diff options
-rw-r--r-- | BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java | 17 | ||||
-rw-r--r-- | BKUHelp/pom.xml | 9 | ||||
-rw-r--r-- | BKULocal/pom.xml | 2 | ||||
-rw-r--r-- | BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java | 149 | ||||
-rw-r--r-- | BKULocal/src/main/webapp/WEB-INF/web.xml | 19 | ||||
-rw-r--r-- | BKULocal/src/main/webapp/img/chip16.ico | bin | 0 -> 1150 bytes | |||
-rw-r--r-- | BKULocal/src/main/webapp/img/chip48.png | bin | 0 -> 2771 bytes | |||
-rw-r--r-- | BKULocal/src/main/webapp/index.html | 56 | ||||
-rw-r--r-- | BKUOnline/pom.xml | 7 | ||||
-rw-r--r-- | BKUWebStart/pom.xml | 28 | ||||
-rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java | 2 | ||||
-rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java | 210 | ||||
-rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java | 7 | ||||
-rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java | 3 | ||||
-rw-r--r-- | BKUWebStart/src/main/jnlp/resources/version.xml | 35 | ||||
-rw-r--r-- | BKUWebStart/src/main/jnlp/template.xml | 22 |
16 files changed, 387 insertions, 179 deletions
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java index b871263e..6fd1ffea 100644 --- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java +++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/AbstractHelpListener.java @@ -38,6 +38,11 @@ import org.apache.commons.logging.LogFactory; */ public abstract class AbstractHelpListener implements ActionListener { + /** + * any locale not in the list will be mapped to 'de' + */ + public static final String[] SUPPORTED_LANGUAGES = new String[] { "de" }; + protected final static Log log = LogFactory.getLog(AbstractHelpListener.class); protected URL baseURL; protected Locale locale; @@ -71,12 +76,14 @@ public abstract class AbstractHelpListener implements ActionListener { URL helpURL = baseURL; log.trace("constructing help URL: " + helpURL); try { - if (locale != null) { - helpURL = new URL(helpURL, locale.toString() + "/"); - log.trace("constructing help URL: " + helpURL); - } + // not localized for now + //check if locale.getLanguage() supported and add default if not +// if (locale != null) { +// helpURL = new URL(helpURL, locale.toString() + "/"); +// log.trace("constructing help URL: " + helpURL); +// } if (helpTopic != null && !"".equals(helpTopic)) { - helpURL = new URL(helpURL, helpTopic + ".html"); + helpURL = new URL(helpURL, "de/" + helpTopic + ".html"); log.trace("constructing help URL: " + helpURL); } } catch (MalformedURLException ex) { diff --git a/BKUHelp/pom.xml b/BKUHelp/pom.xml index ec2ad47d..6dbfd55f 100644 --- a/BKUHelp/pom.xml +++ b/BKUHelp/pom.xml @@ -7,6 +7,13 @@ </parent> <groupId>at.gv.egiz</groupId> <artifactId>BKUHelp</artifactId> - <version>1.1</version> + <version>1.2-SNAPSHOT</version> <name>BKU Help</name> + <build> + <resources> + <resource> + <directory>src/main/webapp</directory> + </resource> + </resources> + </build> </project>
\ No newline at end of file diff --git a/BKULocal/pom.xml b/BKULocal/pom.xml index 523357f2..b3487f68 100644 --- a/BKULocal/pom.xml +++ b/BKULocal/pom.xml @@ -111,7 +111,7 @@ <dependency> <artifactId>BKUHelp</artifactId> <groupId>at.gv.egiz</groupId> - <version>1.1</version> + <version>1.2-SNAPSHOT</version> </dependency> <dependency> <groupId>org.springframework</groupId> diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java new file mode 100644 index 00000000..0a9d001b --- /dev/null +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/webapp/InstallCertificateServlet.java @@ -0,0 +1,149 @@ +/* + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package at.gv.egiz.bku.local.webapp; + +import iaik.pkcs.PKCS7CertList; +import iaik.utils.Util; +import java.io.IOException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +/** + * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at> + */ +public class InstallCertificateServlet