aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2012-02-10 16:21:09 +0000
committerkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2012-02-10 16:21:09 +0000
commit583d95af8f722f60cf848e603f12f6c0be0e9a59 (patch)
tree9dc0b16193bef244e0c31ff181e48caf7bdc6f74
parent8038e84084386965fb44ca4492f666dd27af186e (diff)
downloadmoa-id-spss-583d95af8f722f60cf848e603f12f6c0be0e9a59.tar.gz
moa-id-spss-583d95af8f722f60cf848e603f12f6c0be0e9a59.tar.bz2
moa-id-spss-583d95af8f722f60cf848e603f12f6c0be0e9a59.zip
* Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur systemweit gesetzt werden kann)
* Update ExternalURIResolver mit ExternalURIVerifier der gegen Blackliste checkt git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java2
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java139
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java111
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java163
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java20
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java51
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java18
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java4
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java2
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java4
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java6
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java2
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java10
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java63
-rw-r--r--spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties8
17 files changed, 203 insertions, 406 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
index 58a07f5e6..7effe8b4f 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java
@@ -44,7 +44,7 @@ public class FileUtils {
* @return file content
* @throws IOException on any exception thrown
*/
- public static byte[] readURL(String urlString) throws IOException {
+ public static byte[] readURL(String urlString) throws IOException {
URL url = new URL(urlString);
InputStream in = new BufferedInputStream(url.openStream());
byte[] content = StreamUtils.readStream(in);
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
index ae83a551d..0401108d5 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
@@ -91,9 +91,13 @@ public class MOAEntityResolver implements EntityResolver {
try {
URI uri = new URI(systemId);
systemId = uri.getPath();
+ System.out.println("MOAEntityResover: " + uri);
if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
return null;
}
+
+ //ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
+
} catch (MalformedURIException e) {
return null;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index b8fa4f412..355918f2d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -419,7 +419,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
templateURL = session.getTemplateURL();
}
if (templateURL != null) {
- try {
+ try {
template = new String(FileUtils.readURL(templateURL));
} catch (IOException ex) {
throw new AuthenticationException(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index 5ae508358..a51fa483f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -225,12 +225,13 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
} else {
redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID());
}
-
+
resp.setContentType("text/html");
resp.setStatus(302);
- resp.addHeader("Location", redirectURL);
- Logger.debug("REDIRECT TO: " + redirectURL);
+ resp.addHeader("Location", redirectURL);
+ Logger.debug("REDIRECT TO: " + redirectURL);
+
}
}
@@ -254,72 +255,72 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
* @param session
* @throws IOException
*/
- private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException {
-
- try {
- AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
- ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
- SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
-
- // get identitity link as byte[]
- Element elem = session.getIdentityLink().getSamlAssertion();
- String s = DOMUtils.serializeNode(elem);
-
- System.out.println("IDL: " + s);
-
- byte[] idl = s.getBytes();
-
- // redirect url
- // build redirect(to the GetMISSessionIdSerlvet)
- String redirectURL =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- GET_MIS_SESSIONID,
- session.getSessionID());
-
- String oaURL = session.getOAURLRequested();
- OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL);
- String profiles = oaParam.getMandateProfiles();
-
- if (profiles == null) {
- Logger.error("No Mandate/Profile for OA configured.");
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
- }
-
- String profilesArray[] = profiles.split(",");
- for(int i = 0; i < profilesArray.length; i++) {
- profilesArray[i] = profilesArray[i].trim();
- }
-
- String oaFriendlyName = oaParam.getFriendlyName();
- String mandateReferenceValue = session.getMandateReferenceValue();
- X509Certificate cert = session.getSignerCertificate();
- MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory);
- String redirectMISGUI = misSessionID.getRedirectURL();
-
- if (misSessionID == null) {
- Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null.");
- throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service.");
- }
-
- session.setMISSessionID(misSessionID.getSessiondId());
-
- resp.setStatus(302);
- resp.addHeader("Location", redirectMISGUI);
- Logger.debug("REDIRECT TO: " + redirectURL);
- }
- catch (MOAIDException ex) {
- handleError(null, ex, req, resp);
- } catch (GeneralSecurityException ex) {
- handleError(null, ex, req, resp);
- } catch (PKIException e) {
- handleError(null, e, req, resp);
- } catch (MISSimpleClientException e) {
- handleError(null, e, req, resp);
- } catch (TransformerException e) {
- handleError(null, e, req, resp);
- }
- }
+// private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException {
+//
+// try {
+// AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
+// ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
+// SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
+//
+// // get identitity link as byte[]
+// Element elem = session.getIdentityLink().getSamlAssertion();
+// String s = DOMUtils.serializeNode(elem);
+//
+// System.out.println("IDL: " + s);
+//
+// byte[] idl = s.getBytes();
+//
+// // redirect url
+// // build redirect(to the GetMISSessionIdSerlvet)
+// String redirectURL =
+// new DataURLBuilder().buildDataURL(
+// session.getAuthURL(),
+// GET_MIS_SESSIONID,
+// session.getSessionID());
+//
+// String oaURL = session.getOAURLRequested();
+// OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL);
+// String profiles = oaParam.getMandateProfiles();
+//
+// if (profiles == null) {
+// Logger.error("No Mandate/Profile for OA configured.");
+// throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
+// }
+//
+// String profilesArray[] = profiles.split(",");
+// for(int i = 0; i < profilesArray.length; i++) {
+// profilesArray[i] = profilesArray[i].trim();
+// }
+//
+// String oaFriendlyName = oaParam.getFriendlyName();
+// String mandateReferenceValue = session.getMandateReferenceValue();
+// X509Certificate cert = session.getSignerCertificate();
+// MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory);
+// String redirectMISGUI = misSessionID.getRedirectURL();
+//
+// if (misSessionID == null) {
+// Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null.");
+// throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service.");
+// }
+//
+// session.setMISSessionID(misSessionID.getSessiondId());
+//
+// resp.setStatus(302);
+// resp.addHeader("Location", redirectMISGUI);
+// Logger.debug("REDIRECT TO: " + redirectURL);
+// }
+// catch (MOAIDException ex) {
+// handleError(null, ex, req, resp);
+// } catch (GeneralSecurityException ex) {
+// handleError(null, ex, req, resp);
+// } catch (PKIException e) {
+// handleError(null, e, req, resp);
+// } catch (MISSimpleClientException e) {
+// handleError(null, e, req, resp);
+// } catch (TransformerException e) {
+// handleError(null, e, req, resp);
+// }
+// }
/**
* Adds a parameter to a URL.
* @param url the URL
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
deleted file mode 100644
index 42ee621e6..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.Iterator;
-import java.util.List;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-
-public class MOASecurityManagerExtended extends SecurityManager {
-
- private List blacklist;
- private boolean allowExternalUris;
-
- public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {
- this.blacklist = blacklist;
- this.allowExternalUris = allowExternalUris;
- }
-
-
- /**
- * Overwrite checkConnect methods with blacklist check
- */
-
- public void checkConnect(String host, int port, Object context) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- else {
- // System.out.println("Perform checkConnect of given SecurityManager");
- super.checkConnect(host, port, context);
- }
- }
-
- public void checkConnect(String host, int port) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- else {
- // System.out.println("Perform checkConnect of given SecurityManager");
- super.checkConnect(host, port);
- }
- }
-
- private boolean checkURI(String host, int port) {
- if (allowExternalUris) {
- Iterator it = blacklist.iterator();
- while (it.hasNext()) {
- String[] array = (String[])it.next();
- String bhost = array[0];
- String bport = array[1];
- if (bport == null) {
- // check only host
- if (bhost.equalsIgnoreCase(host)) {
- // System.out.println("Security check: " + host + " blacklisted");
- return false;
- }
- }
- else {
- // check host and port
- int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- // System.out.println("Security check: " + host + ":" + port + " blacklisted");
- return false;
- }
-
- }
- }
-
- // System.out.println("Security check: " + host + ":" + port + " allowed");
- return true;
- }
- else {
- String localhost = getLocalhostName();
- if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
- // System.out.println("Security check: localhost name allowed");
- return true;
- }
-
- // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
- return false;
- }
- }
- private String getLocalhostName() {
- try {
- // save current SecurityManager
- SecurityManager sm = System.getSecurityManager();
- // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
