diff options
Diffstat (limited to 'BKUOnline/src')
7 files changed, 64 insertions, 275 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java index 3d0df8c4..5795478b 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java @@ -25,7 +25,7 @@ import org.springframework.core.io.Resource; import org.springframework.core.io.ResourceLoader;
import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;
-import at.gv.egiz.bku.online.conf.Configurator;
+import at.gv.egiz.bku.conf.Configurator;
public class SpringSecurityManager extends SecurityManagerFacade implements
ResourceLoaderAware {
@@ -60,5 +60,4 @@ public class SpringSecurityManager extends SecurityManagerFacade implements public void setResourceLoader(ResourceLoader loader) {
this.resourceLoader = loader;
}
-
}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java deleted file mode 100644 index c09abcc1..00000000 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java +++ /dev/null @@ -1,98 +0,0 @@ -/* - * Copyright 2008 Federal Chancellery Austria and - * Graz University of Technology - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package at.gv.egiz.bku.online.conf; - -import iaik.security.ecc.provider.ECCProvider; -import iaik.security.provider.IAIK; -import iaik.xml.crypto.XSecProvider; - -import java.io.IOException; -import java.net.HttpURLConnection; -import java.security.Provider; -import java.security.Security; -import java.util.Properties; - -import javax.net.ssl.HttpsURLConnection; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.binding.DataUrl; -import at.gv.egiz.bku.binding.DataUrlConnection; -import at.gv.egiz.bku.slcommands.impl.xsect.DataObject; -import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider; - -/** - * - * TODO currently only the code to get started. - */ -public abstract class Configurator { - - private Log log = LogFactory.getLog(Configurator.class); - - private static Configurator instance = new SpringConfigurator(); - - protected Properties properties; - - protected Configurator() { - } - - public static Configurator getInstance() { - return instance; - } - - protected void configUrlConnections() { - HttpsURLConnection.setFollowRedirects(false); - HttpURLConnection.setFollowRedirects(false); - } - - protected void configureProviders() { - log.debug("Registering security providers"); - Security.insertProviderAt(new IAIK(), 1); - Security.insertProviderAt(new ECCProvider(false), 2); - Security.addProvider(new STALProvider()); - XSecProvider.addAsProvider(false); - StringBuilder sb = new StringBuilder(); - sb.append("Registered providers: "); - int i = 1; - for (Provider prov : Security.getProviders()) { - sb.append((i++) + ". : " + prov); - } - log.debug(sb.toString()); - } - - protected void configViewer() { - DataObject.enableHashDataInputValidation(Boolean.parseBoolean(properties.getProperty("ValidateHashDataInputs"))); - } - - public void configure() { - configureProviders(); - configUrlConnections(); - configViewer(); - } - - public void setConfiguration(Properties props) { - this.properties = props; - } - - public String getProperty(String key) { - if (properties != null) { - return properties.getProperty(key); - } - return null; - } -} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java index d213dd36..a369d829 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java @@ -17,31 +17,9 @@ package at.gv.egiz.bku.online.conf;
import java.io.File;
-import java.io.FileInputStream;
import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Security;
-import java.security.cert.CertStore;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
+import java.io.InputStream;
import java.util.Properties;
-import java.util.Set;
-
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -49,8 +27,8 @@ import org.springframework.context.ResourceLoaderAware; import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
-import at.gv.egiz.bku.binding.DataUrl;
-import at.gv.egiz.bku.binding.DataUrlConnection;
+import at.gv.egiz.bku.conf.Configurator;
+import at.gv.egiz.bku.online.webapp.SpringBKUServlet;
import at.gv.egiz.bku.slexceptions.SLRuntimeException;
import at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory;
@@ -76,41 +54,8 @@ public class SpringConfigurator extends Configurator implements }
}
- public void configureVersion() {
- Properties p = new Properties();
- try {
- p.load(resourceLoader.getResource("META-INF/MANIFEST.MF")
- .getInputStream());
- String version = p.getProperty("Implementation-Build");
