djencks 2005/06/17 03:25:10
Modified: modules/core/src/java/org/openejb/corba/security/config/tss
TSSITTAbsent.java TSSITTAnonymous.java
TSSITTDistinguishedName.java
TSSITTPrincipalNameGSSUP.java
TSSITTX509CertChain.java TSSSASIdentityToken.java
TSSSASMechConfig.java
Log:
Make CSS ITT principal get subject from ContextManager. Implement SAS layer
principal identity propagation
Revision Changes Path
1.2 +9 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTAbsent.java
Index: TSSITTAbsent.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTAbsent.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- TSSITTAbsent.java 23 Apr 2005 18:44:30 -0000 1.1
+++ TSSITTAbsent.java 17 Jun 2005 07:25:10 -0000 1.2
@@ -47,7 +47,11 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
+
import org.omg.CSI.ITTAbsent;
+import org.omg.CSI.IdentityToken;
+import org.openejb.corba.security.SASException;
/**
@@ -63,5 +67,9 @@
public String getOID() {
return OID;
+ }
+
+ public Subject check(IdentityToken identityToken) throws SASException {
+ return null;
}
}
1.2 +10 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTAnonymous.java
Index: TSSITTAnonymous.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTAnonymous.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- TSSITTAnonymous.java 23 Apr 2005 18:43:49 -0000 1.1
+++ TSSITTAnonymous.java 17 Jun 2005 07:25:10 -0000 1.2
@@ -47,7 +47,11 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
+
import org.omg.CSI.ITTAnonymous;
+import org.omg.CSI.IdentityToken;
+import org.openejb.corba.security.SASException;
/**
@@ -63,5 +67,10 @@
public String getOID() {
return OID;
+ }
+
+ public Subject check(IdentityToken identityToken) throws SASException {
+ //TODO figure out if this is correct
+ return null;
}
}
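Review bot: Returning null here makes an explicit ITTAnonymous assertion indistinguishable from the no-token case, since TSSSASMechConfig.check also returns null when no identity token is present; if the caller treats null as "fall back to the authentication-layer subject", an anonymous assertion would silently inherit the intermediary's own identity rather than run as anonymous. Consider returning an empty subject instead, `return new Subject();`, or at least replace the TODO with a statement of the intended contract, e.g. `// ITTAnonymous: the client explicitly asserts no identity; callers must not substitute the auth-layer subject for a null return.` Whichever is chosen should match the null semantics of TSSITTAbsent.check, which currently returns the same value for a different meaning.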
1.2 +9 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTDistinguishedName.java
Index: TSSITTDistinguishedName.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTDistinguishedName.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- TSSITTDistinguishedName.java 24 Apr 2005 04:37:12 -0000 1.1
+++ TSSITTDistinguishedName.java 17 Jun 2005 07:25:10 -0000 1.2
@@ -47,7 +47,11 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
+
import org.omg.CSI.ITTDistinguishedName;
+import org.omg.CSI.IdentityToken;
+import org.openejb.corba.security.SASException;
/**
@@ -63,5 +67,9 @@
public String getOID() {
return OID;
+ }
+
+ public Subject check(IdentityToken identityToken) throws SASException {
+ throw new SASException(1, new Exception("NYI -- distinguished name
identity token"));
}
}
1.2 +41 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTPrincipalNameGSSUP.java
Index: TSSITTPrincipalNameGSSUP.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTPrincipalNameGSSUP.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- TSSITTPrincipalNameGSSUP.java 23 Apr 2005 18:43:49 -0000 1.1
+++ TSSITTPrincipalNameGSSUP.java 17 Jun 2005 07:25:10 -0000 1.2
@@ -47,8 +47,21 @@
*/
package org.openejb.corba.security.config.tss;
+import java.security.Principal;
+import javax.security.auth.Subject;
+
import org.omg.CSI.ITTPrincipalName;
+import org.omg.CSI.IdentityToken;
+import org.omg.CSI.GSS_NT_ExportedNameHelper;
import org.omg.GSSUP.GSSUPMechOID;
+import org.omg.CORBA.Any;
+import org.omg.IOP.CodecPackage.FormatMismatch;
+import org.omg.IOP.CodecPackage.TypeMismatch;
+import org.openejb.corba.security.SASException;
+import org.openejb.corba.util.Util;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
+import org.apache.geronimo.security.RealmPrincipal;
+import org.apache.geronimo.security.PrimaryRealmPrincipal;
/**
@@ -57,6 +70,11 @@
public class TSSITTPrincipalNameGSSUP extends TSSSASIdentityToken {
public static final String OID = GSSUPMechOID.value.substring(4);
+ private final String realmName;
+
+ public TSSITTPrincipalNameGSSUP(String realmName) {
+ this.realmName = realmName;
+ }
public short getType() {
return ITTPrincipalName.value;
@@ -64,5 +82,27 @@
public String getOID() {
return OID;
+ }
+
+ public Subject check(IdentityToken identityToken) throws SASException {
+ byte[] principalNameToken = identityToken.principal_name();
+ Any any = null;
+ try {
+ any = Util.getCodec().decode_value(principalNameToken,
GSS_NT_ExportedNameHelper.type());
+ } catch (FormatMismatch formatMismatch) {
+ throw new SASException(1, formatMismatch);
+ } catch (TypeMismatch typeMismatch) {
+ throw new SASException(1, typeMismatch);
+ }
+ byte[] principalNameBytes = GSS_NT_ExportedNameHelper.extract(any);
+ String principalName = Util.decodeGSSExportName(principalNameBytes);
+ Principal basePrincipal = new GeronimoUserPrincipal(principalName);
+ Principal realmPrincipal = new RealmPrincipal(realmName,
basePrincipal);
+ Principal primaryRealmPrincipal = new
PrimaryRealmPrincipal(realmName, basePrincipal);
+ Subject subject = new Subject();
+ subject.getPrincipals().add(basePrincipal);
+ subject.getPrincipals().add(realmPrincipal);
+ subject.getPrincipals().add(primaryRealmPrincipal);
+ return subject;
}
}
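Review bot: The Subject returned by check() is built entirely from the principal name carried in the client-supplied identity token; nothing in this method verifies that the asserting client is a trusted intermediary, so unless that decision is made before check() is called, any client able to open a SAS context could assert an arbitrary principal in the configured realm. If the trust check lives in the caller (the privilege-authority or transport layer), record that here so it is not lost, e.g. `// Precondition: caller has already verified the asserting client is a trusted intermediary.` Separately, realmName may be null (TSSSASMechConfig registers `new TSSITTPrincipalNameGSSUP(null)`), which would produce RealmPrincipal/PrimaryRealmPrincipal with a null realm; failing closed with `if (realmName == null) throw new SASException(1, new Exception("no realm configured for asserted principals"));` at the top of check() avoids handing out principals that no realm owns. Only FormatMismatch/TypeMismatch are caught around the codec call; if Util.decodeGSSExportName can throw on malformed input (not visible here), that exception would escape uncaught.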
1.2 +10 -2
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTX509CertChain.java
Index: TSSITTX509CertChain.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSITTX509CertChain.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- TSSITTX509CertChain.java 24 Apr 2005 04:37:12 -0000 1.1
+++ TSSITTX509CertChain.java 17 Jun 2005 07:25:10 -0000 1.2
@@ -47,7 +47,11 @@
*/
package org.openejb.corba.security.config.tss;
+import javax.security.auth.Subject;
+
import org.omg.CSI.ITTX509CertChain;
+import org.omg.CSI.IdentityToken;
+import org.openejb.corba.security.SASException;
/**
@@ -56,12 +60,16 @@
public class TSSITTX509CertChain extends TSSSASIdentityToken {
public static final String OID = "";
-
+
public short getType() {
return ITTX509CertChain.value;
}
public String getOID() {
return OID;
+ }
+
+ public Subject check(IdentityToken identityToken) throws SASException {
+ throw new SASException(1, new Exception("NYI -- cert chain identity
token"));
}
}
1.3 +8 -1
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASIdentityToken.java
Index: TSSSASIdentityToken.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASIdentityToken.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- TSSSASIdentityToken.java 24 Apr 2005 03:25:59 -0000 1.2
+++ TSSSASIdentityToken.java 17 Jun 2005 07:25:10 -0000 1.3
@@ -48,6 +48,10 @@
package org.openejb.corba.security.config.tss;
import java.io.Serializable;
+import javax.security.auth.Subject;
+
+import org.omg.CSI.IdentityToken;
+import org.openejb.corba.security.SASException;
/**
@@ -59,6 +63,8 @@
public abstract String getOID();
+ public abstract Subject check(IdentityToken identityToken) throws
SASException;
+
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof TSSSASIdentityToken)) return false;
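Review bot: The new abstract `check` carries no contract, yet its implementations disagree on what null means (TSSITTAbsent and TSSITTAnonymous return null, TSSITTPrincipalNameGSSUP returns a populated Subject, two others throw) and on which SASException code to use (all pass the literal 1). Add a javadoc stating it, e.g. `/** Validates identityToken and returns the Subject it asserts, or null when no identity is asserted. @throws SASException if the token is malformed or its type is not supported by this TSS. */`, and name the meaning of the exception's first argument so implementers stop hard-coding `1`. The enclosing class starts outside this hunk.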
@@ -76,4 +82,5 @@
result = 29 * result + (int) getType();
return result;
}
+
}
1.5 +63 -10
openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASMechConfig.java
Index: TSSSASMechConfig.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/config/tss/TSSSASMechConfig.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- TSSSASMechConfig.java 23 Apr 2005 18:44:30 -0000 1.4
+++ TSSSASMechConfig.java 17 Jun 2005 07:25:10 -0000 1.5
@@ -49,20 +49,20 @@
import java.io.Serializable;
import java.util.ArrayList;
-import java.util.HashSet;
+import java.util.HashMap;
import java.util.Iterator;
-import java.util.Set;
+import java.util.Map;
import javax.security.auth.Subject;
import org.omg.CORBA.ORB;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.ITTPrincipalName;
+import org.omg.CSI.IdentityToken;
import org.omg.CSIIOP.DelegationByClient;
import org.omg.CSIIOP.IdentityAssertion;
import org.omg.CSIIOP.SAS_ContextSec;
import org.omg.CSIIOP.ServiceConfiguration;
import org.omg.IOP.Codec;
-
import org.openejb.corba.security.SASException;
import org.openejb.corba.util.Util;
@@ -76,7 +76,7 @@
private short requires;
private boolean required;
private final ArrayList privilegeAuthorities = new ArrayList();
- private final Set idTokens = new HashSet();
+ private final Map idTokens = new HashMap();
public TSSSASMechConfig() {
}
@@ -94,8 +94,10 @@
for (int i = 0; i < n.length; i++) {
String oid = Util.decodeOID(n[i]);
+ //TODO is this needed?
if (TSSITTPrincipalNameGSSUP.OID.equals(oid)) {
- addIdentityToken(new TSSITTPrincipalNameGSSUP());
+ //TODO this doesn't make sense if we plan to use this for
identity check.
+ addIdentityToken(new TSSITTPrincipalNameGSSUP(null));
}
}
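Review bot: `addIdentityToken(new TSSITTPrincipalNameGSSUP(null))` registers a handler whose check() will build principals with a null realm, which the TODO on the line above acknowledges but leaves in place. If this constructor only decodes a peer's ServiceConfiguration for comparison and is never meant to authenticate anything, say so, e.g. `// Decoded from a peer's config: realm is unknown, so this token must not be used for identity checks.`; otherwise the realm should be supplied by the caller. The enclosing constructor starts outside this hunk, so I cannot tell which use is intended.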
@@ -119,7 +121,7 @@
}
public void addIdentityToken(TSSSASIdentityToken token) {
- idTokens.add(token);
+ idTokens.put(new Integer(token.getType()), token);
if (token.getType() > 0) supports |= IdentityAssertion.value;
}
@@ -152,7 +154,7 @@
}
ArrayList list = new ArrayList();
- for (Iterator iter = idTokens.iterator(); iter.hasNext();) {
+ for (Iterator iter = idTokens.values().iterator(); iter.hasNext();) {
TSSSASIdentityToken token = (TSSSASIdentityToken) iter.next();
if (token.getType() == ITTPrincipalName.value) {
@@ -176,8 +178,59 @@
}
public Subject check(EstablishContext msg) throws SASException {
- Subject result = null;
+// Subject result = null;
- return result;
+// try {
+ if (msg.identity_token != null) {
+ IdentityToken identityToken = msg.identity_token;
+ int discriminator = identityToken.discriminator();
+ TSSSASIdentityToken tssIdentityToken = (TSSSASIdentityToken)
idTokens.get(new Integer(discriminator));
+ if (tssIdentityToken == null) {
+ throw new SASException(1, new Exception("Unsupported
IdentityTokenType: " + discriminator));
+ } else {
+ return tssIdentityToken.check(identityToken);
+ }
+ } else {
+ return null;
+ }
+// switch (discriminator) {
+// case org.omg.CSI.ITTAbsent.value:
+// break;
+// case org.omg.CSI.ITTAnonymous.value:
+// //TODO implement this one or figure out if this is
correct???
+// break;
+// case ITTPrincipalName.value:
+// byte[] principalNameToken =
identityToken.principal_name();
+// Any any =
Util.getCodec().decode_value(principalNameToken,
GSS_NT_ExportedNameHelper.type());
+// byte[] principalNameBytes =
GSS_NT_ExportedNameHelper.extract(any);
+// String principalName =
Util.decodeGSSExportName(principalNameBytes);
+// Principal basePrincipal = new
GeronimoUserPrincipal(principalName);
+// //TODO parameterize or otherwise select realm name
+// Principal wrappedPrincipal = new
RealmPrincipal("cts-properties-realm", basePrincipal);
+// result = new Subject();
+// result.getPrincipals().add(basePrincipal);
+// result.getPrincipals().add(wrappedPrincipal);
+// break;
+// case org.omg.CSI.ITTX509CertChain.value:
+// byte[] ccChainBytes =
identityToken.certificate_chain();
+// //TODO implement this one
+// throw new SASException(1, new Exception("NYI --
cert chain identity token"));
+// case org.omg.CSI.ITTDistinguishedName.value:
+// //TODO implement this one
+// throw new SASException(1, new Exception("NYI --
distinguished name identity token"));
+// default:
+// throw new SASException(1);
+// }
+//
+// }
+// } catch (TypeMismatch typeMismatch) {
+// throw new SASException(1, typeMismatch);
+// } catch (FormatMismatch formatMismatch) {
+// throw new SASException(1, formatMismatch);
+//// } catch (UnsupportedEncodingException e) {
+//// throw new SASException(1, e);
+// }
+//
+// return result;
}
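Review bot: A client that asserts no identity is rejected unless a TSSITTAbsent has been registered via addIdentityToken: as far as I can tell the generated `identity_token` union expresses "absent" as discriminator ITTAbsent (0) rather than a null field, so the lookup in idTokens finds nothing and throws `Unsupported IdentityTokenType: 0`, whereas the commented-out switch accepted that case unconditionally. Handle it before the map lookup, `if (discriminator == org.omg.CSI.ITTAbsent.value) return null;`, or make sure every configuration registers TSSITTAbsent. The null return on the no-token path also conflates "no token" with a registered handler that itself returns null; document which the caller should rely on. The large commented-out switch and try/catch should be deleted rather than left as dead code, since its realm name and behaviour no longer match the live implementation.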
}