From 7d3f6235a46f70323defa9910da240e61ca684b3 Mon Sep 17 00:00:00 2001 From: wbauer Date: Wed, 1 Oct 2008 07:30:55 +0000 Subject: Moved main parts of the configuration to bkucommon git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@78 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/SpringSecurityManager.java | 3 +- .../at/gv/egiz/bku/online/conf/Configurator.java | 98 ---------- .../egiz/bku/online/conf/SpringConfigurator.java | 209 +++++---------------- .../gv/egiz/bku/online/webapp/ResultServlet.java | 6 +- .../egiz/bku/online/webapp/SpringBKUServlet.java | 14 +- .../gv/egiz/bku/online/conf/defaultConf.properties | 5 + .../src/main/webapp/WEB-INF/applicationContext.xml | 4 +- 7 files changed, 64 insertions(+), 275 deletions(-) delete mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java (limited to 'BKUOnline/src') diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java index 3d0df8c4..5795478b 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java @@ -25,7 +25,7 @@ import org.springframework.core.io.Resource; import org.springframework.core.io.ResourceLoader; import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade; -import at.gv.egiz.bku.online.conf.Configurator; +import at.gv.egiz.bku.conf.Configurator; public class SpringSecurityManager extends SecurityManagerFacade implements ResourceLoaderAware { @@ -60,5 +60,4 @@ public class SpringSecurityManager extends SecurityManagerFacade implements public void setResourceLoader(ResourceLoader loader) { this.resourceLoader = loader; } - } diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java deleted file mode 100644 index c09abcc1..00000000 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java +++ /dev/null @@ -1,98 +0,0 @@ -/* - * Copyright 2008 Federal Chancellery Austria and - * Graz University of Technology - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package at.gv.egiz.bku.online.conf; - -import iaik.security.ecc.provider.ECCProvider; -import iaik.security.provider.IAIK; -import iaik.xml.crypto.XSecProvider; - -import java.io.IOException; -import java.net.HttpURLConnection; -import java.security.Provider; -import java.security.Security; -import java.util.Properties; - -import javax.net.ssl.HttpsURLConnection; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.binding.DataUrl; -import at.gv.egiz.bku.binding.DataUrlConnection; -import at.gv.egiz.bku.slcommands.impl.xsect.DataObject; -import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider; - -/** - * - * TODO currently only the code to get started. - */ -public abstract class Configurator { - - private Log log = LogFactory.getLog(Configurator.class); - - private static Configurator instance = new SpringConfigurator(); - - protected Properties properties; - - protected Configurator() { - } - - public static Configurator getInstance() { - return instance; - } - - protected void configUrlConnections() { - HttpsURLConnection.setFollowRedirects(false); - HttpURLConnection.setFollowRedirects(false); - } - - protected void configureProviders() { - log.debug("Registering security providers"); - Security.insertProviderAt(new IAIK(), 1); - Security.insertProviderAt(new ECCProvider(false), 2); - Security.addProvider(new STALProvider()); - XSecProvider.addAsProvider(false); - StringBuilder sb = new StringBuilder(); - sb.append("Registered providers: "); - int i = 1; - for (Provider prov : Security.getProviders()) { - sb.append((i++) + ". : " + prov); - } - log.debug(sb.toString()); - } - - protected void configViewer() { - DataObject.enableHashDataInputValidation(Boolean.parseBoolean(properties.getProperty("ValidateHashDataInputs"))); - } - - public void configure() { - configureProviders(); - configUrlConnections(); - configViewer(); - } - - public void setConfiguration(Properties props) { - this.properties = props; - } - - public String getProperty(String key) { - if (properties != null) { - return properties.getProperty(key); - } - return null; - } -} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java index d213dd36..a369d829 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java @@ -17,31 +17,9 @@ package at.gv.egiz.bku.online.conf; import java.io.File; -import java.io.FileInputStream; import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import java.security.Security; -import java.security.cert.CertStore; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; -import java.security.cert.CollectionCertStoreParameters; -import java.security.cert.PKIXBuilderParameters; -import java.security.cert.TrustAnchor; -import java.security.cert.X509CertSelector; -import java.security.cert.X509Certificate; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; +import java.io.InputStream; import java.util.Properties; -import java.util.Set; - -import javax.net.ssl.CertPathTrustManagerParameters; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.KeyManager; -import