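package at.gv.egovernment.moa.id.auth;

import iaik.pki.PKIException;
import iaik.security.ecc.provider.ECCProvider;
import iaik.security.provider.IAIK;

import java.io.IOException;
import java.security.GeneralSecurityException;

import javax.activation.CommandMap;
import javax.activation.MailcapCommandMap;

import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.logging.LoggingContext;
import at.gv.egovernment.moa.logging.LoggingContextManager;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;

/**
 * Web application initializer.
 *
 * <p>Runs the one-time start-up sequence of MOA-ID Auth: logging, security
 * providers, JSSE defaults, MOA-ID Auth configuration, MOA-SP and the
 * background cleaner threads. {@link #initialize()} is idempotent and
 * thread-safe; a failed run resets {@link #initialized} so that the next
 * caller retries instead of silently running against a half-initialized
 * application.
 *
 * @author Paul Ivancsics
 * @version $Id$
 */
public class MOAIDAuthInitializer {

  /**
   * Default value for the {@code https.cipherSuites} system property, applied
   * only when the property is not already set by the operator (see
   * {@link #setDefaultCipherSuites()}).
   *
   * <p>Mapping OpenSSL name -> Java name (from {@code openssl ciphers -tls1 HIGH}):
   * <pre>
   * ADH-AES256-SHA        TLS_DH_anon_WITH_AES_256_CBC_SHA
   * DHE-RSA-AES256-SHA    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   * DHE-DSS-AES256-SHA    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
   * AES256-SHA            TLS_RSA_WITH_AES_256_CBC_SHA
   * ADH-AES128-SHA        TLS_DH_anon_WITH_AES_128_CBC_SHA
   * DHE-RSA-AES128-SHA    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   * DHE-DSS-AES128-SHA    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   * AES128-SHA            TLS_RSA_WITH_AES_128_CBC_SHA
   * ADH-DES-CBC3-SHA      SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
   * DES-CBC3-SHA          SSL_RSA_WITH_3DES_EDE_CBC_SHA
   * </pre>
   *
   * <p>NOTE(review): the {@code *_DH_anon_*} entries are anonymous suites and
   * therefore provide no server authentication, and the 3DES suites are
   * deprecated. Deployments that do not need them should override this
   * default via {@code -Dhttps.cipherSuites=...} with an authenticated,
   * AES-only list; the list is kept here unchanged for compatibility.
   */
  private static final String DEFAULT_HTTPS_CIPHER_SUITES =
      "TLS_DH_anon_WITH_AES_128_CBC_SHA"
      + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
      + ",TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
      + ",TLS_RSA_WITH_AES_128_CBC_SHA"
      + ",TLS_RSA_WITH_AES_256_CBC_SHA"
      + ",SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
      + ",SSL_RSA_WITH_3DES_EDE_CBC_SHA";

  /**
   * {@code true} once {@link #initialize()} has started (and not failed).
   * Volatile so that the flag is visible to all threads; writes happen only
   * inside the synchronized {@link #initialize()}.
   */
  public static volatile boolean initialized = false;

  /**
   * Initializes the web application components which need initialization:
   * logging, JSSE, MOA-ID Auth configuration, Axis, session cleaner.
   *
   * <p>The method is synchronized so that concurrent callers (e.g. several
   * servlets starting up) cannot both pass the {@code initialized} check and
   * run the sequence twice. If any step throws, {@code initialized} is reset
   * to {@code false} before the exception propagates, so a later call
   * retries instead of returning early with a partially initialized system.
   *
   * @throws ConfigurationException if the MOA-ID Auth or MOA-SP configuration
   *     cannot be loaded ({@code config.10} wraps the MOA-SP failure)
   * @throws PKIException propagated from the PKI / SSL initialization
   * @throws IOException propagated from the configuration loading
   * @throws GeneralSecurityException propagated from the SSL initialization
   */
  public static synchronized void initialize()
      throws ConfigurationException, PKIException, IOException, GeneralSecurityException {
    if (initialized) {
      return;
    }
    // Set the flag up front (as before) so that a re-entrant call from within
    // the start-up sequence on the same thread returns immediately.
    initialized = true;

    boolean success = false;
    try {
      doInitialize();
      success = true;
    } finally {
      if (!success) {
        // Allow a retry; leaving the flag set would hide the failure from
        // every subsequent caller.
        initialized = false;
      }
    }
  }

  /**
   * Runs the start-up sequence once; the order of the steps matters
   * (provider registration and the JSSE class-loading workaround must
   * precede the SSL initialization, the configuration must be loaded before
   * MOA-SP is configured and before the cleaner threads start).
   */
  private static void doInitialize()
      throws ConfigurationException, PKIException, IOException, GeneralSecurityException {
    Logger.setHierarchy("moa.id.auth");
    Logger.info("Default java file.encoding: " + System.getProperty("file.encoding"));

    Logger.info("Loading security providers.");
    // NOTE(review): IAIK is registered again below, after the JSSE class
    // loading workaround; this early registration is kept because removing
    // it could change the resulting provider order.
    IAIK.addAsProvider();

    // JDK bug workaround according to:
    // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier
    // register content data handlers for S/MIME types
    MailcapCommandMap mc = new MailcapCommandMap();
    CommandMap.setDefaultCommandMap(mc);

    setDefaultCipherSuites();

    // load some jsse classes so that the integrity of the jars can be
    // verified before the iaik jce is installed as the security provider;
    // this workaround is only needed when sun jsse is used in conjunction
    // with iaik-jce (on jdk1.3)
    ClassLoader cl = MOAIDAuthInitializer.class.getClassLoader();
    try {
      cl.loadClass("javax.security.cert.Certificate"); // from jcert.jar
    } catch (ClassNotFoundException e) {
      // best effort: the missing class is only logged, start-up continues
      Logger.warn(MOAIDMessageProvider.getInstance().getMessage("init.01", null), e);
    }

    IAIK.addAsProvider();
    ECCProvider.addAsProvider();

    // Initializes SSLSocketFactory store
    SSLUtils.initialize();

    initNamespaceMap();

    // Initialize configuration provider
    AuthConfiguration authConf = AuthConfigurationProviderFactory.reload();

    // test, if MOA-ID is already configured
    authConf.getPublicURLPrefix();

    initMoaSp();

    // Starts the session cleaner thread to remove unpicked authentication data
    AuthenticationSessionCleaner.start();
    MOAGarbageCollector.start();
  }

  /**
   * Sets {@code https.cipherSuites} to {@link #DEFAULT_HTTPS_CIPHER_SUITES}
   * unless the operator has already set the property (an explicitly
   * configured value always wins).
   */
  private static void setDefaultCipherSuites() {
    if (MiscUtil.isEmpty(System.getProperty("https.cipherSuites"))) {
      System.setProperty("https.cipherSuites", DEFAULT_HTTPS_CIPHER_SUITES);
    }
  }

  /** Registers the SAML, ECDSA and DSig prefixes in the shared namespace map. */
  private static void initNamespaceMap() {
    Constants.nSMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI);
    Constants.nSMap.put(Constants.ECDSA_PREFIX, "http://www.w3.org/2001/04/xmldsig-more#");
    Constants.nSMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI);
  }

  /**
   * Initializes MOA-SP (used only via API calls since MOA-ID 3.0.0) under a
   * "startup" logging context.
   *
   * @throws ConfigurationException ({@code config.10}) wrapping the MOA-SP
   *     configuration failure, with the original exception as cause
   */
  private static void initMoaSp() throws ConfigurationException {
    try {
      LoggingContextManager.getInstance().setLoggingContext(new LoggingContext("startup"));
      ConfigurationProvider config = ConfigurationProvider.getInstance();
      new IaikConfigurator().configure(config);
    } catch (at.gv.egovernment.moa.spss.server.config.ConfigurationException ex) {
      throw new ConfigurationException("config.10", new Object[] { ex.toString() }, ex);
    }
  }
}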