author | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2012-02-10 16:21:09 +0000 |
---|---|---|
committer | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2012-02-10 16:21:09 +0000 |
commit | 583d95af8f722f60cf848e603f12f6c0be0e9a59 (patch) | |
tree | 9dc0b16193bef244e0c31ff181e48caf7bdc6f74 /spss/server/serverlib/src/main | |
parent | 8038e84084386965fb44ca4492f666dd27af186e (diff) | |
* Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur systemweit gesetzt werden kann)
* Update ExternalURIResolver mit ExternalURIVerifier der gegen Blackliste checkt
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'spss/server/serverlib/src/main')
13 files changed, 127 insertions, 335 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
deleted file mode 100644
index 42ee621e6..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.Iterator;
-import java.util.List;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-
-public class MOASecurityManagerExtended extends SecurityManager {
-
- private List blacklist;
- private boolean allowExternalUris;
-
- public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {
- this.blacklist = blacklist;
- this.allowExternalUris = allowExternalUris;
- }
-
-
- /**
- * Overwrite checkConnect methods with blacklist check
- */
-
- public void checkConnect(String host, int port, Object context) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- else {
- // System.out.println("Perform checkConnect of given SecurityManager");
- super.checkConnect(host, port, context);
- }
- }
-
- public void checkConnect(String host, int port) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- else {
- // System.out.println("Perform checkConnect of given SecurityManager");
- super.checkConnect(host, port);
- }
- }
-
- private boolean checkURI(String host, int port) {
- if (allowExternalUris) {
- Iterator it = blacklist.iterator();
- while (it.hasNext()) {
- String[] array = (String[])it.next();
- String bhost = array[0];
- String bport = array[1];
- if (bport == null) {
- // check only host
- if (bhost.equalsIgnoreCase(host)) {
- // System.out.println("Security check: " + host + " blacklisted");
- return false;
- }
- }
- else {
- // check host and port
- int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- // System.out.println("Security check: " + host + ":" + port + " blacklisted");
- return false;
- }
-
- }
- }
-
- // System.out.println("Security check: " + host + ":" + port + " allowed");
- return true;
- }
- else {
- String localhost = getLocalhostName();
- if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
- // System.out.println("Security check: localhost name allowed");
- return true;
- }
-
- // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
- return false;
- }
- }
- private String getLocalhostName() {
- try {
- // save current SecurityManager
- SecurityManager sm = System.getSecurityManager();
- // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
- System.setSecurityManager(null);
-
- InetAddress localhostaddress = InetAddress.getLocalHost();
- String localhost = localhostaddress.getHostName();
-
- // set previously saved SecurityManager
- System.setSecurityManager(sm);
-
- return localhost;
-
- }
- catch (UnknownHostException e) {
- // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
- return "localhost";
- }
- }
-
-
- /**
- * Don't overwrite other methods
- */
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
deleted file mode 100644
index 530a27a48..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
+++ /dev/null
@@ -1,163 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-
-import java.io.FileDescriptor;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.Permission;
-import java.util.Iterator;
-import java.util.List;
-
-public class MOASecurityManagerSimple extends SecurityManager {
-
- private List blacklist;
- private boolean allowExternalUris;
-
-
- public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {
- this.blacklist = blacklist;
- this.allowExternalUris = allowExternalUris;
- }
-
- /**
- * Overwrite checkConnect methods with blacklist check
- */
-
- public void checkConnect(String host, int port, Object context) {
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- }
-
- public void checkConnect(String host, int port) {
- // System.out.println("checkConnect: " + host + ":" + port);
- if (!checkURI(host, port))
- throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
- }
-
- private boolean checkURI(String host, int port) {
- if (allowExternalUris) {
- Iterator it = blacklist.iterator();
- while (it.hasNext()) {
- String[] array = (String[])it.next();
- String bhost = array[0];
- String bport = array[1];
- if (bport == null) {
- // check only host
- if (bhost.equalsIgnoreCase(host)) {
- // System.out.println("Security check: " + host + " blacklisted");
- return false;
- }
- }
- else {
- // check host and port
- int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- // System.out.println("Security check: " + host + ":" + port + " blacklisted");
- return false;
- }
-
- }
- }
-
- // System.out.println("Security check: " + host + ":" + port + " allowed");
- return true;
- }
- else {
- String localhost = getLocalhostName();
- if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
- // System.out.println("Security check: localhost name allowed");
- return true;
- }
-
- // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
- return false;
- }
- }
-
- private String getLocalhostName() {
- try {
- // save current SecurityManager
- SecurityManager sm = System.getSecurityManager();
- // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
- System.setSecurityManager(null);
-
- InetAddress localhostaddress = InetAddress.getLocalHost();
- String localhost = localhostaddress.getHostName();
-
- // set previously saved SecurityManager
- System.setSecurityManager(sm);
-
- return localhost;
-
- }
- catch (UnknownHostException e) {
- // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
- return "localhost";
- }
- }
-
-
- /**
- * Overwrite all other methods by doing nothing (as no SecurityManager is set initially)
- */
-
- public void checkAccept(String host, int port) {
- }
- public void checkAccess(Thread t) {
- }
- public void checkAccess(ThreadGroup g) {
- }
- public void checkAwtEventQueueAccess() {
- }
- public void checkCreateClassLoader() {
- }
- public void checkDelete(String file) {
- }
- public void checkExec(String cmd) {
- }
- public void checkExit(int status) {
- }
- public void checkLink(String lib) {
- }
- public void checkListen(int port) {
- }
- public void checkMemberAccess(Class arg0, int arg1) {
- }
- public void checkMulticast(InetAddress maddr, byte ttl) {
- }
- public void checkMulticast(InetAddress maddr) {
- }
- public void checkPackageAccess(String pkg) {
- }
- public void checkPackageDefinition(String pkg) {
- }
- public void checkPermission(Permission perm, Object context) {
- }
- public void checkPermission(Permission perm) {
- }
- public void checkPrintJobAccess() {
- }
- public void checkPropertiesAccess() {
- }
- public void checkPropertyAccess(String key) {
- }
- public void checkRead(FileDescriptor fd) {
- }
- public void checkRead(String file, Object context) {
- }
- public void checkRead(String file) {
- }
- public void checkSecurityAccess(String target) {
- }
- public void checkSetFactory() {
- }
- public void checkSystemClipboardAccess() {
- }
- public void checkWrite(FileDescriptor fd) {
- }
- public void checkWrite(String file) {
- }
-
-
-
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index abc781303..1211b5e94 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder { Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH); // if PermitExternalUris element does not exist - don't allow external uris - if (permitExtUris == null) - return false; + if (permitExtUris == null) + return false; else return true; @@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder { * @return */ public List buildPermitExternalUris() { - if (!allowExternalUris()) - return null; + + info("config.33", null); List blacklist = new ArrayList(); @@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder { String host = getElementValue(permitExtElem, CONF + "Host", null); String port = getElementValue(permitExtElem, CONF + "Port", null); - //System.out.println("Host:Port = " + host + ":" + port); + + if (port == null) + info("config.34", new Object[]{host}); + else + info("config.34", new Object[]{host + ":" + port}); String array[] = new String[2]; array[0] = host; @@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder { } + if(blacklist.isEmpty()) // no blacklisted uris given + info("config.36", null); + + return blacklist; } @@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder { MessageProvider msg = MessageProvider.getInstance(); String txt = msg.getMessage(messageId, args); - Logger.warn(new LogMsg(txt), t); + Logger.warn(new LogMsg(txt), t); warnings.add(txt); } 
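Review bot: In the `@@ -411,7 +411,11 @@` hunk, `host` and `port` go into the blacklist array exactly as read, with no check that `host` is present or that `port` is numeric. Both come from `getElementValue(..., null)`, so presumably either can be null or malformed. A null host would then fail at `bhost.equalsIgnoreCase(host)` and a non-numeric port at `new Integer(bport)` in ExternalURIVerifier, at request time instead of at configuration load. Validate here: skip an entry without a host, parse the port once with `Integer.parseInt(port)` in a try/catch, and record a configuration warning for rejected entries. The body of `buildPermitExternalUris` continues outside this hunk, so the loop structure is not visible.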
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index bcd9416b8..a5f861c52 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -33,9 +33,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.math.BigInteger; -import java.net.InetAddress; import java.net.URL; -import java.net.UnknownHostException; import java.security.Principal; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -48,8 +46,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.DOMUtils; @@ -373,8 +369,11 @@ public class ConfigurationProvider if (allowExternalUris_) blackListedUris_ = builder.buildPermitExternalUris(); - else + else { + info("config.35", null); blackListedUris_ = null; + } + // Set set = crlRetentionIntervals.entrySet(); // Iterator i = set.iterator(); 
@@ -383,37 +382,7 @@ public class ConfigurationProvider // System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() ); // } - - // set SecurityManager for permitting/disallowing external URIs - SecurityManager sm = System.getSecurityManager(); - - if (sm == null) { - // no security manager exists - create a new one - Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); - sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_); - - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - - } - else { - String classname = sm.getClass().getName(); - if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") && - !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) { - // if SecurityManager is not already a MOASecurityManager - - Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); - sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_); - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - } - Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); - } - - - + } catch (Throwable t) { throw new ConfigurationException("config.11", null, t); } finally { @@ -446,7 +415,15 @@ public class ConfigurationProvider public String getDigestMethodAlgorithmName() { return digestMethodAlgorithmName; } - + + public boolean getAllowExternalUris() { + return this.allowExternalUris_; + } + + public List getBlackListedUris() { + return this.blackListedUris_; + } + /** * Return the name of the canonicalization algorithm used during signature * creation. 
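Review bot: The new `getBlackListedUris()` in the `@@ -446,7 +415,15 @@` hunk returns the internal `blackListedUris_` list itself, and per the `else` branch in the `@@ -373,8 +369,11 @@` hunk it returns null whenever external URIs are disallowed; neither is documented. Add Javadoc to both getters stating that contract, for example `/** @return list of String[]{host, port} blacklist entries, or null if external URIs are not permitted */`. Alternatively, return an unmodifiable (possibly empty) list so callers can neither hit a null nor alter the configured blacklist.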
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 02d282387..ba2513d2f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -24,12 +24,6 @@ package at.gv.egovernment.moa.spss.server.invoke; -import java.io.IOException; -import java.io.InputStream; -import java.util.Date; -import java.util.Iterator; -import java.util.List; - import iaik.IAIKException; import iaik.IAIKRuntimeException; import iaik.server.modules.cmsverify.CMSSignatureVerificationModule; @@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory; import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; import iaik.server.modules.cmsverify.CMSSignatureVerificationResult; +import java.io.IOException; +import java.io.InputStream; +import java.util.Date; +import java.util.Iterator; +import java.util.List; + import at.gv.egovernment.moa.logging.LoggingContext; import at.gv.egovernment.moa.logging.LoggingContextManager; - import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; @@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker { */ public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request) throws MOAException { + CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory(request); VerifyCMSSignatureResponseBuilder responseBuilder = 
@@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker { TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); try { - // get the signed content signedContent = getSignedContent(request); @@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker { CMSSignatureVerificationModuleFactory.getInstance(); module.setLog(new IaikLog(loggingCtx.getNodeID())); - + module.init( signature, signedContent, @@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker { while (input.read(buf) > 0); results = module.verifySignature(signingTime); + } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java index 96c20d4a4..e09ade231 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java @@ -37,6 +37,7 @@ import java.net.URLConnection; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.ExternalURIVerifier; /** * Resolve external URIs and provide them as a stream. @@ -100,6 +101,9 @@ public class ExternalURIResolver { try { // create the URL url = new URL(uriStr); + System.out.println("ExternalURIResolver: " + url); + ExternalURIVerifier.verify(url.getHost(), url.getPort()); + } catch (MalformedURLException e) { throw new MOAApplicationException("2214", new Object[] { uriStr }); } 
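Review bot: In the ExternalURIResolver hunk, `ExternalURIVerifier.verify(url.getHost(), url.getPort())` passes -1 whenever the URI has no explicit port, because that is what `URL.getPort()` returns in that case. A blacklist entry configured with a host and a port therefore never matches a URI that relies on the scheme's default port, although the connection goes to that port. Pass the effective port instead: `int port = url.getPort() != -1 ? url.getPort() : url.getDefaultPort();`. The added `System.out.println("ExternalURIResolver: " + url)` writes every requested URI, including any userinfo or query string, to stdout; send it through the project's `Logger` at debug level or drop it. The enclosing method starts and ends outside the hunk.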
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java index 993c8f7a9..b746333e6 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java @@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService { CreateXMLSignatureResponse response; try { + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.createXMLSignature(request, Collections.EMPTY_SET); + return response; } finally { ServiceContextUtils.tearDownContexts(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java index 67bc446b0..5b6033ce1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java @@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyCMSSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); @@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl VerifyXMLSignatureResponse response; try { + + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyXMLSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index a123dd4fc..adaf0d376 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker { module.setLog(new IaikLog(loggingCtx.getNodeID())); - //@TODO - SecurityManager sm = System.getSecurityManager(); - System.setSecurityManager(null); - result = module.verifySignature( xmlSignature, @@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker { signingTime, new TransactionId(context.getTransactionID())); - //@TODO - System.setSecurityManager(sm); } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java index 75f0b1868..3304e262f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java @@ -82,6 +82,7 @@ public class SignatureCreationService { // handle the request try { + // create a parser and builder for binding API objects to/from XML CreateXMLSignatureRequestParser requestParser = new CreateXMLSignatureRequestParser(); 
@@ -114,6 +115,7 @@ public class SignatureCreationService { // save response in transaction context.setResponse(response[0]); Logger.trace("---- Leaving SignatureCreationService"); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java index 38310f53b..a1caac6a7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java @@ -66,8 +66,9 @@ public class SignatureVerificationService { CMSSignatureVerificationInvoker invoker = CMSSignatureVerificationInvoker.getInstance(); Element[] response = new Element[1]; - + try { + // create a parser and builder for binding API objects to/from XML VerifyCMSSignatureRequestParser requestParser = new VerifyCMSSignatureRequestParser(); @@ -93,7 +94,8 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); - + + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); fault.setFaultDetail(new Element[] { e.toErrorResponse()}); @@ -128,7 +130,8 @@ public class SignatureVerificationService { Element[] response = new Element[1]; try { - // create a parser and builder for binding API objects to/from XML + + // create a parser and builder for binding API objects to/from XML VerifyXMLSignatureRequestParser requestParser = new VerifyXMLSignatureRequestParser(); VerifyXMLSignatureResponseBuilder responseBuilder = @@ -153,6 +156,7 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
new file mode 100644
index 000000000..9901212db
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.spss.util;
+
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+
+public class ExternalURIVerifier {
+
+ public static void verify(String host, int port) throws MOAApplicationException {
+ try {
+ ConfigurationProvider config = ConfigurationProvider.reload();
+//
+ boolean allowExternalUris = config.getAllowExternalUris();
+ List blacklist = config.getBlackListedUris();
+
+
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ System.out.println("Blacklist check: " + host + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + ":" + port});
+ }
+
+ }
+ }
+ }
+ else {
+ if (port == -1) {
+ System.out.println("No external URI allowed (" + host + ")");
+ throw new MOAApplicationException("4001", new Object[]{host});
+ }
+ else {
+ System.out.println("No external URI allowed (" + host + ":" + port + ")");
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
+ }
+ }
+
+ } catch (ConfigurationException e) {
+ throw new MOAApplicationException("config.10", null);
+ }
+
+
+
+ }
+
+}
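Review bot: The blacklist match in `verify` is a literal string comparison (`bhost.equalsIgnoreCase(host)`), so an entry blocks only that exact spelling of the host. Another DNS name or address notation for the same machine is not covered, and the check says nothing about where the connection finally lands. If the blacklist is meant to shield internal services, resolve the host with `InetAddress.getAllByName` and compare the resolved addresses, and state the remaining limits in a class Javadoc. `ConfigurationProvider.reload()` runs on every call; if it re-reads the configuration as its name suggests, use the already loaded configuration instead. Also replace the `System.out.println` calls with the project `Logger`, and handle the unchecked NumberFormatException that `new Integer(bport)` can throw, since `catch (ConfigurationException e)` does not catch it.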
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index 3920da4d9..61ad9444e 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -88,6 +88,10 @@ 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
+4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+
+
9900=Nicht klassifizierter Fehler in Subsystem
9901=Nicht klassifizierter Laufzeitfehler in Subsystem
9999=Nicht klassifizierter Fehler
@@ -134,6 +138,10 @@ config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei. config.29=Es sind folgende leichte Fehler aufgetreten:
config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden
config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).
+config.33=External URIs are allowed. Maybe a URI blacklist exists.
+config.34=Blacklisted URI: {0}.
+config.35=External URIs not allowed.
+config.36=No blacklisted URIs given.
handler.00=Starte neue Transaktion: TID={0}, Service={1}
handler.01=Aufruf von Adresse={0}