extends HttpServlet { + public static final String HTTPS_REDIRECT = "https://localhost:3496/"; + + public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate"; + protected PKCS7CertList p7c; + private static final Log log = LogFactory.getLog(InstallCertificateServlet.class); + + @Override + public void init() throws ServletException { + super.init(); + Certificate caCert = (Certificate) getServletContext().getAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE); + if (caCert != null) { + try { + p7c = new PKCS7CertList(); + p7c.setCertificateList(new iaik.x509.X509Certificate[] { Util.convertCertificate(caCert) }); + } catch (CertificateException ex) { + log.error("failed to import local ca certificate " + SERVER_CA_CERTIFICATE_ATTRIBUTE, ex); + } + } else { + log.error("failed to import local ca certificate " + SERVER_CA_CERTIFICATE_ATTRIBUTE); + } + } + + /** + * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods. + * @param request servlet request + * @param response servlet response + * @throws ServletException if a servlet-specific error occurs + * @throws IOException if an I/O error occurs + */ + protected void processRequest(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + +// try { +// SSLContext sslCtx1 = SSLContext.getDefault(); +// log.debug("Default SSLContext (" + sslCtx1.getProtocol() + "): " + sslCtx1.getClass().getName()); +// } catch (NoSuchAlgorithmException ex) { +// log.debug("no sslContext: " + ex.getMessage(), ex); +// } +// +// try { +// SSLContext sslCtx2 = SSLContext.getInstance("TLS"); +// log.debug("TLS SSLContext: " + sslCtx2.getClass().getName()); +// +// SSLServerSocketFactory serverSocketFactory = sslCtx2.getServerSocketFactory(); +// SSLSessionContext serverSessionContext = sslCtx2.getServerSessionContext(); +// +// if (serverSocketFactory != null) { +// log.debug("SSL ServerSocketFactory: " + serverSocketFactory.getClass().getName()); +// } +// if (serverSessionContext != null) { +// log.debug("SSL ServerSessionContext: " + serverSessionContext.getClass().getName()); +// } +// } catch (NoSuchAlgorithmException ex) { +// log.debug("no sslContext: " + ex.getMessage(), ex); +// } +// +// try { +// SSLContext sslCtx3 = SSLContext.getInstance("SSLv3"); +// log.debug("TLS SSLContext: " + sslCtx3.getClass().getName()); +// } catch (NoSuchAlgorithmException ex) { +// log.debug("no sslContext: " + ex.getMessage(), ex); +// } + + + + + + if (p7c != null) { + log.debug("returning local ca certificate"); + response.setContentType("application/x-x509-ca-cert"); + p7c.writeTo(response.getOutputStream()); + response.getOutputStream().flush(); + } else { + log.debug("no local ca certificate, redirecting to " + HTTPS_REDIRECT); + response.sendRedirect(HTTPS_REDIRECT); + } + + } + + // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code."> + /** + * Handles the HTTP <code>GET</code> method. + * @param request servlet request + * @param response servlet response + * @throws ServletException if a servlet-specific error occurs + * @throws IOException if an I/O error occurs + */ + @Override + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + processRequest(request, response); + } + + /** + * Handles the HTTP <code>POST</code> method. + * @param request servlet request + * @param response servlet response + * @throws ServletException if a servlet-specific error occurs + * @throws IOException if an I/O error occurs + */ + @Override + protected void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + processRequest(request, response); + } + + /** + * Returns a short description of the servlet. + * @return a String containing servlet description + */ + @Override + public String getServletInfo() { + return "Short description"; + }// </editor-fold> +} diff --git a/BKULocal/src/main/webapp/WEB-INF/web.xml b/BKULocal/src/main/webapp/WEB-INF/web.xml index 83f33d9e..8768dbd8 100644 --- a/BKULocal/src/main/webapp/WEB-INF/web.xml +++ b/BKULocal/src/main/webapp/WEB-INF/web.xml @@ -1,5 +1,4 @@ <?