- System.setSecurityManager(null);
-
- InetAddress localhostaddress = InetAddress.getLocalHost();
- String localhost = localhostaddress.getHostName();
-
- // set previously saved SecurityManager
- System.setSecurityManager(sm);
-
- return localhost;
-
- }
- catch (UnknownHostException e) {
- // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
- return "localhost";
- }
- }
-
-
- /**
- * Don't overwrite other methods
- */
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
deleted file mode 100644
index 530a27a48..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
+++ /dev/null
@@ -1,163 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-
-import java.io.FileDescriptor;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.Permission;
-import java.util.Iterator;
-import java.util.List;
-
-public class MOASecurityManagerSimple extends SecurityManager {
-
- private List blacklist;
- private boolean allowExternalUris;
-
-
- public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {
- this.blacklist = blacklist;
- this.allowExternalUris = allowExternalUris;
- }
-
- /**
- * Overwrite checkConnect methods with blacklist check
- */
-
- public void checkConnect(String host, int port, Object context) {
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- }
-
- public void checkConnect(String host, int port) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- }
-
- private boolean checkURI(String host, int port) {
- if (allowExternalUris) {
- Iterator it = blacklist.iterator();
- while (it.hasNext()) {
- String[] array = (String[])it.next();
- String bhost = array[0];
- String bport = array[1];
- if (bport == null) {
- // check only host
- if (bhost.equalsIgnoreCase(host)) {
- // System.out.println("Security check: " + host + " blacklisted");
- return false;
- }
- }
- else {
- // check host and port
- int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- // System.out.println("Security check: " + host + ":" + port + " blacklisted");
- return false;
- }
-
- }
- }
-
- // System.out.println("Security check: " + host + ":" + port + " allowed");
- return true;
- }
- else {
- String localhost = getLocalhostName();
- if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
- // System.out.println("Security check: localhost name allowed");
- return true;
- }
-
- // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
- return false;
- }
- }
-
- private String getLocalhostName() {
- try {
- // save current SecurityManager
- SecurityManager sm = System.getSecurityManager();
- // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
- System.setSecurityManager(null);
-
- InetAddress localhostaddress = InetAddress.getLocalHost();
- String localhost = localhostaddress.getHostName();
-
- // set previously saved SecurityManager
- System.setSecurityManager(sm);
-
- return localhost;
-
- }
- catch (UnknownHostException e) {
- // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
- return "localhost";
- }
- }
-
-
- /**
- * Overwrite all other methods by doing nothing (as no SecurityManager is set initially)
- */
-
- public void checkAccept(String host, int port) {
- }
- public void checkAccess(Thread t) {
- }
- public void checkAccess(ThreadGroup g) {
- }
- public void checkAwtEventQueueAccess() {
- }
- public void checkCreateClassLoader() {
- }
- public void checkDelete(String file) {
- }
- public void checkExec(String cmd) {
- }
- public void checkExit(int status) {
- }
- public void checkLink(String lib) {
- }
- public void checkListen(int port) {
- }
- public void checkMemberAccess(Class arg0, int arg1) {
- }
- public void checkMulticast(InetAddress maddr, byte ttl) {
- }
- public void checkMulticast(InetAddress maddr) {
- }
- public void checkPackageAccess(String pkg) {
- }
- public void checkPackageDefinition(String pkg) {
- }
- public void checkPermission(Permission perm, Object context) {
- }
- public void checkPermission(Permission perm) {
- }
- public void checkPrintJobAccess() {
- }
- public void checkPropertiesAccess() {
- }
- public void checkPropertyAccess(String key) {
- }
- public void checkRead(FileDescriptor fd) {
- }
- public void checkRead(String file, Object context) {
- }
- public void checkRead(String file) {
- }
- public void checkSecurityAccess(String target) {
- }
- public void checkSetFactory() {
- }
- public void checkSystemClipboardAccess() {
- }
- public void checkWrite(FileDescriptor fd) {
- }
- public void checkWrite(String file) {
- }
-
-
-
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index abc781303..1211b5e94 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder {
Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH);
// if PermitExternalUris element does not exist - don't allow external uris
- if (permitExtUris == null)
- return false;
+ if (permitExtUris == null)
+ return false;
else
return true;
@@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder {
* @return
*/
public List buildPermitExternalUris() {
- if (!allowExternalUris())
- return null;
+
+ info("config.33", null);
List blacklist = new ArrayList();
@@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder {
String host = getElementValue(permitExtElem, CONF + "Host", null);
String port = getElementValue(permitExtElem, CONF + "Port", null);
