From 03d4206918ca3db9554e78bf8070a11503f083d9 Mon Sep 17 00:00:00 2001 From: wbauer Date: Wed, 3 Sep 2008 12:59:26 +0000 Subject: Added skeleton for the access controller classes. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@8 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/accesscontroller/AccessChecker.java | 7 +++ .../bku/accesscontroller/AccessCheckerContext.java | 27 ++++++++ .../accesscontroller/AccessControllerFactory.java | 39 ++++++++++++ .../at/gv/egiz/bku/accesscontroller/Action.java | 19 ++++++ .../bku/accesscontroller/AuthenticationClass.java | 21 +++++++ .../accesscontroller/AuthenticationClassifier.java | 63 +++++++++++++++++++ .../gv/egiz/bku/accesscontroller/ChainChecker.java | 71 ++++++++++++++++++++++ .../gv/egiz/bku/accesscontroller/ChainResult.java | 32 ++++++++++ .../gv/egiz/bku/accesscontroller/RuleChecker.java | 69 +++++++++++++++++++++ .../gv/egiz/bku/accesscontroller/RuleResult.java | 16 +++++ .../gv/egiz/bku/accesscontroller/UserAction.java | 20 ++++++ 11 files changed, 384 insertions(+) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java new file mode 100644 index 00000000..81bf1795 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java @@ -0,0 +1,7 @@ +package at.gv.egiz.bku.accesscontroller; + +import at.gv.egiz.bku.slexceptions.SLException; + +public interface AccessChecker { + public ChainResult check(AccessCheckerContext checkCtx) throws SLException; +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java new file mode 100644 index 00000000..1206c022 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java @@ -0,0 +1,27 @@ +package at.gv.egiz.bku.accesscontroller; + +import at.gv.egiz.bku.slcommands.SLCommand; + +public class AccessCheckerContext { + private SLCommand command; + private AuthenticationClass authenticationClass; + private String peerUrl; + + public AccessCheckerContext(SLCommand cmd, AuthenticationClass ac, String url) { + this.command = cmd; + this.authenticationClass = ac; + this.peerUrl = url; + } + + public SLCommand getCommand() { + return command; + } + + public AuthenticationClass getAuthenticationClass() { + return authenticationClass; + } + + public String getPeerUrl() { + return peerUrl; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java new file mode 100644 index 00000000..9b3e563d --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -0,0 +1,39 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.Hashtable; + +public class AccessControllerFactory { + + private static AccessControllerFactory instance; + + private Hashtable chainTable = new Hashtable(); + + private AccessControllerFactory() { + } + + public static AccessControllerFactory getInstance() { + return instance; + } + + /** + * + * @param id + * @return null if there is no chain with this id. + */ + public ChainChecker getChainChecker(String id) { + return chainTable.get(id); + } + + public ChainChecker createChainChecker(String id, boolean register) { + ChainChecker cc = new ChainChecker(id); + if (register) { + chainTable.put(id, cc); + } + return cc; + } + + public void registerChainChecker(ChainChecker cc) { + chainTable.put(cc.getId(), cc); + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java new file mode 100644 index 00000000..11a22c99 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java @@ -0,0 +1,19 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum Action { + ALLOW("allow"), DENY("deny"); + private String name; + + Action(String name) { + this.name = name; + } + + public static Action fromString(String s) { + for (Action ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java new file mode 100644 index 00000000..4d58df78 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java @@ -0,0 +1,21 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum AuthenticationClass { + ANONYMOUS("anonymous"), PSEUDO_ANONYMOUS("pseudoanonymous"), CERTIFIED( + "certified"), CERTIFIED_GOV_AGENCY("certifiedGovAgency"); + + private String name; + + AuthenticationClass(String name) { + this.name = name; + } + + public static AuthenticationClass fromString(String s) { + for (AuthenticationClass ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java new file mode 100644 index 00000000..2e856f06 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -0,0 +1,63 @@ +package at.gv.egiz.bku.accesscontroller; + +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY; + +import java.net.InetAddress; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.cert.X509Certificate; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +public class AuthenticationClassifier { + private static AuthenticationClassifier instance = new AuthenticationClassifier(); + private static Log log = LogFactory.getLog(AuthenticationClassifier.class); + private final static String GOV_DOMAIN = ".gv.at"; + + private AuthenticationClassifier() { + } + + /** + * Client Certificates are currently not supported + * + */ + protected AuthenticationClass getMyAuthenticationClass(boolean isDataUrl, + URL url, X509Certificate cert) { + if (isDataUrl) { + if (url.getProtocol().equalsIgnoreCase("https")) { + try { + if (InetAddress.getByName(url.getHost()).getCanonicalHostName() + .endsWith(GOV_DOMAIN)) { + return CERTIFIED_GOV_AGENCY; + } + } catch (UnknownHostException e) { + log.error("Cannot determine host name", e); + } + if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { + return CERTIFIED_GOV_AGENCY; + } + return CERTIFIED; + } else { + return PSEUDO_ANONYMOUS; + } + } else { + return ANONYMOUS; + } + } + + /** + * + * @param isDataUrl + * @param url if the url's protocol is https a cert parameter must be provided. + * @param cert + * @return + */ + public static AuthenticationClass getAuthenticationClass(boolean isDataUrl, + URL url, X509Certificate cert) { + return instance.getMyAuthenticationClass(isDataUrl, url, cert); + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java new file mode 100644 index 00000000..242d9b02 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java @@ -0,0 +1,71 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.LinkedList; +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slexceptions.SLException; + +public class ChainChecker implements AccessChecker { + private static Log log = LogFactory.getLog(ChainChecker.class); + + private String id; + private List rules = new LinkedList(); + + /** + * + * @param id must not be null + */ + public ChainChecker(String id) { + if (id == null) { + throw new NullPointerException("Id argument must not be null"); + } + this.id = id; + } + + + public String getId() { + return id; + } + + public void addRule(RuleChecker rule) { + if (rule != null) { + rules.add(rule); + } + } + + @Override + public ChainResult check(AccessCheckerContext checkCtx) throws SLException { + log.debug("Processing chain: "+id); + for (RuleChecker rule : rules) { + log.trace("Checking rule: "+rule.getId()); + RuleResult result = rule.check(checkCtx); + if (result.matchFound()) { + log.debug("Found matching rule: "+rule.getId()); + if (result.getDelegateChainId() != null) { + // process chain + ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId()); + if (cc == null) { + log.error("Cannot delegate to chain. Unknown chain id: "+result.getDelegateChainId()); + throw new SLException(4000); + } + ChainResult cr = cc.check(checkCtx); + if (cr.matchFound()) { + return cr; + } + // if chain does not contain matching rule + // cont. here. + } else { + return result; + } + } + } + log.debug("Did not find a matching rule here"); + return new ChainResult(null, null, false); + } + + + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java new file mode 100644 index 00000000..a534f4e5 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java @@ -0,0 +1,32 @@ +package at.gv.egiz.bku.accesscontroller; + +/** + * Result of the access controller + * + */ +public class ChainResult { + private UserAction userAction; + private Action action; + private boolean matchFound; + + public ChainResult(Action action, UserAction userAction, boolean matchFound) { + this.action = action; + this.userAction = userAction; + } + + public Action getAction() { + return action; + } + + public UserAction getUserAction() { + return userAction; + } + + /** + * + * @return true if a matching rule has been found + */ + public boolean matchFound() { + return matchFound; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java new file mode 100644 index 00000000..bf46034d --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -0,0 +1,69 @@ +package at.gv.egiz.bku.accesscontroller; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slexceptions.SLRuntimeException; + +public class RuleChecker implements AccessChecker { + + private static Log log = LogFactory.getLog(RuleChecker.class); + + public static enum PEER_TYPE {HOST, IP, URL}; + + protected String id; + protected AuthenticationClass authenticationClass; + protected String commandName; + protected String peerId; + protected PEER_TYPE peerType; + protected Action action; + protected UserAction userAction; + + public RuleChecker(String id) { + if (id == null) { + throw new NullPointerException("Id argument must not be null"); + } + this.id = id; + } + + public void setAuthenticationClass(String ac) { + AuthenticationClass tmp = AuthenticationClass.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown authentication class "+ac); + } + authenticationClass = tmp; + } + + public void setAction(String ac) { + Action tmp = Action.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown action "+ac); + } + action = tmp; + } + + public void setUserAction(String uac) { + UserAction tmp = UserAction.fromString(uac); + if (tmp == null) { + throw new SLRuntimeException("Unknown user action "+uac); + } + userAction = tmp; + } + + public void setPeerId(String peerId, PEER_TYPE type) { + this.peerType = type; + this.peerId = peerId; + } + + public String getId() { + return id; + } + + @Override + public RuleResult check(AccessCheckerContext checkCtx) { + log.debug("Processing rule: "+id); + // TODO Auto-generated method stub + return null; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java new file mode 100644 index 00000000..26f42db0 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java @@ -0,0 +1,16 @@ +package at.gv.egiz.bku.accesscontroller; + + +public class RuleResult extends ChainResult { + private String chainId; + + public RuleResult(Action action, UserAction userAction, boolean matchFound, String