From b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd Mon Sep 17 00:00:00 2001 From: mcentner Date: Wed, 5 May 2010 15:29:01 +0000 Subject: Merged feature branch mocca-1.2.13-id@r724 back to trunk. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@725 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../bku/spring/ConfigurableHostnameVerifier.java | 77 +++++++ .../egiz/bku/spring/ConfigurationFactoryBean.java | 172 +++++++++++++++ .../gv/egiz/bku/spring/PKIProfileFactoryBean.java | 235 +++++++++++++++++++++ .../at/gv/egiz/bku/spring/PKITrustManager.java | 173 +++++++++++++++ .../gv/egiz/bku/spring/SSLSocketFactoryBean.java | 109 ++++++++++ .../bku/spring/SecurityManagerFactoryBean.java | 102 +++++++++ 6 files changed, 868 insertions(+) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurableHostnameVerifier.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurationFactoryBean.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/PKITrustManager.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/SecurityManagerFactoryBean.java (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/spring') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurableHostnameVerifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurableHostnameVerifier.java new file mode 100644 index 00000000..c2f64994 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurableHostnameVerifier.java @@ -0,0 +1,77 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; + +import org.apache.commons.configuration.Configuration; + +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; + +public class ConfigurableHostnameVerifier implements HostnameVerifier { + + /** + * The configuration facade. + */ + protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade implements MoccaConfigurationFacade { + + private Configuration configuration; + + public static final String SSL_DISSABLE_HOSTNAME_VERIFICATION = "SSL.disableHostnameVerification"; + + public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks"; + + public boolean disableSslHostnameVerification() { + return configuration.getBoolean(SSL_DISSABLE_HOSTNAME_VERIFICATION, false); + } + + public boolean disableAllSslChecks() { + return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false); + } + + } + + /** + * @return the configuration + */ + public Configuration getConfiguration() { + return configurationFacade.configuration; + } + + /** + * @param configuration the configuration to set + */ + public void setConfiguration(Configuration configuration) { + configurationFacade.configuration = configuration; + } + + + @Override + public boolean verify(String hostname, SSLSession session) { + if (configurationFacade.disableAllSslChecks() || configurationFacade.disableSslHostnameVerification()) { + return true; + } else { + return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session); + } + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurationFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurationFactoryBean.java new file mode 100644 index 00000000..a6a7c346 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/ConfigurationFactoryBean.java @@ -0,0 +1,172 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import java.io.IOException; +import java.net.URL; +import java.util.HashMap; +import java.util.Map; +import java.util.jar.Attributes; +import java.util.jar.Manifest; + +import org.apache.commons.configuration.CompositeConfiguration; +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.MapConfiguration; +import org.apache.commons.configuration.XMLConfiguration; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.context.ResourceLoaderAware; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; + +import at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandImpl; + +/** + * This is a {@link FactoryBean} for the creation of a {@link Configuration}. + * + * @author mcentner + */ +public class ConfigurationFactoryBean implements FactoryBean, ResourceLoaderAware { + + protected static final Logger log = LoggerFactory.getLogger(ConfigurationFactoryBean.class); + + public static final String DEFAULT_CONFIG = "/WEB-INF/conf/configuration.xml"; + + public static final String MOCCA_IMPLEMENTATIONNAME_PROPERTY = "ProductName"; + + public static final String MOCCA_IMPLEMENTATIONVERSION_PROPERTY = "ProductVersion"; + + public static final String SIGNATURE_LAYOUT_PROPERTY = "SignatureLayout"; + + /** + * The URL of the configuration file. + */ + protected Resource configurationResource; + + /** + * The ResourceLoader. + */ + protected ResourceLoader resourceLoader; + + @Override + public void