diff options
| author | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-09 12:40:52 +0000 | 
|---|---|---|
| committer | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-09 12:40:52 +0000 | 
| commit | a3361b40aa8f92849c50db27e349e17b87bebb1e (patch) | |
| tree | 9eb35a2f48e986a4abdebfb8afccc2b13eda17ae /bkucommon/src/main/java/at | |
| parent | fc22a7889d8da33cc7c73c922a8443329fe24c4d (diff) | |
| download | mocca-a3361b40aa8f92849c50db27e349e17b87bebb1e.tar.gz mocca-a3361b40aa8f92849c50db27e349e17b87bebb1e.tar.bz2 mocca-a3361b40aa8f92849c50db27e349e17b87bebb1e.zip | |
improved security handling and added shutdown handler
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@27 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'bkucommon/src/main/java/at')
3 files changed, 68 insertions, 29 deletions
| diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java index ace8a75a..ed4b9bda 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -1,30 +1,31 @@  /*
 -* Copyright 2008 Federal Chancellery Austria and
 -* Graz University of Technology
 -*
 -* Licensed under the Apache License, Version 2.0 (the "License");
 -* you may not use this file except in compliance with the License.
 -* You may obtain a copy of the License at
 -*
 -*     http://www.apache.org/licenses/LICENSE-2.0
 -*
 -* Unless required by applicable law or agreed to in writing, software
 -* distributed under the License is distributed on an "AS IS" BASIS,
 -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -* See the License for the specific language governing permissions and
 -* limitations under the License.
 -*/
 + * Copyright 2008 Federal Chancellery Austria and
 + * Graz University of Technology
 + *
 + * Licensed under the Apache License, Version 2.0 (the "License");
 + * you may not use this file except in compliance with the License.
 + * You may obtain a copy of the License at
 + *
 + *     http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing, software
 + * distributed under the License is distributed on an "AS IS" BASIS,
 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 + * See the License for the specific language governing permissions and
 + * limitations under the License.
 + */
  package at.gv.egiz.bku.accesscontroller;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED;
 -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY;
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
 -import java.net.InetAddress;
  import java.net.URL;
 -import java.net.UnknownHostException;
 +import java.security.cert.CertificateParsingException;
  import java.security.cert.X509Certificate;
 +import java.util.Collection;
 +import java.util.List;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
 @@ -37,6 +38,39 @@ public class AuthenticationClassifier {  	private AuthenticationClassifier() {
  	}
 +	public static boolean isGovAgency(X509Certificate cert) {
 +		String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
 +		for (String rdn : rdns) {
 +			if (rdn.startsWith("CN=")) {
 +				String dns = rdn.split("=")[1];
 +				log.trace("Analyzing cn dn: " + dns);
 +				if (dns.endsWith(GOV_DOMAIN)) {
 +					return true;
 +				}
 +			}
 +		}
 +		try {
 +			Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
 +			if (sanList != null) {
 +				for (List<?> san : sanList) {
 +					log.trace("Analyzing subj. alt name: " + san);
 +					if ((Integer) san.get(0) == 2) {
 +						String dns = (String) san.get(1);
 +						if (dns.endsWith(GOV_DOMAIN)) {
 +							return true;
 +						}
 +					}
 +				}
 +			}
 +		} catch (CertificateParsingException e) {
 +			log.error(e);
 +		}
 +		if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
 +			return true;
 +		}
 +		return false;
 +	}
 +
  	/**
  	 * Client Certificates are currently not supported
  	 * 
 @@ -45,13 +79,8 @@ public class AuthenticationClassifier {  			URL url, X509Certificate cert) {
  		if (isDataUrl) {
  			if (url.getProtocol().equalsIgnoreCase("https")) {
 -				try {
 -					if (InetAddress.getByName(url.getHost()).getCanonicalHostName()
 -							.endsWith(GOV_DOMAIN)) {
 -						return CERTIFIED_GOV_AGENCY;
 -					}
 -				} catch (UnknownHostException e) {
 -					log.error("Cannot determine host name", e);
 +				if (isGovAgency(cert)) {
 +					return CERTIFIED_GOV_AGENCY;
  				}
  				if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
  					return CERTIFIED_GOV_AGENCY;
 @@ -68,7 +97,8 @@ public class AuthenticationClassifier {  	/**
  	 * 
  	 * @param isDataUrl
 -	 * @param url if the url's protocol is https a cert parameter must be provided.
 +	 * @param url
 +	 *          if the url's protocol is https a cert parameter must be provided.
  	 * @param cert
  	 * @return
  	 */
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java index ed37f08f..aaf81e51 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java @@ -99,5 +99,7 @@ public interface BindingProcessorManager {     */
    public Set<Id> getManagedIds();
 -  public void shutdown();
 +  public void shutdown(); +   +  public void shutdownNow();
  }
\ No newline at end of file diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java index 6f5ca2d2..0082de26 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java @@ -149,6 +149,11 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {    public void shutdown() {
      log.info("Shutting down the BindingProcessorManager");
      executorService.shutdown();
 +  } +   +  public void shutdownNow() { +  	log.info("Shutting down the BindingProcessorManager NOW!"); +    executorService.shutdownNow();    }
    /**
 @@ -223,7 +228,8 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {        throw new SLRuntimeException(
            "Clashing ids, cannot process bindingprocessor with id:"
                + aBindingProcessor.getId());
 -    }
 +    } +    log.debug("processing bindingprocessor: "+aBindingProcessor.getId());
      Future<?> f = executorService.submit(aBindingProcessor);
      bindingProcessorMap.put(aBindingProcessor.getId(), new MapEntityWrapper(f,
          aBindingProcessor));
 @@ -235,7 +241,8 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {    }
    @Override
 -  public void removeBindingProcessor(Id sessionId) {
 +  public void removeBindingProcessor(Id sessionId) { +  	log.debug("Removing binding processor: "+sessionId);
      MapEntityWrapper wrapper = bindingProcessorMap
          .get(sessionId);
      if (wrapper == null) {
 | 