- //System.out.println("Host:Port = " + host + ":" + port);
+
+ if (port == null)
+ info("config.34", new Object[]{host});
+ else
+ info("config.34", new Object[]{host + ":" + port});
String array[] = new String[2];
array[0] = host;
@@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder {
}
+ if(blacklist.isEmpty()) // no blacklisted uris given
+ info("config.36", null);
+
+
return blacklist;
}
@@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder {
MessageProvider msg = MessageProvider.getInstance();
String txt = msg.getMessage(messageId, args);
- Logger.warn(new LogMsg(txt), t);
+ Logger.warn(new LogMsg(txt), t);
warnings.add(txt);
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index bcd9416b8..a5f861c52 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -33,9 +33,7 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
-import java.net.InetAddress;
import java.net.URL;
-import java.net.UnknownHostException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -48,8 +46,6 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.logging.LogMsg;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple;
import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -373,8 +369,11 @@ public class ConfigurationProvider
if (allowExternalUris_)
blackListedUris_ = builder.buildPermitExternalUris();
- else
+ else {
+ info("config.35", null);
blackListedUris_ = null;
+ }
+
// Set set = crlRetentionIntervals.entrySet();
// Iterator i = set.iterator();
@@ -383,37 +382,7 @@ public class ConfigurationProvider
// System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() );
// }
-
- // set SecurityManager for permitting/disallowing external URIs
- SecurityManager sm = System.getSecurityManager();
-
- if (sm == null) {
- // no security manager exists - create a new one
- Logger.debug(new LogMsg("Create new MOASecurityManagerSimple"));
- sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_);
-
-
- Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
- System.setSecurityManager(sm);
-
- }
- else {
- String classname = sm.getClass().getName();
- if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") &&
- !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) {
- // if SecurityManager is not already a MOASecurityManager
-
- Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)"));
- sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_);
-
- Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
- System.setSecurityManager(sm);
- }
- Logger.debug(new LogMsg("No new MOASecurityManager instantiated"));
- }
-
-
-
+
} catch (Throwable t) {
throw new ConfigurationException("config.11", null, t);
} finally {
@@ -446,7 +415,15 @@ public class ConfigurationProvider
public String getDigestMethodAlgorithmName() {
return digestMethodAlgorithmName;
}
-
+
+ public boolean getAllowExternalUris() {
+ return this.allowExternalUris_;
+ }
+
+ public List getBlackListedUris() {
+ return this.blackListedUris_;
+ }
+
/**
* Return the name of the canonicalization algorithm used during signature
* creation.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 02d282387..ba2513d2f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -24,12 +24,6 @@
package at.gv.egovernment.moa.spss.server.invoke;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-
import iaik.IAIKException;
import iaik.IAIKRuntimeException;
import iaik.server.modules.cmsverify.CMSSignatureVerificationModule;
@@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory;
import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile;
import iaik.server.modules.cmsverify.CMSSignatureVerificationResult;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+
import at.gv.egovernment.moa.logging.LoggingContext;
import at.gv.egovernment.moa.logging.LoggingContextManager;
-
import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.MOAException;
import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
@@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker {
*/
public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request)
throws MOAException {
+
CMSSignatureVerificationProfileFactory profileFactory =
new CMSSignatureVerificationProfileFactory(request);
VerifyCMSSignatureResponseBuilder responseBuilder =
@@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker {
TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
try {
-
// get the signed content
signedContent = getSignedContent(request);
@@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker {
CMSSignatureVerificationModuleFactory.getInstance();
module.setLog(new IaikLog(loggingCtx.getNodeID()));
-
+
module.init(
signature,
signedContent,
@@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker {
while (input.read(buf) > 0);
results = module.verifySignature(signingTime);
+
} catch (IAIKException e) {
MOAException moaException = IaikExceptionMapper.getInstance().map(e);
throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
index 96c20d4a4..e09ade231 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
@@ -37,6 +37,7 @@ import java.net.URLConnection;
import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.ExternalURIVerifier;
/**
* Resolve external URIs and provide them as a stream.
