[jboss-cvs] JBossAS SVN: r109857 - branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins.
Sun Dec 12 11:19:00 EST 2010
Author: mmoyses
Date: 2010-12-12 11:19:00 -0500 (Sun, 12 Dec 2010)
New Revision: 109857
Modified:
branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
Log:
JBPAPP-5572: adding getKey and getCertificate methods to JSD
Modified: branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2010-12-12 16:14:33 UTC (rev 109856)
+++ branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2010-12-12 16:19:00 UTC (rev 109857)
@@ -27,8 +27,11 @@
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Properties;
@@ -110,6 +113,8 @@
@author Scott.Stark at jboss.org
@author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
@version $Revision$
*/
@@ -163,6 +168,7 @@
private String clientAlias;
private Properties additionalOptions;
private boolean clientAuth;
+ private char[] serviceAuthToken;
/** Creates a default JaasSecurityDomain for with a securityDomain
name of 'other'.
@@ -256,6 +262,11 @@
this.keyStorePassword = Util.loadPassword(password);
}
+ public void setServiceAuthToken(String serviceAuthToken) throws Exception
+ {
+ this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
+ }
+
public String getKeyStoreAlias()
{
return this.keyStoreAlias;
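Review bot: setServiceAuthToken() overwrites any previously configured token array without wiping it, so the old secret stays in the heap until garbage collected, whereas the stop path (lines 119-123 of this diff) takes care to zero the array. Add `if (this.serviceAuthToken != null) Arrays.fill(this.serviceAuthToken, '\0');` before the assignment so replacement is handled the same way as teardown. It would also help to state in the method comment whether Util.loadPassword applies the same external-loader handling here as it does for the keystore password on the line above; that cannot be confirmed from this hunk. The enclosing class continues outside the hunk.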
@@ -526,7 +537,61 @@
{
loadKeyAndTrustStore();
}
+
+ /**
+ * Returns the key with the given alias from the key store this security domain delegates to.
+ * All keys except public keys require a service authentication token. In case of a public key
+ * the authentication token will be ignored, and it can be safely null.
+ *
+ * @param alias - the alias corresponding to the key to be retrieved.
+ * @param serviceAuthToken - the authentication token that establishes whether the calling
+ * service has the permission to retrieve the key. If no authentication token provided,
+ * or invalid authentication token is provided, the method will throw SecurityException
+ *
+ * @return the requested key, or null if the given alias does not exist or does not identify
+ * a key-related entry.
+ *
+ * @throws SecurityException for missing or invalid serviceAuthToken.
+ *
+ * @throws IllegalStateException if sensitive information is requested, but no service
+ * authorization token is configured on security domain.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Key getKey(String alias, String serviceAuthToken) throws Exception
+ {
+ log.debug(this + " got request for key with alias '" + alias + "'");
+ Key key = keyStore.getKey(alias, keyStorePassword);
+
+ if (key == null || key instanceof PublicKey)
+ {
+ return key;
+ }
+
+ verifyServiceAuthToken(serviceAuthToken);
+
+ return key;
+ }
+
+ /**
+ * Returns the certificate with the given alias or null if no such certificate exists, from the
+ * trust store this security domain delegates to.
+ *
+ * @param alias - the alias corresponding to the certificate to be retrieved.
+ *
+ * @return the requested certificate, or null if the given alias does not exist or does not
+ * identify a certificate-related entry.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Certificate getCertificate(String alias) throws Exception
+ {
+ log.debug(this + " got request for certifcate with alias '" + alias + "'");
+
+ return trustStore.getCertificate(alias);
+ }
+
protected void startService()
throws Exception
{
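Review bot: getKey() calls `keyStore.getKey(alias, keyStorePassword)` before verifyServiceAuthToken() runs, so a caller presenting no token or a bad one still causes the private key to be decrypted and materialised; only afterwards is the result discarded. For the common keystore types a key entry holds a PrivateKey or SecretKey rather than a PublicKey, so the `instanceof PublicKey` short-circuit is unlikely to be taken in practice; consider checking the token first for key entries, e.g. `if (keyStore.isKeyEntry(alias)) verifyServiceAuthToken(serviceAuthToken);` ahead of the getKey call, and adjusting the Javadoc to match. The Javadoc on getCertificate() links `KeyStore#getKey(String, char[])` but the method delegates to `trustStore.getCertificate(alias)`, so the `@see` should name `KeyStore#getCertificate(String)`; the debug message on the same method also misspells "certificate". Neither method guards against keyStore or trustStore being null when no store has been configured; whether loadKeyAndTrustStore() guarantees non-null stores cannot be seen from this hunk.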
@@ -557,6 +622,13 @@
Arrays.fill(keyStorePassword, '\0');
keyStorePassword = null;
}
+
+ if (serviceAuthToken != null)
+ {
+ Arrays.fill(serviceAuthToken, '\0');
+ serviceAuthToken = null;
+ }
+
cipherKey = null;
}
@@ -709,4 +781,36 @@
}
return url;
}
+
+ private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
+ {
+ if (this.serviceAuthToken == null)
+ {
+ throw new IllegalStateException(
+ getName() + " has been requested to provide sensitive security information, but no service authentication token has been configured on it. Use setServiceAuthToken().");
+ }
+
+ boolean verificationSuccessful = true;
+ char[] ca = serviceAuthToken.toCharArray();
+
+ if (this.serviceAuthToken.length == ca.length)
+ {
+ for(int i = 0; i < this.serviceAuthToken.length; i ++)
+ {
+ if (this.serviceAuthToken[i] != ca[i])
+ {
+ verificationSuccessful = false;
+ break;
+ }
+ }
+
+ if (verificationSuccessful)
+ {
+ log.debug("valid service authentication token");
+ return;
+ }
+ }
+
+ throw new SecurityException("service authentication token verification failed");
+ }
}
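Review bot: verifyServiceAuthToken() stops comparing at the first mismatching character and short-circuits on a length difference, so the time it takes reveals how long a correct prefix the caller supplied, and a null token reaches `serviceAuthToken.toCharArray()` and throws NullPointerException rather than the SecurityException the getKey() Javadoc promises. The comparison should reject null up front and then examine every character regardless of where a mismatch occurs; MessageDigest.isEqual is not constant-time on all JDK releases this branch may run on, so a hand-written loop is safer. A failed verification is also not logged at any level, which makes guessing attempts invisible; a WARN entry before the throw would help operators. The temporary char[] copy of the caller's token is never cleared either.

```java
   private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
   {
      // … unchanged: IllegalStateException when no token is configured …

      if (serviceAuthToken == null)
      {
         log.warn("service authentication token verification failed: no token presented");
         throw new SecurityException("service authentication token verification failed");
      }

      char[] ca = serviceAuthToken.toCharArray();
      // Compare all characters regardless of where the first mismatch is, so the
      // elapsed time does not reveal how much of the token the caller got right.
      boolean lengthMismatch = this.serviceAuthToken.length != ca.length;
      int diff = 0;
      for (int i = 0; i < this.serviceAuthToken.length && i < ca.length; i++)
      {
         diff |= this.serviceAuthToken[i] ^ ca[i];
      }
      Arrays.fill(ca, '\0');

      if (lengthMismatch || diff != 0)
      {
         log.warn("service authentication token verification failed");
         throw new SecurityException("service authentication token verification failed");
      }
      log.debug("valid service authentication token");
   }
```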
Modified: branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2010-12-12 16:14:33 UTC (rev 109856)
+++ branches/JBPAPP_4_3_0_GA_CP09_JBPAPP-5571/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2010-12-12 16:19:00 UTC (rev 109857)
@@ -33,6 +33,8 @@
@author Scott.Stark at jboss.org
@author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
@version $Revision$
*/
public interface JaasSecurityDomainMBean extends ServiceMBean
@@ -56,6 +58,11 @@
*/
public void setKeyStorePass(String password)
throws Exception;
+ /** Set the service authorization token for this security domain. Services requesting sensitive
+ * information from this domain (PrivateKeys, for example) must present this authorization token
+ * otherwise the call will fail with SecurityException.
+ */
+ public void setServiceAuthToken(String serviceAuthToken) throws Exception;
/** Get the alias of the KeyStore.
*/
public String getKeyStoreAlias();
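Review bot: The Javadoc on setServiceAuthToken() calls the value an "authorization token" while the method name, the implementation class and the exception messages call it an authentication token; pick one term, e.g. `/** Set the service authentication token for this security domain. ... */`. Because the setter is part of the MBean interface, anyone able to invoke this MBean over JMX can replace the token and then request private keys, so the check only adds protection when access to the MBean itself is restricted; the comment should say so, for example `Access to this attribute must be restricted to the same degree as the keystore password, since whoever can set it can retrieve private keys.` The interface declaration continues outside the hunk.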