[jboss-cvs] JBossAS SVN: r109874 - in trunk/security/src/main/java/org/jboss/security: ssl and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon Dec 13 09:43:44 EST 2010
Author: mmoyses
Date: 2010-12-13 09:43:43 -0500 (Mon, 13 Dec 2010)
New Revision: 109874
Modified:
trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomain.java
trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomainMBean.java
trunk/security/src/main/java/org/jboss/security/ssl/DomainServerSocketFactory.java
Log:
adding additionalOptions, clientAuth and serviceToken attributes
adding getKey and getCertificate methods
Modified: trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomain.java 2010-12-13 12:54:28 UTC (rev 109873)
+++ trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomain.java 2010-12-13 14:43:43 UTC (rev 109874)
@@ -27,9 +27,13 @@
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
import java.util.Arrays;
+import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
@@ -105,6 +109,8 @@
*
* @author Scott.Stark at jboss.org
* @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ * @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ * @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
*
* @version $Revision$
*/
@@ -178,9 +184,15 @@
private String trustStoreProviderArgument;
private String clientAlias;
+
+ private Properties additionalOptions;
+
+ private boolean clientAuth;
/** Specify the SecurityManagement instance */
private ISecurityManagement securityManagement = SecurityConstantsBridge.getSecurityManagement();
+
+ private char[] serviceAuthToken;
/**
* Creates a default JaasSecurityDomain for with a securityDomain name of 'other'.
@@ -278,6 +290,17 @@
/*
* (non-Javadoc)
+ *
+ * @see org.jboss.security.plugins.JaasSecurityDomainMBean#setServiceAuthToken(java.lang.String)
+ */
+ @ManagementProperty(use = {ViewUse.CONFIGURATION}, description = "The service authentication token", mandatory = false)
+ public void setServiceAuthToken(String serviceAuthToken) throws Exception
+ {
+ this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
+ }
+
+ /*
+ * (non-Javadoc)
*
* @see org.jboss.security.plugins.JaasSecurityDomainMBean#getKeyStoreAlias()
*/
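Review bot: setServiceAuthToken overwrites `this.serviceAuthToken` without clearing the array it replaces, while the stop path later in this commit zeroes the token with `Arrays.fill`. Calling the setter a second time therefore leaves the previous token on the heap until it is garbage collected. Consider adding `if (this.serviceAuthToken != null) Arrays.fill(this.serviceAuthToken, '\0');` before the assignment. What `Util.loadPassword` returns for a null or empty argument is not visible here, so it is worth confirming that an empty token cannot be configured by accident.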
@@ -766,7 +789,7 @@
{
return clientAlias;
}
-
+
/*
* (non-Javadoc)
*
@@ -786,7 +809,7 @@
{
return keyStoreAlias;
}
-
+
/*
* (non-Javadoc)
*
@@ -796,6 +819,48 @@
{
this.keyStoreAlias = serverAlias;
}
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.plugins.JaasSecurityDomainMBean#getAdditionalOptions
+ */
+ @ManagementProperty(use = {ViewUse.CONFIGURATION}, description = "A map for additional options required by external components")
+ public Properties getAdditionalOptions()
+ {
+ return additionalOptions;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.plugins.JaasSecurityDomainMBean#setAdditionalOptions(java.lang.String)
+ */
+ public void setAdditionalOptions(Properties additionalOptions)
+ {
+ this.additionalOptions = additionalOptions;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.plugins.JaasSecurityDomainMBean#isClientAuth
+ */
+ @ManagementProperty(use = {ViewUse.CONFIGURATION}, description = "Flag for client authentication")
+ public boolean isClientAuth()
+ {
+ return clientAuth;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.plugins.JaasSecurityDomainMBean#setClientAuth(boolean)
+ */
+ public void setClientAuth(boolean clientAuth)
+ {
+ this.clientAuth = clientAuth;
+ }
/*
* (non-Javadoc)
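Review bot: The comment above setAdditionalOptions points to `JaasSecurityDomainMBean#setAdditionalOptions(java.lang.String)`, but the method takes a `Properties`. The reference should read `@see org.jboss.security.plugins.JaasSecurityDomainMBean#setAdditionalOptions(java.util.Properties)`. Separately, getAdditionalOptions returns the live `Properties` instance and the setter stores the caller's reference, so any holder can change the domain's options after configuration. If that is not intended, copy on the way in and out, or document that the map is shared. A blank line before the following `/*` block would match the rest of the file.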
@@ -807,6 +872,60 @@
{
loadKeyAndTrustStore();
}
+
+ /**
+ * Returns the key with the given alias from the key store this security domain delegates to.
+ * All keys except public keys require a service authentication token. In case of a public key
+ * the authentication token will be ignored, and it can be safely null.
+ *
+ * @param alias - the alias corresponding to the key to be retrieved.
+ * @param serviceAuthToken - the authentication token that establishes whether the calling
+ * service has the permission to retrieve the key. If no authentication token provided,
+ * or invalid authentication token is provided, the method will throw SecurityException
+ *
+ * @return the requested key, or null if the given alias does not exist or does not identify
+ * a key-related entry.
+ *
+ * @throws SecurityException for missing or invalid serviceAuthToken.
+ *
+ * @throws IllegalStateException if sensitive information is requested, but no service
+ * authorization token is configured on security domain.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Key getKey(String alias, String serviceAuthToken) throws Exception
+ {
+ log.debug(this + " got request for key with alias '" + alias + "'");
+
+ Key key = keyStore.getKey(alias, keyStorePassword);
+
+ if (key == null || key instanceof PublicKey)
+ {
+ return key;
+ }
+
+ verifyServiceAuthToken(serviceAuthToken);
+
+ return key;
+ }
+
+ /**
+ * Returns the certificate with the given alias or null if no such certificate exists, from the
+ * trust store this security domain delegates to.
+ *
+ * @param alias - the alias corresponding to the certificate to be retrieved.
+ *
+ * @return the requested certificate, or null if the given alias does not exist or does not
+ * identify a certificate-related entry.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Certificate getCertificate(String alias) throws Exception
+ {
+ log.debug(this + " got request for certifcate with alias '" + alias + "'");
+
+ return trustStore.getCertificate(alias);
+ }
/*
* (non-Javadoc)
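Review bot: getCertificate's Javadoc ends with `@see KeyStore#getKey(String, char[])`, copied from getKey; it should be `@see KeyStore#getCertificate(String)`. Its debug message also misspells "certifcate". Both methods dereference `keyStore` and `trustStore` without a null check. If a domain can run without one of the stores configured (not visible in this hunk), the caller gets a NullPointerException instead of the documented null return. Both methods declare `throws Exception`, which is wider than what the calls need; naming the concrete exceptions would tell callers what to handle.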
@@ -857,6 +976,13 @@
Arrays.fill(keyStorePassword, '\0');
keyStorePassword = null;
}
+
+ if (serviceAuthToken != null)
+ {
+ Arrays.fill(serviceAuthToken, '\0');
+ serviceAuthToken = null;
+ }
+
cipherKey = null;
// Deregister yourself with the security management
@@ -1018,4 +1144,36 @@
}
return url;
}
+
+ private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
+ {
+ if (this.serviceAuthToken == null)
+ {
+ throw new IllegalStateException(
+ getName() + " has been requested to provide sensitive security information, but no service authentication token has been configured on it. Use setServiceAuthToken().");
+ }
+
+ boolean verificationSuccessful = true;
+ char[] ca = serviceAuthToken.toCharArray();
+
+ if (this.serviceAuthToken.length == ca.length)
+ {
+ for(int i = 0; i < this.serviceAuthToken.length; i ++)
+ {
+ if (this.serviceAuthToken[i] != ca[i])
+ {
+ verificationSuccessful = false;
+ break;
+ }
+ }
+
+ if (verificationSuccessful)
+ {
+ log.debug("valid service authentication token");
+ return;
+ }
+ }
+
+ throw new SecurityException("service authentication token verification failed");
+ }
}
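Review bot: A null `serviceAuthToken` argument reaches `serviceAuthToken.toCharArray()` and throws NullPointerException, although getKey's Javadoc promises SecurityException for a missing token. The comparison also stops at the first differing character and is skipped entirely on a length mismatch, so the time taken depends on how much of the presented token matched. The `ca` copy of the presented token is never cleared, and a rejected token is not logged, which leaves no trace of failed attempts to fetch private keys. The `throws SecurityException` clause also says nothing about the IllegalStateException path, which could be covered in a short Javadoc on the method. A sketch of the check with these points addressed is below.
```java
   private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
   {
      // … unchanged: IllegalStateException when no token is configured …

      if (serviceAuthToken != null)
      {
         char[] ca = serviceAuthToken.toCharArray();
         try
         {
            // Fold every compared position into diff instead of stopping at the first mismatch.
            int diff = this.serviceAuthToken.length ^ ca.length;
            int n = Math.min(this.serviceAuthToken.length, ca.length);
            for (int i = 0; i < n; i++)
            {
               diff |= this.serviceAuthToken[i] ^ ca[i];
            }

            if (diff == 0)
            {
               log.debug("valid service authentication token");
               return;
            }
         }
         finally
         {
            // Do not leave a copy of the presented token on the heap.
            Arrays.fill(ca, '\0');
         }
      }

      // Record the rejection (never the token itself) so failed key requests are auditable.
      log.warn(getName() + " rejected a service authentication token");
      throw new SecurityException("service authentication token verification failed");
   }
```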
Modified: trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2010-12-13 12:54:28 UTC (rev 109873)
+++ trunk/security/src/main/java/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2010-12-13 14:43:43 UTC (rev 109874)
@@ -22,6 +22,7 @@
package org.jboss.security.plugins;
import java.io.IOException;
+import java.util.Properties;
import javax.management.ObjectName;
@@ -32,6 +33,8 @@
@author Scott.Stark at jboss.org
@author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
+ @author <a href="mailto:ovidiu at novaordis.com">Ovidiu Feodorov</a>
+ @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
@version $Revision$
*/
public interface JaasSecurityDomainMBean extends ServiceMBean
@@ -54,6 +57,11 @@
/** Set the credential string for the KeyStore.
*/
public void setKeyStorePass(String password) throws Exception;
+ /** Set the service authorization token for this security domain. Services requesting sensitive
+ * information from this domain (PrivateKeys, for example) must present this authorization token
+ * otherwise the call will fail with SecurityException.
+ */
+ public void setServiceAuthToken(String serviceAuthToken) throws Exception;
/** Get the alias of the KeyStore.
*/
public String getKeyStoreAlias();
@@ -253,4 +261,32 @@
* @param clientAlias client alias name
*/
public void setServerAlias(String serverAlias);
+
+ /**
+ * Gets the additionalOptions map
+ *
+ * @return the map
+ */
+ public Properties getAdditionalOptions();
+
+ /**
+ * Sets the additionalOptions map
+ *
+ * @param additionalOptions the map
+ */
+ public void setAdditionalOptions(Properties additionalOptions);
+
+ /**
+ * Gets the clientAuth flag
+ *
+ * @return flag
+ */
+ public boolean isClientAuth();
+
+ /**
+ * Sets the clientAuth flag
+ *
+ * @param clientAuth the flag
+ */
+ public void setClientAuth(boolean clientAuth);
}
Modified: trunk/security/src/main/java/org/jboss/security/ssl/DomainServerSocketFactory.java
===================================================================
--- trunk/security/src/main/java/org/jboss/security/ssl/DomainServerSocketFactory.java 2010-12-13 12:54:28 UTC (rev 109873)
+++ trunk/security/src/main/java/org/jboss/security/ssl/DomainServerSocketFactory.java 2010-12-13 14:43:43 UTC (rev 109874)
@@ -37,6 +37,8 @@
import org.jboss.logging.Logger;
import org.jboss.security.SecurityDomain;
+import org.jboss.security.plugins.JaasSecurityDomain;
+
import javassist.util.proxy.ProxyFactory;
/**
@@ -161,7 +163,19 @@
public boolean isNeedsClientAuth()
{
- return needsClientAuth;
+ boolean b;
+
+ if (securityDomain != null && securityDomain instanceof JaasSecurityDomain)
+ {
+ b = ((JaasSecurityDomain) securityDomain).isClientAuth();
+ }
+ else
+ {
+ b = needsClientAuth;
+ }
+
+ log.debug("server socket factory " + (b ? "wants" : "does NOT want") + " client authentication");
+ return b;
}
public void setNeedsClientAuth(boolean needsClientAuth)
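Review bot: When the domain is a JaasSecurityDomain, its `clientAuth` flag replaces the factory's own `needsClientAuth` rather than combining with it, and `clientAuth` defaults to false. A deployment that set needsClientAuth=true on the factory would stop requiring client certificates after this change unless the domain is also reconfigured. If the domain is only meant to be able to turn the requirement on, use `b = needsClientAuth || ((JaasSecurityDomain) securityDomain).isClientAuth();`; otherwise document the override on both setters. The `securityDomain != null` test is redundant with `instanceof`. The debug text says "wants" for a property that means "needs", which is confusing next to `wantsClientAuth`. setNeedsClientAuth's body continues outside this hunk.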
@@ -258,10 +272,11 @@
String[] supportedCipherSuites = socket.getSupportedCipherSuites();
log.debug("Supported CipherSuites: " + Arrays.asList(supportedCipherSuites));
}
- socket.setNeedClientAuth(needsClientAuth);
- // JBAS-5815: only set the wantClientAuth property if needClientAuth hasn't been already set.
- if (!needsClientAuth)
- socket.setWantClientAuth(wantsClientAuth);
+ socket.setNeedClientAuth(isNeedsClientAuth());
+ if (!isNeedsClientAuth())
+ {
+ socket.setWantClientAuth(wantsClientAuth);
+ }
if (protocols != null)
socket.setEnabledProtocols(protocols);
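Review bot: isNeedsClientAuth() is called twice here, and each call repeats the instanceof dispatch and writes its debug line, so every socket set up through this path logs the same message twice. Read it once into a local, `boolean needClientAuth = isNeedsClientAuth();`, and use that for both setNeedClientAuth and the `if`. The removed `// JBAS-5815` comment explained why wantClientAuth is set only when needClientAuth is false and is worth keeping. The same applies to the matching hunk at -303 further down. The enclosing method starts and ends outside this hunk.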
@@ -303,9 +318,11 @@
String[] supportedCipherSuites = socket.getSupportedCipherSuites();
log.debug("Supported CipherSuites: " + Arrays.asList(supportedCipherSuites));
}
- socket.setNeedClientAuth(needsClientAuth);
- if (!needsClientAuth)
- socket.setWantClientAuth(wantsClientAuth);
+ socket.setNeedClientAuth(isNeedsClientAuth());
+ if (!isNeedsClientAuth())
+ {
+ socket.setWantClientAuth(wantsClientAuth);
+ }
if( protocols != null )
socket.setEnabledProtocols(protocols);
if( cipherSuites != null )