[jboss-cvs] JBossAS SVN: r66467 - in trunk: testsuite/src/resources/test-configs/tomcat-ssl/deployers and 1 other directory.
Thu Oct 25 18:28:34 EDT 2007
Author: sguilhen at redhat.com
Date: 2007-10-25 18:28:34 -0400 (Thu, 25 Oct 2007)
New Revision: 66467
Modified:
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
trunk/testsuite/src/resources/test-configs/tomcat-ssl/deployers/security-service.xml
Log:
JBAS-4701: Merge from Branch_4_2.
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2007-10-25 22:18:03 UTC (rev 66466)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2007-10-25 22:28:34 UTC (rev 66467)
@@ -114,46 +114,55 @@
@version $Revision: 37459 $
*/
-public class JaasSecurityDomain
- extends JaasSecurityManager
- implements SecurityDomain, JaasSecurityDomainMBean
+public class JaasSecurityDomain extends JaasSecurityManager implements SecurityDomain, JaasSecurityDomainMBean
{
/** The permission required to access encode, encode64 */
- private static final RuntimePermission encodePermission =
- new RuntimePermission("org.jboss.security.plugins.JaasSecurityDomain.encode");
+ private static final RuntimePermission encodePermission = new RuntimePermission(
+ "org.jboss.security.plugins.JaasSecurityDomain.encode");
+
/** The permission required to access decode, decode64 */
- private static final RuntimePermission decodePermission =
- new RuntimePermission("org.jboss.security.plugins.JaasSecurityDomain.decode");
+ private static final RuntimePermission decodePermission = new RuntimePermission(
+ "org.jboss.security.plugins.JaasSecurityDomain.decode");
/** The KeyStore associated with the security domain */
private KeyStore keyStore;
+
private KeyManagerFactory keyMgr;
+
/** The KeyStore implementation type which defaults to 'JKS' */
private String keyStoreType = "JKS";
+
/** The resource for the keystore location */
private URL keyStoreURL;
+
/** The keystore password for loading */
private char[] keyStorePassword;
- /** A command string to execute to obtain the keyStorePassword */
- private String keyStorePasswordCmd;
- /** The type of command string: EXT, CLASS */
- private String keyStorePasswordCmdType;
+
/** The secret key that corresponds to the keystore password */
private SecretKey cipherKey;
+
/** The encode/decode cipher algorigthm */
private String cipherAlgorithm = "PBEwithMD5andDES";
+
private byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};
+
private int iterationCount = 103;
+
private PBEParameterSpec cipherSpec;
+
/** The JMX object name of the security manager service */
private ObjectName managerServiceName = JaasSecurityManagerServiceMBean.OBJECT_NAME;
private KeyStore trustStore;
+
private String trustStoreType = "JKS";
+
private char[] trustStorePassword;
+
private URL trustStoreURL;
+
private TrustManagerFactory trustMgr;
-
+
/** Specify the SecurityManagement instance */
private ISecurityManagement securityManagement = new JNDIBasedSecurityManagement();
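Review bot: The defaults kept here, `cipherAlgorithm = "PBEwithMD5andDES"`, the constant salt `{1, 2, 3, 4, 5, 6, 7, 8}` and `iterationCount = 103`, mean every domain that does not override Salt and IterationCount derives the encode()/decode() key from identical parameters, so the protection of encoded secrets rests on the keystore password alone. A field comment would make that explicit for deployers: `/** Legacy default; deployments should set a per-domain Salt and a higher IterationCount, and a stronger PBE algorithm if the JCE provider offers one. */`. The class body continues past the end of this hunk.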
@@ -232,7 +241,7 @@
public String getKeyStoreURL()
{
String url = null;
- if( keyStoreURL != null )
+ if (keyStoreURL != null)
url = keyStoreURL.toExternalForm();
return url;
}
@@ -243,21 +252,9 @@
log.debug("Using KeyStore=" + keyStoreURL.toExternalForm());
}
- public void setKeyStorePass(String password)
+ public void setKeyStorePass(String password) throws Exception
{
- this.keyStorePassword = null;
- // Look for a {...} prefix indicating a password command
- if( password.charAt(0) == '{' )
- {
- StringTokenizer tokenizer = new StringTokenizer(password, "{}");
- this.keyStorePasswordCmdType = tokenizer.nextToken();
- this.keyStorePasswordCmd = tokenizer.nextToken();
- }
- else
- {
- // Its just the keystore password string
- this.keyStorePassword = password.toCharArray();
- }
+ this.keyStorePassword = this.loadPassword(password);
}
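Review bot: `setKeyStorePass` now resolves a `{EXT}` or `{CLASS}` value on the spot, whereas the removed code only recorded the command for startService() to run; because this setter is exposed on JaasSecurityDomainMBean, any JMX client permitted to write the attribute can now run an arbitrary OS command or instantiate an arbitrary class at set time, and the context classloader consulted by the `{CLASS}` path is the caller's rather than the one present during startService(). If eager resolution is intended, say so where the call is made: `// Resolves {EXT}/{CLASS} immediately: runs an external command / loads a class on the caller's thread`, and consider restricting write access to this attribute.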
public String getTrustStoreType()
@@ -270,15 +267,15 @@
this.trustStoreType = type;
}
- public void setTrustStorePass(String password)
+ public void setTrustStorePass(String password) throws Exception
{
- this.trustStorePassword = password.toCharArray();
+ this.trustStorePassword = this.loadPassword(password);
}
public String getTrustStoreURL()
{
String url = null;
- if( trustStoreURL != null )
+ if (trustStoreURL != null)
url = trustStoreURL.toExternalForm();
return url;
}
@@ -311,13 +308,13 @@
public String getName()
{
return "JaasSecurityDomain(" + getSecurityDomain() + ")";
- }
+ }
public ISecurityManagement getSecurityManagement()
{
return securityManagement;
}
-
+
public void setSecurityManagement(ISecurityManagement securityManagement)
{
this.securityManagement = securityManagement;
@@ -327,14 +324,13 @@
* @param secret - the plaintext secret to encrypt
* @return the encrypted secret
* @throws Exception
- */
- public byte[] encode(byte[] secret)
- throws Exception
+ */
+ public byte[] encode(byte[] secret) throws Exception
{
SecurityManager sm = System.getSecurityManager();
- if( sm != null )
+ if (sm != null)
{
- System.out.println("Checking: "+encodePermission);
+ System.out.println("Checking: " + encodePermission);
sm.checkPermission(encodePermission);
}
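Review bot: `System.out.println("Checking: " + encodePermission);` is leftover diagnostic output on stdout inside the permission check, and decode() performs the same check without it; replace it with `log.trace("Checking: " + encodePermission);` or remove it. encode()'s body continues past the end of this hunk.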
@@ -343,17 +339,17 @@
byte[] encoding = cipher.doFinal(secret);
return encoding;
}
+
/** Decrypt the secret using the cipherKey.
*
* @param secret - the encrypted secret to decrypt.
* @return the decrypted secret
* @throws Exception
- */
- public byte[] decode(byte[] secret)
- throws Exception
+ */
+ public byte[] decode(byte[] secret) throws Exception
{
SecurityManager sm = System.getSecurityManager();
- if( sm != null )
+ if (sm != null)
sm.checkPermission(decodePermission);
Cipher cipher = Cipher.getInstance(cipherAlgorithm);
@@ -361,26 +357,26 @@
byte[] decode = cipher.doFinal(secret);
return decode;
}
+
/** Encrypt the secret using the cipherKey and return a base64 encoding.
* @param secret - the plaintext secret to encrypt
* @return the encrypted secret as a base64 string
* @throws Exception
- */
- public String encode64(byte[] secret)
- throws Exception
+ */
+ public String encode64(byte[] secret) throws Exception
{
byte[] encoding = encode(secret);
String b64 = CryptoUtil.tob64(encoding);
return b64;
}
+
/** Decrypt the base64 encoded secret using the cipherKey.
*
* @param secret - the base64 encoded encrypted secret to decrypt.
* @return the decrypted secret
* @throws Exception
*/
- public byte[] decode64(String secret)
- throws Exception
+ public byte[] decode64(String secret) throws Exception
{
byte[] encoding = CryptoUtil.fromb64(secret);
byte[] decode = decode(encoding);
@@ -390,35 +386,35 @@
/**
Reload the key- and truststore
*/
- public void reloadKeyAndTrustStore()
- throws Exception
+ public void reloadKeyAndTrustStore() throws Exception
{
loadKeyAndTrustStore();
}
- protected void startService()
- throws Exception
+ protected void startService() throws Exception
{
- // Load the keystore password if it was
- loadKeystorePassword();
+ // Load the secret key
+ loadPBESecretKey();
// Load the key and/or truststore into memory
loadKeyAndTrustStore();
// Only register with the JaasSecurityManagerService if its defined
- if( managerServiceName != null )
+ if (managerServiceName != null)
{
/* Register with the JaasSecurityManagerServiceMBean. This allows this
JaasSecurityDomain to function as the security manager for security-domain
elements that declare java:/jaas/xxx for our security domain name.
*/
MBeanServer server = MBeanServerLocator.locateJBoss();
- Object[] params = {getSecurityDomain(), this};
- String[] signature = new String[]{"java.lang.String", "org.jboss.security.SecurityDomain"};
+ Object[] params =
+ {getSecurityDomain(), this};
+ String[] signature = new String[]
+ {"java.lang.String", "org.jboss.security.SecurityDomain"};
server.invoke(managerServiceName, "registerSecurityDomain", params, signature);
}
//Register yourself with the security management
- if(securityManagement instanceof JNDIBasedSecurityManagement)
+ if (securityManagement instanceof JNDIBasedSecurityManagement)
{
JNDIBasedSecurityManagement jbs = (JNDIBasedSecurityManagement) securityManagement;
jbs.registerJaasSecurityDomainInstance(getSecurityDomain(), this);
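Review bot: `loadPBESecretKey();` is now invoked unconditionally even when `keyStorePassword` is still null, for example when only a trust store is configured or a `{CLASS}` provider returned null; the removed loadKeystorePassword() at least resolved the pending command first. In the JDK implementation `new PBEKeySpec(null)` yields an empty password rather than failing, so the cipher key would silently be derived from an empty secret. If every deployment of this domain is expected to supply a keystore password, a guard before the call, `if (keyStorePassword == null) throw new IllegalStateException("KeyStorePass must be set before start");`, makes the misconfiguration visible. startService()'s body continues past the end of this hunk.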
@@ -427,7 +423,7 @@
protected void stopService()
{
- if( keyStorePassword != null )
+ if (keyStorePassword != null)
{
Arrays.fill(keyStorePassword, '\0');
keyStorePassword = null;
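Review bot: stopService() zeroes and drops `keyStorePassword` but not `trustStorePassword`, which this commit now also fills from a `{EXT}`/`{CLASS}` provider; add the symmetric cleanup `if (trustStorePassword != null) { Arrays.fill(trustStorePassword, '\0'); trustStorePassword = null; }` so the second credential does not linger in the heap after stop. stopService()'s body continues past the end of this hunk.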
@@ -435,33 +431,25 @@
cipherKey = null;
}
- /** If keyStorePassword is null and keyStorePasswordCmd exists,
- * execute it to obtain the password.
- */
- private void loadKeystorePassword()
- throws Exception
+ /**
+ * <p>
+ * Loads the PBE secret key.
+ * </p>
+ *
+ * @throws Exception if an error ocurrs when loading the PBE key.
+ */
+ private void loadPBESecretKey() throws Exception
{
- if( keyStorePassword == null )
- {
- if( keyStorePasswordCmdType.equals("EXT") )
- execPasswordCmd();
- else if( keyStorePasswordCmdType.equals("CLASS") )
- invokePasswordClass();
- else
- throw new IllegalArgumentException("Unknown keyStorePasswordCmdType: "+keyStorePasswordCmdType);
- }
-
// Create the PBE secret key
cipherSpec = new PBEParameterSpec(salt, iterationCount);
PBEKeySpec keySpec = new PBEKeySpec(keyStorePassword);
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
cipherKey = factory.generateSecret(keySpec);
}
-
- private void loadKeyAndTrustStore()
- throws Exception
+
+ private void loadKeyAndTrustStore() throws Exception
{
- if( keyStoreURL != null )
+ if (keyStoreURL != null)
{
keyStore = KeyStore.getInstance(keyStoreType);
InputStream is = keyStoreURL.openStream();
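Review bot: `SecretKeyFactory.getInstance("PBEwithMD5andDES")` hard-codes the algorithm while encode() and decode() build their Cipher from the non-final `cipherAlgorithm` field, so if that field is ever changed the generated SecretKey will not match the cipher; use `SecretKeyFactory.getInstance(cipherAlgorithm)` here so the two stay in step. The new Javadoc could also state what the key is derived from, e.g. `Derives the PBE secret key from the keystore password using the configured salt and iteration count.` This hunk also contains the start of loadKeyAndTrustStore(), whose body continues past the end of the hunk.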
@@ -470,7 +458,7 @@
keyMgr = KeyManagerFactory.getInstance(algorithm);
keyMgr.init(keyStore, keyStorePassword);
}
- if( trustStoreURL != null )
+ if (trustStoreURL != null)
{
trustStore = KeyStore.getInstance(trustStoreType);
InputStream is = trustStoreURL.openStream();
@@ -479,53 +467,111 @@
trustMgr = TrustManagerFactory.getInstance(algorithm);
trustMgr.init(trustStore);
}
- else if( keyStore != null )
+ else if (keyStore != null)
{
trustStore = keyStore;
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
trustMgr = TrustManagerFactory.getInstance(algorithm);
- trustMgr.init(trustStore);
+ trustMgr.init(trustStore);
}
}
- private void execPasswordCmd()
- throws Exception
+ /**
+ * <p>
+ * Parses the <code>passwordString</code> parameter to obtain the (key/trust)store password.
+ * </p>
+ *
+ * @param passwordString a <code>String</code> representing either the password itself, or a
+ * command for retrieving the password from somewhere else.
+ * @return the (key/trust)store password.
+ * @throws Exception if an error occurs when parsing the <code>passwordString</code>.
+ */
+ private char[] loadPassword(String passwordString) throws Exception
{
- log.debug("Executing command: "+keyStorePasswordCmd);
+ char[] password = null;
+ String commandType = null;
+ String command = null;
+
+ if (passwordString.charAt(0) != '{')
+ {
+ // its just the keystore password string.
+ password = passwordString.toCharArray();
+ }
+ else
+ {
+ // the parameter is command or a password class.
+ StringTokenizer tokenizer = new StringTokenizer(passwordString, "{}");
+ commandType = tokenizer.nextToken();
+ command = tokenizer.nextToken();
+ if (commandType.equals("EXT"))
+ password = execPasswordCmd(command);
+ else if (commandType.equals("CLASS"))
+ password = invokePasswordClass(command);
+ else
+ throw new IllegalArgumentException("Unknown keyStorePasswordCmdType: " + commandType);
+ }
+
+ return password;
+ }
+
+ /**
+ * <p>
+ * Retrieves the (key/trust)store password by running the specified external command.
+ * </p>
+ *
+ * @param command the external command that must be executed in the operating system to
+ * retrieve the password.
+ * @return a <code>char[]</code> representing the retrieved password.
+ * @throws Exception if an error occurs when running the external command.
+ */
+ private char[] execPasswordCmd(String command) throws Exception
+ {
+ log.debug("Executing command: " + command);
Runtime rt = Runtime.getRuntime();
- Process p = rt.exec(keyStorePasswordCmd);
+ Process p = rt.exec(command);
InputStream stdin = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(stdin));
String password = reader.readLine();
stdin.close();
int exitCode = p.waitFor();
- log.debug("Command exited with: "+exitCode);
- keyStorePassword = password.toCharArray();
+ log.debug("Command exited with: " + exitCode);
+ return password.toCharArray();
}
+
/**
+ * <p>
+ * Retrieves the (key/trust)store password by instantiating a class as specified by the
+ * <code>classdef</code> parameter, and invoking either the <code>toCharArray</code> or
+ * <code>toString</code> methods of the instantiated class.
+ * </p>
*
- * @throws Exception
- */
- private void invokePasswordClass()
- throws Exception
+ * @param classdef a <code>String</code> specifying how to instantiate the password
+ * class. The syntax accepted is <code>class_name:constructor_value</code>, where the
+ * <code>class_name</code> is the fully-qualified name of the class, and <code>
+ * :constructor_value</code> is an optional section for specifying the value of a
+ * <code>String</code> parameter for the constructor, when applicable.
+ * @return a <code>char[]</code> representing the retrieved password.
+ * @throws Exception if an error occurs when instantiating the password class.
+ */
+ private char[] invokePasswordClass(String classdef) throws Exception
{
keyStorePassword = null;
// Check for a ctor argument delimited by ':'
- String classname = keyStorePasswordCmd;
+ String classname = classdef;
String ctorArg = null;
- int colon = keyStorePasswordCmd.indexOf(':');
- if( colon > 0 )
+ int colon = classdef.indexOf(':');
+ if (colon > 0)
{
- classname = keyStorePasswordCmd.substring(0, colon);
- ctorArg = keyStorePasswordCmd.substring(colon+1);
+ classname = classdef.substring(0, colon);
+ ctorArg = classdef.substring(colon + 1);
}
- log.debug("Loading class: "+classname+", ctorArg="+ctorArg);
+ log.debug("Loading class: " + classname + ", ctorArg=" + ctorArg);
ClassLoader loader = SubjectActions.getContextClassLoader();
Class c = loader.loadClass(classname);
Object instance = null;
// Check for a ctor(String) if ctorArg is not null
- if( ctorArg != null )
+ if (ctorArg != null)
{
Class[] sig = {String.class};
Constructor ctor = c.getConstructor(sig);
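Review bot: `keyStorePassword = null;` at the top of invokePasswordClass() is a leftover from when the method wrote the field directly; now that it returns the password and is also used for the trust store, a `{CLASS}` TrustStorePass applied after KeyStorePass (the order in the tomcat-ssl test config) wipes the keystore password that was just loaded, so that line should be deleted. In execPasswordCmd(), `reader.readLine()` returns null when the command prints nothing, so `password.toCharArray()` throws a NullPointerException while the exit code is only logged; checking `if (password == null || exitCode != 0) throw new IllegalStateException("Password command failed, exit=" + exitCode);` gives a usable error instead. invokePasswordClass()'s body continues past the end of this hunk.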
@@ -546,15 +592,16 @@
Method toCharArray = c.getMethod("toCharArray", sig);
Object[] args = {};
log.debug("Invoking toCharArray");
- keyStorePassword = (char[]) toCharArray.invoke(instance, args);
+ return (char[]) toCharArray.invoke(instance, args);
}
- catch(NoSuchMethodException e)
+ catch (NoSuchMethodException e)
{
log.debug("No toCharArray found, invoking toString");
String tmp = instance.toString();
- if( tmp != null )
- keyStorePassword = tmp.toCharArray();
+ if (tmp != null)
+ return tmp.toCharArray();
}
+ return null;
}
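Review bot: The trailing `return null;` is reached when the password class has no toCharArray() and its toString() returned null, so a misconfigured provider silently yields a null password that the caller stores as the keystore or truststore credential; failing loudly is safer, e.g. `throw new IllegalStateException("Password class " + classname + " returned no password");`. The catch only handles NoSuchMethodException, so an exception thrown by the provider itself surfaces wrapped in InvocationTargetException, which is worth a comment. invokePasswordClass() starts outside this hunk.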
private URL validateStoreURL(String storeURL) throws IOException
@@ -565,28 +612,28 @@
{
url = new URL(storeURL);
}
- catch(MalformedURLException e)
+ catch (MalformedURLException e)
{
// Not a URL or a protocol without a handler
}
// Next try to locate this as file path
- if( url == null )
+ if (url == null)
{
File tst = new File(storeURL);
- if( tst.exists() == true )
+ if (tst.exists() == true)
url = tst.toURL();
}
// Last try to locate this as a classpath resource
- if( url == null )
+ if (url == null)
{
ClassLoader loader = SubjectActions.getContextClassLoader();
url = loader.getResource(storeURL);
}
// Fail if no valid key store was located
- if( url == null )
+ if (url == null)
{
String msg = "Failed to find url=" + storeURL + " as a URL, file or resource";
throw new MalformedURLException(msg);
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2007-10-25 22:18:03 UTC (rev 66466)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2007-10-25 22:28:34 UTC (rev 66467)
@@ -51,7 +51,7 @@
public void setKeyStoreURL(String storeURL) throws IOException;
/** Set the credential string for the KeyStore.
*/
- public void setKeyStorePass(String password);
+ public void setKeyStorePass(String password) throws Exception;
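Review bot: The Javadoc `Set the credential string for the KeyStore.` no longer describes the contract now that the method declares `throws Exception`: the setter accepts a plain password, `{EXT}command` or `{CLASS}classname[:ctorArg]`, resolves the latter two immediately, and fails when the password cannot be obtained. Suggest replacing the comment with a short paragraph listing the three accepted forms, noting that `{EXT}` runs an external command and `{CLASS}` loads a class via the context classloader, and adding `@throws Exception if the password cannot be obtained from the command or class`.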
/** Get the type of the trust store
* @return the type of the trust store
@@ -63,7 +63,7 @@
public void setTrustStoreType(String type);
/** Set the credential string for the trust store.
*/
- public void setTrustStorePass(String password);
+ public void setTrustStorePass(String password) throws Exception;
/** Get the trust store database URL string.
*/
public String getTrustStoreURL();
Modified: trunk/testsuite/src/resources/test-configs/tomcat-ssl/deployers/security-service.xml
===================================================================
--- trunk/testsuite/src/resources/test-configs/tomcat-ssl/deployers/security-service.xml 2007-10-25 22:18:03 UTC (rev 66466)
+++ trunk/testsuite/src/resources/test-configs/tomcat-ssl/deployers/security-service.xml 2007-10-25 22:28:34 UTC (rev 66467)
@@ -15,6 +15,8 @@
</constructor>
<attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/deploy/keystore.password</attribute>
+ <attribute name="TrustStoreURL">resource:localhost.keystore</attribute>
+ <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/deploy/keystore.password</attribute>
<attribute name="Salt">welcometojboss</attribute>
<attribute name="IterationCount">13</attribute>
</mbean>