From 8038e84084386965fb44ca4492f666dd27af186e Mon Sep 17 00:00:00 2001 From: kstranacher Date: Fri, 10 Feb 2012 00:02:07 +0000 Subject: Update zu Blacklisten git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1237 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/spss/MOASecurityManagerExtended.java | 111 -------------- .../moa/spss/MOASecurityManagerSimple.java | 165 --------------------- .../spss/server/MOASecurityManagerExtended.java | 111 ++++++++++++++ .../moa/spss/server/MOASecurityManagerSimple.java | 163 ++++++++++++++++++++ .../spss/server/config/ConfigurationProvider.java | 19 +-- .../invoke/XMLSignatureVerificationInvoker.java | 7 + 6 files changed, 291 insertions(+), 285 deletions(-) delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java (limited to 'spss') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java deleted file mode 100644 index ab9c01daa..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java +++ /dev/null @@ -1,111 +0,0 @@ -package at.gv.egovernment.moa.spss; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.logging.Logger; - - -public class MOASecurityManagerExtended extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - Logger.debug("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - Logger.debug("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port, context); - } - } - - public void checkConnect(String host, int port) { - Logger.debug("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - Logger.debug("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port); - } - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - Logger.debug("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - Logger.debug("Security check: " + host + ":" + port + " blacklisted"); - return false; - } - - } - } - - Logger.debug("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { - Logger.debug("Security check: localhost name allowed"); - return true; - } - - Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Don't overwrite other methods - */ -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java deleted file mode 100644 index 361a75e4c..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java +++ /dev/null @@ -1,165 +0,0 @@ -package at.gv.egovernment.moa.spss; - -import java.io.FileDescriptor; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.Permission; -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.logging.Logger; - -public class MOASecurityManagerSimple extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - - public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - //Logger.debug("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - public void checkConnect(String host, int port) { - //Logger.debug("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - //Logger.debug("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - //Logger.debug("Security check: " + host + ":" + port + " blacklisted"); - return false; - } - - } - } - - //Logger.debug("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { - //Logger.debug("Security check: localhost name allowed"); - return true; - } - - //Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - //Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) - */ - - public void checkAccept(String host, int port) { - } - public void checkAccess(Thread t) { - } - public void checkAccess(ThreadGroup g) { - } - public void checkAwtEventQueueAccess() { - } - public void checkCreateClassLoader() { - } - public void checkDelete(String file) { - } - public void checkExec(String cmd) { - } - public void checkExit(int status) { - } - public void checkLink(String lib) { - } - public void checkListen(int port) { - } - public void checkMemberAccess(Class arg0, int arg1) { - } - public void checkMulticast(InetAddress maddr, byte ttl) { - } - public void checkMulticast(InetAddress maddr) { - } - public void checkPackageAccess(String pkg) { - } - public void checkPackageDefinition(String pkg) { - } - public void checkPermission(Permission perm, Object context) { - } - public void checkPermission(Permission perm) { - } - public void checkPrintJobAccess() { - } - public void checkPropertiesAccess() { - } - public void checkPropertyAccess(String key) { - } - public void checkRead(FileDescriptor fd) { - } - public void checkRead(String file, Object context) { - } - public void checkRead(String file) { - } - public void checkSecurityAccess(String target) { - } - public void checkSetFactory() { - } - public void checkSystemClipboardAccess() { - } - public void checkWrite(FileDescriptor fd) { - } - public void checkWrite(String file) { - } - - - -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java new file mode 100644 index 000000000..42ee621e6 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java @@ -0,0 +1,111 @@ +package at.gv.egovernment.moa.spss.server; + +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.Iterator; +import java.util.List; + +import at.gv.egovernment.moa.logging.Logger; + + +public class MOASecurityManagerExtended extends SecurityManager { + + private List blacklist; + private boolean allowExternalUris; + + public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) { + this.blacklist = blacklist; + this.allowExternalUris = allowExternalUris; + } + + + /** + * Overwrite checkConnect methods with blacklist check + */ + + public void checkConnect(String host, int port, Object context) { + // System.out.println("checkConnect: " + host + ":" + port); + if (!checkURI(host, port)) + throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); + else { + // System.out.println("Perform checkConnect of given SecurityManager"); + super.checkConnect(host, port, context); + } + } + + public void checkConnect(String host, int port) { + // System.out.println("checkConnect: " + host + ":" + port); + if (!checkURI(host, port)) + throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); + else { + // System.out.println("Perform checkConnect of given SecurityManager"); + super.checkConnect(host, port); + } + } + + private boolean checkURI(String host, int port) { + if (allowExternalUris) { + Iterator it = blacklist.iterator(); + while (it.hasNext()) { + String[] array = (String[])it.next(); + String bhost = array[0]; + String bport = array[1]; + if (bport == null) { + // check only host + if (bhost.equalsIgnoreCase(host)) { + // System.out.println("Security check: " + host + " blacklisted"); + return false; + } + } + else { + // check host and port + int iport = new Integer(bport).intValue(); + if (bhost.equalsIgnoreCase(host) && (iport == port)) { + // System.out.println("Security check: " + host + ":" + port + " blacklisted"); + return false; + } + + } + } + + // System.out.println("Security check: " + host + ":" + port + " allowed"); + return true; + } + else { + String localhost = getLocalhostName(); + if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { + // System.out.println("Security check: localhost name allowed"); + return true; + } + + // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); + return false; + } + } + private