From 583d95af8f722f60cf848e603f12f6c0be0e9a59 Mon Sep 17 00:00:00 2001 From: kstranacher Date: Fri, 10 Feb 2012 16:21:09 +0000 Subject: * Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur systemweit gesetzt werden kann) * Update ExternalURIResolver mit ExternalURIVerifier der gegen Blackliste checkt git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../java/at/gv/egovernment/moa/util/FileUtils.java | 2 +- .../gv/egovernment/moa/util/MOAEntityResolver.java | 4 + .../moa/id/auth/AuthenticationServer.java | 2 +- .../servlet/VerifyAuthenticationBlockServlet.java | 139 +++++++++--------- .../spss/server/MOASecurityManagerExtended.java | 111 -------------- .../moa/spss/server/MOASecurityManagerSimple.java | 163 --------------------- .../server/config/ConfigurationPartsBuilder.java | 20 ++- .../spss/server/config/ConfigurationProvider.java | 51 ++----- .../invoke/CMSSignatureVerificationInvoker.java | 18 +-- .../spss/server/invoke/ExternalURIResolver.java | 4 + .../invoke/SignatureCreationServiceImpl.java | 2 + .../invoke/SignatureVerificationServiceImpl.java | 4 + .../invoke/XMLSignatureVerificationInvoker.java | 6 - .../server/service/SignatureCreationService.java | 2 + .../service/SignatureVerificationService.java | 10 +- .../moa/spss/util/ExternalURIVerifier.java | 63 ++++++++ .../properties/spss_messages_de.properties | 8 + 17 files changed, 203 insertions(+), 406 deletions(-) delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java diff --git a/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java index 58a07f5e6..7effe8b4f 100644 
--- a/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/FileUtils.java @@ -44,7 +44,7 @@ public class FileUtils { * @return file content * @throws IOException on any exception thrown */ - public static byte[] readURL(String urlString) throws IOException { + public static byte[] readURL(String urlString) throws IOException { URL url = new URL(urlString); InputStream in = new BufferedInputStream(url.openStream()); byte[] content = StreamUtils.readStream(in); diff --git a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java index ae83a551d..0401108d5 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java @@ -91,9 +91,13 @@ public class MOAEntityResolver implements EntityResolver { try { URI uri = new URI(systemId); systemId = uri.getPath(); + System.out.println("MOAEntityResover: " + uri); if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) { return null; } + + //ExternalURIVerifier.verify(uri.getHost(), uri.getPort()); + } catch (MalformedURIException e) { return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index b8fa4f412..355918f2d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -419,7 +419,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { templateURL = session.getTemplateURL(); } if (templateURL != null) { - try { + try { template = new String(FileUtils.readURL(templateURL)); } catch (IOException ex) { throw new AuthenticationException( 
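Review bot: The added `System.out.println("MOAEntityResover: " + uri);` in the MOAEntityResolver hunk writes every resolved system identifier to standard output and bypasses the logging configuration; route it through the project's logger at debug level, e.g. `Logger.debug("MOAEntityResolver: " + uri);`, which also fixes the misspelt class name in the message. The blacklist call is added only as a comment (`//ExternalURIVerifier.verify(uri.getHost(), uri.getPort());`), so nothing in this method enforces the external-URI policy once this commit removes the system-wide SecurityManager. For any scheme other than `file` the method returns null, which, if this is the SAX `resolveEntity` callback, lets the parser open the system identifier itself. Either enforce the check before that return, or delete the commented line and document why entity resolution is exempt from the blacklist. The enclosing method starts and ends outside the hunk.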
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 5ae508358..a51fa483f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -225,12 +225,13 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } else { redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID()); } - + resp.setContentType("text/html"); resp.setStatus(302); - resp.addHeader("Location", redirectURL); - Logger.debug("REDIRECT TO: " + redirectURL); + resp.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); + } } 
@@ -254,72 +255,72 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { * @param session * @throws IOException */ - private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException { - - try { - AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); - ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); - SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); - - // get identitity link as byte[] - Element elem = session.getIdentityLink().getSamlAssertion(); - String s = DOMUtils.serializeNode(elem); - - System.out.println("IDL: " + s); - - byte[] idl = s.getBytes(); - - // redirect url - // build redirect(to the GetMISSessionIdSerlvet) - String redirectURL = - new DataURLBuilder().buildDataURL( - session.getAuthURL(), - GET_MIS_SESSIONID, - session.getSessionID()); - - String oaURL = session.getOAURLRequested(); - OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); - String profiles = oaParam.getMandateProfiles(); - - if (profiles == null) { - Logger.error("No Mandate/Profile for OA configured."); - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); - } - - String profilesArray[] = profiles.split(","); - for(int i = 0; i < profilesArray.length; i++) { - profilesArray[i] = profilesArray[i].trim(); - } - - String oaFriendlyName = oaParam.getFriendlyName(); - String mandateReferenceValue = session.getMandateReferenceValue(); - X509Certificate cert = session.getSignerCertificate(); - MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); - String redirectMISGUI = misSessionID.getRedirectURL(); - - if (misSessionID == null) { - Logger.error("Fehler bei Anfrage an 
Vollmachten Service. MIS Session ID ist null."); - throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); - } - - session.setMISSessionID(misSessionID.getSessiondId()); - - resp.setStatus(302); - resp.addHeader("Location", redirectMISGUI); - Logger.debug("REDIRECT TO: " + redirectURL); - } - catch (MOAIDException ex) { - handleError(null, ex, req, resp); - } catch (GeneralSecurityException ex) { - handleError(null, ex, req, resp); - } catch (PKIException e) { - handleError(null, e, req, resp); - } catch (MISSimpleClientException e) { - handleError(null, e, req, resp); - } catch (TransformerException e) { - handleError(null, e, req, resp); - } - } +// private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException { +// +// try { +// AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); +// ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); +// SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); +// +// // get identitity link as byte[] +// Element elem = session.getIdentityLink().getSamlAssertion(); +// String s = DOMUtils.serializeNode(elem); +// +// System.out.println("IDL: " + s); +// +// byte[] idl = s.getBytes(); +// +// // redirect url +// // build redirect(to the GetMISSessionIdSerlvet) +// String redirectURL = +// new DataURLBuilder().buildDataURL( +// session.getAuthURL(), +// GET_MIS_SESSIONID, +// session.getSessionID()); +// +// String oaURL = session.getOAURLRequested(); +// OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); +// String profiles = oaParam.getMandateProfiles(); +// +// if (profiles == null) { +// Logger.error("No Mandate/Profile for OA configured."); +// throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); +// } +// +// String profilesArray[] = profiles.split(","); 
+// for(int i = 0; i < profilesArray.length; i++) { +// profilesArray[i] = profilesArray[i].trim(); +// } +// +// String oaFriendlyName = oaParam.getFriendlyName(); +// String mandateReferenceValue = session.getMandateReferenceValue(); +// X509Certificate cert = session.getSignerCertificate(); +// MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); +// String redirectMISGUI = misSessionID.getRedirectURL(); +// +// if (misSessionID == null) { +// Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null."); +// throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); +// } +// +// session.setMISSessionID(misSessionID.getSessiondId()); +// +// resp.setStatus(302); +// resp.addHeader("Location", redirectMISGUI); +// Logger.debug("REDIRECT TO: " + redirectURL); +// } +// catch (MOAIDException ex) { +// handleError(null, ex, req, resp); +// } catch (GeneralSecurityException ex) { +// handleError(null, ex, req, resp); +// } catch (PKIException e) { +// handleError(null, e, req, resp); +// } catch (MISSimpleClientException e) { +// handleError(null, e, req, resp); +// } catch (TransformerException e) { +// handleError(null, e, req, resp); +// } +// } /** * Adds a parameter to a URL. * @param url the URL diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java deleted file mode 100644 index 42ee621e6..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java +++ /dev/null 
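Review bot: `callMISService` is commented out line by line instead of being deleted, which leaves roughly seventy lines of dead code in the servlet. Delete the block and rely on version history, leaving at most a one-line pointer such as `// callMISService removed in <commit-id>; see history if the MIS redirect is needed again`. The parked code has two problems that should not come back if it is ever restored: `System.out.println("IDL: " + s);` prints the serialized identity-link SAML assertion to standard output, and the `if (misSessionID == null)` check sits after `misSessionID.getRedirectURL()` has already dereferenced the value.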
@@ -1,111 +0,0 @@ -package at.gv.egovernment.moa.spss.server; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.logging.Logger; - - -public class MOASecurityManagerExtended extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - // System.out.println("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port, context); - } - } - - public void checkConnect(String host, int port) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - // System.out.println("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port); - } - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - // System.out.println("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - // System.out.println("Security check: " + host + ":" + port + " 
blacklisted"); - return false; - } - - } - } - - // System.out.println("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { - // System.out.println("Security check: localhost name allowed"); - return true; - } - - // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Don't overwrite other methods - */ -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java deleted file mode 100644 index 530a27a48..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java +++ /dev/null 
@@ -1,163 +0,0 @@ -package at.gv.egovernment.moa.spss.server; - - -import java.io.FileDescriptor; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.Permission; -import java.util.Iterator; -import java.util.List; - -public class MOASecurityManagerSimple extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - - public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - public void checkConnect(String host, int port) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - // System.out.println("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - // System.out.println("Security check: " + host + ":" + port + " blacklisted"); - return false; - } - - } - } - - // System.out.println("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") 
) { - // System.out.println("Security check: localhost name allowed"); - return true; - } - - // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) - */ - - public void checkAccept(String host, int port) { - } - public void checkAccess(Thread t) { - } - public void checkAccess(ThreadGroup g) { - } - public void checkAwtEventQueueAccess() { - } - public void checkCreateClassLoader() { - } - public void checkDelete(String file) { - } - public void checkExec(String cmd) { - } - public void checkExit(int status) { - } - public void checkLink(String lib) { - } - public void checkListen(int port) { - } - public void checkMemberAccess(Class arg0, int arg1) { - } - public void checkMulticast(InetAddress maddr, byte ttl) { - } - public void checkMulticast(InetAddress maddr) { - } - public void checkPackageAccess(String pkg) { - } - public void checkPackageDefinition(String pkg) { - } - public void checkPermission(Permission perm, Object context) { - } - public void checkPermission(Permission perm) { - } - public void checkPrintJobAccess() { - } - public void checkPropertiesAccess() { - } - public void 
checkPropertyAccess(String key) { - } - public void checkRead(FileDescriptor fd) { - } - public void checkRead(String file, Object context) { - } - public void checkRead(String file) { - } - public void checkSecurityAccess(String target) { - } - public void checkSetFactory() { - } - public void checkSystemClipboardAccess() { - } - public void checkWrite(FileDescriptor fd) { - } - public void checkWrite(String file) { - } - - - -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index abc781303..1211b5e94 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder { Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH); // if PermitExternalUris element does not exist - don't allow external uris - if (permitExtUris == null) - return false; + if (permitExtUris == null) + return false; else return true; @@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder { * @return */ public List buildPermitExternalUris() { - if (!allowExternalUris()) - return null; + + info("config.33", null); List blacklist = new ArrayList(); @@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder { String host = getElementValue(permitExtElem, CONF + "Host", null); String port = getElementValue(permitExtElem, CONF + "Port", null); - //System.out.println("Host:Port = " + host + ":" + port); + + if (port == null) + info("config.34", new Object[]{host}); + else + info("config.34", new Object[]{host + ":" + port}); String array[] = new String[2]; array[0] = host; 
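Review bot: In the loop that fills the blacklist, `host` and `port` are read with `getElementValue(..., null)` and stored without validation, so an entry with no `Host` child logs `null` or `null:port` through `config.34` and puts a null host into the list, and a non-numeric `Port` is accepted as is. The removed `checkURI` called `bhost.equalsIgnoreCase(host)` and `new Integer(bport)` on these entries at connect time; if the new verifier matches the same way (its body is not visible here), a bad entry fails on each request instead of at start-up. Validate at load time: skip or reject the entry when `host` is null or empty, and parse the port once, e.g. `Integer.parseInt(port)` inside a try that records a configuration warning. `buildPermitExternalUris` starts in the previous hunk and continues past this one.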
@@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder { } + if(blacklist.isEmpty()) // no blacklisted uris given + info("config.36", null); + + return blacklist; } @@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder { MessageProvider msg = MessageProvider.getInstance(); String txt = msg.getMessage(messageId, args); - Logger.warn(new LogMsg(txt), t); + Logger.warn(new LogMsg(txt), t); warnings.add(txt); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index bcd9416b8..a5f861c52 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -33,9 +33,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.math.BigInteger; -import java.net.InetAddress; import java.net.URL; -import java.net.UnknownHostException; import java.security.Principal; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -48,8 +46,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.DOMUtils; @@ -373,8 +369,11 @@ public class ConfigurationProvider if (allowExternalUris_) blackListedUris_ = builder.buildPermitExternalUris(); - else + else { + info("config.35", null); blackListedUris_ = null; + } + // Set set = crlRetentionIntervals.entrySet(); // Iterator i = set.iterator(); 
@@ -383,37 +382,7 @@ public class ConfigurationProvider // System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() ); // } - - // set SecurityManager for permitting/disallowing external URIs - SecurityManager sm = System.getSecurityManager(); - - if (sm == null) { - // no security manager exists - create a new one - Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); - sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_); - - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - - } - else { - String classname = sm.getClass().getName(); - if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") && - !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) { - // if SecurityManager is not already a MOASecurityManager - - Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); - sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_); - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - } - Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); - } - - - + } catch (Throwable t) { throw new ConfigurationException("config.11", null, t); } finally { @@ -446,7 +415,15 @@ public class ConfigurationProvider public String getDigestMethodAlgorithmName() { return digestMethodAlgorithmName; } - + + public boolean getAllowExternalUris() { + return this.allowExternalUris_; + } + + public List getBlackListedUris() { + return this.blackListedUris_; + } + /** * Return the name of the canonicalization algorithm used during signature * creation. 
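Review bot: The new accessors `getAllowExternalUris()` and `getBlackListedUris()` have no Javadoc, unlike the getter that follows them, and `getBlackListedUris()` returns the internal raw `List` directly. The Javadoc should say that the list holds `String[]` entries of host and port (the port may be null, judging by the builder), and that the method returns null when external URIs are disallowed, because the earlier hunk in this file sets `blackListedUris_ = null` in that branch; callers therefore have to check `getAllowExternalUris()` first. Returning a null-guarded `Collections.unmodifiableList(blackListedUris_)` would stop callers from changing the policy list at runtime.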
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 02d282387..ba2513d2f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -24,12 +24,6 @@ package at.gv.egovernment.moa.spss.server.invoke; -import java.io.IOException; -import java.io.InputStream; -import java.util.Date; -import java.util.Iterator; -import java.util.List; - import iaik.IAIKException; import iaik.IAIKRuntimeException; import iaik.server.modules.cmsverify.CMSSignatureVerificationModule; @@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory; import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; import iaik.server.modules.cmsverify.CMSSignatureVerificationResult; +import java.io.IOException; +import java.io.InputStream; +import java.util.Date; +import java.util.Iterator; +import java.util.List; + import at.gv.egovernment.moa.logging.LoggingContext; import at.gv.egovernment.moa.logging.LoggingContextManager; - import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; @@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker { */ public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request) throws MOAException { + CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory(request); VerifyCMSSignatureResponseBuilder responseBuilder = 
@@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker { TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); try { - // get the signed content signedContent = getSignedContent(request); @@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker { CMSSignatureVerificationModuleFactory.getInstance(); module.setLog(new IaikLog(loggingCtx.getNodeID())); - + module.init( signature, signedContent, @@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker { while (input.read(buf) > 0); results = module.verifySignature(signingTime); + } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java index 96c20d4a4..e09ade231 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java @@ -37,6 +37,7 @@ import java.net.URLConnection; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.ExternalURIVerifier; /** * Resolve external URIs and provide them as a stream. @@ -100,6 +101,9 @@ public class ExternalURIResolver { try { // create the URL url = new URL(uriStr); + System.out.println("ExternalURIResolver: " + url); + ExternalURIVerifier.verify(url.getHost(), url.getPort()); + } catch (MalformedURLException e) { throw new MOAApplicationException("2214", new Object[] { uriStr }); } 
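Review bot: `url.getPort()` returns -1 when the URI has no explicit port, so `ExternalURIVerifier.verify(url.getHost(), url.getPort())` in the ExternalURIResolver hunk will not match a blacklist entry for host and port 80 on `http://host/` unless the verifier normalises -1 itself (its body is not visible here). Pass the effective port instead: `int port = url.getPort() != -1 ? url.getPort() : url.getDefaultPort();`. The check also sees only the host string of the initial URL, so a redirect followed by the connection opened afterwards, or another name or literal address for the same machine, is presumably not covered; consider disabling automatic redirects on the connection and comparing resolved addresses. The added `System.out.println("ExternalURIResolver: " + url);` should go through the logger at debug level, since a URL can carry user-info or query-string secrets. The enclosing method starts and ends outside the hunk.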
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java index 993c8f7a9..b746333e6 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java @@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService { CreateXMLSignatureResponse response; try { + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.createXMLSignature(request, Collections.EMPTY_SET); + return response; } finally { ServiceContextUtils.tearDownContexts(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java index 67bc446b0..5b6033ce1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java @@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyCMSSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); @@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl VerifyXMLSignatureResponse response; try { + + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyXMLSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index a123dd4fc..adaf0d376 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker { module.setLog(new IaikLog(loggingCtx.getNodeID())); - //@TODO - SecurityManager sm = System.getSecurityManager(); - System.setSecurityManager(null); - result = module.verifySignature( xmlSignature, @@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker { signingTime, new TransactionId(context.getTransactionID())); - //@TODO - System.setSecurityManager(sm); } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java index 75f0b1868..3304e262f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java @@ -82,6 +82,7 @@ public class SignatureCreationService { // handle the request try { + // create a parser and builder for binding API objects to/from XML CreateXMLSignatureRequestParser requestParser = new CreateXMLSignatureRequestParser(); 
@@ -114,6 +115,7 @@ public class SignatureCreationService { // save response in transaction context.setResponse(response[0]); Logger.trace("---- Leaving SignatureCreationService"); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java index 38310f53b..a1caac6a7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java @@ -66,8 +66,9 @@ public class SignatureVerificationService { CMSSignatureVerificationInvoker invoker = CMSSignatureVerificationInvoker.getInstance(); Element[] response = new Element[1]; - + try { + // create a parser and builder for binding API objects to/from XML VerifyCMSSignatureRequestParser requestParser = new VerifyCMSSignatureRequestParser(); @@ -93,7 +94,8 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); - + + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); fault.setFaultDetail(new Element[] { e.toErrorResponse()}); @@ -128,7 +130,8 @@ public class SignatureVerificationService { Element[] response = new Element[1]; try { - // create a parser and builder for binding API objects to/from XML + + // create a parser and builder for binding API objects to/from XML VerifyXMLSignatureRequestParser requestParser = new VerifyXMLSignatureRequestParser(); VerifyXMLSignatureResponseBuilder responseBuilder = @@ -153,6 +156,7 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
new file mode 100644
index 000000000..9901212db
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.spss.util;
+
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+
+public class ExternalURIVerifier {
+
+ public static void verify(String host, int port) throws MOAApplicationException {
+ try {
+ ConfigurationProvider config = ConfigurationProvider.reload();
+//
+ boolean allowExternalUris = config.getAllowExternalUris();
+ List blacklist = config.getBlackListedUris();
+
+
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ System.out.println("Blacklist check: " + host + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host});
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + ":" + port});
+ }
+
+ }
+ }
+ }
+ else {
+ if (port == -1) {
+ System.out.println("No external URI allowed (" + host + ")");
+ throw new MOAApplicationException("4001", new Object[]{host});
+ }
+ else {
+ System.out.println("No external URI allowed (" + host + ":" + port + ")");
+ throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
+ }
+ }
+
+ } catch (ConfigurationException e) {
+ throw new MOAApplicationException("config.10", null);
+ }
+
+
+
+ }
+
+}
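Review bot: In `verify`, the host-and-port branch tests `iport == port`, yet the `port == -1` case handled further down shows that callers pass -1 when the URI has no explicit port, so an entry blacklisted with a port does not match a URI that relies on the scheme's default port. Failing closed there would be safer: `if (bhost.equalsIgnoreCase(host) && (port == -1 || iport == port)) {`. The comparison is also made on the literal host string, so it presumably does not cover the same target written as an IP address or under another name; comparing resolved addresses, or preferring an allowlist of permitted hosts, would make the check more robust. `new Integer(bport)` throws an unchecked NumberFormatException on a malformed configuration entry (use `Integer.parseInt` with a handler that maps it to a MOAApplicationException), the caught ConfigurationException is discarded without being logged, and the `System.out.println` calls should go through the project's `Logger` so that blocked URIs end up in the audit log. `ConfigurationProvider.reload()` on every call looks like it re-reads the configuration for each URI check; please confirm that this is intended rather than a cached lookup.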
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index 3920da4d9..61ad9444e 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -88,6 +88,10 @@ 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}") 3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}") +4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten) +4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden + + 9900=Nicht klassifizierter Fehler in Subsystem 9901=Nicht klassifizierter Laufzeitfehler in Subsystem 9999=Nicht klassifizierter Fehler @@ -134,6 +138,10 @@ config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei. config.29=Es sind folgende leichte Fehler aufgetreten: config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}). +config.33=External URIs are allowed. Maybe a URI blacklist exists. +config.34=Blacklisted URI: {0}. +config.35=External URIs not allowed. +config.36=No blacklisted URIs given. handler.00=Starte neue Transaktion: TID={0}, Service={1} handler.01=Aufruf von Adresse={0} -- cgit v1.2.3