authorclemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2009-08-26 17:31:32 +0000
committerclemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2009-08-26 17:31:32 +0000
commit145003155c05e915b900989a27cef1271398164b (patch)
tree3be36976836a106a8c7ce635551dac42d08aa5ec
parent15d354a20c45cc5737438fe121696637f7dec1c8 (diff)
downloadmocca-145003155c05e915b900989a27cef1271398164b.tar.gz
mocca-145003155c05e915b900989a27cef1271398164b.tar.bz2
mocca-145003155c05e915b900989a27cef1271398164b.zip
MOCCA TLS Server CA cert installation servlet
removed help.jsp (and jsp dependencies in jetty); moved html pages to src/main/webapp (encoding problem?); switched to BASIC download protocol in BKUWebStart (no jnlpDownloadServlet required, see template.xml) git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@474 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
-rw-r--r--BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java17
-rw-r--r--BKUHelp/pom.xml9
-rw-r--r--BKULocal/pom.xml2
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java149
-rw-r--r--BKULocal/src/main/webapp/WEB-INF/web.xml19
-rw-r--r--BKULocal/src/main/webapp/img/chip16.icobin0 -> 1150 bytes
-rw-r--r--BKULocal/src/main/webapp/img/chip48.pngbin0 -> 2771 bytes
-rw-r--r--BKULocal/src/main/webapp/index.html56
-rw-r--r--BKUOnline/pom.xml7
-rw-r--r--BKUWebStart/pom.xml28
-rw-r--r--BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java2
-rw-r--r--BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java210
-rw-r--r--BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java7
-rw-r--r--BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java3
-rw-r--r--BKUWebStart/src/main/jnlp/resources/version.xml35
-rw-r--r--BKUWebStart/src/main/jnlp/template.xml22
16 files changed, 387 insertions, 179 deletions
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java
index b871263e..6fd1ffea 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java
@@ -38,6 +38,11 @@ import org.apache.commons.logging.LogFactory;
*/
public abstract class AbstractHelpListener implements ActionListener {
+ /**
+ * any locale not in the list will be mapped to 'de'
+ */
+ public static final String[] SUPPORTED_LANGUAGES = new String[] { "de" };
+
protected final static Log log = LogFactory.getLog(AbstractHelpListener.class);
protected URL baseURL;
protected Locale locale;
@@ -71,12 +76,14 @@ public abstract class AbstractHelpListener implements ActionListener {
URL helpURL = baseURL;
log.trace("constructing help URL: " + helpURL);
try {
- if (locale != null) {
- helpURL = new URL(helpURL, locale.toString() + "/");
- log.trace("constructing help URL: " + helpURL);
- }
+ // not localized for now
+ //check if locale.getLanguage() supported and add default if not
+// if (locale != null) {
+// helpURL = new URL(helpURL, locale.toString() + "/");
+// log.trace("constructing help URL: " + helpURL);
+// }
if (helpTopic != null && !"".equals(helpTopic)) {
- helpURL = new URL(helpURL, helpTopic + ".html");
+ helpURL = new URL(helpURL, "de/" + helpTopic + ".html");
log.trace("constructing help URL: " + helpURL);
}
} catch (MalformedURLException ex) {
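Review bot: The `SUPPORTED_LANGUAGES` constant added in the first hunk of this file is never consulted here; the language segment is hard-coded at `helpURL = new URL(helpURL, "de/" + helpTopic + ".html");`, so the constant and the actual fallback can drift apart. Deriving the prefix from the constant, e.g. `helpURL = new URL(helpURL, SUPPORTED_LANGUAGES[0] + "/" + helpTopic + ".html");`, keeps the fallback in one place (the constant's Javadoc says unlisted locales map to 'de', so element 0 is that fallback). The commented-out locale block would be clearer as a one-line TODO than as dead code. If `helpTopic` can ever originate outside the GUI it is concatenated into the URL path unescaped — worth confirming where it comes from. The enclosing method begins before this hunk.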
diff --git a/BKUHelp/pom.xml b/BKUHelp/pom.xml
index ec2ad47d..6dbfd55f 100644
--- a/BKUHelp/pom.xml
+++ b/BKUHelp/pom.xml
@@ -7,6 +7,13 @@
</parent>
<groupId>at.gv.egiz</groupId>
<artifactId>BKUHelp</artifactId>
- <version>1.1</version>
+ <version>1.2-SNAPSHOT</version>
<name>BKU Help</name>
+ <build>
+ <resources>
+ <resource>
+ <directory>src/main/webapp</directory>
+ </resource>
+ </resources>
+ </build>
</project> \ No newline at end of file
diff --git a/BKULocal/pom.xml b/BKULocal/pom.xml
index 523357f2..b3487f68 100644
--- a/BKULocal/pom.xml
+++ b/BKULocal/pom.xml
@@ -111,7 +111,7 @@
<dependency>
<artifactId>BKUHelp</artifactId>
<groupId>at.gv.egiz</groupId>
- <version>1.1</version>
+ <version>1.2-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java
new file mode 100644
index 00000000..0a9d001b
--- /dev/null
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.local.webapp;
+
+import iaik.pkcs.PKCS7CertList;
+import iaik.utils.Util;
+import java.io.IOException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class InstallCertificateServlet extends HttpServlet {
+ public static final String HTTPS_REDIRECT = "https://localhost:3496/";
+
+ public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate";
+ protected PKCS7CertList p7c;
+ private static final Log log = LogFactory.getLog(InstallCertificateServlet.class);
+
+ @Override
+ public void init() throws ServletException {
+ super.init();
+ Certificate caCert = (Certificate) getServletContext().getAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE);
+ if (caCert != null) {
+ try {
+ p7c = new PKCS7CertList();
+ p7c.setCertificateList(new iaik.x509.X509Certificate[] { Util.convertCertificate(caCert) });
+ } catch (CertificateException ex) {
+ log.error("failed to import local ca certificate " + SERVER_CA_CERTIFICATE_ATTRIBUTE, ex);
+ }
+ } else {
+ log.error("failed to import local ca certificate " + SERVER_CA_CERTIFICATE_ATTRIBUTE);
+ }
+ }
+
+ /**
+ * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
+ * @param request servlet request
+ * @param response servlet response
+ * @throws ServletException if a servlet-specific error occurs
+ * @throws IOException if an I/O error occurs
+ */
+ protected void processRequest(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+
+// try {
+// SSLContext sslCtx1 = SSLContext.getDefault();
+// log.debug("Default SSLContext (" + sslCtx1.getProtocol() + "): " + sslCtx1.getClass().getName());
+// } catch (NoSuchAlgorithmException ex) {
+// log.debug("no sslContext: " + ex.getMessage(), ex);
+// }
+//
+// try {
+// SSLContext sslCtx2 = SSLContext.getInstance("TLS");
+// log.debug("TLS SSLContext: " + sslCtx2.getClass().getName());
+//
+// SSLServerSocketFactory serverSocketFactory = sslCtx2.getServerSocketFactory();
+// SSLSessionContext serverSessionContext = sslCtx2.getServerSessionContext();
+//
+// if (serverSocketFactory != null) {
+// log.debug("SSL ServerSocketFactory: " + serverSocketFactory.getClass().getName());
+// }
+// if (serverSessionContext != null) {
+// log.debug("SSL ServerSessionContext: " + serverSessionContext.getClass().getName());
+// }
+// } catch (NoSuchAlgorithmException ex) {
+// log.debug("no sslContext: " + ex.getMessage(), ex);
+// }
+//
+// try {
+// SSLContext sslCtx3 = SSLContext.getInstance("SSLv3");
+// log.debug("TLS SSLContext: " + sslCtx3.getClass().getName());
+// } catch (NoSuchAlgorithmException ex) {
+// log.debug("no sslContext: " + ex.getMessage(), ex);
+// }
+
+
+
+
+
+ if (p7c != null) {
+ log.debug("returning local ca certificate");
+ response.setContentType("application/x-x509-ca-cert");
+ p7c.writeTo(response.getOutputStream());
+ response.getOutputStream().flush();
+ } else {
+ log.debug("no local ca certificate, redirecting to " + HTTPS_REDIRECT);
+ response.sendRedirect(HTTPS_REDIRECT);
+ }
+
+ }
+
+ // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
+ /**
+ * Handles the HTTP <code>GET</code> method.
+ * @param request servlet request
+ * @param response servlet response
+ * @throws ServletException if a servlet-specific error occurs
+ * @throws IOException if an I/O error occurs
+ */
+ @Override
+ protected void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ processRequest(request, response);
+ }
+
+ /**
+ * Handles the HTTP <code>POST</code> method.
+ * @param request servlet request
+ * @param response servlet response
+ * @throws ServletException if a servlet-specific error occurs
+ * @throws IOException if an I/O error occurs
+ */
+ @Override
+ protected void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ processRequest(request, response);
+ }
+
+ /**
+ * Returns a short description of the servlet.
+ * @return a String containing servlet description
+ */
+ @Override
+ public String getServletInfo() {
+ return "Short description";
+ }// </editor-fold>
+}
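Review bot: `HTTPS_REDIRECT` pins the fallback redirect to port 3496, while the container's HTTPS port is configurable (Launcher reads it via `Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3496)`), so a non-default port sends the browser to a closed socket; passing the effective port into the servlet context the same way the CA certificate is passed would keep the two in sync. The roughly thirty commented-out SSLContext lines at the top of `processRequest` are dead code and should be dropped or reduced to a one-line TODO. `getServletInfo` still returns the IDE placeholder `"Short description"`; something like `return "Serves the MOCCA TLS server CA certificate for browser installation";` is more useful. Because this servlet hands out a CA certificate for trust installation, a class-level comment noting that it is reachable over the plain HTTP connector and is intended for loopback use only would help maintainers (assuming the connectors bind to localhost, which this file does not show).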
diff --git a/BKULocal/src/main/webapp/WEB-INF/web.xml b/BKULocal/src/main/webapp/WEB-INF/web.xml
index 83f33d9e..8768dbd8 100644
--- a/BKULocal/src/main/webapp/WEB-INF/web.xml
+++ b/BKULocal/src/main/webapp/WEB-INF/web.xml
@@ -1,5 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<!--
Copyright 2008 Federal Chancellery Austria and
Graz University of Technology
@@ -16,7 +15,7 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<web-app id="WebApp_ID">
+<web-app id="bkulocal" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>http-security-layer-request</display-name>
<!-- Begin Spring Config -->
@@ -36,14 +35,14 @@
<servlet-name>BKUServlet</servlet-name>
<servlet-class>at.gv.egiz.bku.local.webapp.BKURequestHandler</servlet-class>
</servlet>
- <servlet>
- <servlet-name>help</servlet-name>
- <jsp-file>/help.jsp</jsp-file>
- </servlet>
<servlet>
<servlet-name>PINManagementServlet</servlet-name>
<servlet-class>at.gv.egiz.bku.local.webapp.PINManagementServlet</servlet-class>
</servlet>
+ <servlet>
+ <servlet-name>InstallCertificateServlet</servlet-name>
+ <servlet-class>at.gv.egiz.bku.local.webapp.InstallCertificateServlet</servlet-class>
+ </servlet>
<servlet-mapping>
<servlet-name>BKUServlet</servlet-name>
<url-pattern>/http-security-layer-request</url-pattern>
@@ -52,16 +51,16 @@
<servlet-name>BKUServlet</servlet-name>
<url-pattern>/https-security-layer-request</url-pattern>
</servlet-mapping>
- <servlet-mapping>
- <servlet-name>help</servlet-name>
- <url-pattern>/help/*</url-pattern>
- </servlet-mapping>
<!-- Begin BKU Config -->
<servlet-mapping>
<servlet-name>PINManagementServlet</servlet-name>
<url-pattern>/PINManagement</url-pattern>
</servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>InstallCertificateServlet</servlet-name>
+ <url-pattern>/installCertificate</url-pattern>
+ </servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
diff --git a/BKULocal/src/main/webapp/img/chip16.ico b/BKULocal/src/main/webapp/img/chip16.ico
new file mode 100644
index 00000000..42175127
--- /dev/null
+++ b/BKULocal/src/main/webapp/img/chip16.ico
Binary files differ
diff --git a/BKULocal/src/main/webapp/img/chip48.png b/BKULocal/src/main/webapp/img/chip48.png
new file mode 100644
index 00000000..491fbcac
--- /dev/null
+++ b/BKULocal/src/main/webapp/img/chip48.png
Binary files differ
diff --git a/BKULocal/src/main/webapp/index.html b/BKULocal/src/main/webapp/index.html
index 537c154a..6aefe43c 100644
--- a/BKULocal/src/main/webapp/index.html
+++ b/BKULocal/src/main/webapp/index.html
@@ -14,21 +14,45 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
- <head>
- <title>BKU Web Start - Willkommen</title>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <style type="text/css" media="all">@import "css/main.css";</style>
- </head>
- <body>
- <h1>BKU Web Start - Willkommen</h1>
- <div>
- <p>Diese Seite installiert das MOCCA Zertifikat in ihrem Browser.
- In jedem weiteren Browser können sie dieses durch Aufruf <a href="https://localhost:3496/index.html">dieser Seite</a> ebenso installieren.</p>
- </div>
- <div>
- <a href="PINManagement?redirect=./index.html">PIN Verwaltung</a>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>Bürgerkarte - Willkommen</title>
+ <link href="help/help.css" rel="stylesheet" type="text/css" />
+ <link rel="shortcut icon" href="img/chip16.ico" type="image/x-icon"/>
+ </head>
+
+ <body class="twoColElsLtHdr">
+
+ <div id="container">
+ <div id="header">
+ <h1>Bürgerkarte</h1>
+ <!-- end #header --></div>
+ <div id="mainContent" style="margin: 1.5em 1.5em 0 1.5em">
+ <div style="float:left; margin-right:1em">
+ <img src="img/chip48.png" alt="Logo" width="48" height="48"/>
</div>
- </body>
+ <p>Um die Bürgerkartenumgebung zu verwenden installieren Sie bitte
+ zunächst das <a href="installCertificate">CA Zertifikat</a>.
+ </p>
+
+ <p style="float:none">Weiters können Sie</p>
+ <ul>
+ <li>die <a href="help">Hilfe durchsehen</a>,</li>
+ <li>die <a href="PINManagement?redirect=./index.html">PIN Verwaltung starten</a> oder </li>
+ <li>in jedem weiteren Web-Browser das <a href="installCertificate">CA Zertifikat installieren</a>.</li>
+ </ul>
+
+ <p><br class="clearfloat" /></p>
+
+ </div>
+ <div id="footer">
+ <p>
+ <a href="http://www.buergerkarte.at">Österreichische Bürgerkarte</a> | <a href="http://mocca.egovlabs.gv.at">Bürgerkartensoftware MOCCA</a>
+ </p>
+ </div>
+ <!-- end #container --></div>
+ </body>
</html>
+
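Review bot: The new page links to `help` and `help/help.css`, but this commit removes the `help` servlet and its `/help/*` mapping from web.xml, so unless the help content is now served as static files under the webapp root both links will 404 (the BKUHelp pom change turns the pages into classpath resources, which is not the same thing). Worth verifying in a deployed build, or stating in the commit message how `help/` is served now.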
diff --git a/BKUOnline/pom.xml b/BKUOnline/pom.xml
index f03bc792..9fc36d63 100644
--- a/BKUOnline/pom.xml
+++ b/BKUOnline/pom.xml
@@ -39,7 +39,7 @@
<dependency>
<artifactId>BKUHelp</artifactId>
<groupId>at.gv.egiz</groupId>
- <version>1.1</version>
+ <version>1.2-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
@@ -302,12 +302,13 @@
</build>
<dependencies>
- <!-- not yet available in IBIBLIO, install locally -->
+ <!-- not yet available in IBIBLIO, install locally
+ | NOT REQUIRED FOR BASIC DOWNLOAD PROTOCOL
<dependency>
<groupId>org.codehaus.mojo.webstart</groupId>
<artifactId>webstart-jnlp-servlet</artifactId>
<version>1.0-6.0.02_ea_b02.1-SNAPSHOT</version>
- </dependency>
+ </dependency-->
<!-- dependency to ensure BKUWebStart is build prior to BKUOnline;
| transitive dependencies shall not be included in WEB-INF/lib
| and are provided in the BKUWebStart zip
diff --git a/BKUWebStart/pom.xml b/BKUWebStart/pom.xml
index 462146d6..cef65ac2 100644
--- a/BKUWebStart/pom.xml
+++ b/BKUWebStart/pom.xml
@@ -51,9 +51,11 @@
</plugin>
<!-- Build the web start app
- | Default is to build BKUWebStart.zip incl. jnlp for local execution
- | If include-webstart is active, the jnlp will contain DownloadServlet specific placeholders (for codebase, etc) and versioning will be enabled.
- | If pkcs11-sign is active (ie. the release build), pack200 will be activated, the the PKCS11 keystore will be used (and the adopted version of the plugin will be used).
+ | Default is to build BKUWebStart.zip incl. mocca.jnlp with versioning enabled and
+ | containing DownloadServlet specific placeholders (for codebase, etc).
+ | If pkcs11-sign is active (ie. the release build), pack200/gzip will be activated,
+ | the the PKCS11 keystore will be used (and the adopted version of the plugin will be used).
+ | If local-webstart is active, the jnlp will be prepared for local execution (development build)
|-->
<plugin>
<artifactId>webstart-maven-plugin</artifactId>
@@ -98,8 +100,8 @@
</keystoreConfig>
</sign>
<pack200>false</pack200>
- <!--gzip>true</gzip-->
- <outputJarVersions>true</outputJarVersions>
+ <gzip>false</gzip>
+ <outputJarVersions>false</outputJarVersions>
<!-- unsign IAIK signed libs -->
<unsignAlreadySignedJars>true</unsignAlreadySignedJars>
<verbose>true</verbose>
@@ -190,9 +192,6 @@
<gen>false</gen>
</keystoreConfig>
</sign>
- <pack200>true</pack200>
- <!--gzip>false</gzip-->
- <outputJarVersions>true</outputJarVersions>
</configuration>
</plugin>
</plugins>
@@ -212,7 +211,6 @@
<inputTemplate>template-local.xml</inputTemplate>
<outputFile>mocca-local.jnlp</outputFile>
</jnlp>
- <outputJarVersions>false</outputJarVersions>
</configuration>
</plugin>
</plugins>
@@ -221,6 +219,14 @@
</profiles>
<dependencies>
+ <!-- ATTENTION update of application descriptor (jnlp file) is special...
+ | The JNLP Client must use the Last-Modified header field returned by
+ | the Web Server to determine if a newer JNLP file is present on the Web
+ | server.
+ | Don't assume changes to the descriptor (changes in dependencies) to
+ | appear directly on the client descriptor (even if 'update available'
+ | was shown to user).
+ | Note: Download via browser ensures the updated jnlp file is used. -->
<dependency>
<groupId>at.gv.egiz</groupId>
<artifactId>BKULocal</artifactId>
@@ -259,12 +265,12 @@
<!-- JSP support
| http://jira.codehaus.org/browse/JETTY-827
| jsp-2.1-jetty-6.1.19 depends on the required jsp-2.1-glassfish jars (?)
- |-->
+ |
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jsp-2.1-jetty</artifactId>
<version>6.1.19</version>
- </dependency>
+ </dependency-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
index bef2246b..923a70d9 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
@@ -56,7 +56,7 @@ public class Configurator {
* configurations with less than this (major) version will be backuped and updated
* allowed: MAJOR[.MINOR[.X[-SNAPSHOT]]]
*/
- public static final String MIN_CONFIG_VERSION = "1.0.9";
+ public static final String MIN_CONFIG_VERSION = "1.2.4-SNAPSHOT";
public static final String CONFIG_DIR = ".mocca/conf/";
public static final String CERTS_DIR = ".mocca/certs/";
public static final String VERSION_FILE = ".version";
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index 08a0808a..3bf74d3c 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -2,9 +2,11 @@ package at.gv.egiz.bku.webstart;
import at.gv.egiz.bku.utils.StreamUtil;
import java.awt.AWTPermission;
+import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
+import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FilePermission;
@@ -15,8 +17,12 @@ import java.io.OutputStream;
import java.lang.reflect.ReflectPermission;
import java.net.NetPermission;
import java.net.SocketPermission;
+import java.security.AllPermission;
+import java.security.KeyStore;
import java.security.Permissions;
import java.security.SecurityPermission;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.util.PropertyPermission;
import javax.smartcardio.CardPermission;
import org.apache.commons.logging.Log;
@@ -32,8 +38,9 @@ public class Container {
public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
public static final String HTTPS_PORT_PROPERTY = "mocca.http.port";
-
+ public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate";
private static Log log = LogFactory.getLog(Container.class);
+
static {
if (log.isDebugEnabled()) {
//Jetty log INFO and WARN, include ignored exceptions
@@ -43,7 +50,6 @@ public class Container {
//System.setProperty("DEBUG", "true");
}
}
-
private Server server;
public void init() throws IOException {
@@ -75,63 +81,98 @@ public class Container {
}
log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
sslConnector.setKeystore(keystoreFile.getAbsolutePath());
- File passwdFile = new File(configDir, Configurator.PASSWD_FILE);
- BufferedReader reader = new BufferedReader(new FileReader(passwdFile));
- String pwd;
- while ((pwd = reader.readLine()) != null) {
- sslConnector.setPassword(pwd);
- sslConnector.setKeyPassword(pwd);
- }
- reader.close();
-
+ String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
+ sslConnector.setPassword(passwd);
+ sslConnector.setKeyPassword(passwd);
+
//avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
- String[] RFC4492CipherSuites = new String[] {
+ String[] RFC4492CipherSuites = new String[]{
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_RSA_WITH_NULL_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_RSA_WITH_NULL_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_anon_WITH_NULL_SHA",
- "TLS_ECDH_anon_WITH_RC4_128_SHA",
- "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_NULL_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_NULL_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
};
sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
- server.setConnectors(new Connector[] { connector, sslConnector });
-
+ server.setConnectors(new Connector[]{connector, sslConnector});
+
WebAppContext webapp = new WebAppContext();
webapp.setLogUrlOnStart(true);
webapp.setContextPath("/");
- webapp.setExtractWAR(true);
+ webapp.setExtractWAR(true);
webapp.setParentLoaderPriority(false);
+ try {
+ // no way to get certificate from within the servlet (SSLEngine/Jetty SSLSocketConnector/SSLContext?)
+ if (log.isTraceEnabled()) {
+ log.trace("local ca certificate from " + keystoreFile + " in webapp context at " + SERVER_CA_CERTIFICATE_ATTRIBUTE);
+ }
+ BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
+ KeyStore sslKeyStore = KeyStore.getInstance("JKS");
+ sslKeyStore.load(bis, passwd.toCharArray());
+ Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
+ webapp.setAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE, sslChain[sslChain.length - 1]);
+ bis.close();
+ } catch (Exception ex) {
+ log.error("Failed to load local ca certificate", ex);
+ log.warn("automated web certificate installation will not be available");
+ }
+
webapp.setWar(copyWebapp(webapp.getTempDirectory()));
webapp.setPermissions(getPermissions(webapp.getTempDirectory()));
-
+
server.setHandler(webapp);
- server.setGracefulShutdown(1000*3);
+ server.setGracefulShutdown(1000 * 3);
+ }
+
+ /**
+ * @return The first valid (not empty, no comment) line of the passwd file
+ * @throws IOException
+ */
+ protected static String readPassword(File passwdFile) throws IOException {
+ if (passwdFile.exists() && passwdFile.canRead()) {
+ BufferedReader passwdReader = null;
+ try {
+ passwdReader = new BufferedReader(new FileReader(passwdFile));
+ String passwd;
+ while ((passwd = passwdReader.readLine().trim()) != null) {
+ if (passwd.length() > 0 && !passwd.startsWith("#")) {
+ return passwd;
+ }
+ }
+ } catch (IOException ex) {
+ log.error("failed to read password from " + passwdFile, ex);
+ throw ex;
+ } finally {
+ try {
+ passwdReader.close();
+ } catch (IOException ex) {
+ }
+ }
+ }
+ throw new IOException(passwdFile + " not readable");
}
private String copyWebapp(File webappDir) throws IOException {
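Review bot: `readPassword` dereferences the result of `readLine()` before the null check (`while ((passwd = passwdReader.readLine().trim()) != null)`), so a password file with no valid line throws NullPointerException at EOF instead of falling through to the `IOException`, and the `finally` block calls `passwdReader.close()` on a null reference when the `FileReader` constructor itself throws. The rewrite below opens the reader before the `try`, checks for null before trimming, and names the ignored close exception. In `init()`, the `BufferedInputStream` opened at `new BufferedInputStream(new FileInputStream(keystoreFile))` is only closed on the success path; moving `bis.close()` into a `finally` avoids leaking the keystore file handle when `load` fails, and `catch (Exception ex)` there could be narrowed to `IOException | GeneralSecurityException`. `FileReader` uses the platform default charset, so a non-ASCII keystore password would be read differently across platforms — presumably the generated password is ASCII, but worth confirming against `Configurator`. `init()` begins before this hunk.
```java
  protected static String readPassword(File passwdFile) throws IOException {
    if (passwdFile.exists() && passwdFile.canRead()) {
      BufferedReader passwdReader = new BufferedReader(new FileReader(passwdFile));
      try {
        String line;
        while ((line = passwdReader.readLine()) != null) {
          String passwd = line.trim();
          if (passwd.length() > 0 && !passwd.startsWith("#")) {
            return passwd;
          }
        }
      } catch (IOException ex) {
        log.error("failed to read password from " + passwdFile, ex);
        throw ex;
      } finally {
        try {
          passwdReader.close();
        } catch (IOException ignored) {
          // best-effort close; the password (or the IOException above) is already decided
        }
      }
    }
    throw new IOException(passwdFile + " not readable");
  }
```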
@@ -146,43 +187,48 @@ public class Container {
private Permissions getPermissions(File webappDir) {
Permissions perms = new Permissions();
+ perms.add(new AllPermission());
+
+
+ if (false) {
+
+ // jetty-webstart (spring?)
+ perms.add(new RuntimePermission("getClassLoader"));
+
+ // standard permissions
+ perms.add(new PropertyPermission("*", "read,write"));
+ perms.add(new RuntimePermission("accessDeclaredMembers"));
+ perms.add(new RuntimePermission("accessClassInPackage.*"));
+ perms.add(new RuntimePermission("defineClassInPackage.*"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new RuntimePermission("getProtectionDomain"));
+ perms.add(new RuntimePermission("modifyThread"));
+ perms.add(new RuntimePermission("modifyThreadGroup"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new ReflectPermission("suppressAccessChecks"));
+
+ // MOCCA specific
+ perms.add(new SocketPermission("*", "connect,resolve"));
+ perms.add(new NetPermission("specifyStreamHandler"));
+ perms.add(new SecurityPermission("insertProvider.*"));
+ perms.add(new SecurityPermission("putProviderProperty.*"));
+ perms.add(new SecurityPermission("removeProvider.*"));
+ perms.add(new CardPermission("*", "*"));
+ perms.add(new AWTPermission("*"));
+
+ perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
+
+ //TODO
+// log.trace("granting file read/write permission to MOCCA local");
+// perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
- // jetty-webstart (spring?)
- perms.add(new RuntimePermission("getClassLoader"));
-
- // standard permissions
- perms.add(new PropertyPermission("*", "read,write"));
- perms.add(new RuntimePermission("accessDeclaredMembers"));
- perms.add(new RuntimePermission("accessClassInPackage.*"));
- perms.add(new RuntimePermission("defineClassInPackage.*"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new RuntimePermission("getProtectionDomain"));
- perms.add(new RuntimePermission("modifyThread"));
- perms.add(new RuntimePermission("modifyThreadGroup"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new ReflectPermission("suppressAccessChecks"));
-
- // MOCCA specific
- perms.add(new SocketPermission("*", "connect,resolve"));
- perms.add(new NetPermission("specifyStreamHandler"));
- perms.add(new SecurityPermission("insertProvider.*"));
- perms.add(new SecurityPermission("putProviderProperty.*"));
- perms.add(new SecurityPermission("removeProvider.*"));
- perms.add(new CardPermission("*", "*"));
- perms.add(new AWTPermission("*"));
-
- perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
-
- //TODO
- log.trace("granting file read/write permission to MOCCA local");
- perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
-
+ }
return perms;
}
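Review bot: `perms.add(new AllPermission());` replaces the explicit grant list, and that list is now wrapped in `if (false)`, so the webapp runs with unrestricted permissions while the least-privilege configuration survives only as dead code with no explanation. If AllPermission is a temporary workaround for a missing grant, a comment saying so would let it be reverted later, e.g. `// TODO(least-privilege): AllPermission is a temporary workaround; restore the explicit grants below once the missing permission is identified`. Otherwise the `if (false)` block (including the previously active `<<ALL FILES>>` grant) should be deleted rather than kept, since readers will assume it is still enforced.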
@@ -205,4 +251,4 @@ public class Container {
public void join() throws InterruptedException {
server.join();
}
-} \ No newline at end of file
+}
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java
index 0cfc14e5..0106de62 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java
@@ -27,6 +27,7 @@ import java.awt.event.WindowAdapter;
import java.net.BindException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
+import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.jar.Attributes;
@@ -73,21 +74,25 @@ public class Launcher implements BKUControllerInterface, ActionListener {
/** local bku uri */
public static final URL HTTP_SECURITY_LAYER_URL;
public static final URL HTTPS_SECURITY_LAYER_URL;
+ public static final URL INSTALL_CERT_URL;
public static final URL PIN_MANAGEMENT_URL;
static {
URL http = null;
URL https = null;
URL pin = null;
+ URL cert = null;
try {
http = new URL("http://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3495).intValue());
https = new URL("https://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3496).intValue());
pin = new URL(http, "/PINManagement");
+ cert = new URL(http, "/installCertificate");
} catch (MalformedURLException ex) {
log.error(ex);
} finally {
HTTP_SECURITY_LAYER_URL = http;
HTTPS_SECURITY_LAYER_URL = https;
PIN_MANAGEMENT_URL = pin;
+ INSTALL_CERT_URL = cert;
}
}
public static final String version;
@@ -273,7 +278,7 @@ public class Launcher implements BKUControllerInterface, ActionListener {
Desktop desktop = Desktop.getDesktop();
if (desktop.isSupported(Desktop.Action.BROWSE)) {
try {
- desktop.browse(HTTPS_SECURITY_LAYER_URL.toURI());
+ desktop.browse(HTTP_SECURITY_LAYER_URL.toURI());
} catch (Exception ex) {
log.error("failed to open system browser, install TLS certificate manually: " + HTTPS_SECURITY_LAYER_URL, ex);
}
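Review bot: The fallback message still names HTTPS_SECURITY_LAYER_URL although the browse call on the line above now opens HTTP_SECURITY_LAYER_URL, so a user who has to install the certificate manually is sent to a different URL than the one the launcher attempted; the message should reference the URL that was actually tried, e.g. `log.error("failed to open system browser, install TLS certificate manually: " + HTTP_SECURITY_LAYER_URL, ex);` (or INSTALL_CERT_URL, which this commit introduces for exactly that purpose). The broad `catch (Exception ex)` predates this change, but it also hides the NullPointerException that the static initializer can produce when URL construction failed. The enclosing method starts and ends outside the hunk.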
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java
index 97ca716b..fd94958e 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
public class TLSServerCA {
public static final int CA_VALIDITY_Y = 3;
+ public static final String MOCCA_TLS_SERVER_ALIAS = "server";
public static final int SERVER_VALIDITY_Y = 3;
private final static Log log = LogFactory.getLog(TLSServerCA.class);
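Review bot: MOCCA_TLS_SERVER_ALIAS is a new public constant with no Javadoc, and since it names the key entry that carries the TLS server private key together with its certificate chain, callers elsewhere (presumably the new certificate-installation servlet) need to know what they get back under it; I would add `/** KeyStore alias of the TLS server key entry; holds the server private key with the chain {serverCert, caCert}. */` above the declaration. The ordering CA_VALIDITY_Y, MOCCA_TLS_SERVER_ALIAS, SERVER_VALIDITY_Y splits the two validity constants, so placing the alias after them would read better.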
@@ -127,7 +128,7 @@ public class TLSServerCA {
generateServerCert();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, null);
- ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
+ ks.setKeyEntry(MOCCA_TLS_SERVER_ALIAS, serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
return ks;
// } catch (Exception e) {
// log.error("Cannot generate certificate", e);
diff --git a/BKUWebStart/src/main/jnlp/resources/version.xml b/BKUWebStart/src/main/jnlp/resources/version.xml
index 451fe038..5e504b68 100644
--- a/BKUWebStart/src/main/jnlp/resources/version.xml
+++ b/BKUWebStart/src/main/jnlp/resources/version.xml
@@ -91,41 +91,6 @@
</resource>
<resource>
<pattern>
- <name>jsp-2.1-jetty-6.1.19.jar</name>
- <version-id>6.1.19</version-id>
- </pattern>
- <file>jsp-2.1-jetty-6.1.19.jar</file>
- </resource>
- <resource>
- <pattern>
- <name>jsp-2.1-glassfish-9.1.1.B60.25.p0.jar</name>
- <version-id>9.1.1.B60.25.p0</version-id>
- </pattern>
- <file>jsp-2.1-glassfish-9.1.1.B60.25.p0.jar</file>
- </resource>
- <resource>
- <pattern>
- <name>jsp-api-2.1-glassfish-9.1.1.B60.25.p0.jar</name>
- <version-id>9.1.1.B60.25.p0</version-id>
- </pattern>
- <file>jsp-api-2.1-glassfish-9.1.1.B60.25.p0.jar</file>
- </resource>
- <resource>
- <pattern>
- <name>ant-1.6.5.jar</name>
- <version-id>1.6.5</version-id>
- </pattern>
- <file>ant-1.6.5.jar</file>
- </resource>
- <resource>
- <pattern>
- <name>core-3.1.1.jar</name>
- <version-id>3.1.1</version-id>
- </pattern>
- <file>core-3.1.1.jar</file>
- </resource>
- <resource>
- <pattern>
<name>slf4j-api-1.5.8.jar</name>
<version-id>1.5.8</version-id>
</pattern>
diff --git a/BKUWebStart/src/main/jnlp/template.xml b/BKUWebStart/src/main/jnlp/template.xml
index a8ee0341..8181bc31 100644
--- a/BKUWebStart/src/main/jnlp/template.xml
+++ b/BKUWebStart/src/main/jnlp/template.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
-<jnlp spec="$jnlpspec" codebase="$$codebase" context="$$context" href="$$name">
+<jnlp spec="$jnlpspec" codebase="http://localhost:8080/webstart/" context="http://localhost:8080" href="mocca.jnlp">
<information>
<!--title>$project.Name</title-->
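Review bot: The codebase, context and href attributes are now hard-coded to `http://localhost:8080/webstart/`, `http://localhost:8080` and `mocca.jnlp`, replacing the `$$codebase`/`$$context`/`$$name` substitutions; the JNLP codebase determines where Web Start fetches every jar listed in `$dependencies`, so any deployment that is not served from localhost:8080 will fail to resolve its resources, and a launch from a non-local host will silently pull jars over plain HTTP from whatever is listening there. If this is a development setting for testing the BASIC download protocol, the commit should say so, or the template variables should be restored with the new href only, e.g. `<jnlp spec="$jnlpspec" codebase="$$codebase" context="$$context" href="mocca.jnlp">`.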
@@ -9,15 +9,15 @@
<homepage href="$project.Url"/>
<description>$project.Description (BKU) MOCCA Web Start</description>
<description kind="short">$project.Description</description>
- <icon kind="shortcut" href="img/chip16.png" width="16" height="16" version="2.0"/>
- <icon kind="shortcut" href="img/chip24.png" width="24" height="24" version="2.0"/>
- <icon kind="shortcut" href="img/chip32.png" width="32" height="32" version="2.0"/>
- <icon kind="shortcut" href="img/chip48.png" width="48" height="48" version="2.0"/>
- <icon kind="default" href="img/chip16.png" width="16" height="16" version="2.0"/>
- <icon kind="default" href="img/chip24.png" width="24" height="24" version="2.0"/>
- <icon kind="default" href="img/chip32.png" width="32" height="32" version="2.0"/>
- <icon kind="default" href="img/chip48.png" width="48" height="48" version="2.0"/>
- <icon kind="splash" href="img/splash.png" version="2.0"/>
+ <icon kind="shortcut" href="img/chip16.png" width="16" height="16"/>
+ <icon kind="shortcut" href="img/chip24.png" width="24" height="24"/>
+ <icon kind="shortcut" href="img/chip32.png" width="32" height="32"/>
+ <icon kind="shortcut" href="img/chip48.png" width="48" height="48"/>
+ <icon kind="default" href="img/chip16.png" width="16" height="16"/>
+ <icon kind="default" href="img/chip24.png" width="24" height="24"/>
+ <icon kind="default" href="img/chip32.png" width="32" height="32"/>
+ <icon kind="default" href="img/chip48.png" width="48" height="48"/>
+ <icon kind="splash" href="img/splash.png"/>
<shortcut online="false">
<desktop/>
<menu submenu="e-Government"/>
@@ -39,13 +39,11 @@
<resources os="Mac OS X">
<java version="$j2seVersion" java-vm-args="-d32"/>
- <property name="jnlp.versionEnabled" value="true"/>
$dependencies
</resources>
<resources>
<java version="$j2seVersion"/>
- <property name="jnlp.versionEnabled" value="true"/>
$dependencies
</resources>