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <!-- Copyright 2008 Federal Chancellery Austria and Graz University of Technology @@ -16,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. --> -<web-app id="WebApp_ID"> +<web-app id="bkulocal" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <display-name>http-security-layer-request</display-name> <!-- Begin Spring Config --> @@ -36,14 +35,14 @@ <servlet-name>BKUServlet</servlet-name> <servlet-class>at.gv.egiz.bku.local.webapp.BKURequestHandler</servlet-class> </servlet> - <servlet> - <servlet-name>help</servlet-name> - <jsp-file>/help.jsp</jsp-file> - </servlet> <servlet> <servlet-name>PINManagementServlet</servlet-name> <servlet-class>at.gv.egiz.bku.local.webapp.PINManagementServlet</servlet-class> </servlet> + <servlet> + <servlet-name>InstallCertificateServlet</servlet-name> + <servlet-class>at.gv.egiz.bku.local.webapp.InstallCertificateServlet</servlet-class> + </servlet> <servlet-mapping> <servlet-name>BKUServlet</servlet-name> <url-pattern>/http-security-layer-request</url-pattern> @@ -52,16 +51,16 @@ <servlet-name>BKUServlet</servlet-name> <url-pattern>/https-security-layer-request</url-pattern> </servlet-mapping> - <servlet-mapping> - <servlet-name>help</servlet-name> - <url-pattern>/help/*</url-pattern> - </servlet-mapping> <!-- Begin BKU Config --> <servlet-mapping> <servlet-name>PINManagementServlet</servlet-name> <url-pattern>/PINManagement</url-pattern> </servlet-mapping> + <servlet-mapping> + <servlet-name>InstallCertificateServlet</servlet-name> + <url-pattern>/installCertificate</url-pattern> + </servlet-mapping> <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> diff --git a/BKULocal/src/main/webapp/img/chip16.ico b/BKULocal/src/main/webapp/img/chip16.ico Binary files differnew file mode 100644 index 00000000..42175127 --- /dev/null +++ b/BKULocal/src/main/webapp/img/chip16.ico diff --git a/BKULocal/src/main/webapp/img/chip48.png b/BKULocal/src/main/webapp/img/chip48.png Binary files differnew file mode 100644 index 00000000..491fbcac --- /dev/null +++ b/BKULocal/src/main/webapp/img/chip48.png diff --git a/BKULocal/src/main/webapp/index.html b/BKULocal/src/main/webapp/index.html index 537c154a..6aefe43c 100644 --- a/BKULocal/src/main/webapp/index.html +++ b/BKULocal/src/main/webapp/index.html @@ -14,21 +14,45 @@ See the License for the specific language governing permissions and limitations under the License. --> -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html> - <head> - <title>BKU Web Start - Willkommen</title> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> - <style type="text/css" media="all">@import "css/main.css";</style> - </head> - <body> - <h1>BKU Web Start - Willkommen</h1> - <div> - <p>Diese Seite installiert das MOCCA Zertifikat in ihrem Browser. - In jedem weiteren Browser können sie dieses durch Aufruf <a href="https://localhost:3496/index.html">dieser Seite</a> ebenso installieren.</p> - </div> - <div> - <a href="PINManagement?redirect=./index.html">PIN Verwaltung</a> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <title>Bürgerkarte - Willkommen</title> + <link href="help/help.css" rel="stylesheet" type="text/css" /> + <link rel="shortcut icon" href="img/chip16.ico" type="image/x-icon"/> + </head> + + <body class="twoColElsLtHdr"> + + <div id="container"> + <div id="header"> + <h1>Bürgerkarte</h1> + <!-- end #header --></div> + <div id="mainContent" style="margin: 1.5em 1.5em 0 1.5em"> + <div style="float:left; margin-right:1em"> + <img src="img/chip48.png" alt="Logo" width="48" height="48"/> </div> - </body> + <p>Um die Bürgerkartenumgebung zu verwenden installieren Sie bitte + zunächst das <a href="installCertificate">CA Zertifikat</a>. + </p> + + <p style="float:none">Weiters können Sie</p> + <ul> + <li>die <a href="help">Hilfe durchsehen</a>,</li> + <li>die <a href="PINManagement?redirect=./index.html">PIN Verwaltung starten</a> oder </li> + <li>in jedem weiteren Web-Browser das <a href="installCertificate">CA Zertifikat installieren</a>.