chainId) { + super(action, userAction, matchFound); + this.chainId = chainId; + } + + public String getDelegateChainId() { + return chainId; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java new file mode 100644 index 00000000..307ec1e5 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java @@ -0,0 +1,20 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum UserAction { + NONE("none"), INFO("info"), CONFIRM("confirm"), CONFIRM_WITH_SECRET("confirmWithSecret"); + + private String name; + + UserAction(String name) { + this.name = name; + } + + public static UserAction fromString(String s) { + for (UserAction ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} -- cgit v1.2.3 From 2f029b9cb3ebc11abe28e0b2801bacc40cb584b1 Mon Sep 17 00:00:00 2001 From: wbauer Date: Wed, 3 Sep 2008 15:19:48 +0000 Subject: Just a backup of updated accesscontroller files git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@12 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/AccessControllerFactory.java | 68 ++++++++++++- .../gv/egiz/bku/accesscontroller/ChainResult.java | 1 + .../bku/accesscontroller/InfoboxRuleChecker.java | 14 +++ .../gv/egiz/bku/accesscontroller/RuleChecker.java | 112 ++++++++++++++++++--- 4 files changed, 179 insertions(+), 16 deletions(-) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java index 9b3e563d..3b75a5f2 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -1,10 +1,38 @@ package at.gv.egiz.bku.accesscontroller; +import java.io.InputStream; import java.util.Hashtable; +import java.util.List; + +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.accesscontrol.config.AccessControl; +import at.gv.egiz.bku.accesscontrol.config.Chain; +import at.gv.egiz.bku.accesscontrol.config.Command; +import at.gv.egiz.bku.accesscontrol.config.ObjectFactory; +import at.gv.egiz.bku.accesscontrol.config.Rule; +import at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl; +import at.gv.egiz.bku.slexceptions.SLRuntimeException; public class AccessControllerFactory { - private static AccessControllerFactory instance; + private static AccessControllerFactory instance = new AccessControllerFactory(); + private static Log log = LogFactory.getLog(AccessControllerFactory.class); + private static JAXBContext jaxbContext; + + static { + try { + jaxbContext = JAXBContext.newInstance(ObjectFactory.class.getPackage() + .getName()); + } catch (JAXBException e) { + log.fatal("Cannot init jaxbContext", e); + } + } private Hashtable chainTable = new Hashtable(); @@ -35,5 +63,43 @@ public class AccessControllerFactory { public void registerChainChecker(ChainChecker cc) { chainTable.put(cc.getId(), cc); } + + public RuleChecker createRuleChecker(Rule rule) { + RuleChecker rc; + Command cmd = rule.getCommand(); + if (cmd != null) { + if ((cmd.getParam() != null) && (cmd.getParam().size()>0)) { + if (cmd.getName().startsWith("Infobox")) { + rc = new InfoboxRuleChecker(rule.getId()); + } else { + throw new SLRuntimeException("Cannot handle parameters for command "+cmd.getName()); + } + } else { + rc = new RuleChecker(rule.getId()); + } + } else { + rc = new RuleChecker(rule.getId()); + } + // FIXME TODO cont. here + + + return rc; + } + + + public void init(InputStream is) throws JAXBException { + Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); + AccessControl ac = (AccessControl) unmarshaller.unmarshal(is); + List chainList = ac.getChains().getChain(); + log.debug("Found "+chainList.size()+" chains in config"); + for (Chain chain : chainList) { + List ruleList = chain.getRules().getRule(); + log.debug("Found "+ruleList.size()+" rules in chain "+chain.getId()); + for (Rule rule : ruleList) { + //rule.g + } + } + + } } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java index a534f4e5..a8fb789e 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java @@ -12,6 +12,7 @@ public class ChainResult { public ChainResult(Action action, UserAction userAction, boolean matchFound) { this.action = action; this.userAction = userAction; + this.matchFound = matchFound; } public Action getAction() { diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java new file mode 100644 index 00000000..2981d24e --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java @@ -0,0 +1,14 @@ +package at.gv.egiz.bku.accesscontroller; + +/** + * Adds infobox parameter checks + * @author wbauer + * + */ +public class InfoboxRuleChecker extends RuleChecker { + + public InfoboxRuleChecker(String id) { + super(id); + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java index bf46034d..c59f5b70 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -1,23 +1,36 @@ package at.gv.egiz.bku.accesscontroller; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.UnknownHostException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import at.gv.egiz.bku.slcommands.SLCommand; import at.gv.egiz.bku.slexceptions.SLRuntimeException; public class RuleChecker implements AccessChecker { - + private static Log log = LogFactory.getLog(RuleChecker.class); - - public static enum PEER_TYPE {HOST, IP, URL}; + + public static enum PEER_TYPE { + HOST, IP, URL + }; protected String id; protected AuthenticationClass authenticationClass; protected String commandName; + protected Pattern commandNamePattern; protected String