@@ -100,6 +101,9 @@ public class ExternalURIResolver {
try {
// create the URL
url = new URL(uriStr);
+ System.out.println("ExternalURIResolver: " + url);
+ ExternalURIVerifier.verify(url.getHost(), url.getPort());
+
} catch (MalformedURLException e) {
throw new MOAApplicationException("2214", new Object[] { uriStr });
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
index 993c8f7a9..b746333e6 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
@@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService {
CreateXMLSignatureResponse response;
try {
+
Configurator.getInstance().init();
ServiceContextUtils.setUpContexts();
response = invoker.createXMLSignature(request, Collections.EMPTY_SET);
+
return response;
} finally {
ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
index 67bc446b0..5b6033ce1 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
@@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl
Configurator.getInstance().init();
ServiceContextUtils.setUpContexts();
response = invoker.verifyCMSSignature(request);
+
return response;
} finally {
ServiceContextUtils.tearDownContexts();
@@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl
VerifyXMLSignatureResponse response;
try {
+
+
Configurator.getInstance().init();
ServiceContextUtils.setUpContexts();
response = invoker.verifyXMLSignature(request);
+
return response;
} finally {
ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index a123dd4fc..adaf0d376 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker {
module.setLog(new IaikLog(loggingCtx.getNodeID()));
- //@TODO
- SecurityManager sm = System.getSecurityManager();
- System.setSecurityManager(null);
-
result =
module.verifySignature(
xmlSignature,
@@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker {
signingTime,
new TransactionId(context.getTransactionID()));
- //@TODO
- System.setSecurityManager(sm);
} catch (IAIKException e) {
MOAException moaException = IaikExceptionMapper.getInstance().map(e);
throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
index 75f0b1868..3304e262f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
@@ -82,6 +82,7 @@ public class SignatureCreationService {
// handle the request
try {
+
// create a parser and builder for binding API objects to/from XML
CreateXMLSignatureRequestParser requestParser =
new CreateXMLSignatureRequestParser();
@@ -114,6 +115,7 @@ public class SignatureCreationService {
// save response in transaction
context.setResponse(response[0]);
Logger.trace("---- Leaving SignatureCreationService");
+
} catch (MOAException e) {
AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
index 38310f53b..a1caac6a7 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
@@ -66,8 +66,9 @@ public class SignatureVerificationService {
CMSSignatureVerificationInvoker invoker =
CMSSignatureVerificationInvoker.getInstance();
Element[] response = new Element[1];
-
+
try {
+
// create a parser and builder for binding API objects to/from XML
VerifyCMSSignatureRequestParser requestParser =
new VerifyCMSSignatureRequestParser();
@@ -93,7 +94,8 @@ public class SignatureVerificationService {
// save response in transaction
context.setResponse(response[0]);
-
+
+
} catch (MOAException e) {
AxisFault fault = AxisFault.makeFault(e);
fault.setFaultDetail(new Element[] { e.toErrorResponse()});
@@ -128,7 +130,8 @@ public class SignatureVerificationService {
Element[] response = new Element[1];
try {
- // create a parser and builder for binding API objects to/from XML
+
+ // create a parser and builder for binding API objects to/from XML
VerifyXMLSignatureRequestParser requestParser =
new VerifyXMLSignatureRequestParser();
VerifyXMLSignatureResponseBuilder responseBuilder =
@@ -153,6 +156,7 @@ public class SignatureVerificationService {
// save response in transaction
context.setResponse(response[0]);
+
} catch (MOAException e) {
AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
new file mode 100644
index 000000000..9901212db
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.spss.util;
+
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+
+public class ExternalURIVerifier {
+
+ public static void verify(String host, int port) throws MOAApplicationException {
+ try {
+ ConfigurationProvider config = ConfigurationProvider.reload();
+//
+ boolean allowExternalUris = config.getAllowExternalUris();
+ List blacklist = config.getBlackListedUris();
+
+
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ System.out.println("Blacklist check: " + host + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + ":" + port});
+ }
+
+ }
+ }
+ }
+ else {
+ if (port == -1) {
+ System.out.println("No external URI allowed (" + host + ")");
+ throw new MOAApplicationException("4001", new Object[]{host});
+ }
+ else {
+ System.out.println("No external URI allowed (" + host + ":" + port + ")");
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
+ }
+ }
+
+ } catch (ConfigurationException e) {
+ throw new MOAApplicationException("config.10", null);
+ }
+
+
+
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 3920da4d9..61ad9444e 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -88,6 +88,10 @@
3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
+4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+
+
9900=Nicht klassifizierter Fehler in Subsystem
9901=Nicht klassifizierter Laufzeitfehler in Subsystem
9999=Nicht klassifizierter Fehler
@@ -134,6 +138,10 @@ config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei.
config.29=Es sind folgende leichte Fehler aufgetreten:
config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden
config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).
+config.33=External URIs are allowed. Maybe a URI blacklist exists.
+config.34=Blacklisted URI: {0}.
+config.35=External URIs not allowed.
+config.36=No blacklisted URIs given.
handler.00=Starte neue Transaktion: TID={0}, Service={1}
handler.01=Aufruf von Adresse={0}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 13:31:48 +0000