author | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-05 11:40:49 +0000 |
---|---|---|
committer | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-05 11:40:49 +0000 |
commit | 68b3d73c291753f19d04682306ae67125dbbd431 (patch) | |
tree | 28041df31ef94e8902047d0f824d616cbee1b801 /BKUOnline | |
parent | ead5dc6d62e7fd6325ea164625b02a6b6fbb226e (diff) | |
Adjusted default security settings for BKUOnline
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@16 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline')
-rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java | 6 | ||||
-rw-r--r-- | BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml | 75 |
2 files changed, 25 insertions, 56 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
index 100285ed..768bedea 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
@@ -6,14 +6,11 @@ import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
@@ -28,9 +25,7 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -71,7 +66,6 @@ public class SpringConfigurator extends Configurator implements
String caDirectory = getProperty("SSL.caDirectory");
if (caDirectory != null) {
Resource caDirRes = resourceLoader.getResource(caDirectory);
-
File caDir = caDirRes.getFile();
if (!caDir.isDirectory()) {
log.error("Expecting directory as SSL.caDirectory parameter");
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
index 15d62155..e12d1abe 100644
--- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
+++ b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/accessControlConfig.xml
@@ -1,39 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<AccessControl>
<Chains>
+ <!--
+ The input chain defines filters that are applied before command
+ execution
+ -->
<Chain Id="InputChain">
<Rules>
- <Rule Id="rule-1">
- <AuthClass>certifiedGovAgency</AuthClass>
- <AnyPeer />
+ <!-- there is no command implemented that requires input filtering -->
+ <Rule Id="InputChain-AllowAll">
<Action>
<RuleAction>allow</RuleAction>
</Action>
<UserInteraction>confirm</UserInteraction>
</Rule>
- <Rule Id="rule-2">
- <AuthClass>pseudoanonymous</AuthClass>
- <AnyPeer />
+ </Rules>
+ </Chain>
+
+ <!--
+ The output chain defines filters that are applied after command
+ execution
+ -->
+ <Chain Id="OutputChain">
+ <Rules>
+ <Rule Id="OutputChain-Egov">
+ <AuthClass>certifiedGovAgency</AuthClass>
<Action>
- <ChainRef>Command</ChainRef>
+ <RuleAction>allow</RuleAction>
</Action>
- <UserInteraction>none</UserInteraction>
+ <UserInteraction>confirm</UserInteraction>
</Rule>
- <Rule Id="rule-3">
+ <Rule Id="OutputChain-Command">
<AuthClass>anonymous</AuthClass>
- <IPv4Address>127.0.0.1</IPv4Address>
<Action>
<ChainRef>Command</ChainRef>
</Action>
- <UserInteraction>none</UserInteraction>
- </Rule>
- <Rule Id="rule-4">
- <AuthClass>anonymous</AuthClass>
- <DomainName>$.gv.at</DomainName>
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>confirm</UserInteraction>
</Rule>
</Rules>
</Chain>
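Review bot: The rebuilt OutputChain only has rules for `certifiedGovAgency` (`OutputChain-Egov`) and `anonymous` (`OutputChain-Command`); the removed `rule-2` routed `pseudoanonymous` peers to the Command chain and the deleted command rules referenced `certified`, so peers in those classes now match no rule in this chain. Whether an unmatched chain ends in deny or allow is not visible from the hunk — if the evaluator is not deny-by-default, close the chain with an explicit terminal rule, e.g. `<Rule Id="OutputChain-Default"><Action><RuleAction>deny</RuleAction></Action><UserInteraction>info</UserInteraction></Rule>`. The new `InputChain-AllowAll` rule likewise carries no AuthClass or peer element; a comment such as `<!-- intentionally unconstrained: matches every auth class and peer -->` next to it would make clear that the match-all is deliberate rather than an omission.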
@@ -44,7 +45,7 @@
<AnyPeer />
<Command Name="Infobox*">
<Param Name="InfoboxIdentifier">IdentityLink</Param>
- <Param Name="PersonIdentifier">.*</Param>
+ <Param Name="PersonIdentifier">derived</Param>
</Command>
<Action>
<RuleAction>allow</RuleAction>
@@ -52,42 +53,16 @@
<UserInteraction>confirm</UserInteraction>
</Rule>
<Rule Id="cmd-rule-2">
- <AuthClass>certified</AuthClass>
- <URL>https://finanzonline.bmf.gv.at/*
- </URL>
- <Command Name="InfoboxReadRequest">
- <Param Name="InfoboxIdentifier">Mandates</Param>
- <Param Name="PersonIdentifier">.*</Param>
+ <AuthClass>anonymous</AuthClass>
+ <Command Name="Infobox.*">
+ <Param Name="InfoboxIdentifier">IdentityLink</Param>
</Command>
<Action>
- <RuleAction>allow</RuleAction>
+ <RuleAction>deny</RuleAction>
</Action>
<UserInteraction>info</UserInteraction>
</Rule>
<Rule Id="cmd-rule-3">
- <AuthClass>certified</AuthClass>
- <AnyPeer />
- <Command Name="InfoboxReadRequest" />
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>none</UserInteraction>
- </Rule>
- <Rule Id="cmd-rule-4">
- <AuthClass>anonymous</AuthClass>
- <AnyPeer />
- <Command Name="InfoboxReadRequest" />
- <IPv4Address>127.0.0.1</IPv4Address>
- <Action>
- <RuleAction>allow</RuleAction>
- </Action>
- <UserInteraction>none</UserInteraction>
- </Rule>
- </Rules>
- </Chain>
- <Chain Id="OutputChain">
- <Rules>
- <Rule Id="out-1">
<Action>
<RuleAction>allow</RuleAction>
</Action>
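Review bot: With its AuthClass, `<AnyPeer />` and `<Command>` elements removed, `cmd-rule-3` is left with only an allow action, so it matches every request that `cmd-rule-1` and `cmd-rule-2` do not — including anonymous reads of infoboxes other than IdentityLink, which the deleted rules had restricted to `certified` peers. If a terminal default is intended, making it `<RuleAction>deny</RuleAction>` and adding explicit allow rules per command keeps the chain deny-by-default; the remainder of `cmd-rule-3` continues outside the hunk. Separately, the new `cmd-rule-2` matches `<Command Name="Infobox.*">` while `cmd-rule-1` in the previous hunk matches `<Command Name="Infobox*">`; if command names are matched as regular expressions, as the `.*` parameter values suggest, `Infobox*` under a full match does not match `InfoboxReadRequest`, so `cmd-rule-1` may never fire and the derived-identifier read would fall through to the deny. Aligning both on `Infobox.*` removes the ambiguity.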