peerId; + protected Pattern peerIdPattern; protected PEER_TYPE peerType; protected Action action; protected UserAction userAction; + protected String chainId; public RuleChecker(String id) { if (id == null) { @@ -27,43 +40,112 @@ public class RuleChecker implements AccessChecker { } public void setAuthenticationClass(String ac) { - AuthenticationClass tmp = AuthenticationClass.fromString(ac); + AuthenticationClass tmp = AuthenticationClass.fromString(ac); if (tmp == null) { - throw new SLRuntimeException("Unknown authentication class "+ac); + throw new SLRuntimeException("Unknown authentication class " + ac); } authenticationClass = tmp; } - + public void setAction(String ac) { Action tmp = Action.fromString(ac); if (tmp == null) { - throw new SLRuntimeException("Unknown action "+ac); + throw new SLRuntimeException("Unknown action " + ac); } action = tmp; } - + public void setUserAction(String uac) { - UserAction tmp = UserAction.fromString(uac); + UserAction tmp = UserAction.fromString(uac); if (tmp == null) { - throw new SLRuntimeException("Unknown user action "+uac); + throw new SLRuntimeException("Unknown user action " + uac); } userAction = tmp; } - + + public void setChainId(String chainId) { + this.chainId = chainId; + } + public void setPeerId(String peerId, PEER_TYPE type) { this.peerType = type; this.peerId = peerId; + peerIdPattern = Pattern.compile(peerId); } - + + public void setCommandName(String commandName) { + this.commandName = commandName; + commandNamePattern = Pattern.compile(commandName); + } + public String getId() { return id; } + protected boolean matchAuthenticationClass(AuthenticationClass cls) { + if (this.authenticationClass == null) { + return true; + } + return this.authenticationClass.compareTo(cls) <= 0; + } + + protected boolean matchCommandName(SLCommand cmd) { + if (commandName == null) { + return true; + } + Matcher matcher = commandNamePattern.matcher(cmd.getName()); + return matcher.matches(); + } + + protected boolean matchPeerId(String peerUrl) { + if (peerId == null) { + return true; + } + if (peerType == PEER_TYPE.URL) { + Matcher matcher = peerIdPattern.matcher(peerUrl); + return matcher.matches(); + } else { + try { + URL url = new URL(peerUrl); + if (peerType == PEER_TYPE.HOST) { + try { + String host = url.getHost(); + String hostName = InetAddress.getByName(host).getCanonicalHostName(); + Matcher matcher = peerIdPattern.matcher(hostName); + return matcher.matches(); + } catch (UnknownHostException e) { + log.error("Cannot resolve hostname", e); + return false; + } + } else { + try { + String hostAddr = InetAddress.getByName(url.getHost()) + .getHostAddress(); + Matcher matcher = peerIdPattern.matcher(hostAddr); + return matcher.matches(); + } catch (UnknownHostException e) { + log.error("Cannot resolve host address", e); + return false; + } + } + } catch (MalformedURLException e) { + log.error("Cannot parse url", e); + return false; + } + } + } + @Override public RuleResult check(AccessCheckerContext checkCtx) { - log.debug("Processing rule: "+id); - // TODO Auto-generated method stub - return null; + log.debug("Processing rule: " + id); + if (matchAuthenticationClass(checkCtx.getAuthenticationClass()) + && matchCommandName(checkCtx.getCommand()) + && matchPeerId(checkCtx.getPeerUrl())) { + log.debug("Match found for rule: " + id); + return new RuleResult(action, userAction, true, chainId); + } + log.debug("No match found for rule: " + id); + return new RuleResult(action, userAction, false, chainId); } } -- cgit v1.2.3 From e0f2c64ad6360e2ecec983cb5e0a60f812672106 Mon Sep 17 00:00:00 2001 From: wbauer Date: Thu, 4 Sep 2008 14:56:54 +0000 Subject: finished access controller, accessed it from command invoker and configured everything within onlinebku git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@14 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/AccessControllerFactory.java | 76 ++++++++++----- .../gv/egiz/bku/accesscontroller/ChainChecker.java | 6 +- .../bku/accesscontroller/CommandParamChecker.java | 52 +++++++++++ .../bku/accesscontroller/InfoboxParamChecker.java | 58 ++++++++++++ .../bku/accesscontroller/InfoboxRuleChecker.java | 14 --- .../gv/egiz/bku/accesscontroller/RuleChecker.java | 72 +++++++++++---- .../accesscontroller/SecurityManagerFacade.java | 102 +++++++++++++++++++++ 7 files changed, 325 insertions(+), 55 deletions(-) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java delete mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java index 3b75a5f2..cd837cd7 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -15,8 +15,9 @@ import at.gv.egiz.bku.accesscontrol.config.AccessControl; import at.gv.egiz.bku.accesscontrol.config.Chain; import at.gv.egiz.bku.accesscontrol.config.Command; import at.gv.egiz.bku.accesscontrol.config.ObjectFactory; +import at.gv.egiz.bku.accesscontrol.config.Param; import at.gv.egiz.bku.accesscontrol.config.Rule; -import at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl; +import at.gv.egiz.bku.accesscontroller.RuleChecker.PEER_TYPE; import at.gv.egiz.bku.slexceptions.SLRuntimeException; public class AccessControllerFactory { @@ -24,6 +25,8 @@ public class AccessControllerFactory { private static AccessControllerFactory instance = new AccessControllerFactory(); private