- properties.setProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY,
- "citizen-card-environment/1.2 MOCCA " + version);
- DataUrl.setConfiguration(properties);
- log.debug("Setting user agent to: "
- + properties.getProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY));
- } catch (IOException e) {
- log.error(e);
- }
- }
-
- public void configure() {
- super.configure();
- configureSSL();
- configureVersion();
- configureNetwork();
- }
-
public void configureNetwork() {
- String proxyHost = getProperty("HTTPProxyHost");
- String proxyPort = getProperty("HTTPProxyPort");
- if (proxyPort == null) {
- proxyPort = "80";
- }
- if (proxyHost != null) {
- log.debug("Setting proxy server to: " + proxyHost + ":" + proxyPort);
- System.setProperty("http.proxyHost", proxyHost);
- System.setProperty("http.proxyPort", proxyPort);
- }
- log.debug("No proxy specified");
+ super.configureNetwork();
String appletTimeout = getProperty("AppletTimeout");
if ((appletTimeout != null)) {
try {
@@ -122,128 +67,60 @@ public class SpringConfigurator extends Configurator implements }
}
-
- private Set<TrustAnchor> getCACerts() throws IOException,
- CertificateException {
- Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
- String caDirectory = getProperty("SSL.caDirectory");
- if (caDirectory != null) {
- Resource caDirRes = resourceLoader.getResource(caDirectory);
- File caDir = caDirRes.getFile();
- if (!caDir.isDirectory()) {
- log.error("Expecting directory as SSL.caDirectory parameter");
- throw new SLRuntimeException(
- "Expecting directory as SSL.caDirectory parameter");
- }
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : caDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- fis.close();
- log.debug("Adding trusted cert " + cert.getSubjectDN());
- caCerts.add(new TrustAnchor(cert, null));
- } catch (Exception e) {
- log.error("Cannot add trusted ca", e);
- }
- }
- return caCerts;
-
- } else {
- log.warn("No CA certificates configured");
- }
- return null;
+
+ public void configure() {
+ super.configure();
+ SpringBKUServlet.setConfigurator(this);
}
- private CertStore getCertstore() throws IOException, CertificateException,
- InvalidAlgorithmParameterException, NoSuchAlgorithmException {
- String certDirectory = getProperty("SSL.certDirectory");
- if (certDirectory != null) {
- Resource certDirRes = resourceLoader.getResource(certDirectory);
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
- File certDir = certDirRes.getFile();
+ private File getDirectory(String property) {
+ if (property != null) {
+ Resource certDirRes = resourceLoader.getResource(property);
+ File certDir;
+ try {
+ certDir = certDirRes.getFile();
+ } catch (IOException e) {
+ log.error("Cannot get cert directory", e);
+ throw new SLRuntimeException(e);
+ }
if (!certDir.isDirectory()) {
log.error("Expecting directory as SSL.certDirectory parameter");
throw new SLRuntimeException(
"Expecting directory as SSL.certDirectory parameter");
}
- List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : certDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- certCollection.add(cert);
- fis.close();
- log
- .trace("Added following cert to certstore: "
- + cert.getSubjectDN());
- } catch (Exception ex) {
- log.error("Cannot add certificate", ex);
- }
- }
- CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
- certCollection);
- return CertStore.getInstance("Collection", csp);
-
- } else {
- log.warn("No certstore configured");
+ return certDir;
}
return null;
+
}
- public void configureSSL() {
- Set<TrustAnchor> caCerts = null;
- try {
- caCerts = getCACerts();
- } catch (Exception e1) {
- log.error("Cannot load CA certificates", e1);
- }
- CertStore certStore = null;
- try {
- certStore = getCertstore();
- } catch (Exception e1) {
- log.error("Cannot load certstore certificates", e1);
- }
- System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
- try {
- X509CertSelector selector = new X509CertSelector();
- PKIXBuilderParameters pkixParams;
- pkixParams = new PKIXBuilderParameters(caCerts, selector);
- if ((getProperty("SSL.doRevocationChecking") != null)
- && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
- log.info("Enable revocation checking");
- pkixParams.setRevocationEnabled(true);
- System.setProperty("com.sun.security.enableCRLDP", "true");
- Security.setProperty("ocsp.enable", "true");
- } else {
- log.warn("Revocation checking disabled");
- pkixParams.setRevocationEnabled(false);