javax.net.ssl.ManagerFactoryParameters; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManagerFactory; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -49,8 +27,8 @@ import org.springframework.context.ResourceLoaderAware; import org.springframework.core.io.Resource; import org.springframework.core.io.ResourceLoader; -import at.gv.egiz.bku.binding.DataUrl; -import at.gv.egiz.bku.binding.DataUrlConnection; +import at.gv.egiz.bku.conf.Configurator; +import at.gv.egiz.bku.online.webapp.SpringBKUServlet; import at.gv.egiz.bku.slexceptions.SLRuntimeException; import at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory; @@ -76,41 +54,8 @@ public class SpringConfigurator extends Configurator implements } } - public void configureVersion() { - Properties p = new Properties(); - try { - p.load(resourceLoader.getResource("META-INF/MANIFEST.MF") - .getInputStream()); - String version = p.getProperty("Implementation-Build"); - properties.setProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY, - "citizen-card-environment/1.2 MOCCA " + version); - DataUrl.setConfiguration(properties); - log.debug("Setting user agent to: " - + properties.getProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY)); - } catch (IOException e) { - log.error(e); - } - } - - public void configure() { - super.configure(); - configureSSL(); - configureVersion(); - configureNetwork(); - } - public void configureNetwork() { - String proxyHost = getProperty("HTTPProxyHost"); - String proxyPort = getProperty("HTTPProxyPort"); - if (proxyPort == null) { - proxyPort = "80"; - } - if (proxyHost != null) { - log.debug("Setting proxy server to: " + proxyHost + ":" + proxyPort); - System.setProperty("http.proxyHost", proxyHost); - System.setProperty("http.proxyPort", proxyPort); - } - log.debug("No proxy specified"); + super.configureNetwork(); String appletTimeout = getProperty("AppletTimeout"); if ((appletTimeout != null)) { try { @@ -122,128 +67,60 @@ public class SpringConfigurator extends Configurator implements } } - - private Set getCACerts() throws IOException, - CertificateException { - Set caCerts = new HashSet(); - String caDirectory = getProperty("SSL.caDirectory"); - if (caDirectory != null) { - Resource caDirRes = resourceLoader.getResource(caDirectory); - File caDir = caDirRes.getFile(); - if (!caDir.isDirectory()) { - log.error("Expecting directory as SSL.caDirectory parameter"); - throw new SLRuntimeException( - "Expecting directory as SSL.caDirectory parameter"); - } - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - for (File f : caDir.listFiles()) { - try { - FileInputStream fis = new FileInputStream(f); - X509Certificate cert = (X509Certificate) cf.generateCertificate(fis); - fis.close(); - log.debug("Adding trusted cert " + cert.getSubjectDN()); - caCerts.add(new TrustAnchor(cert, null)); - } catch (Exception e) { - log.error("Cannot add trusted ca", e); - } - } - return caCerts; - - } else { - log.warn("No CA certificates configured"); - } - return null; + + public void configure() { + super.configure(); + SpringBKUServlet.setConfigurator(this); } - private CertStore getCertstore() throws IOException, CertificateException, - InvalidAlgorithmParameterException, NoSuchAlgorithmException { - String certDirectory = getProperty("SSL.certDirectory"); - if (certDirectory != null) { - Resource certDirRes = resourceLoader.getResource(certDirectory); + @Override + public void setResourceLoader(ResourceLoader loader) { + this.resourceLoader = loader; + } - File certDir = certDirRes.getFile(); + private File getDirectory(String property) { + if (property != null) { + Resource certDirRes = resourceLoader.getResource(property); + File certDir; + try { + certDir = certDirRes.getFile(); + } catch (IOException e) { + log.error("Cannot get cert directory", e); + throw new SLRuntimeException(e); + } if (!certDir.isDirectory()) { log.error("Expecting directory as SSL.certDirectory parameter"); throw new SLRuntimeException( "Expecting directory as SSL.certDirectory parameter"); } - List certCollection = new LinkedList(); - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - for (File f : certDir.listFiles()) { - try { - FileInputStream fis = new FileInputStream(f); - X509Certificate cert = (X509Certificate) cf.generateCertificate(fis); - certCollection.add(cert); - fis.close(); - log - .trace("Added following cert to certstore: " - + cert.getSubjectDN()); - } catch (Exception ex) { - log.error("Cannot add certificate", ex); - } - } - CollectionCertStoreParameters csp = new CollectionCertStoreParameters( - certCollection); - return CertStore.getInstance("Collection", csp); - - } else { - log.warn("No certstore configured"); + return certDir; } return null; + } - public void configureSSL() { - Set caCerts = null; - try { - caCerts = getCACerts(); - } catch (Exception e1) { - log.error("Cannot load CA certificates", e1); - } - CertStore