[jboss-cvs] JBossAS SVN: r71732 - trunk/security/src/main/org/jboss/security/plugins.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Apr 4 16:33:58 EDT 2008
Author: sguilhen at redhat.com
Date: 2008-04-04 16:33:58 -0400 (Fri, 04 Apr 2008)
New Revision: 71732
Modified:
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
Log:
JBAS-5369: merged the changes made in B4.2 into trunk. This basically consisted of moving some methods used to establish the keystore password to an utility class.
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2008-04-04 20:20:46 UTC (rev 71731)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2008-04-04 20:33:58 UTC (rev 71732)
@@ -1,38 +1,34 @@
/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
package org.jboss.security.plugins;
-import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.util.Arrays;
-import java.util.StringTokenizer;
+
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
@@ -44,75 +40,59 @@
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.CallbackHandler;
+import org.jboss.crypto.CryptoUtil;
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.SecurityDomain;
-import org.jboss.crypto.CryptoUtil;
+import org.jboss.security.Util;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import org.jboss.security.integration.JNDIBasedSecurityManagement;
-/** The JaasSecurityDomain is an extension of JaasSecurityManager that addes
- the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory
- for supporting SSL and other cryptographic use cases.
-
- Attributes:
- <ul>
- <li>KeyStoreType: The implementation type name being used, defaults to 'JKS'.
- </li>
-
- <li>KeyStoreURL: Set the KeyStore database URL string. This is used to obtain
- an InputStream to initialize the KeyStore. If the string is not a value
- URL, its treated as a file.
- </li>
-
- <li>KeyStorePass: the password used to load the KeyStore. Its format is one of:
- <ul>
- <li>The plaintext password for the KeyStore(or whatever format is used
- by the KeyStore). The toCharArray() value of the string is used without any
- manipulation.
- </li>
- <li>A command to execute to obtain the plaintext password. The format
- is '{EXT}...' where the '...' is the exact command line that will be passed
- to the Runtime.exec(String) method to execute a platform command. The first
- line of the command output is used as the password.
- </li>
- <li>A class to create to obtain the plaintext password. The format
- is '{CLASS}classname[:ctorarg]' where the '[:ctorarg]' is an optional
- string delimited by the ':' from the classname that will be passed to the
- classname ctor. The password is obtained from classname by invoking a 'char[]
- toCharArray()' method if found, otherwise, the 'String toString()' method is
- used.
- </li>
- </ul>
- The KeyStorePass is also used in combination with the Salt and IterationCount
- attributes to create a PBE secret key used with the encode/decode operations.
- </li>
-
- <li>ManagerServiceName: The JMX object name string of the security manager service
- that the domain registers with to function as a security manager for the
- security domain name passed to the ctor. The makes the JaasSecurityDomain
- available under the standard JNDI java:/jaas/(domain) binding.
- </li>
-
- <li>LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider
- security provider should be loaded on startup. This is needed when using
- the Sun JSSE jars without them installed as an extension with JDK 1.3. This
- should be set to false with JDK 1.4 or when using an alternate JSSE provider
- </li>
-
- <li>Salt:
- </li>
-
- <li>IterationCount:
- </li>
- </ul>
-
- @todo add support for encode/decode based on a SecretKey in the keystore.
-
- @author Scott.Stark at jboss.org
- @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
-
- @version $Revision: 37459 $
+/**
+ * The JaasSecurityDomain is an extension of JaasSecurityManager that addes the notion of a KeyStore, and JSSE
+ * KeyManagerFactory and TrustManagerFactory for supporting SSL and other cryptographic use cases.
