summaryrefslogtreecommitdiff
path: root/BKULocal/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'BKULocal/src/main')
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java86
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java103
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java320
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties7
-rw-r--r--BKULocal/src/main/webapp/WEB-INF/applicationContext.xml6
5 files changed, 108 insertions, 414 deletions
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java
index b547bf6a..3f50fc78 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java
@@ -1,65 +1,65 @@
/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package at.gv.egiz.bku.local.accesscontroller;
import java.io.IOException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
import org.springframework.context.ResourceLoaderAware;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;
-import at.gv.egiz.bku.local.conf.Configurator;
+import at.gv.egiz.bku.conf.Configurator;
public class SpringSecurityManager extends SecurityManagerFacade implements
- ResourceLoaderAware {
+ ResourceLoaderAware {
- private ResourceLoader resourceLoader;
+ private ResourceLoader resourceLoader;
- private static Log log = LogFactory.getLog(SpringSecurityManager.class);
+ private static Log log = LogFactory.getLog(SpringSecurityManager.class);
- protected Configurator config;
+ protected Configurator config;
- public void setConfig(Configurator config) {
- this.config = config;
- }
+ public void setConfig(Configurator config) {
+ this.config = config;
+ }
- public void init() {
- String noMatch = config.getProperty("AccessController.acceptNoMatch");
- if (noMatch != null) {
- log.debug("Setting allow now match to: " + noMatch);
- setAllowUnmatched(Boolean.getBoolean(noMatch));
- }
- String policy = config.getProperty("AccessController.policyResource");
- log.info("Loading resource: " + policy);
- try {
- Resource res = resourceLoader.getResource(policy);
- init(res.getInputStream());
- } catch (IOException e) {
- log.error(e);
- }
- }
+ public void init() {
+ String noMatch = config.getProperty("AccessController.acceptNoMatch");
+ if (noMatch != null) {
+ log.debug("Setting allow now match to: " + noMatch);
+ setAllowUnmatched(Boolean.getBoolean(noMatch));
+ }
+ String policy = config.getProperty("AccessController.policyResource");
+ policy = policy.replace("${user.home}", System.getProperty("user.home"));
+ log.info("Loading resource: " + policy);
+ try {
+ Resource res = resourceLoader.getResource(policy);
+ init(res.getInputStream());
+ } catch (IOException e) {
+ log.error(e);
+ }
+ }
- @Override
- public void setResourceLoader(ResourceLoader loader) {
- this.resourceLoader = loader;
- }
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java
deleted file mode 100644
index 57a0f84f..00000000
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package at.gv.egiz.bku.local.conf;
-
-import iaik.security.ecc.provider.ECCProvider;
-import iaik.security.provider.IAIK;
-import iaik.xml.crypto.XSecProvider;
-
-import java.io.IOException;
-import java.net.HttpURLConnection;
-import java.security.Provider;
-import java.security.Security;
-import java.util.Properties;
-
-import javax.net.ssl.HttpsURLConnection;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.binding.DataUrl;
-import at.gv.egiz.bku.binding.DataUrlConnection;
-import at.gv.egiz.bku.slcommands.impl.xsect.DataObject;
-import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
-
-/**
- *
- * TODO currently only the code to get started.
