[jboss-cvs] Picketbox SVN: r186 - in trunk: security-jboss-sx/jbosssx/src/main/java/org/jboss/security and 2 other directories.
Fri Apr 15 11:29:54 EDT 2011
Author: mmoyses
Date: 2011-04-15 11:29:53 -0400 (Fri, 15 Apr 2011)
New Revision: 186
Added:
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/JBossJSSESecurityDomain.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SecurityKeyManager.java
trunk/security-spi/spi/src/main/java/org/jboss/security/JSSESecurityDomain.java
Modified:
trunk/picketbox/src/main/java/org/picketbox/plugins/PicketBoxSecurityManagement.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityActions.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityUtil.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/DefaultSecurityManagement.java
trunk/security-spi/spi/src/main/java/org/jboss/security/ISecurityManagement.java
Log:
Adding JSSESecurityDomain interface
Modified: trunk/picketbox/src/main/java/org/picketbox/plugins/PicketBoxSecurityManagement.java
===================================================================
--- trunk/picketbox/src/main/java/org/picketbox/plugins/PicketBoxSecurityManagement.java 2011-03-31 17:09:28 UTC (rev 185)
+++ trunk/picketbox/src/main/java/org/picketbox/plugins/PicketBoxSecurityManagement.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -24,6 +24,8 @@
import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.ISecurityManagement;
+import org.jboss.security.JBossJSSESecurityDomain;
+import org.jboss.security.JSSESecurityDomain;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.identitytrust.IdentityTrustManager;
import org.jboss.security.mapping.MappingManager;
@@ -83,4 +85,12 @@
{
return new JBossMappingManager(securityDomain);
}
+
+ /**
+ * @see ISecurityManagement#getJSSE(String)
+ */
+ public JSSESecurityDomain getJSSE(String securityDomain)
+ {
+ return new JBossJSSESecurityDomain(securityDomain);
+ }
}
\ No newline at end of file
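Review bot: `getJSSE` hands back a fresh `JBossJSSESecurityDomain` whose only configured state is the name, so `getKeyStore()` and `getKeyManagerFactory()` return null and `getKey()` would dereference a null `keyStore` until a caller has run the setters and `reloadKeyAndTrustStore()`; the Javadoc should say so, since the bare `@see` does not. Consider documenting that nothing is cached, i.e. every call returns a new, unloaded domain, or caching per domain name if callers are expected to share one configured object. The same applies to `DefaultSecurityManagement.getJSSE` in the hunk below. PicketBoxSecurityManagement's class body starts outside the hunk.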
Added: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/JBossJSSESecurityDomain.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/JBossJSSESecurityDomain.java (rev 0)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/JBossJSSESecurityDomain.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -0,0 +1,522 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.security;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.plugins.SecurityKeyManager;
+
+/**
+ * A security domain used to configure SSL.
+ *
+ * @author <a href="mailto:mmoyses at redhat.com">Marcus Moyses</a>
+ */
+public class JBossJSSESecurityDomain implements JSSESecurityDomain
+{
+
+ private static Logger log = Logger.getLogger(JBossJSSESecurityDomain.class);
+
+ private KeyStore keyStore;
+
+ private KeyManagerFactory keyManager;
+
+ private String keyStoreType = "JKS";
+
+ private URL keyStoreURL;
+
+ private char[] keyStorePassword;
+
+ private String keyStoreAlias;
+
+ private String keyStoreProvider;
+
+ private String keyStoreProviderArgument;
+
+ private String keyManagerFactoryProvider;
+
+ private String keyManagerFactoryAlgorithm;
+
+ private KeyStore trustStore;
+
+ private TrustManagerFactory trustManager;
+
+ private String trustStoreType = "JKS";
+
+ private URL trustStoreURL;
+
+ private char[] trustStorePassword;
+
+ private String trustStoreProvider;
+
+ private String trustStoreProviderArgument;
+
+ private String trustManagerFactoryProvider;
+
+ private String trustManagerFactoryAlgorithm;
+
+ private String clientAlias;
+
+ private boolean clientAuth;
+
+ private char[] serviceAuthToken;
+
+ private String name;
+
+ public JBossJSSESecurityDomain(String securityDomainName)
+ {
+ this.name = securityDomainName;
+ }
+
+ public String getKeyStoreType()
+ {
+ return keyStoreType;
+ }
+
+ public void setKeyStoreType(String keyStoreType)
+ {
+ this.keyStoreType = keyStoreType;
+ }
+
+ public String getKeyStoreURL()
+ {
+ String url = null;
+ if (keyStoreURL != null)
+ url = keyStoreURL.toExternalForm();
+ return url;
+ }
+
+ public void setKeyStoreURL(String keyStoreURL) throws IOException
+ {
+ this.keyStoreURL = validateStoreURL(keyStoreURL);
+ }
+
+ public String getKeyStoreAlias()
+ {
+ return keyStoreAlias;
+ }
+
+ public void setKeyStoreAlias(String keyStoreAlias)
+ {
+ this.keyStoreAlias = keyStoreAlias;
+ }
+
+ public String getKeyStoreProvider()
+ {
+ return keyStoreProvider;
+ }
+
+ public void setKeyStoreProvider(String keyStoreProvider)
+ {
+ this.keyStoreProvider = keyStoreProvider;
+ }
+
+ public String getKeyManagerFactoryProvider()
+ {
+ return keyManagerFactoryProvider;
+ }
+
+ public String getKeyStoreProviderArgument()
+ {
+ return keyStoreProviderArgument;
+ }
+
+ public void setKeyStoreProviderArgument(String keyStoreProviderArgument)
+ {
+ this.keyStoreProviderArgument = keyStoreProviderArgument;
+ }
+
+ public void setKeyManagerFactoryProvider(String keyManagerFactoryProvider)
+ {
+ this.keyManagerFactoryProvider = keyManagerFactoryProvider;
+ }
+
+ public String getKeyManagerFactoryAlgorithm()
+ {
+ return keyManagerFactoryAlgorithm;
+ }
+
+ public void setKeyManagerFactoryAlgorithm(String keyManagerFactoryAlgorithm)
+ {
+ this.keyManagerFactoryAlgorithm = keyManagerFactoryAlgorithm;
+ }
+
+ public String getTrustStoreType()
+ {
+ return trustStoreType;
+ }
+
+ public void setTrustStoreType(String trustStoreType)
+ {
+ this.trustStoreType = trustStoreType;
+ }
+
+ public String getTrustStoreURL()
+ {
+ String url = null;
+ if (trustStoreURL != null)
+ url = trustStoreURL.toExternalForm();
+ return url;
+ }
+
+ public void setTrustStoreURL(String trustStoreURL) throws IOException
+ {
+ this.trustStoreURL = validateStoreURL(trustStoreURL);
+ }
+
+ public String getTrustStoreProvider()
+ {
+ return trustStoreProvider;
+ }
+
+ public void setTrustStoreProvider(String trustStoreProvider)
+ {
+ this.trustStoreProvider = trustStoreProvider;
+ }
+
+ public String getTrustStoreProviderArgument()
+ {
+ return trustStoreProviderArgument;
+ }
+
+ public void setTrustStoreProviderArgument(String trustStoreProviderArgument)
+ {
+ this.trustStoreProviderArgument = trustStoreProviderArgument;
+ }
+
+ public String getTrustManagerFactoryProvider()
+ {
+ return trustManagerFactoryProvider;
+ }
+
+ public void setTrustManagerFactoryProvider(String trustManagerFactoryProvider)
+ {
+ this.trustManagerFactoryProvider = trustManagerFactoryProvider;
+ }
+
+ public String getTrustManagerFactoryAlgorithm()
+ {
+ return trustManagerFactoryAlgorithm;
+ }
+
+ public void setTrustManagerFactoryAlgorithm(String trustManagerFactoryAlgorithm)
+ {
+ this.trustManagerFactoryAlgorithm = trustManagerFactoryAlgorithm;
+ }
+
+ @Override
+ public String getClientAlias()
+ {
+ return clientAlias;
+ }
+
+ public void setClientAlias(String clientAlias)
+ {
+ this.clientAlias = clientAlias;
+ }
+
+ @Override
+ public String getServerAlias()
+ {
+ return keyStoreAlias;
+ }
+
+ public void setServerAlias(String serverAlias)
+ {
+ this.keyStoreAlias = serverAlias;
+ }
+
+ @Override
+ public boolean isClientAuth()
+ {
+ return clientAuth;
+ }
+
+ public void setClientAuth(boolean clientAuth)
+ {
+ this.clientAuth = clientAuth;
+ }
+
+ @Override
+ public KeyStore getKeyStore()
+ {
+ return keyStore;
+ }
+
+ @Override
+ public KeyStore getTrustStore()
+ {
+ return trustStore;
+ }
+
+ public void setKeyStorePassword(String keyStorePassword) throws Exception
+ {
+ this.keyStorePassword = Util.loadPassword(keyStorePassword);
+ }
+
+ public void setTrustStorePassword(String trustStorePassword) throws Exception
+ {
+ this.trustStorePassword = Util.loadPassword(trustStorePassword);
+ }
+
+ public void setServiceAuthToken(String serviceAuthToken) throws Exception
+ {
+ this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
+ }
+
+ @Override
+ public KeyManagerFactory getKeyManagerFactory() throws SecurityException
+ {
+ return keyManager;
+ }
+
+ @Override
+ public TrustManagerFactory getTrustManagerFactory() throws SecurityException
+ {
+ return trustManager;
+ }
+
+ @Override
+ public String getSecurityDomain()
+ {
+ return name;
+ }
+
+ @Override
+ public Key getKey(String alias, String serviceAuthToken) throws Exception
+ {
+ log.debug(this + " got request for key with alias '" + alias + "'");
+
+ Key key = keyStore.getKey(alias, keyStorePassword);
+
+ if (key == null || key instanceof PublicKey)
+ {
+ return key;
+ }
+
+ verifyServiceAuthToken(serviceAuthToken);
+
+ return key;
+ }
+
+ @Override
+ public Certificate getCertificate(String alias) throws Exception
+ {
+ log.debug(this + " got request for certifcate with alias '" + alias + "'");
+
+ return trustStore.getCertificate(alias);
+ }
+
+ @Override
+ public void reloadKeyAndTrustStore() throws Exception
+ {
+ loadKeyAndTrustStore();
+ }
+
+ private URL validateStoreURL(String storeURL) throws IOException
+ {
+ URL url = null;
+ // First see if this is a URL
+ try
+ {
+ url = new URL(storeURL);
+ }
+ catch (MalformedURLException e)
+ {
+ // Not a URL or a protocol without a handler
+ }
+
+ // Next try to locate this as file path
+ if (url == null)
+ {
+ File tst = new File(storeURL);
+ if (tst.exists() == true)
+ url = tst.toURI().toURL();
+ }
+
+ // Last try to locate this as a classpath resource
+ if (url == null)
+ {
+ ClassLoader loader = SecurityActions.getContextClassLoader();
+ url = loader.getResource(storeURL);
+ }
+
+ // Fail if no valid key store was located
+ if (url == null)
+ {
+ String msg = "Failed to find url=" + storeURL + " as a URL, file or resource";
+ throw new MalformedURLException(msg);
+ }
+ return url;
+ }
+
+ private void verifyServiceAuthToken(String serviceAuthToken) throws SecurityException
+ {
+ if (this.serviceAuthToken == null)
+ {
+ throw new IllegalStateException(
+ getSecurityDomain()
+ + " has been requested to provide sensitive security information, but no service authentication token has been configured on it. Use setServiceAuthToken().");
+ }
+
+ boolean verificationSuccessful = true;
+ char[] ca = serviceAuthToken.toCharArray();
+
+ if (this.serviceAuthToken.length == ca.length)
+ {
+ for (int i = 0; i < this.serviceAuthToken.length; i++)
+ {
+ if (this.serviceAuthToken[i] != ca[i])
+ {
+ verificationSuccessful = false;
+ break;
+ }
+ }
+
+ if (verificationSuccessful)
+ {
+ log.debug("valid service authentication token");
+ return;
+ }
+ }
+
+ throw new SecurityException("service authentication token verification failed");
+ }
+
+ private void loadKeyAndTrustStore() throws Exception
+ {
+ if (keyStorePassword != null)
+ {
+ if (keyStoreProvider != null)
+ {
+ if (keyStoreProviderArgument != null)
+ {
+ ClassLoader loader = SecurityActions.getContextClassLoader();
+ Class clazz = loader.loadClass(keyStoreProvider);
+ Class[] ctorSig = {String.class};
+ Constructor ctor = clazz.getConstructor(ctorSig);
+ Object[] ctorArgs = {keyStoreProviderArgument};
+ Provider provider = (Provider) ctor.newInstance(ctorArgs);
+ keyStore = KeyStore.getInstance(keyStoreType, provider);
+ }
+ else
+ keyStore = KeyStore.getInstance(keyStoreType, keyStoreProvider);
+ }
+ else
+ keyStore = KeyStore.getInstance(keyStoreType);
+ InputStream is = null;
+ if ((!"PKCS11".equalsIgnoreCase(keyStoreType) || !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType))
+ && keyStoreURL != null)
+ {
+ is = keyStoreURL.openStream();
+ }
+ keyStore.load(is, keyStorePassword);
+ if (keyStoreAlias != null && !keyStore.isKeyEntry(keyStoreAlias))
+ {
+ throw new IOException("Cannot find key entry with alias " + keyStoreAlias + " in the keyStore");
+ }
+ String algorithm = null;
+ if (keyManagerFactoryAlgorithm != null)
+ algorithm = keyManagerFactoryAlgorithm;
+ else
+ algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ if (keyManagerFactoryProvider != null)
+ keyManager = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
+ else
+ keyManager = KeyManagerFactory.getInstance(algorithm);
+ keyManager.init(keyStore, keyStorePassword);
+ if (keyStoreAlias != null)
+ {
+ KeyManager[] keyManagers = keyManager.getKeyManagers();
+ for (int i = 0; i < keyManagers.length; i++)
+ {
+ keyManagers[i] = new SecurityKeyManager((X509KeyManager) keyManagers[i], keyStoreAlias, clientAlias);
+ }
+ }
+ }
+ if (trustStorePassword != null)
+ {
+ if (trustStoreProvider != null)
+ {
+ if (trustStoreProviderArgument != null)
+ {
+ ClassLoader loader = Thread.currentThread().getContextClassLoader();
+ Class clazz = loader.loadClass(trustStoreProvider);
+ Class[] ctorSig = {String.class};
+ Constructor ctor = clazz.getConstructor(ctorSig);
+ Object[] ctorArgs = {trustStoreProviderArgument};
+ Provider provider = (Provider) ctor.newInstance(ctorArgs);
+ trustStore = KeyStore.getInstance(trustStoreType, provider);
+ }
+ else
+ trustStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
+ }
+ else
+ trustStore = KeyStore.getInstance(trustStoreType);
+ InputStream is = null;
+ if ((!"PKCS11".equalsIgnoreCase(trustStoreType) || !"PKCS11IMPLKS".equalsIgnoreCase(trustStoreType))
+ && trustStoreURL != null)
+ {
+ is = trustStoreURL.openStream();
+ }
+ trustStore.load(is, trustStorePassword);
+ String algorithm = null;
+ if (trustManagerFactoryAlgorithm != null)
+ algorithm = trustManagerFactoryAlgorithm;
+ else
+ algorithm = TrustManagerFactory.getDefaultAlgorithm();
+ if (trustManagerFactoryProvider != null)
+ trustManager = TrustManagerFactory.getInstance(algorithm, trustStoreProvider);
+ else
+ trustManager = TrustManagerFactory.getInstance(algorithm);
+ trustManager.init(trustStore);
+ }
+ else if (keyStore != null)
+ {
+ trustStore = keyStore;
+ String algorithm = null;
+ if (trustManagerFactoryAlgorithm != null)
+ algorithm = trustManagerFactoryAlgorithm;
+ else
+ algorithm = TrustManagerFactory.getDefaultAlgorithm();
+ trustManager = TrustManagerFactory.getInstance(algorithm);
+ trustManager.init(trustStore);
+ }
+ }
+
+}
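Review bot: The alias wrapping in `loadKeyAndTrustStore` (`keyManagers[i] = new SecurityKeyManager(...)`) writes into the array returned by `keyManager.getKeyManagers()` and then discards it; since `getKeyManagerFactory()` exposes the factory and callers fetch their own array from it, the `SecurityKeyManager` wrappers, and with them the `keyStoreAlias`/`clientAlias` selection, most likely never reach the SSL context (SunJSSE builds a new array on each `getKeyManagers()` call), so the wrapped array should be kept in a field and exposed, or the limitation documented. Further down, `TrustManagerFactory.getInstance(algorithm, trustStoreProvider)` passes the keystore provider although `trustManagerFactoryProvider` is what was tested one line earlier, the PKCS11 guard `(!"PKCS11".equalsIgnoreCase(keyStoreType) || !"PKCS11IMPLKS".equalsIgnoreCase(keyStoreType))` is always true because a string cannot equal both values so `&&` was meant (same for the trust store branch), and the `InputStream` opened from the store URL is never closed. In `verifyServiceAuthToken`, a null `serviceAuthToken` argument fails with NullPointerException at `toCharArray()` rather than the SecurityException the interface documents, and the early-exit character loop makes the comparison time depend on the first mismatching position; check for null first and compare the two tokens with `MessageDigest.isEqual` on their UTF-8 bytes (or a loop without `break`). The trust-store branch also reads the TCCL via `Thread.currentThread().getContextClassLoader()` while the key-store branch uses `SecurityActions.getContextClassLoader()`; use the privileged helper in both places.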
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityActions.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityActions.java 2011-03-31 17:09:28 UTC (rev 185)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityActions.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -78,4 +78,20 @@
}
return prop;
}
+
+ private static class GetTCLAction implements PrivilegedAction<ClassLoader>
+ {
+ static PrivilegedAction<ClassLoader> ACTION = new GetTCLAction();
+ public ClassLoader run()
+ {
+ ClassLoader loader = Thread.currentThread().getContextClassLoader();
+ return loader;
+ }
+ }
+
+ static ClassLoader getContextClassLoader()
+ {
+ ClassLoader loader = (ClassLoader) AccessController.doPrivileged(GetTCLAction.ACTION);
+ return loader;
+ }
}
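Review bot: `static PrivilegedAction<ClassLoader> ACTION = new GetTCLAction();` in the new `GetTCLAction` is a mutable, package-visible static, so the action handed to `doPrivileged` could be swapped by any class in the package; declare it `private static final PrivilegedAction<ClassLoader> ACTION = new GetTCLAction();` (the enclosing class can still read a private member of its nested class). The `(ClassLoader)` cast in `getContextClassLoader` is redundant with the generic `doPrivileged`, so `return AccessController.doPrivileged(GetTCLAction.ACTION);` suffices, and `run()` should carry `@Override`. SecurityActions' class body starts outside the hunk.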
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityUtil.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityUtil.java 2011-03-31 17:09:28 UTC (rev 185)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityUtil.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -46,6 +46,8 @@
public class SecurityUtil
{
private static Logger log = Logger.getLogger(SecurityUtil.class);
+
+ private static String LEGACY_JAAS_CONTEXT_ROOT = "java:/jaas/";
/**
* Strip the security domain of prefix (java:jaas or java:jbsx)
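Review bot: `private static String LEGACY_JAAS_CONTEXT_ROOT = "java:/jaas/";` is used as a constant but is not `final`, unlike the `SecurityConstants` prefixes it is compared alongside; make it `private static final String LEGACY_JAAS_CONTEXT_ROOT = "java:/jaas/";`. A short comment explaining why this legacy prefix lives here rather than in `SecurityConstants` would also help the next reader. SecurityUtil's class body continues outside the hunk.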
@@ -62,6 +64,8 @@
result = securityDomain.substring(SecurityConstants.JAAS_CONTEXT_ROOT.length());
else if (securityDomain.startsWith(SecurityConstants.JASPI_CONTEXT_ROOT))
result = securityDomain.substring(SecurityConstants.JASPI_CONTEXT_ROOT.length());
+ else if (securityDomain.startsWith(LEGACY_JAAS_CONTEXT_ROOT))
+ result = securityDomain.substring(LEGACY_JAAS_CONTEXT_ROOT.length());
else
result = securityDomain;
}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/DefaultSecurityManagement.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/DefaultSecurityManagement.java 2011-03-31 17:09:28 UTC (rev 185)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/DefaultSecurityManagement.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -26,6 +26,8 @@
import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.ISecurityManagement;
+import org.jboss.security.JBossJSSESecurityDomain;
+import org.jboss.security.JSSESecurityDomain;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.identitytrust.IdentityTrustManager;
import org.jboss.security.mapping.MappingManager;
@@ -88,5 +90,13 @@
public MappingManager getMappingManager(String securityDomain)
{
return new JBossMappingManager(securityDomain);
- }
+ }
+
+ /**
+ * @see ISecurityManagement#getJSSE(String)
+ */
+ public JSSESecurityDomain getJSSE(String securityDomain)
+ {
+ return new JBossJSSESecurityDomain(securityDomain);
+ }
}
Added: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SecurityKeyManager.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SecurityKeyManager.java (rev 0)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SecurityKeyManager.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -0,0 +1,103 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.plugins;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509KeyManager;
+
+/**
+ * X509KeyManager that allows selection of a key entry to be used.
+ *
+ * @author <a href="mmoyses at redhat.com">Marcus Moyses</a>
+ */
+public class SecurityKeyManager implements X509KeyManager
+{
+ private X509KeyManager delegate;
+
+ private String serverAlias;
+
+ private String clientAlias;
+
+ public SecurityKeyManager(X509KeyManager keyManager, String serverAlias, String clientAlias)
+ {
+ this.delegate = keyManager;
+ this.serverAlias = serverAlias;
+ this.clientAlias = clientAlias;
+ }
+
+ /**
+ * @see X509KeyManager#chooseClientAlias(String[], Principal[], Socket)
+ */
+ public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
+ {
+ if (clientAlias != null)
+ return clientAlias;
+ return delegate.chooseClientAlias(keyType, issuers, socket);
+ }
+
+ /**
+ * @see X509KeyManager#chooseServerAlias(String, Principal[], Socket)
+ */
+ public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
+ {
+ if (serverAlias != null)
+ return serverAlias;
+ return delegate.chooseServerAlias(keyType, issuers, socket);
+ }
+
+ /**
+ * @see X509KeyManager#getCertificateChain(String)
+ */
+ public X509Certificate[] getCertificateChain(String alias)
+ {
+ return delegate.getCertificateChain(alias);
+ }
+
+ /**
+ * @see X509KeyManager#getClientAliases(String, Principal[])
+ */
+ public String[] getClientAliases(String keyType, Principal[] issuers)
+ {
+ return delegate.getClientAliases(keyType, issuers);
+ }
+
+ /**
+ * @see X509KeyManager#getPrivateKey(String)
+ */
+ public PrivateKey getPrivateKey(String alias)
+ {
+ return delegate.getPrivateKey(alias);
+ }
+
+ /**
+ * @see X509KeyManager#getServerAliases(String, Principal[])
+ */
+ public String[] getServerAliases(String keyType, Principal[] issuers)
+ {
+ return delegate.getServerAliases(keyType, issuers);
+ }
+
+}
Modified: trunk/security-spi/spi/src/main/java/org/jboss/security/ISecurityManagement.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/ISecurityManagement.java 2011-03-31 17:09:28 UTC (rev 185)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/ISecurityManagement.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -68,4 +68,12 @@
* @return
*/
public IdentityTrustManager getIdentityTrustManager(String securityDomain);
+
+ /**
+ * JSSE configuration for the security domain
+ *
+ * @param securityDomain the SecurityDomain
+ * @return
+ */
+ public JSSESecurityDomain getJSSE(String securityDomain);
}
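Review bot: The new `getJSSE` Javadoc leaves `@return` empty, repeating the empty `@return` on `getIdentityTrustManager` just above it; fill it in, e.g. `@return the JSSESecurityDomain holding the SSL configuration of the given security domain`. It should also state whether the result may be null and whether the returned domain is already initialized, because callers of the SPI cannot see the implementation. ISecurityManagement's body starts outside the hunk.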
Added: trunk/security-spi/spi/src/main/java/org/jboss/security/JSSESecurityDomain.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/JSSESecurityDomain.java (rev 0)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/JSSESecurityDomain.java 2011-04-15 15:29:53 UTC (rev 186)
@@ -0,0 +1,136 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security;
+
+import java.lang.SecurityException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+// JSSE key and trust managers
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+/**
+ * Security domain used for configuring SSL.
+ *
+ * @author <a href="mmoyses at redhat.com">Marcus Moyses</a>
+ */
+public interface JSSESecurityDomain extends BaseSecurityManager
+{
+ /**
+ * Get the keystore associated with the security domain
+ *
+ * @return the keystore
+ */
+ public KeyStore getKeyStore() throws SecurityException;
+
+ /**
+ * Get the KeyManagerFactory associated with the security domain
+ *
+ * @return the keystore manager factory
+ */
+ public KeyManagerFactory getKeyManagerFactory() throws SecurityException;
+
+ /**
+ * Get the truststore associated with the security domain. This may be the same as the keystore
+ *
+ * @return the truststore
+ */
+ public KeyStore getTrustStore() throws SecurityException;
+
+ /**
+ * Get the TrustManagerFactory associated with the security domain
+ *
+ * @return the truststore manager factory
+ */
+ public TrustManagerFactory getTrustManagerFactory() throws SecurityException;
+
+ /**
+ * Reload/initialize keystore and truststore using the attributes set in the security domain
+ *
+ * @throws Exception if an error occurs
+ */
+ public void reloadKeyAndTrustStore() throws Exception;
+
+ /**
+ * Get the preferred server alias name
+ *
+ * @return the preferred server alias, in case the underlying keystore contains multiple server
+ * aliases that can be used, and we wish to have more control over picking a specific
+ * one. Will return null if no preferred server alias is configured.
+ */
+ public String getServerAlias();
+
+ /**
+ * Get the preferred client alias name
+ *
+ * @return the preferred client alias, in case the underlying keystore contains multiple client
+ * aliases that can be used, and we wish to have more control over picking a specific
+ * one. Will return null if no preferred client alias is configured.
+ */
+ public String getClientAlias();
+
+ /**
+ * Get the client auth flag
+ *
+ * @return true to instruct callers into the implementations of this interface to require
+ * client authentication during the SSL handshake. If this flag is "true", the SSL
+ * handshake is supposed to fail if a client does not provide a valid certificate.
+ */
+ public boolean isClientAuth();
+
+ /**
+ * Returns the key with the given alias from the key store this security domain delegates to.
+ * All keys except public keys require a service authentication token. In case of a public key
+ * the authentication token will be ignored, and it can be safely null.
+ *
+ * @param alias - the alias corresponding to the key to be retrieved.
+ * @param serviceAuthToken - the authentication token that establishes whether the calling
+ * service has the permission to retrieve the key. If no authentication token provided,
+ * or invalid authentication token is provided, the method will throw SecurityException
+ *
+ * @return the requested key, or null if the given alias does not exist or does not identify
+ * a key-related entry.
+ *
+ * @throws SecurityException for missing or invalid serviceAuthToken.
+ *
+ * @throws IllegalStateException if sensitive information is requested, but no service
+ * authorization token is configured on security domain.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Key getKey(String alias, String serviceAuthToken) throws Exception;
+
+ /**
+ * Returns the certificate with the given alias or null if no such certificate exists, from the
+ * trust store this security domain delegates to.
+ *
+ * @param alias - the alias corresponding to the certificate to be retrieved.
+ *
+ * @return the requested certificate, or null if the given alias does not exist or does not
+ * identify a certificate-related entry.
+ *
+ * @see KeyStore#getKey(String, char[])
+ */
+ public Certificate getCertificate(String alias) throws Exception;
+
+}
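Review bot: The Javadoc on `getCertificate` ends with `@see KeyStore#getKey(String, char[])`, copied from `getKey`; it should read `@see KeyStore#getCertificate(String)`. In `getKey`'s `@throws IllegalStateException` text "service authorization token" should be "service authentication token" to match the rest of the interface, and `import java.lang.SecurityException;` is redundant since `java.lang` is always in scope. The accessors `getKeyStore`, `getKeyManagerFactory`, `getTrustStore` and `getTrustManagerFactory` declare `throws SecurityException` without a `@throws` tag saying when it is raised; add the tag or drop the clause.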