[jboss-cvs] JBossAS SVN: r109851 - branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Sun Dec 12 10:50:22 EST 2010 

Author: mmoyses
Date: 2010-12-12 10:50:21 -0500 (Sun, 12 Dec 2010)
New Revision: 109851

Modified:
   branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
   branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
Log:
JBPAPP-5578: adding options to retrieve keys and certificates from JSD

Modified: branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java	2010-12-12 15:19:23 UTC (rev 109850)
+++ branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomain.java	2010-12-12 15:50:21 UTC (rev 109851)
@@ -27,10 +27,12 @@
 import java.lang.reflect.Constructor;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.Key;
 import java.security.KeyStore;
 import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
 import java.util.Arrays;
-import java.util.Map;
 import java.util.Properties;
 
 import javax.crypto.Cipher;
@@ -107,6 +109,8 @@
  * 
  * @author Scott.Stark at jboss.org
  * @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ * @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ * @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
  * 
  * @version $Revision$
  */
@@ -187,6 +191,8 @@
 
    /** Specify the SecurityManagement instance */
    private ISecurityManagement securityManagement = SecurityConstantsBridge.getSecurityManagement();
+   
+   private char[] serviceAuthToken;
 
    /**
     * Creates a default JaasSecurityDomain for with a securityDomain name of 'other'.
@@ -284,6 +290,17 @@
    
    /*
     * (non-Javadoc)
+    *
+    * @see org.jboss.security.plugins.JaasSecurityDomainMBean#setServiceAuthToken(java.lang.String)
+    */
+   @ManagementProperty(use = {ViewUse.CONFIGURATION}, description = "The service authentication token", mandatory = false)
+   public void setServiceAuthToken(String serviceAuthToken) throws Exception
+   {
+      this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
+   }
+   
+   /*
+    * (non-Javadoc)
     * 
     * @see org.jboss.security.plugins.JaasSecurityDomainMBean#getKeyStoreAlias()
     */
@@ -855,6 +872,60 @@
    {
       loadKeyAndTrustStore();
    }
+   
+   /**
+    * Returns the key with the given alias from the key store this security domain delegates to.
+    * All keys except public keys require a service authentication token. In case of a public key
+    * the authentication token will be ignored, and it can be safely null.
+    *
+    * @param alias - the alias corresponding to the key to be retrieved.
+    * @param serviceAuthToken - the authentication token that establishes whether the calling
+    *        service has the permission to retrieve the key. If no authentication token provided,
+    *        or invalid authentication token is provided, the method will throw SecurityException
+    *
+    * @return the requested key, or null if the given alias does not exist or does not identify
+    *         a key-related entry.
+    *
+    * @throws SecurityException for missing or invalid serviceAuthToken.
+    *
+    * @throws IllegalStateException if sensitive information is requested, but no service
+    *         authorization token is configured on security domain.
+    *
+    * @see KeyStore#getKey(String, char[])
+    */
+   public Key getKey(String alias, String serviceAuthToken) throws Exception
+   {
+      log.debug(this + " got request for key with alias '" + alias + "'");
+   
+      Key key = keyStore.getKey(alias, keyStorePassword);
+   
+      if (key == null || key instanceof PublicKey)
+      {
+         return key;
+      }
+   
+      verifyServiceAuthToken(serviceAuthToken);
+          
+      return key;
+   }
+   
+   /**
+    * Returns the certificate with the given alias or null if no such certificate exists, from the
+    * trust store this security domain delegates to.
+    *
+    * @param alias - the alias corresponding to the certificate to be retrieved.
+    *
+    * @return the requested certificate, or null if the given alias does not exist or does not
+    *         identify a certificate-related entry.
+    *
+    * @see KeyStore#getKey(String, char[])
+    */
+   public Certificate getCertificate(String alias) throws Exception
+   {
+      log.debug(this + " got request for certifcate with alias '" + alias + "'");
+   
+      return trustStore.getCertificate(alias);
+   }
 
    /*
     * (non-Javadoc)
@@ -905,6 +976,13 @@
          Arrays.fill(keyStorePassword, '\0');
          keyStorePassword = null;
       }
+      
+      if (serviceAuthToken != null)
+      {
+         Arrays.fill(serviceAuthToken, '\0');
+         serviceAuthToken = null;
+      }
+      
       cipherKey = null;
 
       // Deregister yourself with the security management
@@ -1066,4 +1144,36 @@
       }
       return url;
    }
+   
+   private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
+   {
+      if (this.serviceAuthToken == null)
+      {
+         throw new IllegalStateException(
+               getName() + " has been requested to provide sensitive security information, but no service authentication token has been configured on it. Use setServiceAuthToken().");
+      }
+   
+      boolean verificationSuccessful = true;
+      char[] ca = serviceAuthToken.toCharArray();
+          
+      if (this.serviceAuthToken.length == ca.length)
+      {
+         for(int i = 0; i < this.serviceAuthToken.length; i ++)
+         {
+            if (this.serviceAuthToken[i] != ca[i])
+            {
+               verificationSuccessful = false;
+               break;
+            }
+         }
+   
+         if (verificationSuccessful)
+         {
+            log.debug("valid service authentication token");
+            return;
+         }
+      }
+   
+      throw new SecurityException("service authentication token verification failed");
+   }
 }

Modified: branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java	2010-12-12 15:19:23 UTC (rev 109850)
+++ branches/JBPAPP_5_1/security/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java	2010-12-12 15:50:21 UTC (rev 109851)
@@ -33,6 +33,8 @@
 
  @author Scott.Stark at jboss.org
  @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
  @version $Revision$
 */
 public interface JaasSecurityDomainMBean extends ServiceMBean
@@ -55,6 +57,11 @@
     /** Set the credential string for the KeyStore.
     */
    public void setKeyStorePass(String password) throws Exception;
+   /** Set the service authorization token for this security domain. Services requesting sensitive
+    * information from this domain (PrivateKeys, for example) must present this authorization token
+    * otherwise the call will fail with SecurityException.
+    */
+   public void setServiceAuthToken(String serviceAuthToken) throws Exception;
    /** Get the alias of the KeyStore.
     */
    public String getKeyStoreAlias();

More information about the jboss-cvs-commits mailing list