setResourceLoader(ResourceLoader resourceLoader) { + this.resourceLoader = resourceLoader; + } + + /** + * @return the configurationURL + */ + public Resource getConfigurationResource() { + return configurationResource; + } + + /** + * @param configurationResource the configurationURL to set + */ + public void setConfigurationResource(Resource configurationResource) { + this.configurationResource = configurationResource; + } + + protected Configuration getDefaultConfiguration() + throws ConfigurationException, IOException { + Resource resource = resourceLoader.getResource(DEFAULT_CONFIG); + XMLConfiguration xmlConfiguration = new XMLConfiguration(); + xmlConfiguration.load(resource.getInputStream()); + xmlConfiguration.setURL(resource.getURL()); + return xmlConfiguration; + } + + protected Configuration getVersionConfiguration() throws IOException { + + Map map = new HashMap(); + map.put(MOCCA_IMPLEMENTATIONNAME_PROPERTY, "MOCCA"); + + // implementation version + String version = null; + try { + Resource resource = resourceLoader.getResource("META-INF/MANIFEST.MF"); + Manifest properties = new Manifest(resource.getInputStream()); + Attributes attributes = properties.getMainAttributes(); + // TODO: replace by Implementation-Version ? + version = attributes.getValue("Implementation-Build"); + } catch (Exception e) { + log.warn("Failed to get implemenation version from manifest. {}", e.getMessage()); + } + + if (version == null) { + version="UNKNOWN"; + } + map.put(MOCCA_IMPLEMENTATIONVERSION_PROPERTY, version); + + // signature layout + try { + String classContainer = CreateXMLSignatureCommandImpl.class.getProtectionDomain() + .getCodeSource().getLocation().toString(); + URL manifestUrl = new URL("jar:" + classContainer + + "!/META-INF/MANIFEST.MF"); + Manifest manifest = new Manifest(manifestUrl.openStream()); + Attributes attributes = manifest.getMainAttributes(); + String signatureLayout = attributes.getValue("SignatureLayout"); + if (signatureLayout != null) { + map.put(SIGNATURE_LAYOUT_PROPERTY, signatureLayout); + } + } catch (Exception e) { + log.warn("Failed to get signature layout from manifest.", e); + } + + + return new MapConfiguration(map); + + } + + @Override + public Object getObject() throws Exception { + + log.info("Configuration resource is {}.", configurationResource); + + CompositeConfiguration configuration; + if (configurationResource == null) { + // initialize default configuration + log.warn("Initializing with default configuration."); + configuration = new CompositeConfiguration(); + } else { + // initialize with writable configuration + URL url = configurationResource.getURL(); + XMLConfiguration writableConfiguration = new XMLConfiguration(url); + configuration = new CompositeConfiguration(writableConfiguration); + log.info("Initialized with configuration from '{}'.", url); + } + configuration.addConfiguration(getDefaultConfiguration()); + configuration.addConfiguration(getVersionConfiguration()); + return configuration; + } + + @Override + public Class getObjectType() { + return Configuration.class; + } + + @Override + public boolean isSingleton() { + return true; + } + + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java new file mode 100644 index 00000000..97a0d872 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java @@ -0,0 +1,235 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import iaik.logging.LogConfigurationException; +import iaik.logging.LoggerConfig; +import iaik.logging.impl.TransactionIdImpl; +import iaik.pki.DefaultPKIConfiguration; +import iaik.pki.DefaultPKIProfile; +import iaik.pki.PKIException; +import iaik.pki.PKIFactory; +import iaik.pki.PKIProfile; +import iaik.pki.revocation.RevocationSourceTypes; +import iaik.pki.store.certstore.CertStoreParameters; +import iaik.pki.store.certstore.directory.DefaultDirectoryCertStoreParameters; +import iaik.pki.store.truststore.DefaultTrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreTypes; + +import java.io.File; +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.Properties; + +import org.apache.commons.configuration.CompositeConfiguration; +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.FileConfiguration; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.context.ResourceLoaderAware; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; + +import at.gv.egiz.bku.conf.IAIKLogAdapterFactory; +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; + +public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware { + + /** + * The configuration facade. + */ + protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade implements MoccaConfigurationFacade { + + private Configuration configuration; + + public static final String SSL_CERT_DIRECTORY = "SSL.certDirectory"; + + public static final String SSL_CERT_DIRECTORY_DEFAULT = "classpath:at/gv/egiz/bku/certs/certStore"; + + public static final String SSL_CA_DIRECTORY = "SSL.caDirectory"; + + public static final String SSL_CA_DIRECTORY_DEFAULT = "classpath:at/gv/egiz/bku/certs/trustStore"; + + public URL getCertDirectory() throws MalformedURLException { + return getURL(SSL_CERT_DIRECTORY); + } + + public URL getCaDirectory() throws MalformedURLException { + return getURL(SSL_CA_DIRECTORY); + } + + private URL getURL(String key) throws MalformedURLException { + String url = configuration.getString(key); + if (url == null || url.isEmpty()) { + return null; + } + return new URL(getBasePath(key), configuration.getString(key)); + } + + private URL getBasePath(String key) { + Configuration configuration = this.configuration; + if (configuration instanceof CompositeConfiguration) { + CompositeConfiguration compositeConfiguration = (CompositeConfiguration) configuration; + for (int i = 0; i < compositeConfiguration.getNumberOfConfigurations(); i++) { + if (compositeConfiguration.getConfiguration(i).containsKey(key)) { + configuration = compositeConfiguration.getConfiguration(i); + break; + } + } + } + if (configuration instanceof FileConfiguration) { + return ((FileConfiguration) configuration).getURL(); + } + return null; + } + + } + + + private ResourceLoader resourceLoader; + + protected String trustProfileId; + + @Override + public void setResourceLoader(ResourceLoader loader) { + this.resourceLoader = loader; + } + + /** + * @return the configuration + */ + public Configuration getConfiguration() { + return configurationFacade.configuration; + } + + /** + * @param configuration the configuration to set + */ + public void setConfiguration(Configuration configuration) { + configurationFacade.configuration = configuration; + } + + /** + * @return the trustProfileId + */ + public String getTrustProfileId() { + return trustProfileId; + } + + /** + * @param trustProfileId the trustProfileId to set + */ + public void setTrustProfileId(String trustProfileId) { + this.trustProfileId = trustProfileId; + } + + protected File getDirectory(String url) throws IOException { + Resource resource = resourceLoader.getResource(url); + File path = resource.getFile(); + if (!path.exists() && !path.isDirectory()) { + throw new IOException("URL '" + url + "' is not a directory."); + } + return path; + } + + protected void configureIAIKLogging() { + // initialize IAIK logging for PKI module + iaik.logging.LogFactory.configure(new LoggerConfig() { + + @Override + public Properties getProperties() throws LogConfigurationException { + return null; + } + + @Override + public String getNodeId() { + return "pki"; + } + + @Override + public String getFactory() { + return IAIKLogAdapterFactory.class.getName(); + } + }); + } + + protected void configurePkiFactory() throws MalformedURLException, PKIException, IOException { + + URL url = configurationFacade.getCertDirectory(); + File certDirectory = (url != null) + ? getDirectory(url.toString()) + : getDirectory(ConfigurationFacade.SSL_CERT_DIRECTORY_DEFAULT); + + CertStoreParameters[] certStoreParameters = { new DefaultDirectoryCertStoreParameters( + "CS", certDirectory.getAbsolutePath(), true, false) }; + + DefaultPKIConfiguration pkiConfiguration = new DefaultPKIConfiguration(certStoreParameters); + + + PKIFactory pkiFactory = PKIFactory.getInstance(); + pkiFactory.configure(pkiConfiguration, new TransactionIdImpl("Configure-PKI")); + } + + protected TrustStoreProfile createDirectoryTrustStoreProfile() throws MalformedURLException, IOException { + + URL url = configurationFacade.getCaDirectory(); + File caDirectory = (url != null) + ? getDirectory(url.toString()) + : getDirectory(ConfigurationFacade.SSL_CA_DIRECTORY_DEFAULT); + + return new DefaultTrustStoreProfile(trustProfileId, + TrustStoreTypes.DIRECTORY, caDirectory.getAbsolutePath()); + + } + + @Override + public Object getObject() throws Exception { + + configureIAIKLogging(); + + PKIFactory pkiFactory = PKIFactory.getInstance(); + + if (!pkiFactory.isAlreadyConfigured()) { + configurePkiFactory(); + } + + TrustStoreProfile trustProfile = createDirectoryTrustStoreProfile(); + + DefaultPKIProfile pkiProfile = new DefaultPKIProfile(trustProfile); + + pkiProfile.setAutoAddCertificates(true); + pkiProfile.setPreferredServiceOrder(new String[] { + RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL }); + + return pkiProfile; + } + + @Override + public Class getObjectType() { + return PKIProfile.class; + } + + @Override + public boolean isSingleton() { + return false; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKITrustManager.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKITrustManager.java new file mode 100644 index 00000000..36fdcd06 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKITrustManager.java @@ -0,0 +1,173 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import iaik.logging.TransactionId; +import iaik.pki.PKIException; +import iaik.pki.PKIFactory; +import iaik.pki.PKIModule; +import iaik.pki.PKIProfile; +import iaik.pki.store.truststore.TrustStore; +import iaik.pki.store.truststore.TrustStoreException; +import iaik.pki.store.truststore.TrustStoreFactory; + +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Date; + +import javax.net.ssl.X509TrustManager; + +import org.apache.commons.configuration.Configuration; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.slf4j.MDC; + +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; + +public class PKITrustManager implements X509TrustManager { + + Logger log = LoggerFactory.getLogger(PKITrustManager.class); + + protected PKIProfile pkiProfile; + + /** + * The configuration facade. + */ + protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade implements MoccaConfigurationFacade { + + private Configuration configuration; + + public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks"; + + public boolean disableAllSslChecks() { + return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false); + } + + } + + /** + * @return the configuration + */ + public Configuration getConfiguration() { + return configurationFacade.configuration; + } + + /** + * @param configuration the configuration to set + */ + public void setConfiguration(Configuration configuration) { + configurationFacade.configuration = configuration; + } + + /** + * @return the pkiProfile + */ + public PKIProfile getPkiProfile() { + return pkiProfile; + } + + /** + * @param pkiProfile the pkiProfile to set + */ + public void setPkiProfile(PKIProfile pkiProfile) { + this.pkiProfile = pkiProfile; + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + checkServerTrusted(chain, authType); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + + if (pkiProfile == null) { + throw new CertificateException("No PKI profile set. Configuration error."); + } + + if (configurationFacade.disableAllSslChecks()) { + log.warn("SSL certificate validation disabled. " + + "Accepted certificate {}.", chain[0].getSubjectDN()); + } else { + + iaik.x509.X509Certificate[] certs = convertCerts(chain); + + TransactionId tid = new MDCTransactionId(); + try { + PKIModule pkiModule = PKIFactory.getInstance().getPKIModule(pkiProfile); + if (!pkiModule.validateCertificate(new Date(), certs[0], certs, null, + tid).isCertificateValid()) { + throw new CertificateException("Certificate not valid."); + } + } catch (PKIException e) { + log.warn("Failed to validate certificate.", e); + throw new CertificateException("Failed to validate certificate. " + e.getMessage()); + } + + } + + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + + if (pkiProfile == null) { + log.warn("No PKI profile set. Configuration error."); + return new X509Certificate[] {}; + } + + TransactionId tid = new MDCTransactionId(); + + try { + + TrustStore trustStore = TrustStoreFactory.getInstance(pkiProfile.getTrustStoreProfile(), tid); + return (X509Certificate[]) trustStore.getTrustedCertificates(tid).toArray(); + + } catch (TrustStoreException e) { + log.warn("Failed to get list of accepted issuers.", e); + return new X509Certificate[] {}; + } + + } + + private static iaik.x509.X509Certificate[] convertCerts( + X509Certificate[] certs) throws CertificateException { + iaik.x509.X509Certificate[] retVal = new iaik.x509.X509Certificate[certs.length]; + int i = 0; + for (X509Certificate cert : certs) { + if (cert instanceof iaik.x509.X509Certificate) { + retVal[i++] = (iaik.x509.X509Certificate) cert; + } else { + retVal[i++] = new iaik.x509.X509Certificate(cert.getEncoded()); + } + } + return retVal; + } + + private static class MDCTransactionId implements TransactionId { + @Override + public String getLogID() { + String sessionId = MDC.get("SessionId"); + return (sessionId != null) ? sessionId : "PKITrustManager"; + } + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java new file mode 100644 index 00000000..f6dbddd6 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java @@ -0,0 +1,109 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import iaik.pki.PKIProfile; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; + +import