- }
- pkixParams.addCertStore(certStore);
- ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
- pkixParams);
- TrustManagerFactory trustFab;
- try {
- trustFab = TrustManagerFactory.getInstance("PKIX");
- trustFab.init(trustParams);
- KeyManager[] km = null;
- SSLContext sslCtx = SSLContext
- .getInstance(getProperty("SSL.sslProtocol"));
- sslCtx.init(km, trustFab.getTrustManagers(), null);
- HttpsURLConnection
- .setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
- } catch (Exception e) {
- log.error("Cannot configure SSL", e);
- }
+ @Override
+ protected File getCADir() {
+ String caDirectory = getProperty("SSL.caDirectory");
+ return getDirectory(caDirectory);
+ }
- } catch (InvalidAlgorithmParameterException e) {
- log.error("Cannot configure SSL", e);
- }
+ @Override
+ protected File getCertDir() {
+ String certDirectory = getProperty("SSL.certDirectory");
+ return getDirectory(certDirectory);
}
@Override
- public void setResourceLoader(ResourceLoader loader) {
- this.resourceLoader = loader;
+ protected InputStream getManifest() {
+ Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF");
+ if (r != null) {
+ try {
+ return r.getInputStream();
+ } catch (IOException e) {
+ log.error("Cannot read manifest data:", e);
+ }
+ }
+ return null;
}
}
\ No newline at end of file diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java index b70a6274..9e69099d 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java @@ -31,7 +31,7 @@ import org.apache.commons.logging.LogFactory; import at.gv.egiz.bku.binding.HTTPBindingProcessor; import at.gv.egiz.bku.binding.HttpUtil; import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.online.conf.Configurator; +import at.gv.egiz.bku.conf.Configurator; /** * Delivers the result to the browser @@ -108,8 +108,8 @@ public class ResultServlet extends SpringBKUServlet { resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1
resp.setHeader("Pragma", "no-cache"); // HTTP 1.0
resp.setDateHeader("Expires", 0); - if (Configurator.getInstance().getProperty(USER_AGENT_PROPERTY_KEY) != null) { - resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, Configurator.getInstance().getProperty( + if (configurator.getProperty(USER_AGENT_PROPERTY_KEY) != null) { + resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, configurator.getProperty( USER_AGENT_PROPERTY_KEY)); } else { resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java index ec062e42..2c6f522e 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java @@ -16,16 +16,22 @@ */ package at.gv.egiz.bku.online.webapp;
-import javax.servlet.http.HttpServlet;
-
-import at.gv.egiz.bku.binding.BindingProcessorManager;
-import at.gv.egiz.bku.online.conf.Configurator; +import javax.servlet.http.HttpServlet; + +import at.gv.egiz.bku.binding.BindingProcessorManager; +import at.gv.egiz.bku.conf.Configurator; public abstract class SpringBKUServlet extends HttpServlet {
public final static String BEAN_NAME="bindingProcessorManager"; + protected static Configurator configurator; + protected BindingProcessorManager getBindingProcessorManager() {
return (BindingProcessorManager) getServletContext().getAttribute(BEAN_NAME);
+ } + + public static void setConfigurator(Configurator conf) { + configurator = conf; }
}
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties index 73d89f22..d7fc5ae9 100644 --- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties +++ b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties @@ -36,6 +36,10 @@ SSL.caDirectory=classpath:at/gv/egiz/bku/online/conf/certs/CACerts SSL.doRevocationChecking=true
SSL.sslProtocol=TLS
+SSL.cache.lifetime=3600
+
+# use authority info access extension to find ca certs.
+SSL.useAIA=true
# ------------ END SSL Config --------------------
@@ -44,3 +48,4 @@ AppletTimeout=300000 #HTTPProxyHost=taranis.iaik.tugraz.at
#HTTPProxyPort=8888
+#DefaultSocketTimeout=200
diff --git a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml index 04b07ba4..b074da59 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml @@ -45,8 +45,8 @@ </bean>
<!-- Configure Configuration -->
- <bean id="configurator" factory-method="getInstance" class="at.gv.egiz.bku.online.conf.SpringConfigurator"
- init-method="configure">
+ <bean id="configurator" class="at.gv.egiz.bku.online.conf.SpringConfigurator"
+ init-method="configure" scope="singleton">
<property name="resource" value="classpath:at/gv/egiz/bku/online/conf/defaultConf.properties"/>
</bean>
|