Diffstat (limited to 'bkucommon')
5 files changed, 124 insertions, 29 deletions
| diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
index ace8a75a..ed4b9bda 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
@@ -1,30 +1,31 @@
  /*
 -* Copyright 2008 Federal Chancellery Austria and
 -* Graz University of Technology
 -*
 -* Licensed under the Apache License, Version 2.0 (the "License");
 -* you may not use this file except in compliance with the License.
 -* You may obtain a copy of the License at
 -*
 -*     http://www.apache.org/licenses/LICENSE-2.0
 -*
 -* Unless required by applicable law or agreed to in writing, software
 -* distributed under the License is distributed on an "AS IS" BASIS,
 -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -* See the License for the specific language governing permissions and
 -* limitations under the License.
 -*/
 + * Copyright 2008 Federal Chancellery Austria and
 + * Graz University of Technology
 + *
 + * Licensed under the Apache License, Version 2.0 (the "License");
 + * you may not use this file except in compliance with the License.
 + * You may obtain a copy of the License at
 + *
 + *     http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing, software
 + * distributed under the License is distributed on an "AS IS" BASIS,
 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 + * See the License for the specific language governing permissions and
 + * limitations under the License.
 + */
  package at.gv.egiz.bku.accesscontroller;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED;
 -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
  import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY;
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
 -import java.net.InetAddress;
  import java.net.URL;
 -import java.net.UnknownHostException;
 +import java.security.cert.CertificateParsingException;
  import java.security.cert.X509Certificate;
 +import java.util.Collection;
 +import java.util.List;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
 @@ -37,6 +38,39 @@ public class AuthenticationClassifier {
 	private AuthenticationClassifier() {
  	}
 +	public static boolean isGovAgency(X509Certificate cert) {
 +		String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
 +		for (String rdn : rdns) {
 +			if (rdn.startsWith("CN=")) {
 +				String dns = rdn.split("=")[1];
 +				log.trace("Analyzing cn dn: " + dns);
 +				if (dns.endsWith(GOV_DOMAIN)) {
 +					return true;
 +				}
 +			}
 +		}
 +		try {
 +			Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
 +			if (sanList != null) {
 +				for (List<?> san : sanList) {
 +					log.trace("Analyzing subj. alt name: " + san);
 +					if ((Integer) san.get(0) == 2) {
 +						String dns = (String) san.get(1);
 +						if (dns.endsWith(GOV_DOMAIN)) {
 +							return true;
 +						}
 +					}
 +				}
 +			}
 +		} catch (CertificateParsingException e) {
 +			log.error(e);
 +		}
 +		if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
 +			return true;
 +		}
 +		return false;
 +	}
 +
  	/**
  	 * Client Certificates are currently not supported
  	 * 
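Review bot: `rdn.split("=")[1]` in the CN loop throws ArrayIndexOutOfBoundsException for a subject whose CN is empty (`CN=`), because split() drops trailing empty strings, and it truncates a CN value that itself contains `=`; `String dns = rdn.substring("CN=".length());` avoids both. The `endsWith(GOV_DOMAIN)` checks on the CN and on the dNSName SANs are case-sensitive although DNS names are not, so comparing `dns.toLowerCase(Locale.ROOT)` (java.util.Locale, with a lower-case GOV_DOMAIN) would prevent spurious rejections; and if GOV_DOMAIN does not start with a dot, a host such as `xgv.at` would also pass — the constant is defined outside this hunk, so that needs confirming. Splitting `getName()` on `,` also misreads RDN values containing escaped commas; `javax.naming.ldap.LdapName` parses the RFC 2253 string correctly. `log.error(e)` in the catch logs only the exception; `log.error("Cannot parse subject alternative names", e)` gives the operator context.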
 @@ -45,13 +79,8 @@ public class AuthenticationClassifier {
 			URL url, X509Certificate cert) {
  		if (isDataUrl) {
  			if (url.getProtocol().equalsIgnoreCase("https")) {
 -				try {
 -					if (InetAddress.getByName(url.getHost()).getCanonicalHostName()
 -							.endsWith(GOV_DOMAIN)) {
 -						return CERTIFIED_GOV_AGENCY;
 -					}
 -				} catch (UnknownHostException e) {
 -					log.error("Cannot determine host name", e);
 +				if (isGovAgency(cert)) {
 +					return CERTIFIED_GOV_AGENCY;
  				}
  				if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
  					return CERTIFIED_GOV_AGENCY;
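Review bot: The `cert.getExtensionValue("1.2.40.0.10.1.1.1")` check that follows the new `isGovAgency(cert)` call is now redundant — isGovAgency already returns true when that extension is present — so the duplicated block can be removed, or the OID moved to a named constant that both sites share. Classification now rests solely on the peer certificate's subject and SANs rather than on a reverse DNS lookup, so the result is only as trustworthy as the chain validation performed on `cert` before it reaches this method; this hunk cannot show where that happens, and the `@param cert` Javadoc should state that a chain-validated TLS server certificate is expected. The enclosing method starts and ends outside this hunk.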
 @@ -68,7 +97,8 @@ public class AuthenticationClassifier {
 	/**
  	 * 
  	 * @param isDataUrl
 -	 * @param url if the url's protocol is https a cert parameter must be provided.
 +	 * @param url
 +	 *          if the url's protocol is https a cert parameter must be provided.
  	 * @param cert
  	 * @return
  	 */
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java
 index ed37f08f..aaf81e51 100644
 --- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java
 +++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManager.java
 @@ -99,5 +99,7 @@ public interface BindingProcessorManager {
     */
    public Set<Id> getManagedIds();
 -  public void shutdown();
 +  public void shutdown();
 +  
 +  public void shutdownNow();
  }
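Review bot: The new `shutdownNow()` declaration has no Javadoc, while the preceding `shutdown()` sits under a comment block (its `*/` closes just above it in this hunk). The implementation in this commit delegates to `ExecutorService.shutdownNow()`, which attempts to interrupt running binding processors and drops queued ones, so the contract differs materially from `shutdown()` and callers need that stated. A comment such as `/** Shuts down immediately: running binding processors are interrupted and queued ones are discarded. Use {@link #shutdown()} for an orderly stop. */` would do.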
\ No newline at end of file
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java
index 6f5ca2d2..0082de26 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/BindingProcessorManagerImpl.java
@@ -149,6 +149,11 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {
   public void shutdown() {
      log.info("Shutting down the BindingProcessorManager");
      executorService.shutdown();
 +  }
 +  
 +  public void shutdownNow() {
 +  	log.info("Shutting down the BindingProcessorManager NOW!");
 +    executorService.shutdownNow();
   }
    /**
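Review bot: The new `shutdownNow()` discards the `List<Runnable>` returned by `executorService.shutdownNow()`, so binding processors that were queued but never started disappear without any log entry, and their entries presumably stay in bindingProcessorMap (the map's handling is outside this hunk). Capturing the result and logging at least the count, e.g. `List<Runnable> pending = executorService.shutdownNow(); log.info("Discarded " + pending.size() + " queued binding processors");` (java.util.List, if not yet imported), leaves a trace of what was dropped. Two style points: the `log.info` line is indented with a tab while the surrounding file uses two spaces, and the method lacks the `@Override` annotation the class uses on removeBindingProcessor.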
 @@ -223,7 +228,8 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {
       throw new SLRuntimeException(
            "Clashing ids, cannot process bindingprocessor with id:"
                + aBindingProcessor.getId());
 -    }
 +    }
 +    log.debug("processing bindingprocessor: "+aBindingProcessor.getId());
      Future<?> f = executorService.submit(aBindingProcessor);
      bindingProcessorMap.put(aBindingProcessor.getId(), new MapEntityWrapper(f,
          aBindingProcessor));
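Review bot: The added `log.debug("processing bindingprocessor: "+aBindingProcessor.getId())` builds its message by concatenation on every call, which with commons-logging is usually guarded with `if (log.isDebugEnabled())`; the same applies to the `log.debug` added in `removeBindingProcessor` in the next hunk, which also uses a tab for indentation in a two-space file. Both lines write the session Id to the log; if that Id also serves as the client's session token (not visible here), consider logging a truncated form so debug logs do not become a store of reusable identifiers.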
 @@ -235,7 +241,8 @@ public class BindingProcessorManagerImpl implements BindingProcessorManager {
   }
    @Override
 -  public void removeBindingProcessor(Id sessionId) {
 +  public void removeBindingProcessor(Id sessionId) {
 +  	log.debug("Removing binding processor: "+sessionId);
      MapEntityWrapper wrapper = bindingProcessorMap
          .get(sessionId);
      if (wrapper == null) {
 diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifierTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifierTest.java
 new file mode 100644
 index 00000000..c339704e
 --- /dev/null
 +++ b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifierTest.java
 @@ -0,0 +1,28 @@
 +package at.gv.egiz.bku.accesscontroller;
 +
 +import static org.junit.Assert.assertTrue;
 +
 +import java.security.cert.CertificateFactory;
 +import java.security.cert.X509Certificate;
 +
 +import org.junit.Before;
 +import org.junit.Test;
 +
 +public class AuthenticationClassifierTest {
 +
 +	private X509Certificate atrust;
 +
 +	@Before
 +	public void setUp() throws Exception {
 +		atrust = (X509Certificate) CertificateFactory.getInstance("X509")
 +				.generateCertificate(
 +						getClass().getClassLoader().getResourceAsStream(
 +								"at/gv/egiz/bku/accesscontroller/www.a-trust.at.crt"));
 +	}
 +
 +	@Test
 +	public void testATrust() {
 +		assertTrue(AuthenticationClassifier.isGovAgency(atrust));
 +	}
 +
 +}
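Review bot: The test covers only the positive case — a certificate carrying a dNSName SAN under the GOV domain — so a regression that makes `isGovAgency` return true for every certificate would still pass; add a second fixture with no matching CN, SAN or extension and assert `assertFalse(AuthenticationClassifier.isGovAgency(other));` (import `org.junit.Assert.assertFalse`). The `getResourceAsStream` stream opened in setUp is never closed; closing it in a finally block after generateCertificate returns fixes the leak. `generateCertificate` does not check validity, so the fixture's expiry does not affect this test, but a one-line comment saying so would prevent a future "expired certificate" cleanup from removing it.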
 diff --git a/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/www.a-trust.at.crt b/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/www.a-trust.at.crt
 new file mode 100644
 index 00000000..11cde026
 --- /dev/null
 +++ b/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/www.a-trust.at.crt
 @@ -0,0 +1,28 @@
 +-----BEGIN CERTIFICATE-----
 +MIIEyjCCA7KgAwIBAgIDA4LFMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJB
 +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
 +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRYwFAYDVQQLDA1hLXNpZ24tU1NM
 +LTAzMRYwFAYDVQQDDA1hLXNpZ24tU1NMLTAzMB4XDTA3MTIxMTExMTQ0NFoXDTEy
 +MTIxMTExMTQ0NFowYTELMAkGA1UEBhMCQVQxEDAOBgNVBAoMB0EtVHJ1c3QxEDAO
 +BgNVBAsMB0EtVHJ1c3QxFzAVBgNVBAMMDnd3dy5hLXRydXN0LmF0MRUwEwYDVQQF
 +Eww2NDk2ODY0MDkzMzkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK2oRtJ4
 +R9ipr/NUH5F4p86cjWtzT1g+ytpjg1lwh4HNY+lTjdUcx/VKBrtf0N8qnMK1UHhA
 +LLvvZeKTFi3L15i5or1WjZRi4RfH/4vcL0o1w/91liwMOKH3D30omnVceuxmQp2j
 +V9QrGPbz0/IsP51cnBWCBTWGqgfBebB8v1FLAgMBAAGjggHmMIIB4jATBgNVHSME
 +DDAKgAhAPqHTYrQD3TByBggrBgEFBQcBAQRmMGQwJwYIKwYBBQUHMAGGG2h0dHA6
 +Ly9vY3NwLmEtdHJ1c3QuYXQvb2NzcDA5BggrBgEFBQcwAoYtaHR0cDovL3d3dy5h
 +LXRydXN0LmF0L2NlcnRzL2Etc2lnbi1zc2wtMDMuY3J0MEsGA1UdIAREMEIwQAYG
 +KigAEQEUMDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2Nz
 +L2NwL2Etc2lnbi1zc2wwgY8GA1UdHwSBhzCBhDCBgaB/oH2Ge2xkYXA6Ly9sZGFw
 +LmEtdHJ1c3QuYXQvb3U9YS1zaWduLVNTTC0wMyxvPUEtVHJ1c3QsYz1BVD9jZXJ0
 +aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlm
 +aWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQIRu1a/pOZZpMwDgYDVR0PAQH/BAQD
 +AgWgMEoGA1UdEQRDMEGBEW9mZmljZUBhLXRydXN0LmF0gg53d3cuYS10cnVzdC5h
 +dIIcemRhLnNvemlhbHZlcnNpY2hlcnVuZy5ndi5hdDAJBgNVHRMEAjAAMA0GCSqG
 +SIb3DQEBBQUAA4IBAQCQGheDpci0lnSEoKw/N3tbJqn/KG49/OWZcsw6XZiAEHsx
 +Rx9TlNJhL2d/SqFXBmmqfR496gdzTb4823WJsmXtyBY2t5ZnmD9tY5oJi5bHKchO
 +50QCd1x24HzH1mxPReCJzRxzLEM/znojEMdYqQ5Y+BZuj7n9BY+l2nY0Qnhn09FE
 +dxXAfNcuZnZavLJgk7vTBg8OFkAh6DJ21ACxf/y+rN53gKFK4Jh+PodRu0J2tK8B
 +wAZg7HlnT8U7tcEsf1JnsBhlzAWCHgZc6whgBbDHFs6WSFWuobKN+maU91g/Tvgk
 +Obos/EhVNti54Zhu1PO9RSKpKkwzTJT4kmGtaOJN
 +-----END CERTIFICATE-----