</li> + </ul> + + <p><br class="clearfloat" /></p> + + </div> + <div id="footer"> + <p> + <a href="http://www.buergerkarte.at">Österreichische Bürgerkarte</a> | <a href="http://mocca.egovlabs.gv.at">Bürgerkartensoftware MOCCA</a> + </p> + </div> + <!-- end #container --></div> + </body> </html> + diff --git a/BKUOnline/pom.xml b/BKUOnline/pom.xml index f03bc792..9fc36d63 100644 --- a/BKUOnline/pom.xml +++ b/BKUOnline/pom.xml @@ -39,7 +39,7 @@ <dependency> <artifactId>BKUHelp</artifactId> <groupId>at.gv.egiz</groupId> - <version>1.1</version> + <version>1.2-SNAPSHOT</version> </dependency> <dependency> <groupId>commons-logging</groupId> @@ -302,12 +302,13 @@ </build> <dependencies> - <!-- not yet available in IBIBLIO, install locally --> + <!-- not yet available in IBIBLIO, install locally + | NOT REQUIRED FOR BASIC DOWNLOAD PROTOCOL <dependency> <groupId>org.codehaus.mojo.webstart</groupId> <artifactId>webstart-jnlp-servlet</artifactId> <version>1.0-6.0.02_ea_b02.1-SNAPSHOT</version> - </dependency> + </dependency--> <!-- dependency to ensure BKUWebStart is build prior to BKUOnline; | transitive dependencies shall not be included in WEB-INF/lib | and are provided in the BKUWebStart zip diff --git a/BKUWebStart/pom.xml b/BKUWebStart/pom.xml index 462146d6..cef65ac2 100644 --- a/BKUWebStart/pom.xml +++ b/BKUWebStart/pom.xml @@ -51,9 +51,11 @@ </plugin> <!-- Build the web start app - | Default is to build BKUWebStart.zip incl. jnlp for local execution - | If include-webstart is active, the jnlp will contain DownloadServlet specific placeholders (for codebase, etc) and versioning will be enabled. - | If pkcs11-sign is active (ie. the release build), pack200 will be activated, the the PKCS11 keystore will be used (and the adopted version of the plugin will be used). + | Default is to build BKUWebStart.zip incl. mocca.jnlp with versioning enabled and + | containing DownloadServlet specific placeholders (for codebase, etc). + | If pkcs11-sign is active (ie. the release build), pack200/gzip will be activated, + | the the PKCS11 keystore will be used (and the adopted version of the plugin will be used). + | If local-webstart is active, the jnlp will be prepared for local execution (development build) |--> <plugin> <artifactId>webstart-maven-plugin</artifactId> @@ -98,8 +100,8 @@ </keystoreConfig> </sign> <pack200>false</pack200> - <!--gzip>true</gzip--> - <outputJarVersions>true</outputJarVersions> + <gzip>false</gzip> + <outputJarVersions>false</outputJarVersions> <!-- unsign IAIK signed libs --> <unsignAlreadySignedJars>true</unsignAlreadySignedJars> <verbose>true</verbose> @@ -190,9 +192,6 @@ <gen>false</gen> </keystoreConfig> </sign> - <pack200>true</pack200> - <!--gzip>false</gzip--> - <outputJarVersions>true</outputJarVersions> </configuration> </plugin> </plugins> @@ -212,7 +211,6 @@ <inputTemplate>template-local.xml</inputTemplate> <outputFile>mocca-local.jnlp</outputFile> </jnlp> - <outputJarVersions>false</outputJarVersions> </configuration> </plugin> </plugins> @@ -221,6 +219,14 @@ </profiles> <dependencies> + <!-- ATTENTION update of application descriptor (jnlp file) is special... + | The JNLP Client must use the Last-Modified header field returned by + | the Web Server to determine if a newer JNLP file is present on the Web + | server. + | Don't assume changes to the descriptor (changes in dependencies) to + | appear directly on the client descriptor (even if 'update available' + | was shown to user). + | Note: Download via browser ensures the updated jnlp file is used. --> <dependency> <groupId>at.gv.egiz</groupId> <artifactId>BKULocal</artifactId> @@ -259,12 +265,12 @@ <!