
perfsonar-dev - perfsonar: r3230 - trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService



perfsonar: r3230 - trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService


  • Subject: perfsonar: r3230 - trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService
  • Date: Tue, 15 Jan 2008 03:58:39 -0500

Author: rodriguez
Date: 2008-01-15 03:58:39 -0500 (Tue, 15 Jan 2008)
New Revision: 3230

Modified:

trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASAction.java

trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASEngine.java

trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/AuthNAction.java
Log:
- Fixing a "bug" of WSS4J which doesn't properly validate timestamps
- New configuration property 'service.as.maxttl'

Modified:
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASAction.java
===================================================================
---
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASAction.java
2008-01-15 08:55:32 UTC (rev 3229)
+++
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASAction.java
2008-01-15 08:58:39 UTC (rev 3230)
@@ -1,5 +1,8 @@
package org.perfsonar.service.authService;

+import java.util.Properties;
+
+import org.apache.ws.security.components.crypto.Crypto;
import org.ggf.ns.nmwg.base.v2_0.Message;
import org.ggf.ns.nmwg.base.v2_0.Metadata;
import org.perfsonar.base.auxiliary.AuxiliaryComponentManager;
@@ -19,6 +22,8 @@
* Reference to configuration
*/
protected ConfigurationComponent configuration;
+
+ protected Properties props;

public ASAction() throws PerfSONARException {
logger = (LoggerComponent)
AuxiliaryComponentManager.getInstance()
@@ -26,6 +31,10 @@
configuration = (ConfigurationComponent)
AuxiliaryComponentManager

.getInstance().getComponent(ComponentNames.CONFIG);
}
+
+ public void setProperties(Properties props) {
+ this.props=props;
+ }

protected Metadata getMetadataFromRequest(Message request) {
// Get Metadata
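Review bot: The new `props` field is a protected, mutable reference that `setProperties` stores without any check, and nothing in ASAction guarantees it is set before `performAction` runs; a subclass that reads it (AuthNAction does, for service.as.maxttl) will fail with a NullPointerException deep inside request processing rather than at wiring time. Either reject null here, `if (props == null) throw new IllegalArgumentException("props");`, or document the ordering requirement on the field: `/** Engine configuration (e.g. service.as.maxttl); the engine must call setProperties before performAction. */`. The setter also keeps the caller's Properties instance, so later changes by the engine are visible to every action sharing it — presumably intended, but worth a comment.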
@@ -37,7 +46,7 @@
}
}

- public abstract Message performAction(Message request)
+ public abstract Message performAction(Crypto tsCrypto,Message request)
throws PerfSONARException;

}
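Review bot: The abstract `performAction` gains a `Crypto tsCrypto` parameter with no Javadoc, so implementers cannot tell what it is for or whether null is acceptable. Add a `@param tsCrypto` line stating that it is the truststore-backed Crypto the engine built from service.as.truststore_file and that it is used to verify the WS-Security header of the request, plus `@throws PerfSONARException` for the failure cases.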

Modified:
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASEngine.java
===================================================================
---
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASEngine.java
2008-01-15 08:55:32 UTC (rev 3229)
+++
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/ASEngine.java
2008-01-15 08:58:39 UTC (rev 3230)
@@ -1,7 +1,9 @@
package org.perfsonar.service.authService;

import java.io.ByteArrayOutputStream;
+import java.io.FileInputStream;
import java.io.PrintWriter;
+import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
@@ -9,9 +11,11 @@
import net.geant.edugain.base.Configurator;
import net.geant.edugain.validation.Validator;

+import org.apache.ws.security.components.crypto.Crypto;
import org.ggf.ns.nmwg.base.v2_0.Message;
import org.perfsonar.base.auxiliary.AuxiliaryComponentManager;
import org.perfsonar.base.auxiliary.ComponentNames;
+import org.perfsonar.base.auxiliary.components.authn.DynamicCrypto;
import
org.perfsonar.base.auxiliary.components.configuration.ConfigurationComponent;
import org.perfsonar.base.auxiliary.components.logger.LoggerComponent;
import org.perfsonar.base.exceptions.PerfSONARException;
@@ -19,6 +23,7 @@
import org.perfsonar.service.base.engine.ServiceEngine;

public class ASEngine implements ServiceEngine {
+ public static final String MAX_TTL_TOKEN = "service.as.maxttl";
private static final String SERVICE_ENGINE_TYPE = "service.as";
private Properties props;
private List<String> acceptedTypes = null;
@@ -27,6 +32,7 @@

private Configurator cfg;
private Validator val;
+ private Crypto tsCrypto;

public ASEngine() throws PerfSONARException {
this.acceptedTypes = Arrays.asList(new String[] {
ActionType.AUTHN_EE_REQUEST });
@@ -45,19 +51,43 @@
}
logger.debug("ASEngine: loading configuration...");
loadConfiguration();
+ logger.debug("ASEngine: init crypto engine...");
+ loadKeyStore();
logger.debug("ASEngine: starting... ");
}
+
+ private void loadKeyStore() throws PerfSONARException {
+ try {
+ KeyStore ks = KeyStore.getInstance("jks");
+ ks.load(new
FileInputStream(props.getProperty(Configurator.PROPS_TRUSTSTORE_FILE)),
props.getProperty(Configurator.PROPS_TRUSTSTORE_PASSWD).toCharArray());
+ tsCrypto=new DynamicCrypto(ks);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PerfSONARException("error.as.crypto",e);
+ }

+ }
+
private void loadConfiguration() throws PerfSONARException {
props=new Properties();
+ String
maxTtlToken=configuration.getProperty(ASEngine.MAX_TTL_TOKEN);
+ if (maxTtlToken!=null) {
+ try {
+ int max=Integer.parseInt(maxTtlToken);
+ props.put(ASEngine.MAX_TTL_TOKEN,
String.valueOf(max));
+ logger.debug("ASEngine: setting max ttl of
token to "+max);
+ } catch (NumberFormatException e) {
+ logger.error("ASEngine: value of the
parameter service.as.maxttl is not valid. Disabled this feature");
+ }
+ }
props.put("provider",
configuration.getProperty("service.as.crypt_provider"));
props.put(Configurator.PROPS_TRUSTSTORE_PASSWD,
configuration.getProperty("service.as.truststore_password"));

props.put(Configurator.PROPS_TRUSTSTORE_FILE,configuration.getProperty("service.as.truststore_file"));

props.put(Configurator.PROPS_VALID_COMPONENTS,configuration.getProperty("service.as.valid_components"));
try {
- logger.debug("AuthNAction: getting the eduGAIN config
object...");
+ logger.debug("ASEngine: getting the eduGAIN config
object...");
cfg = Configurator.getInstance(props);
- logger.debug("AuthNAction: getting the eduGAIN
validator object...");
+ logger.debug("ASEngine: getting the eduGAIN validator
object...");
val=new Validator(props);
} catch (Throwable e) {
e.printStackTrace();
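Review bot: The `FileInputStream` opened in `loadKeyStore` is never closed; `KeyStore.load` does not close the stream it is given, so the truststore file handle leaks on every engine start and also on the exception path. Keep the stream in a local and close it in a `finally`, and replace `e.printStackTrace()` with the class's logger so the failure reaches the service log. In `loadConfiguration`, the unit of service.as.maxttl is not documented anywhere although AuthNAction compares it against the expires−created difference in milliseconds, and `Integer.parseInt` happily accepts zero or a negative value, which would make every timestamped request fail the length check; treat `max <= 0` as invalid in the same error branch and add a comment such as `// maximum accepted validity period of a token's Timestamp, in milliseconds`.

```java
    private void loadKeyStore() throws PerfSONARException {
        FileInputStream in = null;
        try {
            KeyStore ks = KeyStore.getInstance("jks");
            in = new FileInputStream(props.getProperty(Configurator.PROPS_TRUSTSTORE_FILE));
            ks.load(in, props.getProperty(Configurator.PROPS_TRUSTSTORE_PASSWD).toCharArray());
            tsCrypto = new DynamicCrypto(ks);
        } catch (Exception e) {
            logger.error("ASEngine: cannot load the truststore: " + e.getMessage());
            throw new PerfSONARException("error.as.crypto", e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (java.io.IOException ignored) {
                    // the keystore has already been read; nothing left to recover
                }
            }
        }
    }
```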
@@ -96,6 +126,7 @@
// Take an action
if (actionType.equals(ActionType.AUTHN_EE_REQUEST)) {
action = new AuthNAction(val);
+ action.setProperties(props);
}

if (action == null) {
@@ -104,7 +135,7 @@
throw new
PerfSONARException("error.common.action_not_supported", m);
}
logger.debug("ASEngine: processing message");
- Message response = action.performAction(request);
+ Message response = action.performAction(tsCrypto,request);

return response;
}

Modified:
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/AuthNAction.java
===================================================================
---
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/AuthNAction.java
2008-01-15 08:55:32 UTC (rev 3229)
+++
trunk/geant2_java-as/src/main/java/org/perfsonar/service/authService/AuthNAction.java
2008-01-15 08:58:39 UTC (rev 3230)
@@ -1,49 +1,54 @@
package org.perfsonar.service.authService;

-import java.net.URI;
-import java.security.Key;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
import java.util.Iterator;

import net.geant.edugain.validation.ComponentID;
import net.geant.edugain.validation.Validator;

-import org.apache.xml.security.signature.Reference;
-import org.apache.xml.security.signature.SignedInfo;
-import org.apache.xml.security.signature.XMLSignature;
-import org.apache.xml.security.transforms.Transforms;
+import org.apache.axis.MessageContext;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.axis.message.SOAPHeader;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.message.token.Timestamp;
import org.ggf.ns.nmwg.base.v2_0.Data;
import org.ggf.ns.nmwg.base.v2_0.EventType;
import org.ggf.ns.nmwg.base.v2_0.Message;
import org.ggf.ns.nmwg.base.v2_0.Metadata;
import org.ggf.ns.nmwg.base.v2_0.Parameter;
-import org.opensaml.InvalidCryptoException;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
-import org.opensaml.XML;
import org.perfsonar.base.exceptions.PerfSONARException;
import org.perfsonar.service.base.authn.tokens.SecTokenManagerFactory;
import org.perfsonar.service.base.authn.tokens.SecurityToken;
+import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;

public class AuthNAction extends ASAction {
public static final String
X509_ID="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";;
public static final String
SAML_ID="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";;

+ private final String
WSSECHEADER_TIMESTAMP_NS="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";;
+ private final String WSSECHEADER_TIMESTAMP="Timestamp";
+
private static String TYPE_RESPONSE = "AuthNEEResponse";
private static String EVENT_TYPE_SUCCESS = "success.as.authn";
private static String SEC_TOKEN_PARAM = "SecurityToken";
private Validator val;

+ static final WSSecurityEngine secEngine = new WSSecurityEngine();
public AuthNAction(Validator val) throws PerfSONARException {
super();
this.val=val;
}

@Override
- public Message performAction(Message request) throws
PerfSONARException {
+ public Message performAction(Crypto tsCrypto,Message request) throws
PerfSONARException {
SecurityToken st=new
SecurityToken(SecTokenManagerFactory.getDefaultSecTokenManager());
if (!st.hasSecTokenInRequest()) {
String m = "AuthNAction: The request has not sent a
valid Security Token";
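Review bot: `WSSECHEADER_TIMESTAMP_NS` and `WSSECHEADER_TIMESTAMP` are declared `private final` on the instance, so every AuthNAction allocates its own copy of two constants; they should be `private static final` like the other constants in the class. The shared `static final WSSecurityEngine secEngine` is used by every request thread at once, and nothing on the page documents whether the WSS4J engine is safe to share that way — add a comment stating the assumption, e.g. `// shared across requests; assumes WSSecurityEngine.processSecurityHeader is thread-safe — confirm for the WSS4J version in use`, or create it per call if it is not. The new `Crypto tsCrypto` parameter of `performAction` also needs a `@param` line in the method Javadoc; `performAction` continues past the end of this hunk.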
@@ -57,11 +62,15 @@
if (sentSecToken!=null&&

sentSecToken.getParameterValue()!=null&&

sentSecToken.getParameterValue().equals(AuthNAction.X509_ID)) {
+ checkWSSecHeader(tsCrypto);
+ checkTimeStampInfo();
return processX509AuthN(request);
}
else if (sentSecToken!=null&&

sentSecToken.getParameterValue()!=null&&

sentSecToken.getParameterValue().equals(AuthNAction.SAML_ID)) {
+ checkWSSecHeader(tsCrypto);
+ checkTimeStampInfo();
return processSAMLAuthN(request);
}
else {
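Review bot: `checkWSSecHeader(tsCrypto)` and `checkTimeStampInfo()` are duplicated in the X509 and SAML branches, and a future token-type branch could easily miss them; hoisting the two calls above the `if` chain keeps the security-header and timestamp validation in one place regardless of token type. The final `else` rejects unknown token types anyway, so moving the checks before the chain only changes which error is reported first for an unsupported token. The enclosing `performAction` starts before this hunk.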
@@ -72,6 +81,60 @@
}
}

+ private void checkTimeStampInfo() throws PerfSONARException {
+ Calendar now=Calendar.getInstance();
+ String maxttl=props.getProperty(ASEngine.MAX_TTL_TOKEN);
+ if (maxttl!=null) {
+ int max=Integer.parseInt(maxttl);
+ MessageContext mc=MessageContext.getCurrentContext();
+ try {
+ org.apache.axis.Message
m=mc.getCurrentMessage();
+ SOAPHeader sh=(SOAPHeader)m.getSOAPHeader();
+ NodeList
nl=sh.getElementsByTagNameNS(WSSECHEADER_TIMESTAMP_NS,WSSECHEADER_TIMESTAMP);
+ if (nl.getLength()>0) {
+ Element e=(Element)nl.item(0);
+ Timestamp ts=new Timestamp(e);
+ long
start=ts.getCreated().getTimeInMillis();
+ long
end=ts.getExpires().getTimeInMillis();
+ if
(now.before(ts.getCreated())||now.after(ts.getExpires())) {
+ logger.error("AuthNAction:
security token not valid. The token was created before or after right now");
+ throw new
PerfSONARException("error.authn.timestamp","Security token not valid. The
token was created before or after right now");
+ }
+ if ((end-start)>max) {
+ logger.error("AuthNAction:
security token not valid. The valid period of time of the token is too long.
Max allowed is "+max);
+ throw new
PerfSONARException("error.authn.timestamp","The valid period of time of the
token is too long. Max allowed is "+max);
+ }
+ }
+ else {
+ logger.error("AuthNAction: security
token not valid. It's not included the timestamp information");
+ throw new
PerfSONARException("error.authn.timestamp","AuthNAction: It's not included
the timestamp information");
+ }
+ } catch (PerfSONARException e) {
+ throw e;
+ } catch (Exception e) {
+ e.printStackTrace();
+ String m = "AuthNAction: Error getting the
SOAP envelope of the authN request";
+ logger.error(m);
+ throw new PerfSONARException("error.authn.soap", m);
+ }
+ }
+ }
+
+ private void checkWSSecHeader(Crypto tsCrypto) throws
PerfSONARException {
+ MessageContext mc=MessageContext.getCurrentContext();
+ try {
+ org.apache.axis.Message m=mc.getCurrentMessage();
+ SOAPEnvelope env=m.getSOAPEnvelope();
+ Document doc=env.getAsDocument();
+ secEngine.processSecurityHeader(doc, null, null,
tsCrypto);
+ } catch (Exception e) {
+ e.printStackTrace();
+ String m = "Error getting the SOAP envelope of the
authN request";
+ logger.error(m);
+ throw new PerfSONARException("error.authn.soap", m);
+ }
+ }
+
private Message processSAMLAuthN(Message request) throws
PerfSONARException {
logger.debug("AuthNAction: Processing the authN using the
SAML assertion");
SecurityToken st=new
SecurityToken(SecTokenManagerFactory.getDefaultSecTokenManager());
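Review bot: `checkTimeStampInfo` performs no validation at all when `service.as.maxttl` is absent — the created/expires window check and the "timestamp missing" rejection are both inside the `if (maxttl!=null)` gate, and ASEngine drops the key when the value does not parse ("Disabled this feature"), so a deployment without that optional property gets no timestamp check, which is what the commit log says it fixes; only the `(end-start)>max` comparison should depend on the property. `ts.getExpires()` (or `getCreated()`) can be null when the Timestamp element carries no Expires, and the resulting NullPointerException is swallowed by the generic catch and reported as "error.authn.soap", misattributing a bad token to a SOAP parsing problem. The Timestamp inspected is the first element of that name anywhere in the SOAP header, not necessarily the one covered by the security header that `checkWSSecHeader` verified, and the result vector `processSecurityHeader` returns is discarded — if I recall correctly WSS4J reports the processed timestamp in that result (`WSConstants.TS`), so taking it from there would tie the check to the verified header; please confirm against the WSS4J version in use. Both catch blocks also print the stack trace to stdout and drop the cause; log `e.getMessage()` through `logger` instead.

```java
    private void checkTimeStampInfo() throws PerfSONARException {
        Calendar now = Calendar.getInstance();
        String maxttl = props.getProperty(ASEngine.MAX_TTL_TOKEN);
        // -1 means "no limit on the validity period"; the created/expires window is always enforced
        int max = (maxttl != null) ? Integer.parseInt(maxttl) : -1;
        MessageContext mc = MessageContext.getCurrentContext();
        try {
            // … unchanged: fetch the SOAPHeader and the wsu:Timestamp NodeList nl …
            if (nl.getLength() == 0) {
                // … unchanged: log and throw error.authn.timestamp (timestamp missing) …
            }
            Timestamp ts = new Timestamp((Element) nl.item(0));
            if (ts.getCreated() == null || ts.getExpires() == null) {
                logger.error("AuthNAction: security token not valid. Timestamp lacks Created or Expires");
                throw new PerfSONARException("error.authn.timestamp", "Timestamp lacks Created or Expires");
            }
            if (now.before(ts.getCreated()) || now.after(ts.getExpires())) {
                // … unchanged: log and throw error.authn.timestamp (outside validity window) …
            }
            long ttl = ts.getExpires().getTimeInMillis() - ts.getCreated().getTimeInMillis();
            if (max >= 0 && ttl > max) {
                // … unchanged: log and throw error.authn.timestamp (validity period too long) …
            }
        } catch (PerfSONARException e) {
            throw e;
        } catch (Exception e) {
            String m = "AuthNAction: Error getting the SOAP envelope of the authN request";
            logger.error(m + ": " + e.getMessage());
            throw new PerfSONARException("error.authn.soap", m);
        }
    }
```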


