this domain (PrivateKeys, for example) must present this authorization token
+    * otherwise the call will fail with SecurityException.
+    */
+   public void setServiceAuthToken(String serviceAuthToken) throws Exception;
    /** Get the alias of the KeyStore.
     */
    public String getKeyStoreAlias();

More information about the jboss-cvs-commits mailing list