-- JSP support | http://jira.codehaus.org/browse/JETTY-827 | jsp-2.1-jetty-6.1.19 depends on the required jsp-2.1-glassfish jars (?) - |--> + | <dependency> <groupId>org.mortbay.jetty</groupId> <artifactId>jsp-2.1-jetty</artifactId> <version>6.1.19</version> - </dependency> + </dependency--> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java index bef2246b..923a70d9 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java @@ -56,7 +56,7 @@ public class Configurator { * configurations with less than this (major) version will be backuped and updated * allowed: MAJOR[.MINOR[.X[-SNAPSHOT]]] */ - public static final String MIN_CONFIG_VERSION = "1.0.9"; + public static final String MIN_CONFIG_VERSION = "1.2.4-SNAPSHOT"; public static final String CONFIG_DIR = ".mocca/conf/"; public static final String CERTS_DIR = ".mocca/certs/"; public static final String VERSION_FILE = ".version"; diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java index 08a0808a..3bf74d3c 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java @@ -2,9 +2,11 @@ package at.gv.egiz.bku.webstart; import at.gv.egiz.bku.utils.StreamUtil;
import java.awt.AWTPermission;
+import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
+import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FilePermission;
@@ -15,8 +17,12 @@ import java.io.OutputStream; import java.lang.reflect.ReflectPermission;
import java.net.NetPermission;
import java.net.SocketPermission;
+import java.security.AllPermission;
+import java.security.KeyStore;
import java.security.Permissions;
import java.security.SecurityPermission;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.util.PropertyPermission;
import javax.smartcardio.CardPermission;
import org.apache.commons.logging.Log;
@@ -32,8 +38,9 @@ public class Container { public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
public static final String HTTPS_PORT_PROPERTY = "mocca.http.port";
-
+ public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate";
private static Log log = LogFactory.getLog(Container.class);
+
static {
if (log.isDebugEnabled()) {
//Jetty log INFO and WARN, include ignored exceptions
@@ -43,7 +50,6 @@ public class Container { //System.setProperty("DEBUG", "true");
}
}
-
private Server server;
public void init() throws IOException {
@@ -75,63 +81,98 @@ public class Container { }
log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
sslConnector.setKeystore(keystoreFile.getAbsolutePath());
- File passwdFile = new File(configDir, Configurator.PASSWD_FILE);
- BufferedReader reader = new BufferedReader(new FileReader(passwdFile));
- String pwd;
- while ((pwd = reader.readLine()) != null) {
- sslConnector.setPassword(pwd);
- sslConnector.setKeyPassword(pwd);
- }
- reader.close();
-
+ String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
+ sslConnector.setPassword(passwd);
+ sslConnector.setKeyPassword(passwd);
+
//avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
- String[] RFC4492CipherSuites = new String[] {
+ String[] RFC4492CipherSuites = new String[]{
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_RSA_WITH_NULL_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_RSA_WITH_NULL_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_anon_WITH_NULL_SHA",
- "TLS_ECDH_anon_WITH_RC4_128_SHA",
- "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_NULL_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_NULL_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
};
sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
- server.setConnectors(new Connector[] { connector, sslConnector });
-
+ server.setConnectors(new Connector[]{connector, sslConnector});
+
WebAppContext webapp = new WebAppContext();
webapp.setLogUrlOnStart(true);
webapp.setContextPath("/");
- webapp.setExtractWAR(true);
+ webapp.setExtractWAR(true);
webapp.setParentLoaderPriority(false);
+ try {
+ // no way to get certificate from within the servlet (SSLEngine/Jetty SSLSocketConnector/SSLContext?)