static Log log = LogFactory.getLog(AccessControllerFactory.class); private static JAXBContext jaxbContext; + public static String INPUT_CHAIN = "InputChain"; + public static String OUTPUT_CHAIN = "OutputChain"; static { try { @@ -63,43 +66,72 @@ public class AccessControllerFactory { public void registerChainChecker(ChainChecker cc) { chainTable.put(cc.getId(), cc); } - + + public CommandParamChecker createParamChecker(String cmd) { + if ((cmd != null) && (cmd.startsWith("Infobox"))) { + return new InfoboxParamChecker(); + } else { + return null; + } + } + public RuleChecker createRuleChecker(Rule rule) { RuleChecker rc; + rc = new RuleChecker(rule.getId()); Command cmd = rule.getCommand(); if (cmd != null) { - if ((cmd.getParam() != null) && (cmd.getParam().size()>0)) { - if (cmd.getName().startsWith("Infobox")) { - rc = new InfoboxRuleChecker(rule.getId()); - } else { - throw new SLRuntimeException("Cannot handle parameters for command "+cmd.getName()); - } - } else { - rc = new RuleChecker(rule.getId()); + rc.setCommandName(cmd.getName()); + for (Param p : cmd.getParam()) { + rc.addParameter(p.getName(), p.getValue()); } - } else { - rc = new RuleChecker(rule.getId()); } - // FIXME TODO cont. here - - - return rc; + rc.setAuthenticationClass(rule.getAuthClass()); + if (rule.getIPv4Address() != null) { + rc.setPeerId(rule.getIPv4Address(), PEER_TYPE.IP); + } else if (rule.getDomainName() != null) { + rc.setPeerId(rule.getDomainName(), PEER_TYPE.HOST); + } else if (rule.getURL() != null) { + rc.setPeerId(rule.getURL(), PEER_TYPE.URL); + } + rc.setAction(rule.getAction().getRuleAction()); + rc.setChainId(rule.getAction().getChainRef()); + rc.setUserAction(rule.getUserInteraction()); + return rc; } - - + public void init(InputStream is) throws JAXBException { + chainTable.clear(); Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); AccessControl ac = (AccessControl) unmarshaller.unmarshal(is); List chainList = ac.getChains().getChain(); - log.debug("Found "+chainList.size()+" chains in config"); + log.debug("Found " + chainList.size() + " chains in config"); for (Chain chain : chainList) { + log.trace("Creating chain: " + chain.getId()); + ChainChecker cc = createChainChecker(chain.getId(), false); List ruleList = chain.getRules().getRule(); - log.debug("Found "+ruleList.size()+" rules in chain "+chain.getId()); + log + .debug("Found " + ruleList.size() + " rules in chain " + + chain.getId()); for (Rule rule : ruleList) { - //rule.g + log.trace("Creating rule: " + rule.getId()); + cc.addRule(createRuleChecker(rule)); + } + registerChainChecker(cc); + } + validate(); + } + + private void validate() { + for (ChainChecker chain : chainTable.values()) { + for (RuleChecker rule : chain.getRules()) { + if (rule.getChainId() != null) { + log.trace("Checking reference to chain: "+rule.getChainId()); + if (getChainChecker(rule.getChainId()) == null) { + throw new SLRuntimeException("Invalid reference to unknown chain: "+rule.getChainId()); + } + } } } - } } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java index 242d9b02..a290fe8d 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java @@ -1,5 +1,6 @@ package at.gv.egiz.bku.accesscontroller; +import java.util.Collections; import java.util.LinkedList; import java.util.List; @@ -35,6 +36,10 @@ public class ChainChecker implements AccessChecker { rules.add(rule); } } + + public List getRules() { + return Collections.unmodifiableList(rules); + } @Override public ChainResult check(AccessCheckerContext checkCtx) throws SLException { @@ -43,7 +48,6 @@ public class ChainChecker implements AccessChecker { log.trace("Checking rule: "+rule.getId()); RuleResult result = rule.check(checkCtx); if (result.matchFound()) { - log.debug("Found matching rule: "+rule.getId()); if (result.getDelegateChainId() != null) { // process chain ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId()); diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java new file mode 100644 index 00000000..3927c3c9 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java @@ -0,0 +1,52 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.LinkedList; +import java.util.List; + +import at.gv.egiz.bku.slcommands.SLCommand; + +public abstract class CommandParamChecker { + + protected List> paramList = new LinkedList>(); + + public static class Tupel { + private T key; + private Q val; + + public Tupel(T key, Q val) { + if ((key == null) || (val == null)) { + throw new NullPointerException("Tupel key and value must not be null"); + } + this.key = key; + this.val = val; + } + + public T getKey() { + return key; + } + + public Q getVal() { + return val; + } + + @SuppressWarnings("unchecked") + public boolean equals(Object other) { + if (other instanceof Tupel) { + Tupel ot = (Tupel) other; + return (key.equals(ot.key) && val.equals(ot.val)); + } + return false; + } + + public int hashCode() { + return key.hashCode(); + } + } + + public void addParameter(String key, String value) { + paramList.add(new Tupel(key, value)); + } + + public abstract boolean checkParameter(SLCommand cmd); + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java new file mode 100644 index 00000000..33689ae0 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java @@ -0,0 +1,58 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slcommands.InfoboxReadCommand; +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slexceptions.SLRuntimeException; + +public class InfoboxParamChecker extends CommandParamChecker { + private static Log log = LogFactory.getLog(InfoboxParamChecker.class); + + public final static String INFOBOX_ID = "InfoboxIdentifier"; + public final static String PERSON_ID = "PersonIdentifier"; + public final static String DERIVED = "derived"; + + @Override + public boolean checkParameter(SLCommand cmd) { + if (paramList.size() == 0) { + return true; + } + + if (cmd instanceof InfoboxReadCommand) { + InfoboxReadCommand irc = (InfoboxReadCommand) cmd; + for (Tupel param : paramList) { + if (param.getKey().equals(INFOBOX_ID)) { + if (!param.getVal().equals(irc.getInfoboxIdentifier())) { + return false; + } + } else if (param.getKey().equals(PERSON_ID)) { + if (param.getVal().equals(DERIVED)) { + if (irc.getIdentityLinkDomainId() == null) { + return false; + } + } else { + Pattern p = Pattern.compile(param.getVal()); + Matcher m = p.matcher(irc.getIdentityLinkDomainId()); + if (!m.matches()) { + return false; + } + } + + } else { + throw new SLRuntimeException("Cannot handle parameter " + + param.getKey()); + } + } + return true; + } else { + log.error("Cannot handle parameter for command: " + cmd.getName()); + throw new SLRuntimeException("Cannot handle parameters for command: " + + cmd.getName()); + } + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java deleted file mode 100644 index 2981d24e..00000000 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java +++ /dev/null @@ -1,14 +0,0 @@ -package at.gv.egiz.bku.accesscontroller; - -/** - * Adds infobox parameter checks - * @author wbauer - * - */ -public class InfoboxRuleChecker extends RuleChecker { - - public InfoboxRuleChecker(String id) { - super(id); - } - -} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java index c59f5b70..b0bf7fac 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -31,6 +31,7 @@ public class RuleChecker implements AccessChecker { protected Action action; protected UserAction userAction; protected String chainId; + protected CommandParamChecker paramChecker; public RuleChecker(String id) { if (id == null) { @@ -40,27 +41,33 @@ public class RuleChecker implements AccessChecker { } public void setAuthenticationClass(String ac) { - AuthenticationClass tmp = AuthenticationClass.fromString(ac); - if (tmp == null) { - throw new SLRuntimeException("Unknown authentication class " + ac); + if (ac != null) { + AuthenticationClass tmp = AuthenticationClass.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown authentication class " + ac); + } + authenticationClass = tmp; } - authenticationClass = tmp; } public void setAction(String ac) { - Action tmp = Action.fromString(ac); - if (tmp == null) { - throw new SLRuntimeException("Unknown action " + ac); + if (ac != null) { + Action tmp = Action.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown action " + ac); + } + action = tmp; } - action = tmp; } public void setUserAction(String uac) { - UserAction tmp = UserAction.fromString(uac); - if (tmp == null) { - throw new SLRuntimeException("Unknown user action " + uac); + if (uac != null) { + UserAction tmp = UserAction.fromString(uac); + if (tmp == null) { + throw new SLRuntimeException("Unknown user action " + uac); + } + userAction = tmp; } - userAction = tmp; } public void setChainId(String chainId) { @@ -76,6 +83,22 @@ public class RuleChecker implements AccessChecker { public void setCommandName(String commandName) { this.commandName = commandName; commandNamePattern = Pattern.compile(commandName); + paramChecker = AccessControllerFactory.getInstance().createParamChecker( + commandName); + } + + /** + * Make sure to set the commandName first + * + * @param key + * @param value + */ + public void addParameter(String key, String value) { + if (paramChecker == null) { + throw new IllegalArgumentException("Cannot set parameters for command " + + commandName); + } + paramChecker.addParameter(key, value); } public String getId() { @@ -83,22 +106,30 @@ public class RuleChecker implements AccessChecker { } protected boolean matchAuthenticationClass(AuthenticationClass cls) { - if (this.authenticationClass == null) { + if ((this.authenticationClass == null) || (cls == null)) { return true; } return this.authenticationClass.compareTo(cls) <= 0; } protected boolean matchCommandName(SLCommand cmd) { - if (commandName == null) { + if ((commandName == null) || (cmd == null)) { return true; } Matcher matcher = commandNamePattern.matcher(cmd.getName()); - return matcher.matches(); + if (matcher.matches()) { + if (paramChecker != null) { + return paramChecker.checkParameter(cmd); + } else { + return true; + } + } else { + return false; + } } protected boolean matchPeerId(String peerUrl) { - if (peerId == null) { + if ((peerId == null) || (peerUrl == null)) { return true; } if (peerType == PEER_TYPE.URL) { @@ -110,7 +141,8 @@ public class RuleChecker implements AccessChecker { if (peerType == PEER_TYPE.HOST) { try { String host = url.getHost(); - String hostName = InetAddress.getByName(host).getCanonicalHostName(); + String hostName = InetAddress.getByName(host) + .getCanonicalHostName(); Matcher matcher = peerIdPattern.matcher(hostName); return matcher.matches(); } catch (UnknownHostException e) { @@ -143,9 +175,13 @@ public class RuleChecker implements AccessChecker { && matchPeerId(checkCtx.getPeerUrl())) { log.debug("Match found for rule: " + id); return new RuleResult(action, userAction, true, chainId); - } + } log.debug("No match found for rule: " + id); return new RuleResult(action, userAction, false, chainId); } + public String getChainId() { + return chainId; + } + } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java new file mode 100644 index 00000000..32242772 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java @@ -0,0 +1,102 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.io.InputStream; + +import javax.xml.bind.JAXBException; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slcommands.SLCommand; +import at.gv.egiz.bku.slcommands.SLSourceContext; +import at.gv.egiz.bku.slcommands.SLTargetContext; + +/** + * Facade for the access controller + */ +public class SecurityManagerFacade { + + private static Log log = LogFactory.getLog(SecurityManagerFacade.class); + + private boolean allowUnmatched = false; + private ChainChecker inputFilter = null; + private ChainChecker outputFilter = null; + + public boolean mayInvokeCommand(SLCommand cmd, SLSourceContext ctx) { + if (inputFilter != null) { + AuthenticationClass ac = AuthenticationClassifier.getAuthenticationClass( + ctx.isSourceIsDataURL(), ctx.getSourceUrl(), ctx + .getSourceCertificate()); + AccessCheckerContext acc = new AccessCheckerContext(cmd, ac, ctx + .getSourceUrl().toString()); + try { + ChainResult cr = inputFilter.check(acc); + if (cr.matchFound()) { + if (cr.getAction() == Action.ALLOW) { + return true; + } else { + return false; + } + } else { + return allowUnmatched; + } + } catch (Exception e) { + log.error(e); + return false; + } + } else { + log.warn("No input chain defined"); + return allowUnmatched; + } + } + + public boolean maySendResult(SLCommand cmd, SLTargetContext ctx) { + if (outputFilter != null) { + AuthenticationClass ac = AuthenticationClassifier.getAuthenticationClass( + ctx.isTargetIsDataURL(), ctx.getTargetUrl(), ctx + .getTargetCertificate()); + AccessCheckerContext acc = new AccessCheckerContext(cmd, ac, ctx + .getTargetUrl().toString()); + try { + ChainResult cr = outputFilter.check(acc); + if (cr.matchFound()) { + if (cr.getAction() == Action.ALLOW) { + return true; + } else { + return false; + } + } else { + return allowUnmatched; + } + } catch (Exception e) { + log.error(e); + return false; + } + } else { + log.warn("No output chain defined"); + return allowUnmatched; + } + } + + /** + * Default policy if not match was found + * + * @param allow + */ + public void setAllowUnmatched(boolean allow) { + this.allowUnmatched = allow; + } + + public void init(InputStream is) { + inputFilter = null; + outputFilter = null; + AccessControllerFactory fab = AccessControllerFactory.getInstance(); + try { + fab.init(is); + } catch (JAXBException e) { + log.error(e); + } + inputFilter = fab.getChainChecker(AccessControllerFactory.INPUT_CHAIN); + outputFilter = fab.getChainChecker(AccessControllerFactory.OUTPUT_CHAIN); + } +} -- cgit v1.2.3 From 14d74dd27c32a02b5301a0755f3fe174d7e3c9f6 Mon Sep 17 00:00:00 2001 From: wbauer Date: Fri, 5 Sep 2008 12:05:55 +0000 Subject: added file headers git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@17 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../at/gv/egiz/bku/accesscontroller/AccessChecker.java | 16 ++++++++++++++++ .../egiz/bku/accesscontroller/AccessCheckerContext.java | 16 ++++++++++++++++ .../bku/accesscontroller/AccessControllerFactory.java | 16 ++++++++++++++++ .../java/at/gv/egiz/bku/accesscontroller/Action.java | 16 ++++++++++++++++ .../egiz/bku/accesscontroller/AuthenticationClass.java | 16 ++++++++++++++++ .../bku/accesscontroller/AuthenticationClassifier.java | 16 ++++++++++++++++ .../at/gv/egiz/bku/accesscontroller/ChainChecker.java | 16 ++++++++++++++++ .../at/gv/egiz/bku/accesscontroller/ChainResult.java | 16 ++++++++++++++++ .../egiz/bku/accesscontroller/CommandParamChecker.java | 16 ++++++++++++++++ .../egiz/bku/accesscontroller/InfoboxParamChecker.java | 16 ++++++++++++++++ .../at/gv/egiz/bku/accesscontroller/RuleChecker.java | 16 ++++++++++++++++ .../java/at/gv/egiz/bku/accesscontroller/RuleResult.java | 16 ++++++++++++++++ .../egiz/bku/accesscontroller/SecurityManagerFacade.java | 16 ++++++++++++++++ .../java/at/gv/egiz/bku/accesscontroller/UserAction.java | 16 ++++++++++++++++ 14 files changed, 224 insertions(+) (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java index 81bf1795..d930c74e 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import at.gv.egiz.bku.slexceptions.SLException; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java index 1206c022..60935678 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import at.gv.egiz.bku.slcommands.SLCommand; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java index cd837cd7..19fec084 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.io.InputStream; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java index 11a22c99..f3d15ad6 