maguro 2005/04/23 14:44:30
Modified: modules/core/src/java/org/openejb/corba/security/config/tss
TSSASMechConfig.java TSSCompoundSecMechConfig.java
TSSCompoundSecMechListConfig.java TSSConfig.java
TSSGSSUPMechConfig.java TSSNULLASMechConfig.java
TSSSASMechConfig.java
Added: modules/core/src/java/org/openejb/corba/security/config/tss
TSSITTAbsent.java
Log:
Better handling of identity assertions.
Revision Changes Path
1.4 +7 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSASMechConfig.java
Index: TSSASMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSASMechConfig.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- TSSASMechConfig.java 28 Mar 2005 21:00:19 -0000 1.3
+++ TSSASMechConfig.java 23 Apr 2005 18:44:29 -0000 1.4
@@ -47,12 +47,16 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
import java.io.Serializable;
import org.omg.CORBA.ORB;
+import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.IOP.Codec;
+import org.openejb.corba.security.SASException;
+
/**
* @version $Rev: $ $Date$
@@ -76,4 +80,6 @@
return result;
}
+
+ public abstract Subject check(EstablishContext msg) throws SASException;
}
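Review bot: The new abstract `check` has no Javadoc, yet the callers added in this commit (TSSCompoundSecMechConfig.check and TSSCompoundSecMechListConfig.check) rely on a precise contract: a null return means "this mechanism established no identity" and a SASException means "evidence was presented and rejected". That distinction should be stated on the declaration, e.g. `/** Validates the client authentication evidence in {@code msg}. @return the authenticated Subject, or null if the message carries no evidence for this mechanism @throws SASException if evidence is present but invalid */`, so that implementors do not collapse the two cases. The class body surrounding the declaration is outside the hunk.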
1.5 +26 -5
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSCompoundSecMechConfig.java
Index: TSSCompoundSecMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSCompoundSecMechConfig.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- TSSCompoundSecMechConfig.java 12 Apr 2005 15:27:49 -0000 1.4
+++ TSSCompoundSecMechConfig.java 23 Apr 2005 18:44:29 -0000 1.5
@@ -48,13 +48,16 @@
package org.openejb.corba.security.config.tss;
import java.io.Serializable;
+import javax.security.auth.Subject;
import org.omg.CORBA.ORB;
+import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.CompoundSecMech;
import org.omg.IOP.Codec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.openejb.corba.security.SASException;
import org.openejb.corba.security.config.ConfigUtil;
@@ -120,19 +123,29 @@
// transport mechanism
result.transport_mech = transport_mech.encodeIOR(orb, codec);
result.target_requires |= transport_mech.getRequires();
- if (log.isDebugEnabled()) log.debug("transport adds: " +
ConfigUtil.flags(transport_mech.getRequires()));
+ if (log.isDebugEnabled()) {
+ log.debug("transport adds supported: " +
ConfigUtil.flags(transport_mech.getSupports()));
+ log.debug("transport adds required: " +
ConfigUtil.flags(transport_mech.getRequires()));
+ }
// AS_ContextSec
result.as_context_mech = as_mech.encodeIOR(orb, codec);
result.target_requires |= as_mech.getRequires();
- if (log.isDebugEnabled()) log.debug("AS adds: " +
ConfigUtil.flags(as_mech.getRequires()));
+ if (log.isDebugEnabled()) {
+ log.debug("AS adds supported: " +
ConfigUtil.flags(as_mech.getSupports()));
+ log.debug("AS adds required: " +
ConfigUtil.flags(as_mech.getRequires()));
+ }
// SAS_ContextSec
result.sas_context_mech = sas_mech.encodeIOR(orb, codec);
result.target_requires |= sas_mech.getRequires();
- if (log.isDebugEnabled()) log.debug("SAS adds: " +
ConfigUtil.flags(sas_mech.getRequires()));
+ if (log.isDebugEnabled()) {
+ log.debug("SAS adds supported: " +
ConfigUtil.flags(sas_mech.getSupports()));
+ log.debug("SAS adds required: " +
ConfigUtil.flags(sas_mech.getRequires()));
+
+ log.debug("REQUIRES: " +
ConfigUtil.flags(result.target_requires));
+ }
- if (log.isDebugEnabled()) log.debug("REQUIRES: " +
ConfigUtil.flags(result.target_requires));
return result;
}
@@ -147,4 +160,12 @@
return result;
}
+ public Subject check(EstablishContext msg) throws SASException {
+ Subject asSubject = as_mech.check(msg);
+ Subject sasSubject = sas_mech.check(msg);
+
+ if (sasSubject != null) return sasSubject;
+
+ return asSubject;
+ }
}
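Review bot: `check` returns the SAS-derived subject in preference to the AS-authenticated one without any check that the AS (or transport) principal is permitted to assert identities, and `sas_mech.check(msg)` receives only the message, so it cannot make that decision itself; unless trust is enforced elsewhere, an asserted identity would be honoured from any authenticated caller once TSSSASMechConfig.check (currently a stub returning null) is implemented. Consider passing the already authenticated subject into the SAS check, e.g. `Subject sasSubject = sas_mech.check(msg, asSubject);`, or at least a comment recording where the trusted-asserter decision is meant to live. The same precedence between the mechanism-list subject and the transport subject appears in the TSSConfig.java hunk. It is worth noting in a comment that `as_mech.check` runs first, so an invalid authentication token is rejected before any identity token is looked at.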
1.4 +16 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSCompoundSecMechListConfig.java
Index: TSSCompoundSecMechListConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSCompoundSecMechListConfig.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- TSSCompoundSecMechListConfig.java 28 Mar 2005 21:00:19 -0000 1.3
+++ TSSCompoundSecMechListConfig.java 23 Apr 2005 18:44:29 -0000 1.4
@@ -49,9 +49,11 @@
import java.io.Serializable;
import java.util.ArrayList;
+import javax.security.auth.Subject;
import org.omg.CORBA.Any;
import org.omg.CORBA.ORB;
+import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.CompoundSecMech;
import org.omg.CSIIOP.CompoundSecMechList;
import org.omg.CSIIOP.CompoundSecMechListHelper;
@@ -59,6 +61,8 @@
import org.omg.IOP.Codec;
import org.omg.IOP.TaggedComponent;
+import org.openejb.corba.security.SASException;
+
/**
* @version $Rev: $ $Date$
@@ -114,6 +118,17 @@
for (int i = 0; i < csml.mechanism_list.length; i++) {
result.add(TSSCompoundSecMechConfig.decodeIOR(codec,
csml.mechanism_list[i]));
+ }
+
+ return result;
+ }
+
+ public Subject check(EstablishContext msg) throws SASException {
+ Subject result = null;
+
+ for (int i = 0; i < mechs.size(); i++) {
+ result = ((TSSCompoundSecMechConfig) mechs.get(i)).check(msg);
+ if (result != null) break;
}
return result;
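Review bot: `check` walks the mechanisms in list order and returns the first non-null subject, but nothing documents that ordering dependency or that a SASException thrown by any mechanism aborts the whole check before later mechanisms are consulted. A short Javadoc on the method, stating that mechanisms are tried in configuration order, the first one establishing a subject wins, and rejection by any mechanism propagates, would make the semantics explicit for anyone reordering the list. The method's closing brace is outside the hunk.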
1.5 +6 -3
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSConfig.java
Index: TSSConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSConfig.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- TSSConfig.java 28 Mar 2005 21:00:19 -0000 1.4
+++ TSSConfig.java 23 Apr 2005 18:44:29 -0000 1.5
@@ -105,8 +105,11 @@
public Subject check(SSLSession session, EstablishContext msg) throws
SASException {
- Subject result = transport_mech.check(session);
+ Subject transportSubject = transport_mech.check(session);
+
+ Subject mechSubject = mechListConfig.check(msg);
+ if (mechSubject != null) return mechSubject;
- return result;
+ return transportSubject;
}
}
1.4 +42 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSGSSUPMechConfig.java
Index: TSSGSSUPMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSGSSUPMechConfig.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- TSSGSSUPMechConfig.java 28 Mar 2005 21:00:19 -0000 1.3
+++ TSSGSSUPMechConfig.java 23 Apr 2005 18:44:29 -0000 1.4
@@ -47,12 +47,22 @@
*/
package org.openejb.corba.security.config.tss;
+import java.io.UnsupportedEncodingException;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
import org.omg.CORBA.ORB;
+import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.CSIIOP.EstablishTrustInClient;
import org.omg.GSSUP.GSSUPMechOID;
+import org.omg.GSSUP.InitialContextToken;
import org.omg.IOP.Codec;
+import org.apache.geronimo.security.jaas.UsernamePasswordCallback;
+
+import org.openejb.corba.security.SASException;
import org.openejb.corba.util.Util;
@@ -103,6 +113,37 @@
result.target_requires = (required ? EstablishTrustInClient.value :
0);
result.client_authentication_mech =
Util.encodeOID(GSSUPMechOID.value);
result.target_name = Util.encodeGSSExportName(GSSUPMechOID.value,
targetName);
+
+ return result;
+ }
+
+ public Subject check(EstablishContext msg) throws SASException {
+ Subject result = null;
+
+ try {
+ if (msg.client_authentication_token != null &&
msg.client_authentication_token.length > 0) {
+ InitialContextToken token = new InitialContextToken();
+
+ if (!Util.decodeGSSUPToken(Util.getCodec(),
msg.client_authentication_token, token)) throw new SASException(2);
+
+ if (token.target_name == null) return null;
+
+ String tokenTargetName = (token.target_name == null ?
targetName : new String(token.target_name, "UTF8"));
+
+ if (!targetName.equals(tokenTargetName)) throw new
SASException(2);
+
+ LoginContext context = new LoginContext(tokenTargetName,
+ new
UsernamePasswordCallback(new String(token.username, "UTF8"),
+
new String(token.password, "UTF8").toCharArray()));
+ context.login();
+ result = context.getSubject();
+ }
+ } catch (UnsupportedEncodingException e) {
+ throw new SASException(1, e);
+ } catch (LoginException e) {
+ throw new SASException(1, e);
+ }
+
return result;
}
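Review bot: `check` never consults the `required` flag: when the message carries no client_authentication_token it returns null, so a target configured to require EstablishTrustInClient still accepts the request with no authenticated subject, and the compound mechanism falls through to whatever the transport layer provides. Rejecting early, e.g. `if (required && (msg.client_authentication_token == null || msg.client_authentication_token.length == 0)) throw new SASException(2);` before the try, would enforce the policy the IOR advertises (use whichever status code SASException defines for missing evidence rather than the constant quoted here). The `token.target_name == null ? targetName : ...` ternary is dead because the line above already returns null for that case, and quietly ignoring a presented token that lacks a target name is probably unintended — rejecting it like the mismatch branch does seems more consistent. Minor: the password is materialized as an immutable String before `toCharArray()`, so it cannot be cleared from memory after login.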
1.5 +11 -2
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSNULLASMechConfig.java
Index: TSSNULLASMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSNULLASMechConfig.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- TSSNULLASMechConfig.java 14 Apr 2005 02:44:28 -0000 1.4
+++ TSSNULLASMechConfig.java 23 Apr 2005 18:44:29 -0000 1.5
@@ -47,11 +47,15 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
+
import org.omg.CORBA.ORB;
+import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.AS_ContextSec;
-import org.omg.IOP.Codec;
import org.omg.GSSUP.GSSUPMechOID;
+import org.omg.IOP.Codec;
+import org.openejb.corba.security.SASException;
import org.openejb.corba.util.Util;
@@ -71,6 +75,7 @@
/**
* Encode a virtually null AS context. Since supports is zero,
everything
* else should be ignored.
+ *
* @param orb
* @param codec
* @return
@@ -85,5 +90,9 @@
result.target_name = Util.encodeGSSExportName(GSSUPMechOID.value,
"");
return result;
+ }
+
+ public Subject check(EstablishContext msg) throws SASException {
+ return null;
}
}
1.4 +37 -34
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASMechConfig.java
Index: TSSSASMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASMechConfig.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- TSSSASMechConfig.java 28 Mar 2005 21:00:19 -0000 1.3
+++ TSSSASMechConfig.java 23 Apr 2005 18:44:30 -0000 1.4
@@ -49,10 +49,13 @@
import java.io.Serializable;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.Iterator;
+import java.util.Set;
+import javax.security.auth.Subject;
import org.omg.CORBA.ORB;
-import org.omg.CSI.ITTAbsent;
+import org.omg.CSI.EstablishContext;
import org.omg.CSI.ITTPrincipalName;
import org.omg.CSIIOP.DelegationByClient;
import org.omg.CSIIOP.IdentityAssertion;
@@ -60,6 +63,7 @@
import org.omg.CSIIOP.ServiceConfiguration;
import org.omg.IOP.Codec;
+import org.openejb.corba.security.SASException;
import org.openejb.corba.util.Util;
@@ -72,8 +76,7 @@
private short requires;
private boolean required;
private final ArrayList privilegeAuthorities = new ArrayList();
- private final ArrayList namingMechanisms = new ArrayList();
- private int identityTypes = ITTAbsent.value;
+ private final Set idTokens = new HashSet();
public TSSSASMechConfig() {
}
@@ -89,10 +92,13 @@
byte[][] n = context.supported_naming_mechanisms;
for (int i = 0; i < n.length; i++) {
- namingMechanisms.add(Util.decodeOID(n[i]));
+ String oid = Util.decodeOID(n[i]);
+
+ if (TSSITTPrincipalNameGSSUP.OID.equals(oid)) {
+ addIdentityToken(new TSSITTPrincipalNameGSSUP());
+ }
}
- identityTypes = context.supported_identity_types;
supports = context.target_supports;
requires = context.target_requires;
}
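Review bot: The decoder no longer reads `context.supported_identity_types` (the `identityTypes = ...` assignment is removed) and only maps the GSSUP naming-mechanism OID to an identity token, so any other identity type advertised in a decoded IOR is dropped and, since encodeIOR now derives supported_identity_types solely from `idTokens`, will not survive a decode/encode round trip. If that is intentional for now, a `// TODO: map the remaining supported_identity_types bits to identity tokens` comment at the loop would flag it. Also, `idTokens` is a HashSet, so unless TSSSASIdentityToken defines equals/hashCode each decode adds a distinct `new TSSITTPrincipalNameGSSUP()` — worth confirming. The enclosing method (presumably the SAS_ContextSec decoder) starts outside the hunk.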
@@ -112,28 +118,10 @@
return privilegeAuthorities.size();
}
- public void addnamingMechanism(String mech) {
- namingMechanisms.add(mech);
-
- identityTypes |= ITTPrincipalName.value;
- supports |= IdentityAssertion.value;
- }
-
- public String namingMechanismAt(int i) {
- return (String) namingMechanisms.get(i);
- }
-
- public int nmSize() {
- return namingMechanisms.size();
- }
-
- public int getIdentityTypes() {
- return identityTypes;
- }
+ public void addIdentityToken(TSSSASIdentityToken token) {
+ idTokens.add(token);
- public void setIdentityTypes(int identityTypes) {
- this.identityTypes = identityTypes;
- if (identityTypes != 0) supports |= IdentityAssertion.value;
+ if (token.getType() > 0) supports |= IdentityAssertion.value;
}
public short getSupports() {
@@ -150,11 +138,11 @@
public void setRequired(boolean required) {
this.required = required;
-
- if (required) requires = (short) (supports &
DelegationByClient.value);
+ if (required) requires |= (short) (supports &
DelegationByClient.value);
}
public SAS_ContextSec encodeIOR(ORB orb, Codec codec) throws Exception {
+
SAS_ContextSec result = new SAS_ContextSec();
int i = 0;
@@ -163,17 +151,32 @@
result.privilege_authorities[i++] =
((TSSServiceConfigurationConfig) iter.next()).generateServiceConfiguration();
}
- i = 0;
- result.supported_naming_mechanisms = new
byte[namingMechanisms.size()][];
- for (Iterator iter = namingMechanisms.iterator(); iter.hasNext();) {
- result.supported_naming_mechanisms[i++] =
Util.encodeOID((String) iter.next());
+ ArrayList list = new ArrayList();
+ for (Iterator iter = idTokens.iterator(); iter.hasNext();) {
+ TSSSASIdentityToken token = (TSSSASIdentityToken) iter.next();
+
+ if (token.getType() == ITTPrincipalName.value) {
+ list.add(token);
+ }
+ result.supported_identity_types |= token.getType();
}
- result.supported_identity_types = identityTypes;
+ i = 0;
+ result.supported_naming_mechanisms = new byte[list.size()][];
+ for (Iterator iter = list.iterator(); iter.hasNext();) {
+ TSSSASIdentityToken token = (TSSSASIdentityToken) iter.next();
+
+ result.supported_naming_mechanisms[i++] =
Util.encodeOID(token.getOID());
+ }
result.target_supports = supports;
result.target_requires = requires;
+ return result;
+ }
+
+ public Subject check(EstablishContext msg) throws SASException {
+ Subject result = null;
return result;
}
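Review bot: `check` ignores `msg` entirely and always returns null, while `addIdentityToken` sets `IdentityAssertion` in `supports` and encodeIOR advertises it, so a target IOR now claims to accept identity assertions that the server then silently discards. The stub should carry a comment so the trust requirement is not lost when it is filled in, e.g. `// TODO: validate msg.identity_token against idTokens; an asserted identity must only be honoured when the asserting principal has been authenticated and is trusted to assert`. The `result` local is redundant — `return null;` says the same thing.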
1.1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTAbsent.java
Index: TSSITTAbsent.java
===================================================================
/* ====================================================================
* Redistribution and use of this software and associated documentation
* ("Software"), with or without modification, are permitted provided
* that the following conditions are met:
*
* 1. Redistributions of source code must retain copyright
* statements and notices. Redistributions must also contain a
* copy of this document.
*
* 2. Redistributions in binary form must reproduce this list of
* conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* 3. The name "OpenEJB" must not be used to endorse or promote
* products derived from this Software without prior written
* permission of The OpenEJB Group. For written permission,
* please contact [EMAIL PROTECTED]
*
* 4. Products derived from this Software may not be called "OpenEJB"
* nor may "OpenEJB" appear in their names without prior written
* permission of The OpenEJB Group. OpenEJB is a registered
* trademark of The OpenEJB Group.
*
* 5. Due credit should be given to the OpenEJB Project
* (http://openejb.org/).
*
* THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
* NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
* FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
* THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the OpenEJB Project. For more information
* please see <http://openejb.org/>.
*
* ====================================================================
*/
package org.openejb.corba.security.config.tss;
import org.omg.CSI.ITTAbsent;
/**
* @version $Rev: $ $Date: 2005/04/23 18:44:30 $
*/
public class TSSITTAbsent extends TSSSASIdentityToken {

    /** An absent identity token names no naming mechanism, so its OID is the empty string. */
    public static final String OID = "";

    /**
     * Identity token type this configuration represents.
     *
     * @return the CSI {@code ITTAbsent} type value
     */
    public short getType() {
        short absentType = ITTAbsent.value;
        return absentType;
    }

    /**
     * Naming-mechanism OID for this token type.
     *
     * @return the empty string, since no naming mechanism applies to an absent token
     */
    public String getOID() {
        return TSSITTAbsent.OID;
    }
}