+ if (log.isTraceEnabled()) {
+ log.trace("local ca certificate from " + keystoreFile + " in webapp context at " + SERVER_CA_CERTIFICATE_ATTRIBUTE);
+ }
+ BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
+ KeyStore sslKeyStore = KeyStore.getInstance("JKS");
+ sslKeyStore.load(bis, passwd.toCharArray());
+ Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
+ webapp.setAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE, sslChain[sslChain.length - 1]);
+ bis.close();
+ } catch (Exception ex) {
+ log.error("Failed to load local ca certificate", ex);
+ log.warn("automated web certificate installation will not be available");
+ }
+
webapp.setWar(copyWebapp(webapp.getTempDirectory()));
webapp.setPermissions(getPermissions(webapp.getTempDirectory()));
-
+
server.setHandler(webapp);
- server.setGracefulShutdown(1000*3);
+ server.setGracefulShutdown(1000 * 3);
+ }
+
+ /**
+ * @return The first valid (not empty, no comment) line of the passwd file
+ * @throws IOException
+ */
+ protected static String readPassword(File passwdFile) throws IOException {
+ if (passwdFile.exists() && passwdFile.canRead()) {
+ BufferedReader passwdReader = null;
+ try {
+ passwdReader = new BufferedReader(new FileReader(passwdFile));
+ String passwd;
+ while ((passwd = passwdReader.readLine().trim()) != null) {
+ if (passwd.length() > 0 && !passwd.startsWith("#")) {
+ return passwd;
+ }
+ }
+ } catch (IOException ex) {
+ log.error("failed to read password from " + passwdFile, ex);
+ throw ex;
+ } finally {
+ try {
+ passwdReader.close();
+ } catch (IOException ex) {
+ }
+ }
+ }
+ throw new IOException(passwdFile + " not readable");
}
private String copyWebapp(File webappDir) throws IOException {
@@ -146,43 +187,48 @@ public class Container { private Permissions getPermissions(File webappDir) {
Permissions perms = new Permissions();
+ perms.add(new AllPermission());
+
+
+ if (false) {
+
+ // jetty-webstart (spring?)
+ perms.add(new RuntimePermission("getClassLoader"));
+
+ // standard permissions
+ perms.add(new PropertyPermission("*", "read,write"));
+ perms.add(new RuntimePermission("accessDeclaredMembers"));
+ perms.add(new RuntimePermission("accessClassInPackage.*"));
+ perms.add(new RuntimePermission("defineClassInPackage.*"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new RuntimePermission("getProtectionDomain"));
+ perms.add(new RuntimePermission("modifyThread"));
+ perms.add(new RuntimePermission("modifyThreadGroup"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new ReflectPermission("suppressAccessChecks"));
+
+ // MOCCA specific
+ perms.add(new SocketPermission("*", "connect,resolve"));
+ perms.add(new NetPermission("specifyStreamHandler"));
+ perms.add(new SecurityPermission("insertProvider.*"));
+ perms.add(new SecurityPermission("putProviderProperty.*"));
+ perms.add(new SecurityPermission("removeProvider.*"));
+ perms.add(new CardPermission("*", "*"));
+ perms.add(new AWTPermission("*"));
+
+ perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
+
+ //TODO
+// log.trace("granting file read/write permission to MOCCA local");
+// perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
- // jetty-webstart (spring?)