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; public enum Action { diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java index 4d58df78..3c442a6d 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; public enum AuthenticationClass { diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java index 2e856f06..ace8a75a 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java index a290fe8d..716f81e4 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.util.Collections; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java index a8fb789e..a5547cab 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; /** diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java index 3927c3c9..003eb2f7 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.util.LinkedList; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java index 33689ae0..8fa328de 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.util.regex.Matcher; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java index b0bf7fac..1cba89ef 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.net.InetAddress; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java index 26f42db0..706615c2 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java index 32242772..482d3ecb 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; import java.io.InputStream; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java index 307ec1e5..c1f7028b 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java @@ -1,3 +1,19 @@ +/* +* Copyright 2008 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ package at.gv.egiz.bku.accesscontroller; public enum UserAction { -- cgit v1.2.3 From a3361b40aa8f92849c50db27e349e17b87bebb1e Mon Sep 17 00:00:00 2001 From: wbauer Date: Tue, 9 Sep 2008 12:40:52 +0000 Subject: improved security handling and added shutdown handler git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@27 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/AuthenticationClassifier.java | 82 +++++++++++++++------- 1 file changed, 56 insertions(+), 26 deletions(-) (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java index ace8a75a..ed4b9bda 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -1,30 +1,31 @@ /* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package at.gv.egiz.bku.accesscontroller; import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS; import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED; -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS; import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS; -import java.net.InetAddress; import java.net.URL; -import java.net.UnknownHostException; +import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.List; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -37,6 +38,39 @@ public class AuthenticationClassifier { private AuthenticationClassifier() { } + public static boolean isGovAgency(X509Certificate cert) { + String[] rdns = (cert.getSubjectX500Principal().getName()).split(","); + for (String rdn : rdns) { + if (rdn.startsWith("CN=")) { + String dns = rdn.split("=")[1]; + log.trace("Analyzing cn dn: " + dns); + if (dns.endsWith(GOV_DOMAIN)) { + return true; + } + } + } + try { + Collection> sanList = cert.getSubjectAlternativeNames(); + if (sanList != null) { + for (List san : sanList) { + log.trace("Analyzing subj. alt name: " + san); + if ((Integer) san.get(0) == 2) { + String dns = (String) san.get(1); + if (dns.endsWith(GOV_DOMAIN)) { + return true; + } + } + } + } + } catch (CertificateParsingException e) { + log.error(e); + } + if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { + return true; + } + return false; + } + /** * Client Certificates are currently not supported * @@ -45,13 +79,8 @@ public class AuthenticationClassifier { URL url, X509Certificate cert) { if (isDataUrl) { if (url.getProtocol().equalsIgnoreCase("https")) { - try { - if (InetAddress.getByName(url.getHost()).getCanonicalHostName() - .endsWith(GOV_DOMAIN)) { - return CERTIFIED_GOV_AGENCY; - } - } catch (UnknownHostException e) { - log.error("Cannot determine host name", e); + if (isGovAgency(cert)) { + return CERTIFIED_GOV_AGENCY; } if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { return CERTIFIED_GOV_AGENCY; @@ -68,7 +97,8 @@ public class AuthenticationClassifier { /** * * @param isDataUrl - * @param url if the url's protocol is https a cert parameter must be provided. + * @param url + * if the url's protocol is https a cert parameter must be provided. * @param cert * @return */ -- cgit v1.2.3 From 77a19e106e4128c21dd2d1270fdc8d930e415247 Mon Sep 17 00:00:00 2001 From: wbauer Date: Thu, 18 Dec 2008 08:58:39 +0000 Subject: Fixed BUG #366, changed applet name in BKUOnline to have no version number git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@253 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java index ed4b9bda..61d3d7a5 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -65,7 +65,8 @@ public class AuthenticationClassifier { } catch (CertificateParsingException e) { log.error(e); } - if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { + if ((cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) + || (cert.getExtensionValue("1.2.40.0.10.1.1.2") != null)) { return true; } return false; -- cgit v1.2.3