Diffstat (limited to 'BKULocal')
-rw-r--r--BKULocal/pom.xml147
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java65
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java44
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java375
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java336
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java6
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java11
-rw-r--r--BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java4
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/Userdialog.properties27
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/baseconfig.xml38
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/accessControlConfig.xml96
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-01a.cerbin0 -> 1111 bytes
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-02a.cer (renamed from BKULocal/src/main/resources/at/gv/egiz/bku/local/truststore.jks)bin1037 -> 975 bytes
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-03a.cerbin0 -> 975 bytes
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-01a.cerbin0 -> 865 bytes
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-03.cerbin0 -> 979 bytes
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-SSL-03.cer26
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-03.cer27
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-01a.cer21
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-02a.cer27
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-03.cer27
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-01a.cer21
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-02a.cer27
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties53
-rw-r--r--BKULocal/src/main/resources/at/gv/egiz/bku/local/logo.pngbin4035 -> 0 bytes
-rw-r--r--BKULocal/src/main/webapp/WEB-INF/applicationContext.xml42
-rw-r--r--BKULocal/src/test/java/ConfigTest.java49
-rw-r--r--BKULocal/src/test/java/JustASandbox.java78
28 files changed, 926 insertions, 621 deletions
diff --git a/BKULocal/pom.xml b/BKULocal/pom.xml
index 341e574a..49ec95a0 100644
--- a/BKULocal/pom.xml
+++ b/BKULocal/pom.xml
@@ -1,84 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<project
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <parent>
- <artifactId>bku</artifactId>
- <groupId>at.gv.egiz</groupId>
- <version>1.0-SNAPSHOT</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <groupId>at.gv.egiz</groupId>
- <artifactId>BKULocal</artifactId>
- <packaging>war</packaging>
- <name>BKU Local</name>
- <version>1.0-SNAPSHOT</version>
- <description />
- <dependencies>
- <dependency>
- <groupId>at.gv.egiz</groupId>
- <artifactId>STAL</artifactId>
- <version>1.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz</groupId>
- <artifactId>bkucommon</artifactId>
- <version>1.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz</groupId>
- <artifactId>smcc</artifactId>
- <version>1.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz</groupId>
- <artifactId>smccSTAL</artifactId>
- <version>1.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-core</artifactId>
- <version>2.5.5</version>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- <version>2.5</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-web</artifactId>
- <version>2.5.5</version>
- </dependency>
- <dependency>
- <groupId>commons-configuration</groupId>
- <artifactId>commons-configuration</artifactId>
- <version>1.5</version>
- </dependency>
- <dependency>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-support</artifactId>
- <version>2.0.8</version>
- </dependency>
- <dependency>
- <groupId>opensymphony</groupId>
- <artifactId>quartz</artifactId>
- <version>1.5.0</version>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-tx</artifactId>
- <version>2.5.5</version>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz</groupId>
- <artifactId>BKUApplet</artifactId>
- <version>1.0-SNAPSHOT</version>
- </dependency>
- </dependencies>
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <parent>
+ <artifactId>bku</artifactId>
+ <groupId>at.gv.egiz</groupId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>BKULocal</artifactId>
+ <packaging>war</packaging>
+ <name>BKU Local</name>
+ <version>1.0-SNAPSHOT</version>
+ <description />
+ <dependencies>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>STAL</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>bkucommon</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>smcc</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>smccSTAL</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-core</artifactId>
+ <version>2.5.5</version>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.5</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-web</artifactId>
+ <version>2.5.5</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>BKUApplet</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>BKUViewer</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
</project> \ No newline at end of file
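Review bot: Every line of the POM is rewritten because the file was re-indented, so the actual dependency change — dropping `commons-configuration`, `spring-support`, `quartz` and `spring-tx` and adding `BKUViewer` — is not visible as such in the diff; a whitespace-only reformat is better committed separately from the dependency change. The new `SpringConfigurator` and `SpringSecurityManager` import `org.springframework.context.ResourceLoaderAware`, yet no `spring-context` artifact is declared here; it may resolve transitively through `spring-web`, which is worth confirming rather than relying on.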
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java
new file mode 100644
index 00000000..b547bf6a
--- /dev/null
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java
@@ -0,0 +1,65 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.bku.local.accesscontroller;
+
+import java.io.IOException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
+import org.springframework.context.ResourceLoaderAware;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;
+import at.gv.egiz.bku.local.conf.Configurator;
+
+public class SpringSecurityManager extends SecurityManagerFacade implements
+ ResourceLoaderAware {
+
+ private ResourceLoader resourceLoader;
+
+ private static Log log = LogFactory.getLog(SpringSecurityManager.class);
+
+ protected Configurator config;
+
+ public void setConfig(Configurator config) {
+ this.config = config;
+ }
+
+ public void init() {
+ String noMatch = config.getProperty("AccessController.acceptNoMatch");
+ if (noMatch != null) {
+ log.debug("Setting allow now match to: " + noMatch);
+ setAllowUnmatched(Boolean.getBoolean(noMatch));
+ }
+ String policy = config.getProperty("AccessController.policyResource");
+ log.info("Loading resource: " + policy);
+ try {
+ Resource res = resourceLoader.getResource(policy);
+ init(res.getInputStream());
+ } catch (IOException e) {
+ log.error(e);
+ }
+ }
+
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
+
+}
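Review bot: `setAllowUnmatched(Boolean.getBoolean(noMatch))` in `init()` does not parse the configured value — `Boolean.getBoolean` looks up a JVM system property whose name is the string passed, so with `AccessController.acceptNoMatch=true` it returns false unless a system property literally named "true" exists (and the opposite misconfiguration is just as silent). The intended call is `setAllowUnmatched(Boolean.parseBoolean(noMatch));`, and the debug message "Setting allow now match to" presumably means "allow no match". Separately, the stream from `res.getInputStream()` is never closed, and an `IOException` while loading the policy is only logged, so the facade stays initialized without any policy; unless `SecurityManagerFacade` has a safe default for that state, rethrow so the application fails to start instead of running without its access-control policy.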
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java
deleted file mode 100644
index 3214f4bc..00000000
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.local.conf;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.quartz.JobExecutionContext;
-import org.quartz.JobExecutionException;
-import org.springframework.scheduling.quartz.QuartzJobBean;
-
-public class ConfigurationUpdater extends QuartzJobBean {
- private static Log log = LogFactory.getLog(ConfigurationUpdater.class);
- private Configurator config;
-
- @Override
- protected void executeInternal(JobExecutionContext arg0)
- throws JobExecutionException {
- log.trace("Checking config update");
- config.checkUpdate();
- }
-
- public Configurator getConfig() {
- return config;
- }
-
- public void setConfig(Configurator config) {
- this.config = config;
- }
-
-}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java
index e9510101..57a0f84f 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java
@@ -1,274 +1,103 @@
/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.local.conf;
-
-import iaik.security.ecc.provider.ECCProvider;
-import iaik.xml.crypto.XSecProvider;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.net.HttpURLConnection;
-import java.security.KeyStore;
-import java.security.Provider;
-import java.security.Security;
-import java.security.cert.CertStore;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.Enumeration;
-import java.util.LinkedList;
-import java.util.List;
-
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManagerFactory;
-
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.commons.configuration.XMLConfiguration;
-import org.apache.commons.configuration.reloading.FileChangedReloadingStrategy;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
-import at.gv.egiz.smcc.SWCard;
-import at.gv.egiz.smcc.util.SMCCHelper;
-
-public class Configurator {
- private Log log = LogFactory.getLog(Configurator.class);
- private XMLConfiguration baseConfig;
- private XMLConfiguration specialConfig;
- private boolean autoSave = false;
-
- public Configurator() {
- super();
- init();
- configure();
- }
-
- private void init() {
- log.debug("Initializing configuration");
-
- baseConfig = new XMLConfiguration();
- try {
- baseConfig.load(getClass().getClassLoader().getResourceAsStream(
- "./at/gv/egiz/bku/local/baseconfig.xml"));
- log.debug("Successfully loaded base configuration");
- } catch (ConfigurationException e) {
- log.error("Cannot load base configuration", e);
- }
- autoSave = baseConfig.getBoolean("OverrideConfigurationFile[@autosave]");
- try {
- specialConfig = new XMLConfiguration();
- specialConfig.setFileName(baseConfig
- .getString("OverrideConfigurationFile"));
- specialConfig.load();
- } catch (Exception e) {
- log.debug("Cannot get special configuration at: "
- + baseConfig.getString("OverrideConfigurationFile") + ": " + e);
- log.debug("Creating new special configuration");
- try {
- specialConfig = new XMLConfiguration(baseConfig);
- specialConfig.setFileName(baseConfig
- .getString("OverrideConfigurationFile"));
- specialConfig.save();
- } catch (ConfigurationException e1) {
- log.error("Cannot load defaults " + e1);
- }
- }
- specialConfig.setReloadingStrategy(new FileChangedReloadingStrategy());
- specialConfig.setAutoSave(autoSave);
- }
-
- protected void configUrlConnections() {
- HttpsURLConnection.setFollowRedirects(false);
- HttpURLConnection.setFollowRedirects(false);
- }
-
- protected KeyStore loadKeyStore(String fileName, String type, String password) {
- KeyStore ks = null;
- try {
- ks = KeyStore.getInstance(type);
- InputStream is = new FileInputStream(fileName);
- if (is == null) {
- log.warn("Cannot load keystore from: " + fileName);
- }
- ks.load(is, password.toCharArray());
- for (Enumeration<String> alias = ks.aliases(); alias.hasMoreElements();) {
- log.debug("Found keystore alias: " + alias.nextElement());
- }
- } catch (Exception e) {
- log.error("Cannot config keystore", e);
- return null;
- }
- return ks;
- }
-
- protected void configSSL() {
- String trustStoreName = specialConfig.getString("SSL.trustStoreFile");
- String trustStoreType = specialConfig.getString("SSL.trustStoreType");
- String trustStorePass = specialConfig.getString("SSL.trustStorePass");
- String certStoreDirectory = specialConfig
- .getString("SSL.certStoreDirectory");
- String keyStoreName = specialConfig.getString("SSL.keyStoreFile");
- String keyStoreType = specialConfig.getString("SSL.keyStoreType");
- String keyStorePass = specialConfig.getString("SSL.keyStorePass");
-
- String caIncludeDir = specialConfig.getString("SSL.caIncludeDirectory");
-
- KeyStore trustStore = loadKeyStore(trustStoreName, trustStoreType,
- trustStorePass);
- KeyStore keyStore = null;
- if (keyStoreName != null) {
- keyStore = loadKeyStore(keyStoreName, keyStoreType, keyStorePass);
- }
-
- try {
- PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore,
- new X509CertSelector());
-
- if (certStoreDirectory != null) {
- File dir = new File(certStoreDirectory);
- if (dir.isDirectory()) {
- List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : dir.listFiles()) {
- log.debug("adding " + f.getName());
- certCollection.add((X509Certificate) cf
- .generateCertificate(new FileInputStream(f)));
- }
- CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
- certCollection);
- CertStore cs = CertStore.getInstance("Collection", csp);
- pkixParams.addCertStore(cs);
- log.debug("Added collection certstore");
- } else {
- log.error("CertstoreDirectory " + certStoreDirectory
- + " is not a directory");
- }
- }
-
- if (caIncludeDir != null) {
- File dir = new File(caIncludeDir);
- if (dir.exists() && dir.isDirectory()) {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- try {
- for (File f : dir.listFiles()) {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf
- .generateCertificate(fis);
- fis.close();
- log.debug("Adding trusted cert " + cert.getSubjectDN());
- trustStore.setCertificateEntry(cert.getSubjectDN().getName(),
- cert);
- f.delete();
- }
- } finally {
- trustStore.store(new FileOutputStream(trustStoreName),
- trustStorePass.toCharArray());
- }
- }
- }
-
- pkixParams.setRevocationEnabled(specialConfig
- .getBoolean("SSL.revocation"));
- if (specialConfig.getBoolean("SSL.revocation")) {
- System.setProperty("com.sun.security.enableCRLDP ", "true");
- Security.setProperty("ocsp.enable", "true");
- }
- System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
- log.debug("Setting revocation check to: "
- + pkixParams.isRevocationEnabled());
- ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
- pkixParams);
- TrustManagerFactory trustFab = TrustManagerFactory.getInstance("PKIX");
- trustFab.init(trustParams);
-
- KeyManager[] km = null;
- SSLContext sslCtx = SSLContext.getInstance(specialConfig
- .getString("SSL.sslProtocol"));
- if (keyStore != null) {
- KeyManagerFactory keyFab = KeyManagerFactory.getInstance("SunX509");
- keyFab.init(keyStore, keyStorePass.toCharArray());
- km = keyFab.getKeyManagers();
- }
- sslCtx.init(km, trustFab.getTrustManagers(), null);
- HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
- log.info("Successfully configured ssl");
- } catch (Exception e) {
- log.debug("Cannot init ssl", e);
- }
- }
-
- protected void configureProviders() {
- log.debug("Registering security providers");
- ECCProvider.addAsProvider(false);
- Security.addProvider(new STALProvider());
- XSecProvider.addAsProvider(false);
- StringBuffer sb = new StringBuffer();
- sb.append("Following providers are now registered: ");
- int i = 1;
- for (Provider prov : Security.getProviders()) {
- sb.append((i++) + ". : " + prov);
- }
- log.debug("Configured provider" + sb.toString());
- }
-
- protected void configureBKU() {
- if (specialConfig.containsKey("BKU.useSWCard")) {
- boolean useSWCard = specialConfig.getBoolean("BKU.useSWCard");
- log.info("Setting SW Card to: "+useSWCard);
- SMCCHelper.setUseSWCard(useSWCard);
- }
- if (specialConfig.containsKey("BKU.SWCardDirectory")) {
- //SWCard.
- }
- }
-
- public void configure() {
- configureProviders();
- configSSL();
- configUrlConnections();
- configureBKU();
-
- }
-
- public void checkUpdate() {
- if (specialConfig.getReloadingStrategy().reloadingRequired()) {
- log.info("Reloading configuration: " + specialConfig.getFileName());
- specialConfig.setAutoSave(false);
- specialConfig.clear();
- try {
- specialConfig.load();
- } catch (ConfigurationException e) {
- log.fatal(e);
- }
- specialConfig.setAutoSave(specialConfig
- .getBoolean("OverrideConfigurationFile[@autosave]"));
- configure();
- specialConfig.getReloadingStrategy().reloadingPerformed();
- }
- }
-
-}
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.local.conf;
+
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+import iaik.xml.crypto.XSecProvider;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Properties;
+
+import javax.net.ssl.HttpsURLConnection;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.bku.binding.DataUrl;
+import at.gv.egiz.bku.binding.DataUrlConnection;
+import at.gv.egiz.bku.slcommands.impl.xsect.DataObject;
+import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
+
+/**
+ *
+ * TODO currently only the code to get started.
+ */
+public abstract class Configurator {
+
+ private Log log = LogFactory.getLog(Configurator.class);
+
+ private static Configurator instance = new SpringConfigurator();
+
+ protected Properties properties;
+
+ protected Configurator() {
+ }
+
+ public static Configurator getInstance() {
+ return instance;
+ }
+
+ protected void configUrlConnections() {
+ HttpsURLConnection.setFollowRedirects(false);
+ HttpURLConnection.setFollowRedirects(false);
+ }
+
+ protected void configureProviders() {
+ log.debug("Registering security providers");
+ Security.insertProviderAt(new IAIK(), 1);
+ Security.insertProviderAt(new ECCProvider(false), 2);
+ Security.addProvider(new STALProvider());
+ XSecProvider.addAsProvider(false);
+ StringBuilder sb = new StringBuilder();
+ sb.append("Registered providers: ");
+ int i = 1;
+ for (Provider prov : Security.getProviders()) {
+ sb.append((i++) + ". : " + prov);
+ }
+ log.debug(sb.toString());
+ }
+
+ protected void configViewer() {
+ String bv = properties.getProperty("ValidateHashDataInputs");
+ if (bv != null) {
+ DataObject.enableHashDataInputValidation(Boolean.parseBoolean(bv));
+ } else {
+ log.warn("ValidateHashDataInputs not set, falling back to default");
+ }
+ }
+
+ public void configure() {
+ configureProviders();
+ configUrlConnections();
+ configViewer();
+ }
+
+ public void setConfiguration(Properties props) {
+ this.properties = props;
+ }
+
+ public String getProperty(String key) {
+ if (properties != null) {
+ return properties.getProperty(key);
+ }
+ return null;
+ }
+}
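Review bot: `private static Configurator instance = new SpringConfigurator();` constructs the concrete subclass during static initialisation of its own superclass, and nothing in this hunk ever calls `setConfiguration` on that instance, so `Configurator.getInstance().getProperty(...)` returns null for every key unless a caller outside this diff wires it; if the Spring context also creates its own `SpringConfigurator` bean (the class is `ResourceLoaderAware`), the two instances will not share state. Either drop the static singleton in favour of injection, or document on `getInstance()` that the returned object is only usable after `setConfiguration` has been called on it. The imports of `IOException`, `DataUrl` and `DataUrlConnection` are unused in this file. `configViewer()` logs "falling back to default" but sets nothing, so the log line or a comment should state what that default is.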
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java
new file mode 100644
index 00000000..3aeb1745
--- /dev/null
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java
@@ -0,0 +1,336 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.local.conf;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.LDAPCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.context.ResourceLoaderAware;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+import at.gv.egiz.bku.binding.DataUrl;
+import at.gv.egiz.bku.binding.DataUrlConnection;
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
+
+public class SpringConfigurator extends Configurator implements
+ ResourceLoaderAware {
+
+ private final static Log log = LogFactory.getLog(SpringConfigurator.class);
+
+ private ResourceLoader resourceLoader;
+
+ public SpringConfigurator() {
+ File configDir = new File(System.getProperty("user.home") + "/.bku/conf");
+ if (configDir.exists()) {
+ log.debug("Found existing config directory: " + configDir);
+ } else {
+ log.info("Config dir not existing, creating new");
+ if (!configDir.mkdirs()) {
+ log.error("Cannot create directory: " + configDir);
+ }
+ }
+ }
+
+ public void setResource(Resource resource) {
+ log.debug("Loading config from: " + resource);
+ if (resource != null) {
+ Properties props = new Properties();
+ try {
+ props.load(resource.getInputStream());
+ super.setConfiguration(props);
+ } catch (IOException e) {
+ log.error("Cannot load config", e);
+ }
+ } else {
+ log.warn("Cannot load properties, resource: " + resource);
+ }
+ }
+
+ public void configureVersion() {
+ Properties p = new Properties();
+ try {
+ p.load(resourceLoader.getResource("META-INF/MANIFEST.MF")
+ .getInputStream());
+ String version = p.getProperty("Implementation-Build");
+ properties.setProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY,
+ "citizen-card-environment/1.2 MOCCA " + version);
+ DataUrl.setConfiguration(properties);
+ log.debug("Setting user agent to: "
+ + properties.getProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY));
+ } catch (IOException e) {
+ log.error(e);
+ }
+ }
+
+ public void configure() {
+ super.configure();
+ configureSSL();
+ configureVersion();
+ configureNetwork();
+ }
+
+ public void configureNetwork() {
+
+ }
+
+ private Set<TrustAnchor> getCACerts() throws IOException,
+ CertificateException {
+ Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
+ String caDirectory = getProperty("SSL.caDirectory");
+ if (caDirectory != null) {
+ Resource caDirRes = resourceLoader.getResource(caDirectory);
+ File caDir = caDirRes.getFile();
+ if (!caDir.isDirectory()) {
+ log.error("Expecting directory as SSL.caDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.caDirectory parameter");
+ }
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : caDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
+ fis.close();
+ log.debug("Adding trusted cert " + cert.getSubjectDN());
+ caCerts.add(new TrustAnchor(cert, null));
+ } catch (Exception e) {
+ log.error("Cannot add trusted ca", e);
+ }
+ }
+ return caCerts;
+
+ } else {
+ log.warn("No CA certificates configured");
+ }
+ return null;
+ }
+
+ private List<CertStore> getCertstore() throws IOException,
+ CertificateException, InvalidAlgorithmParameterException,
+ NoSuchAlgorithmException {
+ List<CertStore> resultList = new ArrayList<CertStore>();
+ String certDirectory = getProperty("SSL.certDirectory");
+ if (certDirectory != null) {
+ Resource certDirRes = resourceLoader.getResource(certDirectory);
+
+ File certDir = certDirRes.getFile();
+ if (!certDir.isDirectory()) {
+ log.error("Expecting directory as SSL.certDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.certDirectory parameter");
+ }
+ List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : certDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
+ certCollection.add(cert);
+ fis.close();
+ log
+ .trace("Added following cert to certstore: "
+ + cert.getSubjectDN());
+ } catch (Exception ex) {
+ log.error("Cannot add certificate", ex);
+ }
+ }
+ CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
+ certCollection);
+ resultList.add(CertStore.getInstance("Collection", csp));
+ log.info("Added collection certstore");
+ } else {
+ log.warn("No certstore directory configured");
+ }
+ String ldapHost = getProperty("SSL.ldapServer");
+ if ((ldapHost != null) && (!"".equals(ldapHost))) {
+ String ldapPortString = getProperty("SSL.ldapPort");
+ int ldapPort = 389;
+ if (ldapPortString != null) {
+ try {
+ ldapPort = Integer.parseInt(ldapPortString);
+ } catch (NumberFormatException nfe) {
+ log.error("Invalid ldap port, using default 389");
+ }
+ } else {
+ log.warn("ldap port not specified, using default 389");
+ }
+ LDAPCertStoreParameters ldapParams = new LDAPCertStoreParameters(
+ ldapHost, ldapPort);
+ resultList.add(CertStore.getInstance("LDAP", ldapParams));
+ log.info("Added LDAP certstore");
+ }
+ return resultList;
+ }
+
+ public void configureSSL() {
+ Set<TrustAnchor> caCerts = null;
+ try {
+ caCerts = getCACerts();
+ } catch (Exception e1) {
+ log.error("Cannot load CA certificates", e1);
+ }
+ List<CertStore> certStoreList = null;
+ try {
+ certStoreList = getCertstore();
+ } catch (Exception e1) {
+ log.error("Cannot load certstore certificates", e1);
+ }
+ String aia = getProperty("SSL.useAIA");
+ if ((aia == null) || (aia.equals(""))) {
+ System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
+ } else {
+ System.setProperty("com.sun.security.enableAIAcaIssuers", aia);
+ }
+ String lifetime = getProperty("SSL.cache.lifetime");
+ if ((lifetime == null) || (lifetime.equals(""))) {
+ System.setProperty("sun.security.certpath.ldap.cache.lifetime", "0");
+ } else {
+ System.setProperty("sun.security.certpath.ldap.cache.lifetime", lifetime);
+ }
+ X509CertSelector selector = new X509CertSelector();
+ PKIXBuilderParameters pkixParams;
+ try {
+ pkixParams = new PKIXBuilderParameters(caCerts, selector);
+ if ((getProperty("SSL.doRevocationChecking") != null)
+ && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
+ log.info("Enable revocation checking");
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ Security.setProperty("ocsp.enable", "true");
+ } else {
+ log.warn("Revocation checking disabled");
+ }
+ for (CertStore cs : certStoreList) {
+ pkixParams.addCertStore(cs);
+ }
+ ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
+ pkixParams);
+ TrustManagerFactory trustFab;
+ trustFab = TrustManagerFactory.getInstance("PKIX");
+ trustFab.init(trustParams);
+ KeyManager[] km = null;
+ SSLContext sslCtx = SSLContext
+ .getInstance(getProperty("SSL.sslProtocol"));
+ sslCtx.init(km, trustFab.getTrustManagers(), null);
+ // sslCtx.init(km, new TrustManager[] { new MyTrustManager(caCerts,
+ // certStoreList) }, null);
+ HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
+ } catch (Exception e) {
+ log.error("Cannot configure SSL", e);
+ }
+ }
+
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
+}
+
+class MyTrustManager implements X509TrustManager {
+ private static Log log = LogFactory.getLog(MyTrustManager.class);
+ private Set<TrustAnchor> caCerts;
+ private List<CertStore> certStoreList;
+ private X509Certificate[] trustedCerts;
+
+ public MyTrustManager(Set<TrustAnchor> caCerts, List<CertStore> cs) {
+ this.caCerts = caCerts;
+ this.certStoreList = cs;
+ trustedCerts = new X509Certificate[caCerts.size()];
+ int i = 0;
+ for (Iterator<TrustAnchor> it = caCerts.iterator(); it.hasNext();) {
+ TrustAnchor ta = it.next();
+ trustedCerts[i++] = ta.getTrustedCert();
+ }
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ log.error("Did not expect this method to get called");
+ throw new CertificateException("Method not implemented");
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] certs, String arg1)
+ throws CertificateException {
+ try {
+ log.debug("Checking server certificate: " + certs[0].getSubjectDN());
+ CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
+ X509CertSelector selector = new X509CertSelector();
+ selector.setCertificate(certs[0]);
+ PKIXBuilderParameters pkixParams;
+ pkixParams = new PKIXBuilderParameters(caCerts, selector);
+ pkixParams.setRevocationEnabled(true); // FIXME
+ for (CertStore cs : certStoreList) {
+ pkixParams.addCertStore(cs);
+ }
+ PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) pathBuilder
+ .build(pkixParams);
+ if (log.isTraceEnabled()) {
+ StringBuffer sb = new StringBuffer();
+ for (Certificate cert : result.getCertPath().getCertificates()) {
+ sb.append(((X509Certificate) cert).getSubjectDN());
+ sb.append("->");
+ }
+ sb.append("End");
+ log.trace(sb);
+ }
+ } catch (Exception e) {
+ throw new CertificateException(e);
+ }
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return trustedCerts;
+ }
+
+} \ No newline at end of file
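Review bot: In `configureSSL()` the branch that logs "Revocation checking disabled" never calls `pkixParams.setRevocationEnabled(false)`, and the enabling branch never calls `setRevocationEnabled(true)` either; `PKIXParameters` defaults revocation to enabled, so the PKIX trust manager still demands revocation information regardless of `SSL.doRevocationChecking`, whereas the removed `Configurator.configSSL` set this flag explicitly. Proposed: `boolean revocation = Boolean.parseBoolean(getProperty("SSL.doRevocationChecking"));` in place of the null-and-valueOf condition, followed by `pkixParams.setRevocationEnabled(revocation);` before the existing system-property branches. Also `getCACerts()` returns null when `SSL.caDirectory` is unset and `certStoreList` stays null when `getCertstore()` throws, so `new PKIXBuilderParameters(caCerts, selector)` and the `for (CertStore cs : certStoreList)` loop hit a `NullPointerException` inside the catch-all, which logs "Cannot configure SSL" and leaves the JVM default socket factory in place; return an empty set/list instead and treat an empty trust-anchor set as a startup failure rather than a logged error. `MyTrustManager.checkServerTrusted` indexes `certs[0]` without checking for an empty array and ignores `authType`; since its only use is the commented-out call, the class should be removed rather than shipped.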
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
index 0bed928d..c543c8ca 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
@@ -1,7 +1,12 @@
package at.gv.egiz.bku.local.stal;
import java.awt.Container;
+import java.awt.EventQueue;
+import java.awt.Toolkit;
import java.awt.event.ActionListener;
+import java.awt.event.FocusEvent;
+import java.awt.event.FocusListener;
+import java.awt.event.WindowEvent;
import java.util.List;
import javax.swing.JDialog;
@@ -126,5 +131,4 @@ public class BKUGuiProxy implements BKUGUIFacade {
showDialog();
delegate.showWelcomeDialog();
}
-
}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java
index 6f9e72c5..4bc921aa 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java
@@ -7,6 +7,7 @@ import javax.swing.JDialog;
import at.gv.egiz.bku.gui.BKUGUIFacade;
import at.gv.egiz.bku.online.applet.BKUWorker;
+import at.gv.egiz.stal.QuitRequest;
import at.gv.egiz.stal.STALRequest;
import at.gv.egiz.stal.STALResponse;
import at.gv.egiz.stal.SignRequest;
@@ -26,8 +27,16 @@ public class SMCCSTAL extends BKUWorker {
public List<STALResponse> handleRequest(List<STALRequest> requestList) {
signatureCard = null;
List<STALResponse> responses = super.handleRequest(requestList);
- container.setVisible(false);
+ //container.setVisible(false);
return responses;
}
+ @Override
+ public STALResponse handleRequest(STALRequest request) {
+ if (request instanceof QuitRequest) {
+ container.setVisible(false);
+ }
+ return null;
+ }
+
}
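Review bot: The new `handleRequest(STALRequest)` override returns `null` for every request, including a `QuitRequest` after it hides the container; if `BKUWorker`'s list-based `handleRequest` dispatches each element through this single-request method (not visible in the hunk), every entry of the returned list would be null. Either delegate the non-Quit case to the parent, `return super.handleRequest(request);`, or add a Javadoc stating that this STAL reacts only to `QuitRequest` here and that the list variant is the real entry point. The commented-out `//container.setVisible(false);` replacing the removed line is dead code now that the visibility change lives in the override and should be deleted rather than kept as a comment.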
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java
index 97646d09..f9a8bef5 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java
@@ -53,6 +53,7 @@ public class SMCCSTALFactory implements STALFactory {
stal = new SMCCSTAL(new BKUGuiProxy(dialog, gui), dialog, resourceBundle);
dialog.setPreferredSize(new Dimension(400, 200));
dialog.setDefaultCloseOperation(WindowConstants.HIDE_ON_CLOSE);
+ dialog.pack();
Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
Dimension frameSize = dialog.getSize();
if (frameSize.height > screenSize.height) {
@@ -63,13 +64,12 @@ public class SMCCSTALFactory implements STALFactory {
}
dialog.setLocation((screenSize.width - frameSize.width) / 2,
(screenSize.height - frameSize.height) / 2);
- dialog.pack();
}
return stal;
}
@Override
- public void setLocale(Locale locale) {
+ public void setLocale(Locale locale) {
this.locale = locale;
}
}
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/Userdialog.properties b/BKULocal/src/main/resources/at/gv/egiz/bku/local/Userdialog.properties
deleted file mode 100644
index 9db6f100..00000000
--- a/BKULocal/src/main/resources/at/gv/egiz/bku/local/Userdialog.properties
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2008 Federal Chancellery Austria and
-# Graz University of Technology
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#------- Insert Card Dialog -------#
-Insert.Header = Citizen Card Required
-Insert.Button.Cancel = Cancel
-Insert.Text = Please insert your Citizen Card!
-
-
-#------- PIN Dialog -------#
-Pin.Header = Please Enter PIN
-Pin.Button.OK = OK
-Pin.Button.Cancel = Cancel
-Pin.Text.Retries = <html><body>Please enter {0}.<p>{1} retries left.</body></html>
-Pin.Text.NoRetries = Please enter {0}. \ No newline at end of file
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/baseconfig.xml b/BKULocal/src/main/resources/at/gv/egiz/bku/local/baseconfig.xml
deleted file mode 100644
index 792bbccc..00000000
--- a/BKULocal/src/main/resources/at/gv/egiz/bku/local/baseconfig.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2008 Federal Chancellery Austria and
- Graz University of Technology
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<BKUConfig>
- <!-- Allows individual configuration -->
- <OverrideConfigurationFile autosave="true">
- ${sys:user.home}/.bku/conf/bkuconfig.xml</OverrideConfigurationFile>
- <SSL>
- <!--
- <trustStoreFile>truststore.jks</trustStoreFile>
- <trustStoreType>JKS</trustStoreType>
- <trustStorePass>changeMe</trustStorePass>
- <caIncludeDirectory></caIncludeDirectory>
- <certStoreDirectory></certStoreDirectory>
- <keyStoreFile>keyStore.jks</keyStoreFile>
- <keyStoreType>JKS</keyStoreType>
- <keyStorePass>changeMe</keyStorePass>
- -->
- <revocation>true</revocation>
- <sslProtocol>TLS</sslProtocol>
- </SSL>
- <BKU>
- </BKU>
-</BKUConfig> \ No newline at end of file
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/accessControlConfig.xml b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/accessControlConfig.xml
new file mode 100644
index 00000000..586a8190
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/accessControlConfig.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright 2008 Federal Chancellery Austria and Graz University of
+ Technology Licensed under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance with the
+ License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0 Unless required by
+ applicable law or agreed to in writing, software distributed under the
+ License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ CONDITIONS OF ANY KIND, either express or implied. See the License for
+ the specific language governing permissions and limitations under the
+ License.
+ -->
+<AccessControl>
+ <Chains>
+ <!--
+ The input chain defines filters that are applied before command
+ execution
+ -->
+ <Chain Id="InputChain">
+ <Rules>
+ <!-- there is no command implemented that requires input filtering -->
+ <Rule Id="InputChain-AllowAll">
+ <Action>
+ <RuleAction>allow</RuleAction>
+ </Action>
+ <UserInteraction>confirm</UserInteraction>
+ </Rule>
+ </Rules>
+ </Chain>
+
+ <!--
+ The output chain defines filters that are applied after command
+ execution
+ -->
+ <Chain Id="OutputChain">
+ <Rules>
+ <Rule Id="OutputChain-Egov">
+ <AuthClass>anonymous</AuthClass>
+ <Action>
+ <RuleAction>allow</RuleAction>
+ </Action>
+ <UserInteraction>confirm</UserInteraction>
+ </Rule>
+ <Rule Id="OutputChain-Command">
+ <AuthClass>anonymous</AuthClass>
+ <Action>
+ <ChainRef>Command</ChainRef>
+ </Action>
+ </Rule>
+ </Rules>
+ </Chain>
+ <Chain Id="Command">
+ <Rules>
+ <Rule Id="cmd-rule-1">
+ <AuthClass>certified</AuthClass>
+ <Command Name="Infobox.*">
+ <Param Name="InfoboxIdentifier">IdentityLink</Param>
+ <Param Name="PersonIdentifier">derived</Param>
+ </Command>
+ <Action>
+ <RuleAction>allow</RuleAction>
+ </Action>
+ <UserInteraction>confirm</UserInteraction>
+ </Rule>
+ <Rule Id="cmd-rule-localhost">
+ <AuthClass>anonymous</AuthClass>
+ <IPv4Address>127.0.0.1</IPv4Address>
+ <Command Name="Infobox.*">
+ <Param Name="InfoboxIdentifier">IdentityLink</Param>
+ <Param Name="PersonIdentifier">derived</Param>
+ </Command>
+ <Action>
+ <RuleAction>allow</RuleAction>
+ </Action>
+ <UserInteraction>confirm</UserInteraction>
+ </Rule>
+ <Rule Id="cmd-rule-2">
+ <AuthClass>anonymous</AuthClass>
+ <Command Name="Infobox.*">
+ <Param Name="InfoboxIdentifier">IdentityLink</Param>
+ </Command>
+ <Action>
+ <RuleAction>deny</RuleAction>
+ </Action>
+ <UserInteraction>info</UserInteraction>
+ </Rule>
+ <Rule Id="cmd-rule-3">
+ <Action>
+ <RuleAction>allow</RuleAction>
+ </Action>
+ </Rule>
+ </Rules>
+ </Chain>
+ </Chains>
+</AccessControl>
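Review bot: `cmd-rule-3` at the end of the `Command` chain has no `AuthClass`, no `Command` and no `UserInteraction` element and allows unconditionally, so — assuming rules are evaluated first-match in document order — any command not caught by the three preceding Infobox rules is permitted for every client, anonymous ones included, without a confirmation dialog, and the `AccessController.acceptUnmatched=false` default from defaultConf.properties can never apply to this chain. If that is intended, a comment above the rule, `<!-- catch-all: every other command is allowed for all auth classes without user interaction -->`, makes the policy auditable; otherwise restrict it by `AuthClass` or add `<UserInteraction>confirm</UserInteraction>`. `cmd-rule-localhost` grants the anonymous IdentityLink/derived read to any peer at `127.0.0.1`; a comment should record that this trusts every local process able to reach the port, since the address alone does not identify the caller.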
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-01a.cer
new file mode 100644
index 00000000..f9fef65f
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-01a.cer
Binary files differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/truststore.jks b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-02a.cer
index c773f037..36a442b8 100644
--- a/BKULocal/src/main/resources/at/gv/egiz/bku/local/truststore.jks
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-02a.cer
Binary files differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-03a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-03a.cer
new file mode 100644
index 00000000..ab9e0cd7
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-Qual-03a.cer
Binary files differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-01a.cer
new file mode 100644
index 00000000..efa28178
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-01a.cer
Binary files differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-03.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-03.cer
new file mode 100644
index 00000000..33e77636
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-Trust-nQual-03.cer
Binary files differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-SSL-03.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-SSL-03.cer
new file mode 100644
index 00000000..ee859434
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-SSL-03.cer
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-03.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-03.cer
new file mode 100644
index 00000000..7e67be95
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-03.cer
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-01a.cer
new file mode 100644
index 00000000..0c68e593
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-01a.cer
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIEJjCCAw6gAwIBAgIDAOJEMA0GCSqGSIb3DQEBBQUAMFUxCzAJBgNVBAYTAkFUMRAwDgYDVQQK
+EwdBLVRydXN0MRkwFwYDVQQLExBBLVRydXN0LW5RdWFsLTAxMRkwFwYDVQQDExBBLVRydXN0LW5R
+dWFsLTAxMB4XDTA0MTEzMDIzMDAwMFoXDTA4MTEzMDIzMDAwMFowgZ8xCzAJBgNVBAYTAkFUMUgw
+RgYDVQQKEz9BLVRydXN0IEdlcy4gZi4gU2ljaGVyaGVpdHNzeXN0ZW1lIGltIGVsZWt0ci4gRGF0
+ZW52ZXJrZWhyIEdtYkgxIjAgBgNVBAsTGWEtc2lnbi1jb3Jwb3JhdGUtbGlnaHQtMDExIjAgBgNV
+BAMTGWEtc2lnbi1jb3Jwb3JhdGUtbGlnaHQtMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDGC65v8rni63DojEBriynPwRqNCp14/SkN5ROkTUGNvLSabfSJV4PKGLTzasPAaChwX0g/
+kebahFM3R7nIyeVx2YB8VRvC4I/spP/mCs5+6pf1N+6Kiq4NcswgNBBfqAteaQIylBMy6HDkjoXY
+X/c+SxjyrqAkeZCK+SHMOraXCO1PZHWbYwleKXf4R2Z6ayEfJ2XWeVuqqon76WHp/POI0RADBchA
+6Vm1ROzSAHz39bay1TZunQXSs3VQ9cE3uQPjN+80efmf0ZgNF0sXsDTssoZg2feTANSOkTGM1bMC
+5xe1hWFL8MZNe4yZ+NSgFN2fofb8BPvyQAW0no2PNA6PAgMBAAGjgbMwgbAwDwYDVR0TAQH/BAUw
+AwEB/zARBgNVHQ4ECgQITp5/1C/JHx8wEwYDVR0jBAwwCoAITlnOxwIyhzAwDgYDVR0PAQH/BAQD
+AgEGMGUGA1UdHwReMFwwWqBYoFaGVGxkYXA6Ly9sZGFwLmEtdHJ1c3QuYXQvb3U9QS1UcnVzdC1u
+UXVhbC0wMSxvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0PzANBgkqhkiG
+9w0BAQUFAAOCAQEAOtuz2GqnTibk/poCLrdYKpZSrLyfWFsJJpfBYA9HMasnfpJBCHgRHJud6DAO
+xD900Vhmwy66D8dqsN3+fR8Bx8ZMKspnFN1B2Wz7LWOxMaKqP3JolJ/oVwzJRm0afcUMAfAumkc5
+Yqu0nC5qCF9zYY9YbJklh84uEzEg9j85kuRBHOCUc+5MVrnv7WPbirx6c95YFqXBQ0arA5QE9zYq
+MDO8aUYPOWEHgtrVI+kMwELYHqLDX7i9VqsXhgFPeVz1wIV7s/i3budGeHMS6hjnyIc30FqM7CTY
+fcvqVNZliErbjD1k1W1gMgvjLJowNvQC0W7K9/yoQhwTqtNMR4WZwA==
+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-02a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-02a.cer
new file mode 100644
index 00000000..c300891d
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-02a.cer
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-03.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-03.cer
new file mode 100644
index 00000000..2251ca22
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-light-03.cer
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-01a.cer
new file mode 100644
index 00000000..2d7f1a03
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-01a.cer
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIEKDCCAxCgAwIBAgIDAOKKMA0GCSqGSIb3DQEBBQUAMFUxCzAJBgNVBAYTAkFUMRAwDgYDVQQK
+EwdBLVRydXN0MRkwFwYDVQQLExBBLVRydXN0LW5RdWFsLTAxMRkwFwYDVQQDExBBLVRydXN0LW5R
+dWFsLTAxMB4XDTA0MTIwNTIzMDAwMFoXDTA4MTEzMDIzMDAwMFowgaExCzAJBgNVBAYTAkFUMUgw
+RgYDVQQKEz9BLVRydXN0IEdlcy4gZi4gU2ljaGVyaGVpdHNzeXN0ZW1lIGltIGVsZWt0ci4gRGF0
+ZW52ZXJrZWhyIEdtYkgxIzAhBgNVBAsTGmEtc2lnbi1jb3Jwb3JhdGUtbWVkaXVtLTAxMSMwIQYD
+VQQDExphLXNpZ24tY29ycG9yYXRlLW1lZGl1bS0wMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANEbZyIMIXZYBjTj/+3TrNGssRKNNdTedQlWB3vJQWLzeG89Kzmhy1WDX8IqDrMtvpXH
+5w6urK3ZT7HGu2Jldrib8rkEOdE9+uNGRtkP8Kuz//CvdXCbIDvBLqgvWn9a3Sl/rUicPqKwcEcN
+bP2Q0iU6NvvALmoqs93PymfTZlkGOwzUe+O88huXkauGWT/DkJd4JYDNJ0wlaGrJa+OorT4Izk1J
+EipqqedUjsAj4Gq3SKrZKG/H/CkoH9uWTzrzFgg8zQhCES4AClo84XVk//EIv3ABDw4hr+lqV1nF
+eXch9o4mLIe5u045471YLJLmyuCPDopb8U2VUoyldpMx+Y8CAwEAAaOBszCBsDAPBgNVHRMBAf8E
+BTADAQH/MBEGA1UdDgQKBAhOuHKxmCmfZDATBgNVHSMEDDAKgAhOWc7HAjKHMDAOBgNVHQ8BAf8E
+BAMCAQYwZQYDVR0fBF4wXDBaoFigVoZUbGRhcDovL2xkYXAuYS10cnVzdC5hdC9vdT1BLVRydXN0
+LW5RdWFsLTAxLG89QS1UcnVzdCxjPUFUP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q/MA0GCSqG
+SIb3DQEBBQUAA4IBAQDaukYSeJVxWAh8QShqGqA6Plp9aXCTzwl9hE2gb+/xGPASo+NVQi/sUa0+
+bx29oSJaW6lKzdHQLAx4dwW9XTpJ+0mebB4fQfYHH0lGc1O4au/4O9k+C3SrD6x4WeY9k/SpUFu1
+qjzH+tjta81UWtU7Jve1BhckNwdOFx7cR8fdW+pUQSDV9XnPJfyb+gb9KWhvX+XAbgJoXW1HjJOO
+P5sx6mFhMb3UqAfKQVoAuGbl4+uxIThBTqpICkaaD8WLdukqQjomUMDRbWIf6SblPuOEpPi1G/WM
+qkTkpqX77Wkj08QY/yj5DDrsYJ5NymnWvu7jcoxCFCKvEQ8Q4g7AYKnG
+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-02a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-02a.cer
new file mode 100644
index 00000000..194d4d7c
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/a-sign-corporate-medium-02a.cer
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties
new file mode 100644
index 00000000..93796a7e
--- /dev/null
+++ b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/defaultConf.properties
@@ -0,0 +1,53 @@
+#
+# Copyright 2008 Federal Chancellery Austria and
+# Graz University of Technology
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+# Configuration for online CCE
+
+# security manager configuration
+AccessController.acceptUnmatched=false
+AccessController.policyResource=classpath:at/gv/egiz/bku/local/conf/accessControlConfig.xml
+
+# ------------BEGIN SSL Config --------------------
+# SSL configuration for connections to external
+# resources (e.g. data urls)
+
+# directory where certificates for
+# chain constructions can be placed
+SSL.certDirectory=classpath:at/gv/egiz/bku/local/conf/certs/certStore
+
+# a LDAP repository
+SSL.ldapServer=
+SSL.ldapPort=389
+
+# Directory where trusted CA
+# certificates are placed
+SSL.caDirectory=classpath:at/gv/egiz/bku/local/conf/certs/CACerts
+
+SSL.doRevocationChecking=true
+SSL.sslProtocol=TLS
+
+SSL.cache.lifetime=3600
+# use authority info access extension to find ca certs.
+SSL.useAIA=true
+
+# ------------ END SSL Config --------------------
+
+ValidateHashDataInputs=true
+
+
+
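Review bot: `SSL.ldapServer=` is left empty while `SSL.ldapPort=389` is set, and the file does not say whether an empty server disables the LDAP lookup or is treated as an error; a comment such as `# leave SSL.ldapServer empty to disable LDAP certificate lookup` (or whatever the loader actually does — not visible here) would remove the guesswork. The header `# Configuration for online CCE` in a file under `local/conf` looks copied from the online configuration; if this is the local default, the comment should say so. The three trailing blank lines at the end of the file can be dropped.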
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/logo.png b/BKULocal/src/main/resources/at/gv/egiz/bku/local/logo.png
deleted file mode 100644
index eee4be4f..00000000
--- a/BKULocal/src/main/resources/at/gv/egiz/bku/local/logo.png
+++ /dev/null
Binary files differ
diff --git a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
index c0ffc927..c6a5088a 100644
--- a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
@@ -20,7 +20,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
<bean id="STALFactory" class="at.gv.egiz.bku.local.stal.SMCCSTALFactory"
scope="singleton" />
- <bean id="commandInvoker" class="at.gv.egiz.bku.binding.SLCommandInvokerImpl" />
+
<bean id="bindingProcessorManager" class="at.gv.egiz.bku.binding.BindingProcessorManagerImpl"
scope="singleton">
<constructor-arg ref="STALFactory"></constructor-arg>
@@ -37,33 +37,21 @@
</property>
</bean>
- <!-- Configure Configuration -->
- <bean id="configurator" class="at.gv.egiz.bku.local.conf.Configurator"
- scope="singleton">
+ <bean id="accessController" class="at.gv.egiz.bku.local.accesscontroller.SpringSecurityManager"
+ scope="singleton" init-method="init">
+ <property name="config" ref="configurator"/>
+ </bean>
+
+ <bean id="commandInvoker" class="at.gv.egiz.bku.binding.SLCommandInvokerImpl">
+ <property name="securityManager" ref="accessController" />
</bean>
- <!-- Configure timer to check config update -->
- <bean id="configUpdater"
- class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean">
- <property name="targetObject" ref="configurator" />
- <property name="targetMethod" value="checkUpdate" />
- </bean>
- <bean id="configTrigger"
- class="org.springframework.scheduling.quartz.SimpleTriggerBean">
- <property name="jobDetail" ref="configUpdater"></property>
- <property name="startDelay" value="10000"></property>
- <property name="repeatInterval" value="30000"></property>
- </bean>
- <bean class="org.springframework.scheduling.quartz.SchedulerFactoryBean">
- <property name="triggers">
- <list>
- <ref bean="configTrigger" />
- </list>
- </property>
- <property name="quartzProperties">
- <props>
- <prop key="org.quartz.threadPool.threadCount">1</prop>
- </props>
- </property>
+ <!-- Configure Configuration -->
+ <bean id="configurator" factory-method="getInstance" class="at.gv.egiz.bku.local.conf.SpringConfigurator"
+ init-method="configure">
+ <!-- <property name="resource" value="classpath:at/gv/egiz/bku/local/conf/defaultConf.properties"/> -->
+ <property name="resource" value="classpath:at/gv/egiz/bku/local/conf/defaultConf.properties"/>
</bean>
+
+
</beans> \ No newline at end of file
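Review bot: The commented-out `<property name="resource" .../>` directly above the live property on the `configurator` bean is byte-identical to it and should be removed as dead configuration. The `accessController` bean's `init-method="init"` presumably reads its policy through the injected `configurator`, whose own `init-method="configure"` Spring runs before handing the singleton to a dependent, so the ordering works even though `configurator` is declared after its consumer; a one-line comment, `<!-- configurator is fully configured before it is injected into accessController -->`, would spare the next reader that check. The blank line left where the old `commandInvoker` bean was removed in the first hunk, and the two blank lines before `</beans>`, can go.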
diff --git a/BKULocal/src/test/java/ConfigTest.java b/BKULocal/src/test/java/ConfigTest.java
deleted file mode 100644
index 558d1c47..00000000
--- a/BKULocal/src/test/java/ConfigTest.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-import java.net.URL;
-
-import org.apache.commons.configuration.Configuration;
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.commons.configuration.ConfigurationFactory;
-import org.junit.Ignore;
-
-@Ignore
-public class ConfigTest {
-
-
- private void testConfig() throws ConfigurationException {
- ConfigurationFactory factory = new ConfigurationFactory();
- URL configURL = getClass().getResource("/config.xml");
- factory.setConfigurationURL(configURL);
- Configuration config = factory.getConfiguration();
- System.out.println("-------->: "+config.getInt("hans"));
- }
-
- /**
- * @param args
- */
- public static void main(String[] args) {
- ConfigTest ct = new ConfigTest();
- try {
- ct.testConfig();
- } catch (ConfigurationException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
- }
-
-}
diff --git a/BKULocal/src/test/java/JustASandbox.java b/BKULocal/src/test/java/JustASandbox.java
deleted file mode 100644
index b151df92..00000000
--- a/BKULocal/src/test/java/JustASandbox.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-import java.io.ByteArrayOutputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.net.ssl.HttpsURLConnection;
-
-import org.junit.Ignore;
-
-import at.gv.egiz.bku.local.conf.Configurator;
-import at.gv.egiz.bku.local.stal.SMCCSTALFactory;
-import at.gv.egiz.bku.utils.StreamUtil;
-import at.gv.egiz.stal.InfoboxReadRequest;
-import at.gv.egiz.stal.STAL;
-import at.gv.egiz.stal.STALRequest;
-import at.gv.egiz.stal.STALResponse;
-import at.gv.egiz.stal.SignRequest;
-import at.gv.egiz.stal.SignResponse;
-
-@Ignore
-public class JustASandbox {
-
- /**
- * @param args
- * @throws IOException
- */
- public static void main(String[] args) throws IOException {
-
- Configurator cfg = new Configurator();
- URL url = new URL("https://demo.egiz.gv.at");
- HttpsURLConnection uc = (HttpsURLConnection) url.openConnection();
- uc.connect();
- System.exit(-1);
-
- InfoboxReadRequest req = new InfoboxReadRequest();
- req.setInfoboxIdentifier("SecureSignatureKeypair");
-
- ByteArrayOutputStream os = new ByteArrayOutputStream();
- InputStream is = JustASandbox.class.getClassLoader().getResourceAsStream("at/gv/egiz/bku/local/stal/sigInfo.xml");
- StreamUtil.copyStream(is, os);
- SignRequest sr = new SignRequest();
- sr.setSignedInfo(os.toByteArray());
- sr.setKeyIdentifier("SecureSignatureKeypair"); //os.toByteArray(), "SecureSignatureKeypair", null);
- STAL stal = (new SMCCSTALFactory()).createSTAL();
-
- List<STALRequest> reqList = new ArrayList<STALRequest>(2);
- reqList.add(req);
- reqList.add(sr);
-
- List<STALResponse> resp = stal.handleRequest(reqList);
- System.out.println(resp.get(0));
- System.out.println(resp.get(1));
- FileOutputStream fos = new FileOutputStream("c:/tmp/seq_now.der");
- SignResponse sir = (SignResponse) resp.get(1);
- fos.write(sir.getSignatureValue());
- fos.close();
- }
-
-}