- perms.add(new RuntimePermission("getClassLoader"));
-
- // standard permissions
- perms.add(new PropertyPermission("*", "read,write"));
- perms.add(new RuntimePermission("accessDeclaredMembers"));
- perms.add(new RuntimePermission("accessClassInPackage.*"));
- perms.add(new RuntimePermission("defineClassInPackage.*"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new RuntimePermission("getProtectionDomain"));
- perms.add(new RuntimePermission("modifyThread"));
- perms.add(new RuntimePermission("modifyThreadGroup"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new ReflectPermission("suppressAccessChecks"));
-
- // MOCCA specific
- perms.add(new SocketPermission("*", "connect,resolve"));
- perms.add(new NetPermission("specifyStreamHandler"));
- perms.add(new SecurityPermission("insertProvider.*"));
- perms.add(new SecurityPermission("putProviderProperty.*"));
- perms.add(new SecurityPermission("removeProvider.*"));
- perms.add(new CardPermission("*", "*"));
- perms.add(new AWTPermission("*"));
-
- perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
-
- //TODO
- log.trace("granting file read/write permission to MOCCA local");
- perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
-
+ }
return perms;
}
@@ -205,4 +251,4 @@ public class Container { public void join() throws InterruptedException {
server.join();
}
-}
\ No newline at end of file +}
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java index 0cfc14e5..0106de62 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java @@ -27,6 +27,7 @@ import java.awt.event.WindowAdapter; import java.net.BindException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
+import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.jar.Attributes;
@@ -73,21 +74,25 @@ public class Launcher implements BKUControllerInterface, ActionListener { /** local bku uri */
public static final URL HTTP_SECURITY_LAYER_URL;
public static final URL HTTPS_SECURITY_LAYER_URL;
+ public static final URL INSTALL_CERT_URL;
public static final URL PIN_MANAGEMENT_URL;
static {
URL http = null;
URL https = null;
URL pin = null;
+ URL cert = null;
try {
http = new URL("http://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3495).intValue());
https = new URL("https://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3496).intValue());
pin = new URL(http, "/PINManagement");
+ cert = new URL(http, "/installCertificate");
} catch (MalformedURLException ex) {
log.error(ex);
} finally {
HTTP_SECURITY_LAYER_URL = http;
HTTPS_SECURITY_LAYER_URL = https;
PIN_MANAGEMENT_URL = pin;
+ INSTALL_CERT_URL = cert;
}
}
public static final String version;
@@ -273,7 +278,7 @@ public class Launcher implements BKUControllerInterface, ActionListener { Desktop desktop = Desktop.getDesktop();
if (desktop.isSupported(Desktop.Action.BROWSE)) {
try {
- desktop.browse(HTTPS_SECURITY_LAYER_URL.toURI());
+ desktop.browse(HTTP_SECURITY_LAYER_URL.toURI());
} catch (Exception ex) {
log.error("failed to open system browser, install TLS certificate manually: " + HTTPS_SECURITY_LAYER_URL, ex);
}
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index 97ca716b..fd94958e 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory; public class TLSServerCA {
public static final int CA_VALIDITY_Y = 3;
+ public static final String MOCCA_TLS_SERVER_ALIAS = "server";
public static final int SERVER_VALIDITY_Y = 3;
private final static Log log = LogFactory.getLog(TLSServerCA.class);
@@ -127,7 +128,7 @@ public class TLSServerCA { generateServerCert();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, null);
- ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
+ ks.setKeyEntry(MOCCA_TLS_SERVER_ALIAS, serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
return ks;
