Adjusted default security settings for BKUOnline

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@16 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4

2 files changed, 25 insertions, 56 deletions

diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
index 100285ed..768bedea 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
@@ -6,14 +6,11 @@ import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;

 import java.security.NoSuchAlgorithmException;

 import java.security.Security;

-import java.security.cert.CertPath;

-import java.security.cert.CertPathBuilder;

 import java.security.cert.CertStore;

 import java.security.cert.CertificateException;

 import java.security.cert.CertificateFactory;

 import java.security.cert.CollectionCertStoreParameters;

 import java.security.cert.PKIXBuilderParameters;

-import java.security.cert.PKIXCertPathBuilderResult;

 import java.security.cert.TrustAnchor;

 import java.security.cert.X509CertSelector;

 import java.security.cert.X509Certificate;

@@ -28,9 +25,7 @@ import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;

 import javax.net.ssl.ManagerFactoryParameters;

 import javax.net.ssl.SSLContext;

-import javax.net.ssl.TrustManager;

 import javax.net.ssl.TrustManagerFactory;

-import javax.net.ssl.X509TrustManager;

 

 import org.apache.commons.logging.Log;

 import org.apache.commons.logging.LogFactory;

@@ -71,7 +66,6 @@ public class SpringConfigurator extends Configurator implements
 		String caDirectory = getProperty("SSL.caDirectory");

 		if (caDirectory != null) {

 			Resource caDirRes = resourceLoader.getResource(caDirectory);

-

 			File caDir = caDirRes.getFile();

 			if (!caDir.isDirectory()) {

 				log.error("Expecting directory as SSL.caDirectory parameter");

diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
index 15d62155..e12d1abe 100644
--- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
+++ b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
@@ -1,39 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>

 <AccessControl>

 	<Chains>

+		<!--

+			The input chain defines filters that are applied before command

+			execution

+		-->

 		<Chain Id="InputChain">

 			<Rules>

-				<Rule Id="rule-1">

-					<AuthClass>certifiedGovAgency</AuthClass>

-					<AnyPeer />

+				<!-- there is no command implemented that requires input filtering -->

+				<Rule Id="InputChain-AllowAll">

 					<Action>

 						<RuleAction>allow</RuleAction>

 					</Action>

 					<UserInteraction>confirm</UserInteraction>

 				</Rule>

-				<Rule Id="rule-2">

-					<AuthClass>pseudoanonymous</AuthClass>

-					<AnyPeer />

+			</Rules>

+		</Chain>

+

+		<!--

+			The output chain defines filters that are applied after command

+			execution

+		-->

+		<Chain Id="OutputChain">

+			<Rules>

+				<Rule Id="OutputChain-Egov">

+					<AuthClass>certifiedGovAgency</AuthClass>

 					<Action>

-						<ChainRef>Command</ChainRef>

+						<RuleAction>allow</RuleAction>

 					</Action>

-					<UserInteraction>none</UserInteraction>

+					<UserInteraction>confirm</UserInteraction>

 				</Rule>

-				<Rule Id="rule-3">

+				<Rule Id="OutputChain-Command">

 					<AuthClass>anonymous</AuthClass>

-					<IPv4Address>127.0.0.1</IPv4Address>

 					<Action>

 						<ChainRef>Command</ChainRef>

 					</Action>

-					<UserInteraction>none</UserInteraction>

-				</Rule>

-				<Rule Id="rule-4">

-					<AuthClass>anonymous</AuthClass>

-					<DomainName>$.gv.at</DomainName>

-					<Action>

-						<RuleAction>allow</RuleAction>

-					</Action>

-					<UserInteraction>confirm</UserInteraction>

 				</Rule>

 			</Rules>

 		</Chain>

@@ -44,7 +45,7 @@
 					<AnyPeer />

 					<Command Name="Infobox*">

 						<Param Name="InfoboxIdentifier">IdentityLink</Param>

-						<Param Name="PersonIdentifier">.*</Param>

+						<Param Name="PersonIdentifier">derived</Param>

 					</Command>

 					<Action>

 						<RuleAction>allow</RuleAction>

@@ -52,42 +53,16 @@
 					<UserInteraction>confirm</UserInteraction>

 				</Rule>

 				<Rule Id="cmd-rule-2">

-					<AuthClass>certified</AuthClass>

-					<URL>https://finanzonline.bmf.gv.at/*

-					</URL>

-					<Command Name="InfoboxReadRequest">

-						<Param Name="InfoboxIdentifier">Mandates</Param>

-						<Param Name="PersonIdentifier">.*</Param>

+					<AuthClass>anonymous</AuthClass>

+					<Command Name="Infobox.*">

+						<Param Name="InfoboxIdentifier">IdentityLink</Param>

 					</Command>

 					<Action>

-						<RuleAction>allow</RuleAction>

+						<RuleAction>deny</RuleAction>

 					</Action>

 					<UserInteraction>info</UserInteraction>

 				</Rule>

 				<Rule Id="cmd-rule-3">

-					<AuthClass>certified</AuthClass>

-					<AnyPeer />

-					<Command Name="InfoboxReadRequest" />

-					<Action>

-						<RuleAction>allow</RuleAction>

-					</Action>

-					<UserInteraction>none</UserInteraction>

-				</Rule>

-				<Rule Id="cmd-rule-4">

-					<AuthClass>anonymous</AuthClass>

-					<AnyPeer />

-					<Command Name="InfoboxReadRequest" />

-					<IPv4Address>127.0.0.1</IPv4Address>

-					<Action>

-						<RuleAction>allow</RuleAction>

-					</Action>

-					<UserInteraction>none</UserInteraction>

-				</Rule>

-			</Rules>

-		</Chain>

-		<Chain Id="OutputChain">

-			<Rules>

-				<Rule Id="out-1">

 					<Action>

 						<RuleAction>allow</RuleAction>

 					</Action>