+ *
+ * Attributes:
+ * <ul>
+ * <li>KeyStoreType: The implementation type name being used, defaults to 'JKS'. </li>
+ *
+ * <li>KeyStoreURL: Set the KeyStore database URL string. This is used to obtain an InputStream to initialize the
+ * KeyStore. If the string is not a value URL, its treated as a file. </li>
+ *
+ * <li>KeyStorePass: the password used to load the KeyStore. Its format is one of:
+ * <ul>
+ * <li>The plaintext password for the KeyStore(or whatever format is used by the KeyStore). The toCharArray() value of
+ * the string is used without any manipulation. </li>
+ * <li>A command to execute to obtain the plaintext password. The format is '{EXT}...' where the '...' is the exact
+ * command line that will be passed to the Runtime.exec(String) method to execute a platform command. The first line of
+ * the command output is used as the password. </li>
+ * <li>A class to create to obtain the plaintext password. The format is '{CLASS}classname[:ctorarg]' where the
+ * '[:ctorarg]' is an optional string delimited by the ':' from the classname that will be passed to the classname ctor.
+ * The password is obtained from classname by invoking a 'char[] toCharArray()' method if found, otherwise, the 'String
+ * toString()' method is used. </li>
+ * </ul>
+ * The KeyStorePass is also used in combination with the Salt and IterationCount attributes to create a PBE secret key
+ * used with the encode/decode operations. </li>
+ *
+ * <li>ManagerServiceName: The JMX object name string of the security manager service that the domain registers with to
+ * function as a security manager for the security domain name passed to the ctor. The makes the JaasSecurityDomain
+ * available under the standard JNDI java:/jaas/(domain) binding. </li>
+ *
+ * <li>LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider security provider should
+ * be loaded on startup. This is needed when using the Sun JSSE jars without them installed as an extension with JDK
+ * 1.3. This should be set to false with JDK 1.4 or when using an alternate JSSE provider </li>
+ *
+ * <li>Salt: </li>
+ *
+ * <li>IterationCount: </li>
+ * </ul>
+ *
+ * @todo add support for encode/decode based on a SecretKey in the keystore.
+ *
+ * @author Scott.Stark at jboss.org
+ * @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ *
+ * @version $Revision: 37459 $
*/
public class JaasSecurityDomain extends JaasSecurityManager implements SecurityDomain, JaasSecurityDomainMBean
{
@@ -166,27 +146,29 @@
/** Specify the SecurityManagement instance */
private ISecurityManagement securityManagement = new JNDIBasedSecurityManagement();
- /** Creates a default JaasSecurityDomain for with a securityDomain
- name of 'other'.
+ /**
+ * Creates a default JaasSecurityDomain for with a securityDomain name of 'other'.
*/
public JaasSecurityDomain()
{
super();
}
- /** Creates a JaasSecurityDomain for with a securityDomain
- name of that given by the 'securityDomain' argument.
- @param securityDomain , the name of the security domain
+ /**
+ * Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument.
+ *
+ * @param securityDomain , the name of the security domain
*/
public JaasSecurityDomain(String securityDomain)
{
this(securityDomain, new SecurityAssociationHandler());
}
- /** Creates a JaasSecurityDomain for with a securityDomain
- name of that given by the 'securityDomain' argument.
- @param securityDomain , the name of the security domain
- @param handler , the CallbackHandler to use to obtain login module info
+ /**
+ * Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument.
+ *
+ * @param securityDomain , the name of the security domain
+ * @param handler , the CallbackHandler to use to obtain login module info
*/
public JaasSecurityDomain(String securityDomain, CallbackHandler handler)
{
@@ -213,15 +195,18 @@
return trustMgr;
}
- /** The JMX object name string of the security manager service.
- @return The JMX object name string of the security manager service.
+ /**
+ * The JMX object name string of the security manager service.
+ *
+ * @return The JMX object name string of the security manager service.
*/
public ObjectName getManagerServiceName()
{
return this.managerServiceName;
}
- /** Set the JMX object name string of the security manager service.
+ /**
+ * Set the JMX object name string of the security manager service.