// } catch (Exception e) {
// log.error("Cannot generate certificate", e);
diff --git a/BKUWebStart/src/main/jnlp/resources/version.xml b/BKUWebStart/src/main/jnlp/resources/version.xml index 451fe038..5e504b68 100644 --- a/BKUWebStart/src/main/jnlp/resources/version.xml +++ b/BKUWebStart/src/main/jnlp/resources/version.xml @@ -91,41 +91,6 @@ </resource> <resource> <pattern> - <name>jsp-2.1-jetty-6.1.19.jar</name> - <version-id>6.1.19</version-id> - </pattern> - <file>jsp-2.1-jetty-6.1.19.jar</file> - </resource> - <resource> - <pattern> - <name>jsp-2.1-glassfish-9.1.1.B60.25.p0.jar</name> - <version-id>9.1.1.B60.25.p0</version-id> - </pattern> - <file>jsp-2.1-glassfish-9.1.1.B60.25.p0.jar</file> - </resource> - <resource> - <pattern> - <name>jsp-api-2.1-glassfish-9.1.1.B60.25.p0.jar</name> - <version-id>9.1.1.B60.25.p0</version-id> - </pattern> - <file>jsp-api-2.1-glassfish-9.1.1.B60.25.p0.jar</file> - </resource> - <resource> - <pattern> - <name>ant-1.6.5.jar</name> - <version-id>1.6.5</version-id> - </pattern> - <file>ant-1.6.5.jar</file> - </resource> - <resource> - <pattern> - <name>core-3.1.1.jar</name> - <version-id>3.1.1</version-id> - </pattern> - <file>core-3.1.1.jar</file> - </resource> - <resource> - <pattern> <name>slf4j-api-1.5.8.jar</name> <version-id>1.5.8</version-id> </pattern> diff --git a/BKUWebStart/src/main/jnlp/template.xml b/BKUWebStart/src/main/jnlp/template.xml index a8ee0341..8181bc31 100644 --- a/BKUWebStart/src/main/jnlp/template.xml +++ b/BKUWebStart/src/main/jnlp/template.xml @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="utf-8"?> -<jnlp spec="$jnlpspec" codebase="$$codebase" context="$$context" href="$$name"> +<jnlp spec="$jnlpspec" codebase="http://localhost:8080/webstart/" context="http://localhost:8080" href="mocca.jnlp"> <information> <!--title>$project.Name</title--> @@ -9,15 +9,15 @@ <homepage href="$project.Url"/> <description>$project.Description (BKU) MOCCA Web Start</description> <description kind="short">$project.Description</description> - <icon kind="shortcut" href="img/chip16.png" width="16" height="16" version="2.0"/> - <icon kind="shortcut" href="img/chip24.png" width="24" height="24" version="2.0"/> - <icon kind="shortcut" href="img/chip32.png" width="32" height="32" version="2.0"/> - <icon kind="shortcut" href="img/chip48.png" width="48" height="48" version="2.0"/> - <icon kind="default" href="img/chip16.png" width="16" height="16" version="2.0"/> - <icon kind="default" href="img/chip24.png" width="24" height="24" version="2.0"/> - <icon kind="default" href="img/chip32.png" width="32" height="32" version="2.0"/> - <icon kind="default" href="img/chip48.png" width="48" height="48" version="2.0"/> - <icon kind="splash" href="img/splash.png" version="2.0"/> + <icon kind="shortcut" href="img/chip16.png" width="16" height="16"/> + <icon kind="shortcut" href="img/chip24.png" width="24" height="24"/> + <icon kind="shortcut" href="img/chip32.png" width="32" height="32"/> + <icon kind="shortcut" href="img/chip48.png" width="48" height="48"/> + <icon kind="default" href="img/chip16.png" width="16" height="16"/> + <icon kind="default" href="img/chip24.png" width="24" height="24"/> + <icon kind="default" href="img/chip32.png" width="32" height="32"/> + <icon kind="default" href="img/chip48.png" width="48" height="48"/> + <icon kind="splash" href="img/splash.png"/> <shortcut online="false"> <desktop/> <menu submenu="e-Government"/> @@ -39,13 +39,11 @@ <resources os="Mac OS X"> <java version="$j2seVersion" java-vm-args="-d32"/> - <property name="jnlp.versionEnabled" value="true"/> $dependencies </resources> <resources> <java version="$j2seVersion"/> - <property name="jnlp.versionEnabled" value="true"/> $dependencies </resources> |