org.apache.commons.configuration.Configuration; +import org.springframework.beans.factory.FactoryBean; + +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; + +public class SSLSocketFactoryBean implements FactoryBean { + + protected PKIProfile pkiProfile; + + /** + * The configuration facade. + */ + protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade implements MoccaConfigurationFacade { + + private Configuration configuration; + + public static final String SSL_PROTOCOL = "SSL.sslProtocol"; + + public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks"; + + public String getSslProtocol() { + return configuration.getString(SSL_PROTOCOL, "TLS"); + } + + public boolean disableAllSslChecks() { + return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false); + } + + } + + /** + * @return the configuration + */ + public Configuration getConfiguration() { + return configurationFacade.configuration; + } + + /** + * @param configuration the configuration to set + */ + public void setConfiguration(Configuration configuration) { + configurationFacade.configuration = configuration; + } + + /** + * @return the pkiProfile + */ + public PKIProfile getPkiProfile() { + return pkiProfile; + } + + /** + * @param pkiProfile the pkiProfile to set + */ + public void setPkiProfile(PKIProfile pkiProfile) { + this.pkiProfile = pkiProfile; + } + + @Override + public Object getObject() throws Exception { + + PKITrustManager pkiTrustManager = new PKITrustManager(); + pkiTrustManager.setConfiguration(configurationFacade.configuration); + pkiTrustManager.setPkiProfile(pkiProfile); + + SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol()); + sslContext.init(null, new TrustManager[] {pkiTrustManager}, null); + + return sslContext.getSocketFactory(); + } + + @Override + public Class getObjectType() { + return SSLSocketFactory.class; + } + + @Override + public boolean isSingleton() { + return false; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SecurityManagerFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SecurityManagerFactoryBean.java new file mode 100644 index 00000000..4e9e4d76 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SecurityManagerFactoryBean.java @@ -0,0 +1,102 @@ +/* +* Copyright 2009 Federal Chancellery Austria and +* Graz University of Technology +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +package at.gv.egiz.bku.spring; + +import org.apache.commons.configuration.Configuration; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.context.ResourceLoaderAware; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; + +import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade; + +public class SecurityManagerFactoryBean implements ResourceLoaderAware, + FactoryBean { + + protected ResourceLoader resourceLoader; + + protected ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + public class ConfigurationFacade { + + protected ConfigurationFacade() { + } + + public static final String ACCESSCONTROLLER_POLICYRESOURCE = "AccessController.PolicyResource"; + + public static final String ACCESSCONTROLLER_DEFAULT_POLICYRESOURCE = "classpath:/at/gv/egiz/bku/accesscontrol/config/accessControlConfig.xml"; + + public static final String ACCESSCONTROLLER_ACCEPTNOMATCH = "AccessController.AcceptNoMatch"; + + public static final boolean ACCESSCONTROLLER_DEFAULT_ACCEPTNOMATCH = false; + + protected String getPolicyResource() { + return configuration.getString(ACCESSCONTROLLER_POLICYRESOURCE, ACCESSCONTROLLER_DEFAULT_POLICYRESOURCE); + } + + protected boolean getAcceptNoMatch() { + return configuration.getBoolean(ACCESSCONTROLLER_ACCEPTNOMATCH, ACCESSCONTROLLER_DEFAULT_ACCEPTNOMATCH); + } + + } + + protected Configuration configuration; + + /** + * @return the configuration + */ + public Configuration getConfiguration() { + return configuration; + } + + /** + * @param configuration the configuration to set + */ + public void setConfiguration(Configuration configuration) { + this.configuration = configuration; + } + + @Override + public void setResourceLoader(ResourceLoader resourceLoader) { + this.resourceLoader = resourceLoader; + } + + @Override + public Object getObject() throws Exception { + + SecurityManagerFacade sm = new SecurityManagerFacade(); + sm.setAllowUnmatched(configurationFacade.getAcceptNoMatch()); + + Resource policyResource = resourceLoader.getResource(configurationFacade.getPolicyResource()); + sm.init(policyResource.getInputStream()); + + return sm; + + } + + @Override + public Class getObjectType() { + return SecurityManagerFacade.class; + } + + @Override + public boolean isSingleton() { + return true; + } + +} -- cgit v1.2.3