*/
public void setManagerServiceName(ObjectName managerServiceName)
{
@@ -254,7 +239,7 @@
public void setKeyStorePass(String password) throws Exception
{
- this.keyStorePassword = this.loadPassword(password);
+ this.keyStorePassword = Util.loadPassword(password);
}
public String getTrustStoreType()
@@ -269,7 +254,7 @@
public void setTrustStorePass(String password) throws Exception
{
- this.trustStorePassword = this.loadPassword(password);
+ this.trustStorePassword = Util.loadPassword(password);
}
public String getTrustStoreURL()
@@ -305,6 +290,7 @@
this.cipherAlgorithm = cipherAlgorithm;
}
+ @Override
public String getName()
{
return "JaasSecurityDomain(" + getSecurityDomain() + ")";
@@ -320,7 +306,9 @@
this.securityManagement = securityManagement;
}
- /** Encrypt the secret using the cipherKey.
+ /**
+ * Encrypt the secret using the cipherKey.
+ *
* @param secret - the plaintext secret to encrypt
* @return the encrypted secret
* @throws Exception
@@ -340,7 +328,8 @@
return encoding;
}
- /** Decrypt the secret using the cipherKey.
+ /**
+ * Decrypt the secret using the cipherKey.
*
* @param secret - the encrypted secret to decrypt.
* @return the decrypted secret
@@ -358,7 +347,9 @@
return decode;
}
- /** Encrypt the secret using the cipherKey and return a base64 encoding.
+ /**
+ * Encrypt the secret using the cipherKey and return a base64 encoding.
+ *
* @param secret - the plaintext secret to encrypt
* @return the encrypted secret as a base64 string
* @throws Exception
@@ -370,7 +361,8 @@
return b64;
}
- /** Decrypt the base64 encoded secret using the cipherKey.
+ /**
+ * Decrypt the base64 encoded secret using the cipherKey.
*
* @param secret - the base64 encoded encrypted secret to decrypt.
* @return the decrypted secret
@@ -384,13 +376,14 @@
}
/**
- Reload the key- and truststore
- */
+ * Reload the key- and truststore
+ */
public void reloadKeyAndTrustStore() throws Exception
{
loadKeyAndTrustStore();
}
+ @Override
protected void startService() throws Exception
{
// Load the secret key
@@ -402,18 +395,16 @@
// Only register with the JaasSecurityManagerService if its defined
if (managerServiceName != null)
{
- /* Register with the JaasSecurityManagerServiceMBean. This allows this
- JaasSecurityDomain to function as the security manager for security-domain
- elements that declare java:/jaas/xxx for our security domain name.
+ /*
+ * Register with the JaasSecurityManagerServiceMBean. This allows this JaasSecurityDomain to function as the
+ * security manager for security-domain elements that declare java:/jaas/xxx for our security domain name.
*/
MBeanServer server = MBeanServerLocator.locateJBoss();
- Object[] params =
- {getSecurityDomain(), this};
- String[] signature = new String[]
- {"java.lang.String", "org.jboss.security.SecurityDomain"};
+ Object[] params = {getSecurityDomain(), this};
+ String[] signature = new String[]{"java.lang.String", "org.jboss.security.SecurityDomain"};
server.invoke(managerServiceName, "registerSecurityDomain", params, signature);
}
- //Register yourself with the security management
+ // Register yourself with the security management
if (securityManagement instanceof JNDIBasedSecurityManagement)
{
JNDIBasedSecurityManagement jbs = (JNDIBasedSecurityManagement) securityManagement;
@@ -421,6 +412,7 @@
}
}
+ @Override
protected void stopService()
{
if (keyStorePassword != null)
@@ -476,134 +468,6 @@
}
}
- /**
- * <p>
- * Parses the <code>passwordString</code> parameter to obtain the (key/trust)store password.
- * </p>
- *
- * @param passwordString a <code>String</code> representing either the password itself, or a
- * command for retrieving the password from somewhere else.
- * @return the (key/trust)store password.
- * @throws Exception if an error occurs when parsing the <code>passwordString</code>.