- */
-public abstract class Configurator {
-
- private Log log = LogFactory.getLog(Configurator.class);
-
- private static Configurator instance = new SpringConfigurator();
-
- protected Properties properties;
-
- protected Configurator() {
- }
-
- public static Configurator getInstance() {
- return instance;
- }
-
- protected void configUrlConnections() {
- HttpsURLConnection.setFollowRedirects(false);
- HttpURLConnection.setFollowRedirects(false);
- }
-
- protected void configureProviders() {
- log.debug("Registering security providers");
- Security.insertProviderAt(new IAIK(), 1);
- Security.insertProviderAt(new ECCProvider(false), 2);
- Security.addProvider(new STALProvider());
- XSecProvider.addAsProvider(false);
- StringBuilder sb = new StringBuilder();
- sb.append("Registered providers: ");
- int i = 1;
- for (Provider prov : Security.getProviders()) {
- sb.append((i++) + ". : " + prov);
- }
- log.debug(sb.toString());
- }
-
- protected void configViewer() {
- String bv = properties.getProperty("ValidateHashDataInputs");
- if (bv != null) {
- DataObject.enableHashDataInputValidation(Boolean.parseBoolean(bv));
- } else {
- log.warn("ValidateHashDataInputs not set, falling back to default");
- }
- }
-
- public void configure() {
- configureProviders();
- configUrlConnections();
- configViewer();
- }
-
- public void setConfiguration(Properties props) {
- this.properties = props;
- }
-
- public String getProperty(String key) {
- if (properties != null) {
- return properties.getProperty(key);
- }
- return null;
- }
-}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java
index 46668667..bcb96c2f 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java
@@ -19,41 +19,8 @@ package at.gv.egiz.bku.local.conf;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Security;
-import java.security.cert.CertPathBuilder;
-import java.security.cert.CertStore;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.LDAPCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.PKIXCertPathBuilderResult;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
+import java.io.InputStream;
import java.util.Properties;
-import java.util.Set;
-
-import javax.naming.ldap.LdapContext;
-import javax.naming.ldap.LdapReferralException;
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -61,8 +28,7 @@ import org.springframework.context.ResourceLoaderAware;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
-import at.gv.egiz.bku.binding.DataUrl;
-import at.gv.egiz.bku.binding.DataUrlConnection;
+import at.gv.egiz.bku.conf.Configurator;
import at.gv.egiz.bku.slexceptions.SLRuntimeException;
public class SpringConfigurator extends Configurator implements
@@ -73,15 +39,16 @@ public class SpringConfigurator extends Configurator implements
private ResourceLoader resourceLoader;
public SpringConfigurator() {
- File configDir = new File(System.getProperty("user.home") + "/.bku/conf");
- if (configDir.exists()) {
- log.debug("Found existing config directory: " + configDir);
- } else {
- log.info("Config dir not existing, creating new");
- if (!configDir.mkdirs()) {
- log.error("Cannot create directory: " + configDir);
- }
- }
+ // File configDir = new File(System.getProperty("user.home") +
+ // "/.bku/conf");
+ // if (configDir.exists()) {
+ // log.debug("Found existing config directory: " + configDir);
+ // } else {
+ // log.info("Config dir not existing, creating new");
+ // if (!configDir.mkdirs()) {
+ // log.error("Cannot create directory: " + configDir);
+ // }
+ // }
}
public void setResource(Resource resource) {
@@ -99,248 +66,75 @@ public class SpringConfigurator extends Configurator implements
}
}
- public void configureVersion() {
- Properties p = new Properties();
- try {
- p.load(resourceLoader.getResource("META-INF/MANIFEST.MF")
- .getInputStream());
- String version = p.getProperty("Implementation-Build");
- properties.setProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY,
- "citizen-card-environment/1.2 MOCCA " + version);
- DataUrl.setConfiguration(properties);
- log.debug("Setting user agent to: "
- + properties.getProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY));
- } catch (IOException e) {
- log.error(e);
- }
- }
-
+ @Override
public void configure() {
+ if (properties == null) {
+ defaultInit();
+ }
super.configure();
- configureSSL();
- configureVersion();
- configureNetwork();
}
- public void configureNetwork() {
- String proxy = getProperty("HTTPProxyHost");
- String portString = getProperty("HTTPProxyPort");
- if ((proxy == null) || (proxy.equals(""))) {
- log.info("No proxy configured");
- } else {
- log.info("Setting proxy to: " + proxy + ":" + portString);
- System.setProperty("proxyHost", proxy);