certStore = null; - try { - certStore = getCertstore(); - } catch (Exception e1) { - log.error("Cannot load certstore certificates", e1); - } - System.setProperty("com.sun.security.enableAIAcaIssuers", "true"); - try { - X509CertSelector selector = new X509CertSelector(); - PKIXBuilderParameters pkixParams; - pkixParams = new PKIXBuilderParameters(caCerts, selector); - if ((getProperty("SSL.doRevocationChecking") != null) - && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) { - log.info("Enable revocation checking"); - pkixParams.setRevocationEnabled(true); - System.setProperty("com.sun.security.enableCRLDP", "true"); - Security.setProperty("ocsp.enable", "true"); - } else { - log.warn("Revocation checking disabled"); - pkixParams.setRevocationEnabled(false); - } - pkixParams.addCertStore(certStore); - ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters( - pkixParams); - TrustManagerFactory trustFab; - try { - trustFab = TrustManagerFactory.getInstance("PKIX"); - trustFab.init(trustParams); - KeyManager[] km = null; - SSLContext sslCtx = SSLContext - .getInstance(getProperty("SSL.sslProtocol")); - sslCtx.init(km, trustFab.getTrustManagers(), null); - HttpsURLConnection - .setDefaultSSLSocketFactory(sslCtx.getSocketFactory()); - } catch (Exception e) { - log.error("Cannot configure SSL", e); - } + @Override + protected File getCADir() { + String caDirectory = getProperty("SSL.caDirectory"); + return getDirectory(caDirectory); + } - } catch (InvalidAlgorithmParameterException e) { - log.error("Cannot configure SSL", e); - } + @Override + protected File getCertDir() { + String certDirectory = getProperty("SSL.certDirectory"); + return getDirectory(certDirectory); } @Override - public void setResourceLoader(ResourceLoader loader) { - this.resourceLoader = loader; + protected InputStream getManifest() { + Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF"); + if (r != null) { + try { + return r.getInputStream(); + } catch (IOException e) { + log.error("Cannot read manifest data:", e); + } + } + return null; } } \ No newline at end of file diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java index b70a6274..9e69099d 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java @@ -31,7 +31,7 @@ import org.apache.commons.logging.LogFactory; import at.gv.egiz.bku.binding.HTTPBindingProcessor; import at.gv.egiz.bku.binding.HttpUtil; import at.gv.egiz.bku.binding.IdFactory; -import at.gv.egiz.bku.online.conf.Configurator; +import at.gv.egiz.bku.conf.Configurator; /** * Delivers the result to the browser @@ -108,8 +108,8 @@ public class ResultServlet extends SpringBKUServlet { resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1 resp.setHeader("Pragma", "no-cache"); // HTTP 1.0 resp.setDateHeader("Expires", 0); - if (Configurator.getInstance().getProperty(USER_AGENT_PROPERTY_KEY) != null) { - resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, Configurator.getInstance().getProperty( + if (configurator.getProperty(USER_AGENT_PROPERTY_KEY) != null) { + resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, configurator.getProperty( USER_AGENT_PROPERTY_KEY)); } else { resp.setHeader(HttpUtil.HTTP_HEADER_USER_AGENT, diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java index ec062e42..2c6f522e 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java @@ -16,16 +16,22 @@ */ package at.gv.egiz.bku.online.webapp; -import javax.servlet.http.HttpServlet; - -import at.gv.egiz.bku.binding.BindingProcessorManager; -import at.gv.egiz.bku.online.conf.Configurator; +import javax.servlet.http.HttpServlet; + +import at.gv.egiz.bku.binding.BindingProcessorManager; +import at.gv.egiz.bku.conf.Configurator; public abstract class SpringBKUServlet extends HttpServlet { public final static String BEAN_NAME="bindingProcessorManager"; + protected static Configurator configurator; + protected BindingProcessorManager getBindingProcessorManager() { return (BindingProcessorManager) getServletContext().getAttribute(BEAN_NAME); + } + + public static void setConfigurator(Configurator conf) { + configurator = conf; } } diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties index 73d89f22..d7fc5ae9 100644 --- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties +++ b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties @@ -36,6 +36,10 @@ SSL.caDirectory=classpath:at/gv/egiz/bku/online/conf/certs/CACerts SSL.doRevocationChecking=true SSL.sslProtocol=TLS +SSL.cache.lifetime=3600 + +# use authority info access extension to find ca certs. +SSL.useAIA=true # ------------ END SSL Config -------------------- @@ -44,3 +48,4 @@ AppletTimeout=300000 #HTTPProxyHost=taranis.iaik.tugraz.at #HTTPProxyPort=8888 +#DefaultSocketTimeout=200 diff --git a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml index 04b07ba4..b074da59 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml @@ -45,8 +45,8 @@ - + -- cgit v1.2.3