String getLocalhostName() { + try { + // save current SecurityManager + SecurityManager sm = System.getSecurityManager(); + // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) + System.setSecurityManager(null); + + InetAddress localhostaddress = InetAddress.getLocalHost(); + String localhost = localhostaddress.getHostName(); + + // set previously saved SecurityManager + System.setSecurityManager(sm); + + return localhost; + + } + catch (UnknownHostException e) { + // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); + return "localhost"; + } + } + + + /** + * Don't overwrite other methods + */ +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java new file mode 100644 index 000000000..530a27a48 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java @@ -0,0 +1,163 @@ +package at.gv.egovernment.moa.spss.server; + + +import java.io.FileDescriptor; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.Permission; +import java.util.Iterator; +import java.util.List; + +public class MOASecurityManagerSimple extends SecurityManager { + + private List blacklist; + private boolean allowExternalUris; + + + public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) { + this.blacklist = blacklist; + this.allowExternalUris = allowExternalUris; + } + + /** + * Overwrite checkConnect methods with blacklist check + */ + + public void checkConnect(String host, int port, Object context) { + if (!checkURI(host, port)) + throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); + } + + public void checkConnect(String host, int port) { + // System.out.println("checkConnect: " + host + ":" + port); + if (!checkURI(host, port)) + throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); + } + + private boolean checkURI(String host, int port) { + if (allowExternalUris) { + Iterator it = blacklist.iterator(); + while (it.hasNext()) { + String[] array = (String[])it.next(); + String bhost = array[0]; + String bport = array[1]; + if (bport == null) { + // check only host + if (bhost.equalsIgnoreCase(host)) { + // System.out.println("Security check: " + host + " blacklisted"); + return false; + } + } + else { + // check host and port + int iport = new Integer(bport).intValue(); + if (bhost.equalsIgnoreCase(host) && (iport == port)) { + // System.out.println("Security check: " + host + ":" + port + " blacklisted"); + return false; + } + + } + } + + // System.out.println("Security check: " + host + ":" + port + " allowed"); + return true; + } + else { + String localhost = getLocalhostName(); + if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { + // System.out.println("Security check: localhost name allowed"); + return true; + } + + // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); + return false; + } + } + + private String getLocalhostName() { + try { + // save current SecurityManager + SecurityManager sm = System.getSecurityManager(); + // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) + System.setSecurityManager(null); + + InetAddress localhostaddress = InetAddress.getLocalHost(); + String localhost = localhostaddress.getHostName(); + + // set previously saved SecurityManager + System.setSecurityManager(sm); + + return localhost; + + } + catch (UnknownHostException e) { + // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); + return "localhost"; + } + } + + + /** + * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) + */ + + public void checkAccept(String host, int port) { + } + public void checkAccess(Thread t) { + } + public void checkAccess(ThreadGroup g) { + } + public void checkAwtEventQueueAccess() { + } + public void checkCreateClassLoader() { + } + public void checkDelete(String file) { + } + public void checkExec(String cmd) { + } + public void checkExit(int status) { + } + public void checkLink(String lib) { + } + public void checkListen(int port) { + } + public void checkMemberAccess(Class arg0, int arg1) { + } + public void checkMulticast(InetAddress maddr, byte ttl) { + } + public void checkMulticast(InetAddress maddr) { + } + public void checkPackageAccess(String pkg) { + } + public void checkPackageDefinition(String pkg) { + } + public void checkPermission(Permission perm, Object context) { + } + public void checkPermission(Permission perm) { + } + public void checkPrintJobAccess() { + } + public void checkPropertiesAccess() { + } + public void checkPropertyAccess(String key) { + } + public void checkRead(FileDescriptor fd) { + } + public void checkRead(String file, Object context) { + } + public void checkRead(String file) { + } + public void checkSecurityAccess(String target) { + } + public void checkSetFactory() { + } + public void checkSystemClipboardAccess() { + } + public void checkWrite(FileDescriptor fd) { + } + public void checkWrite(String file) { + } + + + +} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 9e0a7fd53..bcd9416b8 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -48,8 +48,8 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.MOASecurityManagerExtended; -import at.gv.egovernment.moa.spss.MOASecurityManagerSimple; +import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended; +import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.DOMUtils; @@ -386,29 +386,30 @@ public class ConfigurationProvider // set SecurityManager for permitting/disallowing external URIs SecurityManager sm = System.getSecurityManager(); + if (sm == null) { // no security manager exists - create a new one - //Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); + Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_); - //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); + Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); System.setSecurityManager(sm); } else { String classname = sm.getClass().getName(); - if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerSimple") && - !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerExtended")) { + if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") && + !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) { // if SecurityManager is not already a MOASecurityManager - // Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); + Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_); - //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); + Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); System.setSecurityManager(sm); } - //Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); + Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index a57c807a1..a123dd4fc 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -212,6 +212,10 @@ public class XMLSignatureVerificationInvoker { module.setLog(new IaikLog(loggingCtx.getNodeID())); + //@TODO + SecurityManager sm = System.getSecurityManager(); + System.setSecurityManager(null); + result = module.verifySignature( xmlSignature, @@ -219,6 +223,9 @@ public class XMLSignatureVerificationInvoker { profile, signingTime, new TransactionId(context.getTransactionID())); + + //@TODO + System.setSecurityManager(sm); } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; -- cgit v1.2.3