- */
- private char[] loadPassword(String passwordString) throws Exception
- {
- char[] password = null;
- String commandType = null;
- String command = null;
-
- if (passwordString.charAt(0) != '{')
- {
- // its just the keystore password string.
- password = passwordString.toCharArray();
- }
- else
- {
- // the parameter is command or a password class.
- StringTokenizer tokenizer = new StringTokenizer(passwordString, "{}");
- commandType = tokenizer.nextToken();
- command = tokenizer.nextToken();
- if (commandType.equals("EXT"))
- password = execPasswordCmd(command);
- else if (commandType.equals("CLASS"))
- password = invokePasswordClass(command);
- else
- throw new IllegalArgumentException("Unknown keyStorePasswordCmdType: " + commandType);
- }
-
- return password;
- }
-
- /**
- * <p>
- * Retrieves the (key/trust)store password by running the specified external command.
- * </p>
- *
- * @param command the external command that must be executed in the operating system to
- * retrieve the password.
- * @return a <code>char[]</code> representing the retrieved password.
- * @throws Exception if an error occurs when running the external command.
- */
- private char[] execPasswordCmd(String command) throws Exception
- {
- log.debug("Executing command: " + command);
- Runtime rt = Runtime.getRuntime();
- Process p = rt.exec(command);
- InputStream stdin = p.getInputStream();
- BufferedReader reader = new BufferedReader(new InputStreamReader(stdin));
- String password = reader.readLine();
- stdin.close();
- int exitCode = p.waitFor();
- log.debug("Command exited with: " + exitCode);
- return password.toCharArray();
- }
-
- /**
- * <p>
- * Retrieves the (key/trust)store password by instantiating a class as specified by the
- * <code>classdef</code> parameter, and invoking either the <code>toCharArray</code> or
- * <code>toString</code> methods of the instantiated class.
- * </p>
- *
- * @param classdef a <code>String</code> specifying how to instantiate the password
- * class. The syntax accepted is <code>class_name:constructor_value</code>, where the
- * <code>class_name</code> is the fully-qualified name of the class, and <code>
- * :constructor_value</code> is an optional section for specifying the value of a
- * <code>String</code> parameter for the constructor, when applicable.
- * @return a <code>char[]</code> representing the retrieved password.
- * @throws Exception if an error occurs when instantiating the password class.
- */
- private char[] invokePasswordClass(String classdef) throws Exception
- {
- keyStorePassword = null;
-
- // Check for a ctor argument delimited by ':'
- String classname = classdef;
- String ctorArg = null;
- int colon = classdef.indexOf(':');
- if (colon > 0)
- {
- classname = classdef.substring(0, colon);
- ctorArg = classdef.substring(colon + 1);
- }
- log.debug("Loading class: " + classname + ", ctorArg=" + ctorArg);
- ClassLoader loader = SubjectActions.getContextClassLoader();
- Class c = loader.loadClass(classname);
- Object instance = null;
- // Check for a ctor(String) if ctorArg is not null
- if (ctorArg != null)
- {
- Class[] sig = {String.class};
- Constructor ctor = c.getConstructor(sig);
- Object[] args = {ctorArg};
- instance = ctor.newInstance(args);
- }
- else
- {
- // Use the default ctor
- instance = c.newInstance();
- }
-
- // Look for a toCharArray() method
- try
- {
- log.debug("Checking for toCharArray");
- Class[] sig = {};
- Method toCharArray = c.getMethod("toCharArray", sig);
- Object[] args = {};
- log.debug("Invoking toCharArray");
- return (char[]) toCharArray.invoke(instance, args);
- }
- catch (NoSuchMethodException e)
- {
- log.debug("No toCharArray found, invoking toString");
- String tmp = instance.toString();
- if (tmp != null)
- return tmp.toCharArray();
- }
- return null;
- }
-
private URL validateStoreURL(String storeURL) throws IOException
{
URL url = null;
More information about the jboss-cvs-commits
mailing list