- System.setProperty("proxyPort", portString);
- }
- String timeout = getProperty("DefaultSocketTimeout");
- if ((timeout != null) && (!timeout.equals(""))) {
- System.setProperty("sun.net.client.defaultConnectTimeout", timeout);
+ public void defaultInit() {
+ Properties props = new Properties();
+ try {
+ props.load(new FileInputStream(System.getProperty("user.home")
+ + "/.mocca/war/mocca.war"));
+ super.setConfiguration(props);
+ } catch (IOException e) {
+ log.error("Cannot load config", e);
}
}
- private Set<TrustAnchor> getCACerts() throws IOException,
- CertificateException {
- Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
- String caDirectory = getProperty("SSL.caDirectory");
- if (caDirectory != null) {
- Resource caDirRes = resourceLoader.getResource(caDirectory);
- File caDir = caDirRes.getFile();
- if (!caDir.isDirectory()) {
- log.error("Expecting directory as SSL.caDirectory parameter");
- throw new SLRuntimeException(
- "Expecting directory as SSL.caDirectory parameter");
- }
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : caDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- fis.close();
- log.debug("Adding trusted cert " + cert.getSubjectDN());
- caCerts.add(new TrustAnchor(cert, null));
- } catch (Exception e) {
- log.error("Cannot add trusted ca", e);
- }
- }
- return caCerts;
-
- } else {
- log.warn("No CA certificates configured");
- }
- return null;
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
}
- private List<CertStore> getCertstore() throws IOException,
- CertificateException, InvalidAlgorithmParameterException,
- NoSuchAlgorithmException {
- List<CertStore> resultList = new ArrayList<CertStore>();
- String certDirectory = getProperty("SSL.certDirectory");
- if (certDirectory != null) {
- Resource certDirRes = resourceLoader.getResource(certDirectory);
-
- File certDir = certDirRes.getFile();
+ private File getDirectory(String property) {
+ property = property
+ .replace("${user.home}", System.getProperty("user.home"));
+ if (property != null) {
+ Resource certDirRes = resourceLoader.getResource(property);
+ File certDir;
+ try {
+ certDir = certDirRes.getFile();
+ } catch (IOException e) {
+ log.error("Cannot get cert directory", e);
+ throw new SLRuntimeException(e);
+ }
if (!certDir.isDirectory()) {
log.error("Expecting directory as SSL.certDirectory parameter");
throw new SLRuntimeException(
"Expecting directory as SSL.certDirectory parameter");
}
- List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : certDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- certCollection.add(cert);
- fis.close();
- log
- .trace("Added following cert to certstore: "
- + cert.getSubjectDN());
- } catch (Exception ex) {
- log.error("Cannot add certificate", ex);
- }
- }
- CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
- certCollection);
- resultList.add(CertStore.getInstance("Collection", csp));
- log.info("Added collection certstore");
- } else {
- log.warn("No certstore directory configured");
- }
- String ldapHost = getProperty("SSL.ldapServer");
- if ((ldapHost != null) && (!"".equals(ldapHost))) {
- String ldapPortString = getProperty("SSL.ldapPort");
- int ldapPort = 389;
- if (ldapPortString != null) {
- try {
- ldapPort = Integer.parseInt(ldapPortString);
- } catch (NumberFormatException nfe) {
- log.error("Invalid ldap port, using default 389");
- }
- } else {
- log.warn("ldap port not specified, using default 389");
- }
- LDAPCertStoreParameters ldapParams = new LDAPCertStoreParameters(
- ldapHost, ldapPort);
- resultList.add(CertStore.getInstance("LDAP", ldapParams));
- log.info("Added LDAP certstore");
+ return certDir;
}
- return resultList;
- }
-
- public void configureSSL() {
- Set<TrustAnchor> caCerts = null;
- try {
- caCerts = getCACerts();
- } catch (Exception e1) {
- log.error("Cannot load CA certificates", e1);
- }
- List<CertStore> certStoreList = null;
- try {
- certStoreList = getCertstore();
- } catch (Exception e1) {
- log.error("Cannot load certstore certificates", e1);
- }
- String aia = getProperty("SSL.useAIA");
- if ((aia == null) || (aia.equals(""))) {
- System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
- } else {
- System.setProperty("com.sun.security.enableAIAcaIssuers", aia);
- }
- String lifetime = getProperty("SSL.cache.lifetime");
- if ((lifetime == null) || (lifetime.equals(""))) {
- System.setProperty("sun.security.certpath.ldap.cache.lifetime", "0");
- } else {
- System.setProperty("sun.security.certpath.ldap.cache.lifetime", lifetime);
- }
- X509CertSelector selector = new X509CertSelector();
- PKIXBuilderParameters pkixParams;
- try {
- pkixParams = new PKIXBuilderParameters(caCerts, selector);
- if ((getProperty("SSL.doRevocationChecking") != null)
- && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
- log.info("Enable revocation checking");
- System.setProperty("com.sun.security.enableCRLDP", "true");
- Security.setProperty("ocsp.enable", "true");
- } else {
- log.warn("Revocation checking disabled");
- }
- for (CertStore cs : certStoreList) {
- pkixParams.addCertStore(cs);
- }
- ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
- pkixParams);
- TrustManagerFactory trustFab;
- trustFab = TrustManagerFactory.getInstance("PKIX");
- trustFab.init(trustParams);
- KeyManager[] km = null;
- SSLContext sslCtx = SSLContext
- .getInstance(getProperty("SSL.sslProtocol"));
- String disableAll = getProperty("SSL.disableAllChecks");
- if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
- log.warn("--------------------------------------");
- log.warn(" Disabling SSL Certificate Validation ");
- log.warn("--------------------------------------");
-
- sslCtx.init(km, new TrustManager[] { new MyTrustManager(caCerts,
- certStoreList) }, null);
- } else {
- sslCtx.init(km, trustFab.getTrustManagers(), null);
- }
- HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
- } catch (Exception e) {
- log.error("Cannot configure SSL", e);
- }
- String disableAll = getProperty("SSL.disableAllChecks");
- if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
- log.warn("---------------------------------");
- log.warn(" Disabling Hostname Verification ");
- log.warn("---------------------------------");
- HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- }
- }
-
- @Override
- public void setResourceLoader(ResourceLoader loader) {
- this.resourceLoader = loader;
- }
-}
-
-class MyTrustManager implements X509TrustManager {
- private static Log log = LogFactory.getLog(MyTrustManager.class);
- private X509Certificate[] trustedCerts;
+ return null;
- public MyTrustManager(Set<TrustAnchor> caCerts, List<CertStore> cs) {
- trustedCerts = new X509Certificate[caCerts.size()];
- int i = 0;
- for (Iterator<TrustAnchor> it = caCerts.iterator(); it.hasNext();) {
- TrustAnchor ta = it.next();
- trustedCerts[i++] = ta.getTrustedCert();
- }
}
@Override
- public void checkClientTrusted(X509Certificate[] arg0, String arg1)
- throws CertificateException {
- log.error("Did not expect this method to get called");
- throw new CertificateException("Method not implemented");
+ protected File getCADir() {
+ String caDirectory = getProperty("SSL.caDirectory");
+ return getDirectory(caDirectory);
}
@Override
- public void checkServerTrusted(X509Certificate[] certs, String arg1)
- throws CertificateException {
- log.warn("-------------------------------------");
- log.warn("SSL Certificate Validation Disabled !");
- log.warn("-------------------------------------");
+ protected File getCertDir() {
+ String certDirectory = getProperty("SSL.certDirectory");
+ return getDirectory(certDirectory);
}
@Override
- public X509Certificate[] getAcceptedIssuers() {
- return trustedCerts;
+ protected InputStream getManifest() {
+ Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF");
+ if ((r != null) && r.isReadable()) {
+ try {
+ return r.getInputStream();
+ } catch (IOException e) {
+ log.error("Cannot read manifest data:" + e);
+ }
+ }
+ return null;
}
-
} \ No newline at end of file
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties
index 29bdd1ed..8ae5bf6d 100644
--- a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties
@@ -51,10 +51,11 @@ SSL.disableAllChecks=false
# ------------ END SSL Config --------------------
ValidateHashDataInputs=true
+AppletTimeout=300000
-HTTPProxyHost=
-HTTPProxyPort=
-DefaultSocketTimeout=200
+#HTTPProxyHost=
+#HTTPProxyPort=
+#DefaultSocketTimeout=200
diff --git a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
index c6a5088a..a4003a2a 100644
--- a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
@@ -21,6 +21,7 @@
<bean id="STALFactory" class="at.gv.egiz.bku.local.stal.SMCCSTALFactory"
scope="singleton" />
+
<bean id="bindingProcessorManager" class="at.gv.egiz.bku.binding.BindingProcessorManagerImpl"
scope="singleton">
<constructor-arg ref="STALFactory"></constructor-arg>
@@ -47,10 +48,11 @@
</bean>
<!-- Configure Configuration -->
- <bean id="configurator" factory-method="getInstance" class="at.gv.egiz.bku.local.conf.SpringConfigurator"
+
+ <bean id="configurator" class="at.gv.egiz.bku.local.conf.SpringConfigurator"
init-method="configure">
<!-- <property name="resource" value="classpath:at/gv/egiz/bku/local/conf/defaultConf.properties"/> -->
- <property name="resource" value="classpath:at/gv/egiz/bku/local/conf/defaultConf.properties"/>
+ <property name="resource" value="file:${user.home}/.mocca/conf/defaultConf.properties"/>
</bean>