From: John C. <jc...@us...> - 2007-03-21 21:01:46
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/gen/util In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv17869/src/org/tolven/gen/util Removed Files: FamilyGenerator.java Log Message: Make FamilyGenerator callable from remote client --- FamilyGenerator.java DELETED --- |
From: John C. <jc...@us...> - 2007-03-21 21:01:45
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/gen In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv17869/src/org/tolven/gen Added Files: FamilyGeneratorLocal.java FamilyGeneratorRemote.java Log Message: Make FamilyGenerator callable from remote client --- NEW FILE: FamilyGeneratorLocal.java --- package org.tolven.gen; import java.util.Date; import org.tolven.gen.entity.FamilyUnit; public interface FamilyGeneratorLocal { /** * Create a family. * If family name is non-null, then we'll take it as the family name of the family otherwise we'll * use a random name. */ public FamilyUnit generateFamily( String familyName, Date now ) throws Exception; } --- NEW FILE: FamilyGeneratorRemote.java --- package org.tolven.gen; import java.util.Date; import org.tolven.gen.entity.FamilyUnit; public interface FamilyGeneratorRemote { /** * Create a family. * If family name is non-null, then we'll take it as the family name of the family otherwise we'll * use a random name. */ public FamilyUnit generateFamily( String familyName, Date now ) throws Exception; } |
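Review bot: FamilyGeneratorLocal and FamilyGeneratorRemote declare the identical method generateFamily(String familyName, Date now) throws Exception with the same Javadoc; a shared super-interface would keep the two from drifting, and throws Exception should be narrowed to the checked exceptions generateFamily can actually raise so callers do not have to catch Exception. Separately, a Remote view makes the generator callable from outside the container; the bean's access restrictions are not part of this change, so confirm the remote interface is limited to the roles that are allowed to create (test) families in an account.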
From: John C. <jc...@us...> - 2007-03-21 20:11:58
Update of /cvsroot/tolven/tolvenEJB/resources/trim In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv28886/resources/trim Modified Files: Tag: P_JC_DATAENTRY4 weight.trim Log Message: Fix unit test. Update XSD. Index: weight.trim =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/resources/trim/weight.trim,v retrieving revision 1.2 retrieving revision 1.2.4.1 diff -C2 -d -r1.2 -r1.2.4.1 *** weight.trim 12 Mar 2007 08:47:12 -0000 1.2 --- weight.trim 21 Mar 2007 20:11:55 -0000 1.2.4.1 *************** *** 25,31 **** </title> <effectiveTime> ! <TS>20070101090000</TS> </effectiveTime> ! <activityTime> <null>ASKU</null> </activityTime> --- 25,34 ---- </title> <effectiveTime> ! <new datatype="TS" default="now"> ! <label language="en">Observation time</label> ! <input type="time"/> ! </new> </effectiveTime> ! <activityTime> <null>ASKU</null> </activityTime> |
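Review bot: the fixed <TS>20070101090000</TS> becomes a <new datatype="TS" default="now"> element with an <input type="time"/>, that is, a user-supplied value; the log message says the XSD was updated to match, but no XSD diff is in this commit mail, so the schema change should be committed alongside and the format and range check for the entered time should live in that schema or the data-entry code rather than be assumed by the template. The second "!" marker on <activityTime> shows no textual difference; it is whitespace only.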
From: John C. <jc...@us...> - 2007-03-21 20:11:57
Update of /cvsroot/tolven/tolvenEJB/src/test/rules In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv28886/src/test/rules Modified Files: Tag: P_JC_DATAENTRY4 unitTest3.drl Log Message: Fix unit test. Update XSD. Index: unitTest3.drl =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/test/rules/unitTest3.drl,v retrieving revision 1.1 retrieving revision 1.1.12.1 diff -C2 -d -r1.1 -r1.1.12.1 *** unitTest3.drl 4 Feb 2007 16:39:57 -0000 1.1 --- unitTest3.drl 21 Mar 2007 20:11:55 -0000 1.1.12.1 *************** *** 15,19 **** $trim: Trim() then ! for (ActSlot act : $trim.getActs()) assert( act ); counter.bump(); end --- 15,19 ---- $trim: Trim() then ! assert( $trim.getAct() ); counter.bump(); end |
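Review bot: the consequence changes from iterating $trim.getActs() to a single assert( $trim.getAct() ); if getAct() can return null for a Trim without an act, assert(null) fails the rule at runtime instead of the rule simply not firing, so either guard the call or constrain the pattern (for example Trim( act != null )) so that the unit test exercises the intended path and reports a clear failure otherwise.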
From: John C. <jc...@us...> - 2007-03-21 15:11:09
Update of /cvsroot/tolven/tolven/security-config In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv31131/security-config Modified Files: build.xml Log Message: Include official CA certificate roots (from JDK) in the CACERTS file used by tolven in JBoss. This allows JavaMail, or other components that need to verify real certificates, to do so without being limited to the self-signed certificates created by Tolven in a development environment. Also, remove java.home property from ant-build-properties. Let the system default be used (Ant properties are immutable so an attempt to override is a waste of time). Index: build.xml =================================================================== RCS file: /cvsroot/tolven/tolven/security-config/build.xml,v retrieving revision 1.62 retrieving revision 1.63 diff -C2 -d -r1.62 -r1.63 *** build.xml 3 Dec 2006 08:54:13 -0000 1.62 --- build.xml 21 Mar 2007 15:10:59 -0000 1.63 *************** *** 4,7 **** --- 4,8 ---- <target name="required-properties"> + <fail unless="java.home" /> <fail unless="ldap.location" /> <fail unless="postgres.location" /> *************** *** 265,268 **** --- 266,272 ---- <arg line="-import -noprompt -keystore tolvendev-jboss-cacerts.jks -keypass ${tolven.jboss.truststore.db.key} -storepass ${tolven.jboss.truststore} -alias tolven-demo-db-host -file tolvendev-db-cert.der" /> </exec> + <exec dir="${tolven.security.openssl.jboss.dir}" executable="${tolven.security.keytool.command}" failonerror="true"> + <arg line="-importkeystore -noprompt -destkeystore tolvendev-jboss-cacerts.jks -deststorepass ${tolven.jboss.truststore} -srckeystore '${java.home}/lib/security/cacerts' -srcstorepass changeit" /> + </exec> </target> |
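Review bot: importing the whole JDK root set into tolvendev-jboss-cacerts.jks also widens the trust applied to the tolven-demo-db-host certificate imported two lines above: any server presenting a certificate that chains to one of those public CAs and matches the expected hostname is now accepted, where previously only the self-signed development certificate was. If JavaMail is the only consumer that needs public roots, give it its own truststore and leave the database/JBoss trust pinned. Smaller points: <fail unless="java.home" /> can never fire because the JVM always defines java.home, so it documents intent rather than checking anything; -importkeystore exists only in the JDK 6 keytool, so ${tolven.security.keytool.command} must point at a 1.6 keytool; changeit is the JDK's default cacerts password and deserves a comment saying so; and since the JVM's java.home for a JDK is its jre/ directory, '${java.home}/lib/security/cacerts' is correct only when the property comes from the JVM, not from the c:/jdk1.6.0 value the template used to set.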
From: John C. <jc...@us...> - 2007-03-21 15:11:05
Update of /cvsroot/tolven/tolven/template In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv31131/template Modified Files: ant-build.template Log Message: Include official CA certificate roots (from JDK) in the CACERTS file used by tolven in JBoss. This allows JavaMail, or other components that need to verify real certificates, to do so without being limited to the self-signed certificates created by Tolven in a development environment. Also, remove java.home property from ant-build-properties. Let the system default be used (Ant properties are immutable so an attempt to override is a waste of time). Index: ant-build.template =================================================================== RCS file: /cvsroot/tolven/tolven/template/ant-build.template,v retrieving revision 1.54 retrieving revision 1.55 diff -C2 -d -r1.54 -r1.55 *** ant-build.template 20 Mar 2007 09:13:56 -0000 1.54 --- ant-build.template 21 Mar 2007 15:10:59 -0000 1.55 *************** *** 9,13 **** postgres.location=c:/postgreSQL/8.2/ postgres.location.browsable=true ! java.home=c:/jdk1.6.0 jboss.location=${tolven.home}/tolven-jboss-4.0.4.GA jdbc.host=localhost --- 9,13 ---- postgres.location=c:/postgreSQL/8.2/ postgres.location.browsable=true ! jboss.location=${tolven.home}/tolven-jboss-4.0.4.GA jdbc.host=localhost |
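The two commit mails above (security-config/build.xml and template/ant-build.template) merge the JDK's public root certificates into the single tolvendev-jboss-cacerts.jks that JBoss uses for everything. The following is an added example, not Tolven project code: it performs the same merge in Java, but into a separate in-memory truststore, so the reader can see how many public anchors the merge introduces and how each consumer (SMTP versus the database connection) can be handed its own SSLContext. It assumes only a JDK with the standard lib/security/cacerts under the default password changeit; the optional pinned truststore path and password on the command line are the caller's, and the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Tolven code): merge trust anchors the way
 * "keytool -importkeystore" does, but into a purpose-specific store,
 * and build one SSLContext per consumer instead of one shared truststore.
 */
public class TrustStoreAudit {

    /** Load a keystore file; a null path yields an empty in-memory store. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (path == null) { ks.load(null, null); return ks; }
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** SHA-256 over the DER encoding, to recognise the same CA stored under two aliases. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Copy every trusted-certificate entry from src into dest (what the build's
     * -importkeystore does). Certificates already in dest are skipped and alias
     * clashes get a suffix rather than overwriting. Returns the aliases added.
     */
    static List<String> mergeTrustedCerts(KeyStore dest, KeyStore src) throws Exception {
        Set<String> seen = new HashSet<String>();
        for (Enumeration<String> e = dest.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (dest.isCertificateEntry(alias)) seen.add(fingerprint(dest.getCertificate(alias)));
        }
        List<String> added = new ArrayList<String>();
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isCertificateEntry(alias)) continue;
            Certificate cert = src.getCertificate(alias);
            if (!seen.add(fingerprint(cert))) continue;           // same CA under another alias
            String destAlias = dest.containsAlias(alias) ? alias + "-imported" : alias;
            dest.setCertificateEntry(destAlias, cert);
            added.add(destAlias);
        }
        return added;
    }

    /** A TLS context that trusts exactly the anchors in ts and nothing else. */
    static SSLContext contextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java TrustStoreAudit [pinned-truststore.jks storepass] */
    public static void main(String[] args) throws Exception {
        // The JVM's java.home is the JRE directory, so this path is right for a JDK as well.
        KeyStore jdkRoots = load(System.getProperty("java.home") + "/lib/security/cacerts",
                                 "changeit".toCharArray());       // JDK default cacerts password

        // Pinned store (the dev CA / db-host certs in Tolven's case); empty if no path is given.
        KeyStore pinned = load(args.length > 0 ? args[0] : null,
                               args.length > 1 ? args[1].toCharArray() : null);

        // Separate store for the one component that must verify public certificates (JavaMail).
        KeyStore publicTrust = load(null, null);
        mergeTrustedCerts(publicTrust, pinned);                   // keep the dev certs too
        List<String> added = mergeTrustedCerts(publicTrust, jdkRoots);

        System.out.println("pinned store anchors: " + pinned.size());
        System.out.println("public store anchors: " + publicTrust.size()
                + " (" + added.size() + " from JDK cacerts)");
        for (int i = 0; i < Math.min(5, added.size()); i++) {
            X509Certificate c = (X509Certificate) publicTrust.getCertificate(added.get(i));
            System.out.println("  now trusted: " + c.getSubjectX500Principal().getName());
        }

        // Each consumer gets its own context; the database side never sees the public roots.
        SSLContext forSmtp = contextFor(publicTrust);
        System.out.println("SMTP context: " + forSmtp.getProtocol());
        if (pinned.size() > 0) {
            SSLContext forDb = contextFor(pinned);
            System.out.println("DB context:   " + forDb.getProtocol());
        }
    }
}
```

Run it with no arguments to see how many public anchors the JDK contributes; pass tolvendev-jboss-cacerts.jks and its store password to see the pinned set alongside. The design point to carry back into the build is that the database connection's trust should not grow just because JavaMail's has to.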
From: John C. <jc...@us...> - 2007-03-20 20:04:34
Update of /cvsroot/tolven/tolvenWEB/web/scripts In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv21015/web/scripts Modified Files: tolvenwiz.js Log Message: Fix tempoerary intake questionnaire Index: tolvenwiz.js =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/scripts/tolvenwiz.js,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** tolvenwiz.js 12 Mar 2007 08:46:39 -0000 1.7 --- tolvenwiz.js 20 Mar 2007 19:53:07 -0000 1.8 *************** *** 1,4 **** // Choice lists we've got locally ! choiceList = new Object(); function makeHeading( prefix, stepNumber, title ) { --- 1,4 ---- // Choice lists we've got locally ! choiceList = new Array(); function makeHeading( prefix, stepNumber, title ) { |
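Review bot: choiceList is assigned without var and so becomes an implicit global; declare it with var. Changing new Object() to new Array() only helps if the wizard indexes it by number; if it is keyed by element-id strings such as the #{menu.element}-prefixed ids used in the wizard pages, an Object is the right container, and a for...in over an Array will also pick up any properties other scripts add to Array.prototype.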
From: John C. <jc...@us...> - 2007-03-20 20:04:14
Update of /cvsroot/tolven/tolven/template In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv22563/template Modified Files: tolven.template Log Message: Add new (commented) properties needed for gmail mail server Index: tolven.template =================================================================== RCS file: /cvsroot/tolven/tolven/template/tolven.template,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** tolven.template 5 Dec 2006 07:45:13 -0000 1.12 --- tolven.template 20 Mar 2007 19:55:57 -0000 1.13 *************** *** 3,6 **** --- 3,16 ---- mail.smtp.auth=false mail.debug=false + + # In order connect to a mail server that + # requires SSL such as gmail replace above with the following: + #mail.smtp.host=smtp.gmail.com + #mail.transport.protocol=smtps + #mail.smtp.socketFactory.port=465 + #mail.smtp.socketFactory.class=javax.net.ssl.SSLSocketFactory + #mail.smtp.socketFactory.fallback=false + #mail.smtp.auth=true + tolven.timezone=America/Los_Angeles tolven.repository.oid=1.2 *************** *** 9,12 **** --- 19,24 ---- tolven.register.referenceRequired=false tolven.register.expiration=3600 + + # Your email server username and password tolven.mail.from=no...@my... tolven.mail.fromName=My Organization |
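Review bot: the commented Gmail block sets mail.transport.protocol=smtps but keeps the remaining keys under the mail.smtp.* prefix; JavaMail looks up per-protocol settings under the protocol's own prefix, so with the smtps transport these would be read as mail.smtps.host, mail.smtps.auth and so on and the mail.smtp.* values may be ignored. Either keep the smtp transport together with the socketFactory properties shown, or rename the keys to mail.smtps.*, and verify against the JavaMail version shipped with JBoss. The new comment "Your email server username and password" is placed above tolven.mail.from, which is a sender address, not a credential; if the credential keys go here, this file now holds the SMTP password and its file permissions should be restricted accordingly.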
From: John C. <jc...@us...> - 2007-03-20 20:04:12
Update of /cvsroot/tolven/tolvenWEB/web/wizard In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv21015/web/wizard Modified Files: wizTemplate.xhtml bccIntake.xhtml Log Message: Fix tempoerary intake questionnaire Index: wizTemplate.xhtml =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/wizard/wizTemplate.xhtml,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** wizTemplate.xhtml 12 Mar 2007 08:46:38 -0000 1.7 --- wizTemplate.xhtml 20 Mar 2007 19:53:08 -0000 1.8 *************** *** 80,84 **** <div class="navbar"> ! <c:if test="#{menu.menuDataItem.status=='NEW'}"> <table width="100%"> <tr> --- 80,84 ---- <div class="navbar"> ! <c:if test="#{menu.menuDataItem.status!='ACTIVE'}"> <table width="100%"> <tr> Index: bccIntake.xhtml =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/wizard/bccIntake.xhtml,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** bccIntake.xhtml 17 Feb 2007 01:04:59 -0000 1.5 --- bccIntake.xhtml 20 Mar 2007 19:53:08 -0000 1.6 *************** *** 151,155 **** </td></tr> <tr><td> </td><td id="#{menu.element}-occChoices"> ! <select id="#{menu.element}-occupationList" name="occupationList" size="10" onclick="selectionMade('occupation', this);" onkeypress="if (event.keyCode==13) selectionMade('occupation', this);" style="display:none"/> </td> </tr> --- 151,155 ---- </td></tr> <tr><td> </td><td id="#{menu.element}-occChoices"> ! <select id="#{menu.element}-occupationList" name="occupationList" size="10" onclick="selectionMade('#{menu.element}-occupation', this);" onkeypress="if (event.keyCode==13) selectionMade('#{menu.element}-occupation', this);" style="display:none"/> </td> </tr> |
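Review bot: in wizTemplate.xhtml the navbar test changes from status=='NEW' to status!='ACTIVE', which renders the block for every status other than ACTIVE rather than only for NEW; if other statuses exist for a menu data item, confirm they should see this navigation, otherwise test for the specific statuses intended. The bccIntake.xhtml change correctly prefixes the selectionMade target with #{menu.element} so it matches the prefixed ids used elsewhere in the same file; the inline onclick/onkeypress handlers with event.keyCode==13 still belong in the script file rather than the markup.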
From: John C. <jc...@us...> - 2007-03-20 20:04:12
Update of /cvsroot/tolven/tolvenWEB/web/private In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv21943/web/private Modified Files: userDemog.xhtml Log Message: Allow test message to be sent from demo AND activated accounts. Index: userDemog.xhtml =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/private/userDemog.xhtml,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** userDemog.xhtml 16 Jan 2007 06:44:09 -0000 1.10 --- userDemog.xhtml 20 Mar 2007 19:54:16 -0000 1.11 *************** *** 23,27 **** <h:message for="uid" errorClass="errorMsg" infoClass="infoMsg" warnClass="warnMsg" fatalClass="fatalMsg"/> </h:panelGroup> ! <h:commandButton action="#{reg.sendTestMessage}" value="Send Test eMail" rendered="#{reg.user.demoUser}"/> </h:panelGroup> <h:outputText value="First Name"/> --- 23,27 ---- <h:message for="uid" errorClass="errorMsg" infoClass="infoMsg" warnClass="warnMsg" fatalClass="fatalMsg"/> </h:panelGroup> ! <h:commandButton action="#{reg.sendTestMessage}" value="Send Test eMail" /> </h:panelGroup> <h:outputText value="First Name"/> |
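Review bot: dropping rendered="#{reg.user.demoUser}" makes the Send Test eMail button available to every authenticated user, and in JSF the rendered flag was also what stopped the component from being decoded, so reg.sendTestMessage is now reachable from any logged-in session. Make sure the backing method sends only to the current user's own registered address (never a caller-supplied one) and consider a per-user rate limit, since a test-mail action any account can trigger is an easy spam and mail-flood vector.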
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:15
Update of /cvsroot/tolven/tolvenWEB/src/org/tolven/ajax In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11667/src/org/tolven/ajax Modified Files: DocServlet.java InstantiateServlet.java Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which, via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: InstantiateServlet.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/ajax/InstantiateServlet.java,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** InstantiateServlet.java 12 Mar 2007 08:46:39 -0000 1.4 --- InstantiateServlet.java 20 Mar 2007 09:13:44 -0000 1.5 *************** *** 24,27 **** --- 24,28 ---- import org.tolven.doc.XMLLocal; import org.tolven.doc.entity.DocBase; + import org.tolven.security.DocProtectionLocal; import org.tolven.trim.util.TRIMException; *************** *** 31,34 **** --- 32,36 ---- private DocumentLocal docBean; private XMLLocal xmlBean; + private DocProtectionLocal docProtectionBean; private ServletContext context = null; *************** *** 46,49 **** --- 48,52 ---- docBean = (DocumentLocal) ctx.lookup("tolven/DocumentBean/local"); xmlBean = (XMLLocal) ctx.lookup("tolven/XMLBean/local"); + docProtectionBean = (DocProtectionLocal) ctx.lookup("tolven/DocProtectionBean/local"); } catch (NamingException e) *************** *** 114,118 **** MenuData md = menuBean.findMenuDataItem(accountUser.getAccount().getId(), element); DocBase doc = docBean.findDocument( md.getDocumentId()); ! writer.write(doc.getContentString()); writer.close(); return; --- 117,121 ---- MenuData md = menuBean.findMenuDataItem(accountUser.getAccount().getId(), element); DocBase doc = docBean.findDocument( md.getDocumentId()); ! 
writer.write(docProtectionBean.getDecryptedContentString(doc)); writer.close(); return; Index: DocServlet.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/ajax/DocServlet.java,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** DocServlet.java 17 Feb 2007 21:14:00 -0000 1.9 --- DocServlet.java 20 Mar 2007 09:13:44 -0000 1.10 *************** *** 32,35 **** --- 32,36 ---- import org.tolven.doc.DocumentLocal; import org.tolven.doc.entity.DocImage; + import org.tolven.security.DocProtectionLocal; import org.tolven.web.security.VestibuleSecurityFilter; public class DocServlet extends HttpServlet { *************** *** 41,44 **** --- 42,46 ---- // @EJB private DocumentLocal docBean; + private DocProtectionLocal docProtectionBean; *************** *** 64,67 **** --- 66,70 ---- // J2EE 1.5 has not yet defined exact XML <ejb-ref> syntax for EJB3 docBean = (DocumentLocal) ctx.lookup("tolven/DocumentBean/local"); + docProtectionBean = (DocProtectionLocal) ctx.lookup("tolven/DocProtectionBean/local"); } catch (NamingException e) *************** *** 163,167 **** res.setContentType("image/jpeg"); res.setHeader("Cache-Control", "no-cache"); ! doc.streamJPEGThumbnail( targetWidth, targetHeight, res.getOutputStream()); } catch(Exception e) --- 166,170 ---- res.setContentType("image/jpeg"); res.setHeader("Cache-Control", "no-cache"); ! docProtectionBean.streamJPEGThumbnail(doc, targetWidth, targetHeight, res.getOutputStream()); } catch(Exception e) |
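Review bot: InstantiateServlet now writes docProtectionBean.getDecryptedContentString(doc) straight to the response, and DocServlet streams a decrypted thumbnail with only Cache-Control: no-cache; no-cache still allows the browser and intermediaries to store the response and revalidate it, so for decrypted document content use Cache-Control: no-store (with Pragma: no-cache and a past Expires for HTTP/1.0 caches) so the plaintext never reaches a disk cache. In both servlets the lookup of tolven/DocProtectionBean/local happens once in init() inside a catch (NamingException e) whose body is not in the hunk; if it only logs, a missing DocProtectionBean surfaces later as a NullPointerException on every request rather than failing at deployment, so consider rethrowing as ServletException.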
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11181/src/org/tolven/doc/bean Modified Files: DocumentBean.java EvaluateCCRClinical.java EvaluateCCR.java XMLProtectedBean.java EvaluateCCRPersonal.java Evaluator.java Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which, via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: DocumentBean.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/DocumentBean.java,v retrieving revision 1.21 retrieving revision 1.22 diff -C2 -d -r1.21 -r1.22 *** DocumentBean.java 4 Feb 2007 16:39:51 -0000 1.21 --- DocumentBean.java 20 Mar 2007 09:13:07 -0000 1.22 *************** *** 14,18 **** package org.tolven.doc.bean; - import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.StringReader; --- 14,17 ---- *************** *** 22,26 **** import javax.annotation.EJB; import javax.annotation.PostConstruct; - import javax.annotation.PreDestroy; import javax.annotation.Resource; import javax.ejb.Local; --- 21,24 ---- *************** *** 41,46 **** import org.tolven.admin.AdministrativeDetail; import org.tolven.admin.Details; - import org.tolven.ccr.ContinuityOfCareRecord; - import org.tolven.core.TolvenPropertiesLocal; import org.tolven.core.entity.Account; import org.tolven.core.entity.Status; --- 39,42 ---- *************** *** 54,59 **** import org.tolven.doc.entity.DocImage; import org.tolven.doc.entity.DocXML; ! import org.tolven.gen.entity.FamilyMember; ! import org.tolven.trim.Trim; /** --- 50,54 ---- import org.tolven.doc.entity.DocImage; import org.tolven.doc.entity.DocXML; ! import org.tolven.security.DocProtectionLocal; /** *************** *** 83,86 **** --- 78,83 ---- private Queue ruleQueue; + @EJB private DocProtectionLocal docProtectionBean; + /** * Get a document by its internal ID *************** *** 281,285 **** public long createImage( DocImage doc, long userId, long accountId, byte[] content ) { long id = createDocument( doc, userId, accountId ); ! doc.setContent(content); return id; } --- 278,282 ---- public long createImage( DocImage doc, long userId, long accountId, byte[] content ) { long id = createDocument( doc, userId, accountId ); ! 
doc.setAsEncryptedContent(content); return id; } *************** *** 321,325 **** m.marshal( top, result ); result.close(); ! doc.setContentString( result.toString() ); doc.setMediaType( "text/xml"); } --- 318,322 ---- m.marshal( top, result ); result.close(); ! doc.setAsEncryptedContentString(result.toString()); doc.setMediaType( "text/xml"); } *************** *** 336,340 **** JAXBContext jc = setupJAXBContext(); Unmarshaller u = jc.createUnmarshaller(); ! JAXBElement<Details> o = (JAXBElement<Details>) u.unmarshal( new StreamSource( new StringReader( doc.getContentString() ) ) ); Details details = o.getValue(); return details.getDetail(); --- 333,337 ---- JAXBContext jc = setupJAXBContext(); Unmarshaller u = jc.createUnmarshaller(); ! JAXBElement<Details> o = (JAXBElement<Details>) u.unmarshal( new StreamSource( new StringReader( docProtectionBean.getDecryptedContentString(doc)) ) ); Details details = o.getValue(); return details.getDetail(); Index: XMLProtectedBean.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/XMLProtectedBean.java,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** XMLProtectedBean.java 27 Jan 2007 19:07:05 -0000 1.2 --- XMLProtectedBean.java 20 Mar 2007 09:13:07 -0000 1.3 *************** *** 3,6 **** --- 3,7 ---- import java.io.ByteArrayInputStream; + import javax.annotation.EJB; import javax.ejb.Local; import javax.ejb.Remote; *************** *** 12,15 **** --- 13,17 ---- import org.tolven.doc.XMLProtectedRemote; import org.tolven.doc.entity.DocXML; + import org.tolven.security.DocProtectionLocal; @Stateless() *************** *** 19,22 **** --- 21,25 ---- public class XMLProtectedBean extends XMLBean implements XMLProtectedLocal, XMLProtectedRemote { + @EJB private DocProtectionLocal docProtectionBean; /** * <p>This method will unmarshal the XML content of the specified document *************** *** 27,31 **** */ public Object 
unmarshal(DocXML doc) throws JAXBException { ! byte[] c = doc.getContent(); if (c==null) return null; return unmarshal( doc.getXmlNS(), new ByteArrayInputStream( c )); --- 30,34 ---- */ public Object unmarshal(DocXML doc) throws JAXBException { ! byte[] c = docProtectionBean.getDecryptedContent(doc); if (c==null) return null; return unmarshal( doc.getXmlNS(), new ByteArrayInputStream( c )); Index: Evaluator.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/Evaluator.java,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** Evaluator.java 12 Mar 2007 08:47:09 -0000 1.10 --- Evaluator.java 20 Mar 2007 09:13:07 -0000 1.11 *************** *** 47,50 **** --- 47,51 ---- import org.tolven.doc.entity.DocCCR; import org.tolven.doc.entity.DocXML; + import org.tolven.security.DocProtectionLocal; import org.tolven.trim.Act; import org.tolven.trim.ActInternal; *************** *** 71,74 **** --- 72,76 ---- @EJB private MenuLocal menuLocal; @EJB private XMLLocal xmlBean; + @EJB private DocProtectionLocal docProtectionBean; private static final String CCRns = "urn:astm-org:CCR"; private static final String TRIMns = "urn:astm-org:trim:4.0"; *************** *** 86,94 **** EvaluateCCR evaluateCCR = null; if ("echr".equals(account.getAccountType().getKnownType())) { ! evaluateCCR = new EvaluateCCRClinical( documentLocal, menuLocal, xmlBean ); evaluateCCR.process( tm ); } else if ("ephr".equals(account.getAccountType().getKnownType())) { ! evaluateCCR = new EvaluateCCRPersonal( documentLocal, menuLocal, xmlBean ); evaluateCCR.process( tm ); } else throw new Exception( "Unknown Account type"); --- 88,96 ---- EvaluateCCR evaluateCCR = null; if ("echr".equals(account.getAccountType().getKnownType())) { ! 
evaluateCCR = new EvaluateCCRClinical( documentLocal, menuLocal, xmlBean, docProtectionBean ); evaluateCCR.process( tm ); } else if ("ephr".equals(account.getAccountType().getKnownType())) { ! evaluateCCR = new EvaluateCCRPersonal( documentLocal, menuLocal, xmlBean, docProtectionBean ); evaluateCCR.process( tm ); } else throw new Exception( "Unknown Account type"); *************** *** 109,113 **** docXML = documentLocal.createXMLDocument( tm.getXmlNS(), tm.getAuthorId(), tm.getAccountId() ); System.out.println( "Document created, id: " + docXML.getId()); ! docXML.setContent(tm.getPayload()); System.out.println( "Document set payload, id: " + docXML.getId()); documentLocal.finalizeDocument(docXML); --- 111,115 ---- docXML = documentLocal.createXMLDocument( tm.getXmlNS(), tm.getAuthorId(), tm.getAccountId() ); System.out.println( "Document created, id: " + docXML.getId()); ! docXML.setAsEncryptedContent(tm.getPayload()); System.out.println( "Document set payload, id: " + docXML.getId()); documentLocal.finalizeDocument(docXML); Index: EvaluateCCRClinical.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/EvaluateCCRClinical.java,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** EvaluateCCRClinical.java 16 Feb 2007 04:02:30 -0000 1.2 --- EvaluateCCRClinical.java 20 Mar 2007 09:13:07 -0000 1.3 *************** *** 23,31 **** import org.tolven.doc.entity.CCRException; import org.tolven.doc.entity.DocCCR; public class EvaluateCCRClinical extends EvaluateCCR { ! public EvaluateCCRClinical(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean) { ! super(documentLocal, menuLocal, xmlBean); } --- 23,32 ---- import org.tolven.doc.entity.CCRException; import org.tolven.doc.entity.DocCCR; + import org.tolven.security.DocProtectionLocal; public class EvaluateCCRClinical extends EvaluateCCR { ! 
public EvaluateCCRClinical(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean, DocProtectionLocal docProtectionBean) { ! super(documentLocal, menuLocal, xmlBean, docProtectionBean); } *************** *** 34,38 **** System.out.println( "Processing CCR document for clinical account: " + tm.getAccountId()); DocCCR docCCR = documentLocal.createCCRDocument( tm.getAuthorId(), tm.getAccountId() ); ! docCCR.setContent(tm.getPayload()); documentLocal.finalizeDocument(docCCR); // Get type of account --- 35,39 ---- System.out.println( "Processing CCR document for clinical account: " + tm.getAccountId()); DocCCR docCCR = documentLocal.createCCRDocument( tm.getAuthorId(), tm.getAccountId() ); ! docCCR.setAsEncryptedContent(tm.getPayload()); documentLocal.finalizeDocument(docCCR); // Get type of account Index: EvaluateCCRPersonal.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/EvaluateCCRPersonal.java,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** EvaluateCCRPersonal.java 28 Feb 2007 06:58:18 -0000 1.3 --- EvaluateCCRPersonal.java 20 Mar 2007 09:13:07 -0000 1.4 *************** *** 16,20 **** import org.tolven.ccr.EncounterType; import org.tolven.ccr.IDType; - import org.tolven.ccr.MedicationType; import org.tolven.ccr.PersonNameType; import org.tolven.ccr.ProblemType; --- 16,19 ---- *************** *** 27,35 **** import org.tolven.doc.entity.CCRException; import org.tolven.doc.entity.DocCCR; public class EvaluateCCRPersonal extends EvaluateCCR { ! public EvaluateCCRPersonal(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean) { ! super(documentLocal, menuLocal, xmlBean); } --- 26,35 ---- import org.tolven.doc.entity.CCRException; import org.tolven.doc.entity.DocCCR; + import org.tolven.security.DocProtectionLocal; public class EvaluateCCRPersonal extends EvaluateCCR { ! 
public EvaluateCCRPersonal(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean, DocProtectionLocal docProtectionBean) { ! super(documentLocal, menuLocal, xmlBean, docProtectionBean); } *************** *** 38,42 **** System.out.println( "Processing CCR document for personal account: " + tm.getAccountId()); DocCCR docCCR = documentLocal.createCCRDocument( tm.getAuthorId(), tm.getAccountId() ); ! docCCR.setContent(tm.getPayload()); documentLocal.finalizeDocument(docCCR); // Get type of account --- 38,42 ---- System.out.println( "Processing CCR document for personal account: " + tm.getAccountId()); DocCCR docCCR = documentLocal.createCCRDocument( tm.getAuthorId(), tm.getAccountId() ); ! docCCR.setAsEncryptedContent(tm.getPayload()); documentLocal.finalizeDocument(docCCR); // Get type of account Index: EvaluateCCR.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/bean/EvaluateCCR.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** EvaluateCCR.java 12 Feb 2007 07:06:05 -0000 1.1 --- EvaluateCCR.java 20 Mar 2007 09:13:07 -0000 1.2 *************** *** 1,9 **** package org.tolven.doc.bean; - import org.tolven.app.MenuLocal; import org.tolven.doc.DocumentLocal; import org.tolven.doc.XMLLocal; ! import org.tolven.doc.entity.CCRException; public abstract class EvaluateCCR { --- 1,8 ---- package org.tolven.doc.bean; import org.tolven.app.MenuLocal; import org.tolven.doc.DocumentLocal; import org.tolven.doc.XMLLocal; ! import org.tolven.security.DocProtectionLocal; public abstract class EvaluateCCR { *************** *** 11,19 **** protected MenuLocal menuLocal; protected XMLLocal xmlBean; ! 
public EvaluateCCR(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean ) { this.documentLocal = documentLocal; this.menuLocal = menuLocal; this.xmlBean = xmlBean; } --- 10,20 ---- protected MenuLocal menuLocal; protected XMLLocal xmlBean; + protected DocProtectionLocal docProtectionBean; ! public EvaluateCCR(DocumentLocal documentLocal, MenuLocal menuLocal, XMLLocal xmlBean, DocProtectionLocal docProtectionBean ) { this.documentLocal = documentLocal; this.menuLocal = menuLocal; this.xmlBean = xmlBean; + this.docProtectionBean = docProtectionBean; } |
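Review bot: writes now go through the entity (doc.setAsEncryptedContent / setAsEncryptedContentString in DocumentBean, Evaluator and both EvaluateCCR subclasses) while reads go through the session bean (docProtectionBean.getDecryptedContent / getDecryptedContentString); splitting encrypt and decrypt across two places makes it easy for a future write path to call a plaintext setter and store unencrypted content, so consider routing writes through DocProtectionLocal as well and removing any plaintext setContent from the entities. The same bean is reached by @EJB injection here but by a hard-coded JNDI name tolven/DocProtectionBean/local in the web-tier servlets; keep that name in one constant. The System.out.println("Document created, id: ...") calls in Evaluator should go through a logger so they are subject to the same level and destination control as the rest of the document pipeline.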
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:14
Update of /cvsroot/tolven/tolvenWEB/src/org/tolven/web/security In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11667/src/org/tolven/web/security Modified Files: GeneralSecurityFilter.java SecurityFilter.java VestibuleSecurityFilter.java Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which, via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: VestibuleSecurityFilter.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/security/VestibuleSecurityFilter.java,v retrieving revision 1.19 retrieving revision 1.20 diff -C2 -d -r1.19 -r1.20 *** VestibuleSecurityFilter.java 8 Mar 2007 17:03:41 -0000 1.19 --- VestibuleSecurityFilter.java 20 Mar 2007 09:13:44 -0000 1.20 *************** *** 21,24 **** --- 21,25 ---- import java.util.Set; + import javax.management.JMException; import javax.naming.InitialContext; import javax.naming.NamingException; *************** *** 44,51 **** import org.tolven.core.entity.TolvenUser; import org.tolven.security.LoginLocal; - import org.tolven.security.key.PrivateKeyRing; import org.tolven.security.key.UserPrivateKey; import org.tolven.security.key.UserPublicKey; - import org.tolven.web.TolvenContext; /** --- 45,50 ---- *************** *** 85,89 **** HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; ! //System.out.println(getClass() + " :REQUEST=" + request.getRequestURL()); if (!request.isRequestedSessionIdValid()) { logout("INVALID SESSION", request, response); --- 84,88 ---- HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; ! System.out.println(getClass() + " :REQUEST=" + request.getRequestURL()); if (!request.isRequestedSessionIdValid()) { logout("INVALID SESSION", request, response); *************** *** 112,121 **** String principalName = principal.getName(); ! Set<PrivateKeyRing> privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); if (privateCredentials.isEmpty()) { ! 
logout("NO PRIVATE KEY RING", request, response); return; } - PrivateKeyRing privateKeyRing = (PrivateKeyRing) privateCredentials.iterator().next(); // PHASE ONE: User Authentication --- 111,119 ---- String principalName = principal.getName(); ! Set<UserPrivateKey> privateCredentials = subject.getPrivateCredentials(UserPrivateKey.class); if (privateCredentials.isEmpty()) { ! logout("No UserPrivateKey", request, response); return; } // PHASE ONE: User Authentication *************** *** 155,169 **** } ! // Just asking for password causes us to forget the accountUser ! if (request.getRequestURL().indexOf("password.jsf") != -1) { session.removeAttribute(ACCOUNTUSER_ID); session.removeAttribute(ACCOUNT_ID); ! } ! //If the user has a pass, they don't need to supply a password again ! if ("true".equals(session.getAttribute(VESTIBULE_PASS)) || request.getRequestURL().indexOf("password.jsf") != -1) { ! // Let the user have the request ! } else { ! ((HttpServletResponse) servletResponse).sendRedirect("password.jsf"); ! return; } --- 153,164 ---- } ! //If the user has a pass, they don't need to supply a password again ! if (!"true".equals(session.getAttribute(VESTIBULE_PASS))) { session.removeAttribute(ACCOUNTUSER_ID); session.removeAttribute(ACCOUNT_ID); ! if (request.getRequestURL().indexOf("password.jsf") == -1) { ! ((HttpServletResponse) servletResponse).sendRedirect("password.jsf"); ! return; ! } } *************** *** 176,182 **** if (justLoggedIn) { accountUser = activation.findDefaultAccountUser(user); - if (accountUser != null) { - session.setAttribute(ACCOUNTUSER_ID, accountUser.getId()); - } } } else { --- 171,174 ---- *************** *** 191,208 **** // Give TolvenUser the AccountPrivateKey for the selected account if (accountUser.getAccountPrivateKey() == null) { ! 
//For backward compatibility with accounts which didn't originally have keys, we add them here accountBean.setupAccountKeys(accountUser.getAccount(), accountUser, null, user); } - privateKeyRing.setAccountPrivateKey(accountUser.getAccountPrivateKey()); - session.removeAttribute(VESTIBULE_PASS); session.setAttribute(ACCOUNT_ID, accountUser.getAccount().getId()); ((HttpServletResponse) servletResponse).sendRedirect("../private/GOTOHOME.jsf"); return; } // If user has not been sent on there way by here, remove all account related information...they are in the vestibule - privateKeyRing.setAccountPrivateKey(null); - // top.setAccountUser(null); session.removeAttribute(ACCOUNT_ID); session.removeAttribute(ACCOUNTUSER_ID); } catch (PolicyContextException ex) { ex.printStackTrace(); --- 183,201 ---- // Give TolvenUser the AccountPrivateKey for the selected account if (accountUser.getAccountPrivateKey() == null) { ! //TODO For backward compatibility with accounts which didn't originally have keys, we add them here accountBean.setupAccountKeys(accountUser.getAccount(), accountUser, null, user); } session.setAttribute(ACCOUNT_ID, accountUser.getAccount().getId()); + session.setAttribute(ACCOUNTUSER_ID, accountUser.getId()); + //Clear the cache since the user account information is being updated + clearAuthenticationCache(principal); ((HttpServletResponse) servletResponse).sendRedirect("../private/GOTOHOME.jsf"); return; } // If user has not been sent on there way by here, remove all account related information...they are in the vestibule session.removeAttribute(ACCOUNT_ID); session.removeAttribute(ACCOUNTUSER_ID); + //System.out.println(getClass() + " GOT REQUEST=" + request.getRequestURL()); + chain.doFilter(servletRequest, servletResponse); } catch (PolicyContextException ex) { ex.printStackTrace(); *************** *** 220,225 **** ex.printStackTrace(); throw new ServletException(ex); } - chain.doFilter(servletRequest, servletResponse); } --- 213,220 ---- 
ex.printStackTrace(); throw new ServletException(ex); + } catch (JMException ex) { + ex.printStackTrace(); + throw new ServletException(ex); } } *************** *** 230,237 **** */ private void addKeysToUser(TolvenUser aTolvenUser, Subject subject) throws GeneralSecurityException { ! Set<PrivateKeyRing> privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); ! if (privateCredentials.isEmpty()) ! throw new GeneralSecurityException(getClass() + " :No PrivateKeyRing found for " + aTolvenUser.getLdapUID()); ! UserPrivateKey userPrivateKey = privateCredentials.iterator().next().getUserPrivateKey(); if (userPrivateKey == null) throw new GeneralSecurityException(getClass() + " :No UserPrivateKey found for " + aTolvenUser.getLdapUID()); --- 225,230 ---- */ private void addKeysToUser(TolvenUser aTolvenUser, Subject subject) throws GeneralSecurityException { ! Set<UserPrivateKey> privateCredentials = subject.getPrivateCredentials(UserPrivateKey.class); ! UserPrivateKey userPrivateKey = privateCredentials.iterator().next(); if (userPrivateKey == null) throw new GeneralSecurityException(getClass() + " :No UserPrivateKey found for " + aTolvenUser.getLdapUID()); Index: GeneralSecurityFilter.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/security/GeneralSecurityFilter.java,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** GeneralSecurityFilter.java 5 Mar 2007 06:07:15 -0000 1.8 --- GeneralSecurityFilter.java 20 Mar 2007 09:13:43 -0000 1.9 *************** *** 19,22 **** --- 19,23 ---- import java.util.Set; + import javax.management.JMException; import javax.naming.InitialContext; import javax.naming.NamingException; *************** *** 37,41 **** import org.tolven.core.entity.AccountUser; import org.tolven.core.entity.TolvenUser; ! 
import org.tolven.security.key.PrivateKeyRing; /** --- 38,42 ---- import org.tolven.core.entity.AccountUser; import org.tolven.core.entity.TolvenUser; ! import org.tolven.security.key.UserPrivateKey; /** *************** *** 58,66 **** public String getRedirect(Principal principal) { ! TolvenUser user = activation.findUser(principal.getName()); ! if (0==activation.countUserAccounts(user )) { ! return "createAccount.jsf"; } else { ! return "selectAccount.jsf"; } } --- 59,67 ---- public String getRedirect(Principal principal) { ! TolvenUser user = activation.findUser(principal.getName()); ! if (0 == activation.countUserAccounts(user)) { ! return "createAccount.jsf"; } else { ! return "selectAccount.jsf"; } } *************** *** 96,137 **** } ! Set<PrivateKeyRing> privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); if (privateCredentials.isEmpty()) { ! logout("NO PRIVATE KEY RING", request, response); return; } ! PrivateKeyRing privateKeyRing = (PrivateKeyRing) privateCredentials.iterator().next(); ! if (privateKeyRing.getAccountPrivateKey() == null) { ! response.sendRedirect("../vestibule/" + getRedirect( principal )+"?" + request.getQueryString()); return; } if (request.getRequestURL().indexOf("dispatch.jsf") != -1 || request.getRequestURL().indexOf("GOTOHOME") != -1) { ! HttpSession session = request.getSession(); ! Object accountUserIdObj = session.getAttribute(VestibuleSecurityFilter.ACCOUNTUSER_ID); ! if (accountUserIdObj == null) { ! response.sendRedirect("../vestibule/" + getRedirect( principal )); ! return; ! } ! AccountUser accountUser = activation.findAccountUser(((Long) accountUserIdObj).longValue()); if (accountUser == null) { ! response.sendRedirect("../vestibule/" + getRedirect( principal )); return; } // Make absolutely certain the user owns this account ! 
if(!principal.getName().equals(accountUser.getUser().getLdapUID())) { logout(principal.getName() + " DOES NOT MATCH ACCOUNTUSER", request, response); } ((HttpServletResponse) servletResponse).sendRedirect("../private/" + accountUser.getAccount().getAccountType().getHomePage()); return; } ! HttpSession session = request.getSession(); ! // If we don't have an accountUserId, we have no business being here ! Long accountUserId = (Long) session.getAttribute(VestibuleSecurityFilter.ACCOUNTUSER_ID); ! // Set accountUser in request for the duration of this request ! request.setAttribute("accountUser", activation.findAccountUser( accountUserId )); ! chain.doFilter(servletRequest, servletResponse); } catch (PolicyContextException ex) { ex.printStackTrace(); throw new ServletException(ex); } } --- 97,136 ---- } ! Set<UserPrivateKey> privateCredentials = subject.getPrivateCredentials(UserPrivateKey.class); if (privateCredentials.isEmpty()) { ! logout("NO UserPrivateKey", request, response); return; } ! HttpSession session = request.getSession(); ! Long accountUserIdObj = (Long) session.getAttribute(VestibuleSecurityFilter.ACCOUNTUSER_ID); ! if (accountUserIdObj == null) { ! response.sendRedirect("../vestibule/" + getRedirect(principal) + "?" + request.getQueryString()); return; } if (request.getRequestURL().indexOf("dispatch.jsf") != -1 || request.getRequestURL().indexOf("GOTOHOME") != -1) { ! AccountUser accountUser = activation.findAccountUser(accountUserIdObj.longValue()); if (accountUser == null) { ! response.sendRedirect("../vestibule/" + getRedirect(principal)); return; } // Make absolutely certain the user owns this account ! if (!principal.getName().equals(accountUser.getUser().getLdapUID())) { logout(principal.getName() + " DOES NOT MATCH ACCOUNTUSER", request, response); } + clearAuthenticationCache(principal); ((HttpServletResponse) servletResponse).sendRedirect("../private/" + accountUser.getAccount().getAccountType().getHomePage()); return; } ! 
session.removeAttribute(VestibuleSecurityFilter.VESTIBULE_PASS); ! // Set accountUser in request for the duration of this request ! request.setAttribute("accountUser", activation.findAccountUser(accountUserIdObj)); ! //System.out.println(getClass() + " GOT REQUEST=" + request.getRequestURL()); ! chain.doFilter(servletRequest, servletResponse); } catch (PolicyContextException ex) { ex.printStackTrace(); throw new ServletException(ex); + } catch (JMException ex) { + ex.printStackTrace(); + throw new ServletException(ex); } } Index: SecurityFilter.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/security/SecurityFilter.java,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** SecurityFilter.java 6 Feb 2007 08:18:40 -0000 1.9 --- SecurityFilter.java 20 Mar 2007 09:13:43 -0000 1.10 *************** *** 15,18 **** --- 15,24 ---- import java.io.IOException; + import java.security.Principal; + + import javax.management.JMException; + import javax.management.MBeanServer; + import javax.management.MBeanServerFactory; + import javax.management.ObjectName; import javax.servlet.Filter; import javax.servlet.ServletException; *************** *** 36,38 **** --- 42,53 ---- } + protected void clearAuthenticationCache(Principal principal) throws JMException { + System.out.println(getClass() + " clearAuthenticationCache"); + MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0); + ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager"); + String[] signature = { "java.lang.String", Principal.class.getName() }; + Object[] params = { "tolvenLDAP", principal }; + server.invoke(jaasMgr, "flushAuthenticationCache", params, signature); + } + } |
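Review bot: in the GeneralSecurityFilter hunk (--- 97,136 ----) the ownership check `if (!principal.getName().equals(accountUser.getUser().getLdapUID())) { logout(...); }` has no `return` after the logout call, so on a mismatch execution continues into the newly added `clearAuthenticationCache(principal)` and then `sendRedirect` to the home page of an account the principal does not own; add `return;` immediately after `logout(...)`. The same fall-through exists in the old lines, but the cache flush now runs in that path as well. Three further points in this patch: (1) VestibuleSecurityFilter.addKeysToUser (--- 225,230 ----) drops the `isEmpty()` guard and calls `privateCredentials.iterator().next()` directly, so an empty credential set now surfaces as NoSuchElementException instead of the intended GeneralSecurityException, and the following `userPrivateKey == null` test can never be true for an element taken from a Set; keep the `isEmpty()` check. (2) The --- 84,88 ---- hunk re-enables `System.out.println(getClass() + " :REQUEST=" + request.getRequestURL())`, which writes every request URL to stdout; if it is meant to stay, route it through a logger at debug level. (3) `"?" + request.getQueryString()` in GeneralSecurityFilter yields `?null` when the request has no query string; guard the null. Finally, `clearAuthenticationCache` in SecurityFilter hard-codes the security domain "tolvenLDAP" and uses `findMBeanServer(null).get(0)` without checking that the list is non-empty; since BrowseSecurityFilter repeats the same method verbatim, move the domain name into a shared constant and check the list before indexing.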
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:14
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/security/bean
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11181/src/org/tolven/security/bean

Modified Files:
	LoginBean.java
Added Files:
	DocProtectionBean.java
Log Message:
Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.

--- NEW FILE: DocProtectionBean.java ---
/*
 * Copyright (C) 2006 Tolven Inc
 *
 * This library is free software; you can redistribute it and/or modify it under the terms of
 * the GNU Lesser General Public License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
 * Contact: in...@to...
 */
package org.tolven.security.bean;

import java.io.IOException;
import java.io.OutputStream;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.acl.Group;
import java.util.Set;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;

import org.apache.commons.codec.binary.Base64;
import org.jboss.annotation.security.SecurityDomain;
import org.tolven.security.DocProtectionLocal;
import org.tolven.security.key.AccountPrivateKey;
import org.tolven.security.key.UserPrivateKey;
import org.tolven.security.DocContentSecurity;
import org.tolven.security.ImageDocContentSecurity;

import com.sun.image.codec.jpeg.ImageFormatException;

/**
 * This class protects the DocBase content by handling its encryption and decryption.
 *
 * @author Joseph Isaac
 *
 */
@Stateless()
@Local(DocProtectionLocal.class)
@SecurityDomain("tolvenLDAP")
//TODO This class should probably be in the same package as DocBase in order to protect the DocBase methods from public view
public class DocProtectionBean implements DocProtectionLocal {

    /**
     * Currently assumes all content is encrypted and only the authorized loggedInUser will succeed in getting the readable content
     * This method calls decryption each time it is called.
     * Decryption takes CPU time and it requires access to security policy which means
     * the caller must have permission to call this method.
     * @param doc the protected document whose content is to be decrypted
     * @return the decrypted content, the stored content for legacy documents without a key, or a sentinel on failure
     */
    public byte[] getDecryptedContent(DocContentSecurity doc) {
        System.out.println("DocProtectedBean.getDecryptedContent");
        if (doc.getContent() == null)
            return doc.getContent();
        try {
            // The caller's Subject is obtained from the JACC policy context, so this only works inside a secured EJB call
            Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
            if (subject == null)
                throw new IllegalStateException("No Subject found in PolicyContext");
            //TODO: Assume one Principal at this time. Should the Principal be identified in the Subject or via ejbContext?
            Principal principal = null;
            Object obj = null;
            for (java.util.Iterator iter = subject.getPrincipals().iterator(); iter.hasNext();) {
                obj = iter.next();
                if (obj instanceof Principal && !(obj instanceof Group)) {
                    principal = (Principal) obj;
                    break;
                }
            }
            if (principal == null)
                throw new IllegalStateException("No Principal found in Subject");
            // Both keys are placed in the Subject's private credentials by the KeyLoginModule (see the log message)
            Set<UserPrivateKey> userPrivateKeys = subject.getPrivateCredentials(UserPrivateKey.class);
            if (userPrivateKeys.isEmpty())
                throw new RuntimeException(": No UserPrivateKey found in Subject " + principal.getName());
            UserPrivateKey userPrivateKey = userPrivateKeys.iterator().next();
            PrivateKey privateKey = userPrivateKey.getPrivateKey();
            Set<AccountPrivateKey> accountPrivateKeys = subject.getPrivateCredentials(AccountPrivateKey.class);
            if (accountPrivateKeys.isEmpty())
                throw new RuntimeException(": No AccountPrivateKey found in Subject " + principal.getName());
            AccountPrivateKey activeAccountPrivateKey = accountPrivateKeys.iterator().next();
            System.out.println(getClass() + " Decryption AccountPrivateKey=" + activeAccountPrivateKey);
            if (doc.getDocumentSecretKey() == null) {
                //TODO: For backward compatibility, we no longer throw an exception here, since older accounts never had a documentSecretKey and
                // were thus never encrypted
                //throw new RuntimeException("Content cannot be decrypted without a documentSecretKey");
                System.out.println(getClass() + " No DocumentSecretKey found for doc id=" + doc.getId());
                return doc.getContent();
            }
            // The document key is wrapped for the account; the account key is itself unwrapped with the user's private key
            SecretKey docSecretKey = doc.getDocumentSecretKey().getSecretKey(activeAccountPrivateKey.getPrivateKey(privateKey));
            // Note: a bare algorithm name such as "AES" selects the provider's default mode and padding (ECB/PKCS5Padding with SunJCE)
            Cipher cipher = Cipher.getInstance(docSecretKey.getAlgorithm());
            cipher.init(Cipher.DECRYPT_MODE, docSecretKey);
            return cipher.doFinal(doc.getContent());
        } catch (Exception ex) {
            ex.printStackTrace();
            // Note: callers receive this sentinel text in place of content and cannot distinguish it from a genuine document
            return "THIS DOCUMENT CANNOT BE DECRYPTED".getBytes();
        }
    }

    /**
     * Return the contents of the document as base64 encoded.
     * This method calls decryption each time it is called.
     * Decryption takes CPU time and it requires access to security policy which means
     * the caller must have permission to call this method.
     */
    public String getDecryptedContentB64(DocContentSecurity doc) {
        byte[] c = getDecryptedContent(doc);
        if (c == null)
            return null;
        return new String(Base64.encodeBase64(c));
    }

    /**
     * Return the content as a string. This method calls decryption each time it is called.
     * Decryption takes CPU time and it requires access to security policy which means
     * the caller must have permission to call this method.
     * @return the decrypted content as a string, or null if the document has no content
     */
    public String getDecryptedContentString(DocContentSecurity doc) {
        byte[] c = getDecryptedContent(doc);
        if (c == null)
            return null;
        return new String(c);
    }

    /**
     * Create a JPEG thumbnail of the underlying image and encode it to the output stream provided.
     * The aspect ratio of the underlying image is retained. As a result, the thumbnail is scaled to fit in
     * the specified rectangle. Whitespace is added if the image does not match the aspect ratio of the rectangle.
     * @param targetWidth
     * @param targetHeight
     * @param stream
     * @throws ImageFormatException
     * @throws IOException
     */
    public void streamJPEGThumbnail(ImageDocContentSecurity doc, int targetWidth, int targetHeight, OutputStream stream) throws ImageFormatException, IOException {
        doc.streamJPEGThumbnail(getDecryptedContent(doc), targetWidth, targetHeight, stream);
    }
}

Index: LoginBean.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/security/bean/LoginBean.java,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** LoginBean.java 28 Feb 2007 03:45:11 -0000 1.6 --- LoginBean.java 20 Mar 2007 09:13:07 -0000 1.7 *************** *** 74,77 **** --- 74,81 ---- } + private AccountUser findAccountUser(long accountUserId) { + return em.find(AccountUser.class, accountUserId); + } + /** * Return an AccountPrivateKey given an AccountUserId *************** *** 80,84 **** */ public AccountPrivateKey findAccountPrivateKey(long anAccountUserId) { ! AccountUser accountUser = activationBean.findAccountUser(anAccountUserId); if (accountUser == null) throw new RuntimeException("Could not find AccountUser with id=" + anAccountUserId); --- 84,88 ---- */ public AccountPrivateKey findAccountPrivateKey(long anAccountUserId) { ! AccountUser accountUser = findAccountUser(anAccountUserId); if (accountUser == null) throw new RuntimeException("Could not find AccountUser with id=" + anAccountUserId); *************** *** 92,96 **** */ public AccountPublicKey findAccountPublicKey(long anAccountUserId) { ! AccountUser accountUser = activationBean.findAccountUser(anAccountUserId); if (accountUser == null) throw new RuntimeException("Could not find AccountUser with id=" + anAccountUserId); --- 96,100 ---- */ public AccountPublicKey findAccountPublicKey(long anAccountUserId) { ! 
AccountUser accountUser = findAccountUser(anAccountUserId); if (accountUser == null) throw new RuntimeException("Could not find AccountUser with id=" + anAccountUserId); |
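Review bot: findAccountPrivateKey(long) and findAccountPublicKey(long) now resolve the AccountUser through a local `em.find(AccountUser.class, accountUserId)` instead of `activationBean.findAccountUser`, and nothing in these hunks ties `anAccountUserId` to the calling principal; the only thing standing between a caller and another account's AccountPrivateKey is whatever access control applies to LoginBean itself. Since the log message says these keys are what the KeyLoginModule places into the EJB-tier Subject, either document on findAccountPrivateKey who is permitted to call it or add a check that the resolved AccountUser belongs to the current principal before the key is returned.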
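DocProtectionBean.getDecryptedContent above walks a three-level chain: the user's private key opens the AccountPrivateKey, the account key opens the DocumentSecretKey, and that key decrypts the content, with a pass-through for legacy documents that have no key. The page does not show how either wrapped key is actually stored, so the following stand-alone model is an added example and not Tolven code: it assumes RSA-OAEP key wrapping, an AES key-encryption key for the (too large to RSA-wrap) account private key, and AES-CBC for content instead of the bare "AES" transformation the bean uses. The classes WrappedAccountPrivateKey, WrappedDocumentSecretKey and StoredDoc are constructed stand-ins for AccountPrivateKey, DocumentSecretKey and DocContentSecurity.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

/** Constructed model (not Tolven code) of the key chain behind DocProtectionBean.getDecryptedContent. */
public class KeyChainDemo {

    static final String RSA_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; // assumed wrapping scheme
    static final String AES_CBC = "AES/CBC/PKCS5Padding";                     // assumed content cipher

    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static KeyPair newRsaPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    static byte[] randomIv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    /** Stand-in for AccountPrivateKey: the account's RSA private key, openable only with a member's user key. */
    static final class WrappedAccountPrivateKey {
        final byte[] wrappedKek, iv, encryptedPkcs8;

        WrappedAccountPrivateKey(PrivateKey accountPrivate, PublicKey userPublic) throws GeneralSecurityException {
            SecretKey kek = newAesKey();              // fresh key-encryption key for the PKCS#8 bytes
            iv = randomIv();
            Cipher aes = Cipher.getInstance(AES_CBC);
            aes.init(Cipher.ENCRYPT_MODE, kek, new IvParameterSpec(iv));
            encryptedPkcs8 = aes.doFinal(accountPrivate.getEncoded());
            Cipher rsa = Cipher.getInstance(RSA_WRAP);
            rsa.init(Cipher.WRAP_MODE, userPublic);  // only the user's private key can unwrap the KEK
            wrappedKek = rsa.wrap(kek);
        }

        /** Mirrors AccountPrivateKey.getPrivateKey(userPrivateKey) on the page. */
        PrivateKey getPrivateKey(PrivateKey userPrivate) throws GeneralSecurityException {
            Cipher rsa = Cipher.getInstance(RSA_WRAP);
            rsa.init(Cipher.UNWRAP_MODE, userPrivate);
            Key kek = rsa.unwrap(wrappedKek, "AES", Cipher.SECRET_KEY); // OAEP check fails for a non-member key
            Cipher aes = Cipher.getInstance(AES_CBC);
            aes.init(Cipher.DECRYPT_MODE, kek, new IvParameterSpec(iv));
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(aes.doFinal(encryptedPkcs8)));
        }
    }

    /** Stand-in for DocumentSecretKey: the per-document AES key, wrapped with the account's public key. */
    static final class WrappedDocumentSecretKey {
        final byte[] wrappedKey;

        WrappedDocumentSecretKey(SecretKey docKey, PublicKey accountPublic) throws GeneralSecurityException {
            Cipher rsa = Cipher.getInstance(RSA_WRAP);
            rsa.init(Cipher.WRAP_MODE, accountPublic);
            wrappedKey = rsa.wrap(docKey);
        }

        /** Mirrors DocumentSecretKey.getSecretKey(accountPrivateKey) on the page. */
        SecretKey getSecretKey(PrivateKey accountPrivate) throws GeneralSecurityException {
            Cipher rsa = Cipher.getInstance(RSA_WRAP);
            rsa.init(Cipher.UNWRAP_MODE, accountPrivate);
            return (SecretKey) rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        }
    }

    /** Stand-in for DocContentSecurity; a null documentSecretKey models a legacy document that was never encrypted. */
    static final class StoredDoc {
        final WrappedDocumentSecretKey documentSecretKey;
        final byte[] iv, content;
        StoredDoc(WrappedDocumentSecretKey k, byte[] iv, byte[] content) { documentSecretKey = k; this.iv = iv; this.content = content; }
    }

    static StoredDoc encrypt(byte[] plain, PublicKey accountPublic) throws GeneralSecurityException {
        SecretKey docKey = newAesKey();
        byte[] iv = randomIv();
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.ENCRYPT_MODE, docKey, new IvParameterSpec(iv));
        return new StoredDoc(new WrappedDocumentSecretKey(docKey, accountPublic), iv, aes.doFinal(plain));
    }

    /** Same control flow as the bean: legacy pass-through, unwrap account key, unwrap document key, decrypt. */
    static byte[] getDecryptedContent(StoredDoc doc, PrivateKey userPrivate, WrappedAccountPrivateKey accountKey)
            throws GeneralSecurityException {
        if (doc.documentSecretKey == null)
            return doc.content;
        SecretKey docKey = doc.documentSecretKey.getSecretKey(accountKey.getPrivateKey(userPrivate));
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.DECRYPT_MODE, docKey, new IvParameterSpec(doc.iv));
        return aes.doFinal(doc.content);
    }

    public static void main(String[] args) throws Exception {
        KeyPair member = newRsaPair(), outsider = newRsaPair(), account = newRsaPair();
        WrappedAccountPrivateKey memberAccountKey = new WrappedAccountPrivateKey(account.getPrivate(), member.getPublic());
        byte[] plain = "constructed sample document".getBytes(StandardCharsets.UTF_8); // constructed input
        StoredDoc doc = encrypt(plain, account.getPublic());
        System.out.println("member recovers content: "
                + Arrays.equals(getDecryptedContent(doc, member.getPrivate(), memberAccountKey), plain));
        try {
            getDecryptedContent(doc, outsider.getPrivate(), memberAccountKey);
            System.out.println("outsider recovers content: unexpectedly succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("outsider recovers content: refused (" + e.getClass().getSimpleName() + ")");
        }
        StoredDoc legacy = new StoredDoc(null, null, plain);
        System.out.println("legacy doc passed through: "
                + Arrays.equals(getDecryptedContent(legacy, member.getPrivate(), memberAccountKey), plain));
    }
}
```

The outsider case is the property the whole design rests on: without the member's user key the OAEP unwrap of the account key fails, so the document key is never reached. The model deliberately lets that failure propagate as a GeneralSecurityException, where the bean swallows every exception and returns sentinel text, which is the point to watch when reviewing callers such as the Browse.java change further down this page.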
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:14
Update of /cvsroot/tolven/tolvenWEB/web/five/test
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11667/web/five/test

Modified Files:
	docDetail.xhtml
Log Message:
Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.

Index: docDetail.xhtml =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/five/test/docDetail.xhtml,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** docDetail.xhtml 20 Jan 2007 19:25:51 -0000 1.3 --- docDetail.xhtml 20 Mar 2007 09:13:44 -0000 1.4 *************** *** 40,44 **** </h:form> <pre> ! #{ccr.docXML.contentString} </pre> </div> --- 40,44 ---- </h:form> <pre> ! #{ccr.docXMLContentString} </pre> </div>
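Review bot: the EL reference changes from `#{ccr.docXML.contentString}` to `#{ccr.docXMLContentString}`, so the page now expects a `getDocXMLContentString()` property on the `ccr` backing bean, and no backing-bean change is part of this mail; confirm that getter exists and that it obtains the text through DocProtectionBean.getDecryptedContentString rather than DocBase.getContentString, otherwise this test page keeps reading the raw stored bytes around the new protection.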
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:09
Update of /cvsroot/tolven/tolven/jboss-config
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11760/jboss-config

Added Files:
	security-service.xml
Log Message:
Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
--- NEW FILE: security-service.xml ---
<server>

  <!-- ==================================================================== -->
  <!-- Security                                                             -->
  <!-- ==================================================================== -->

  <mbean code="org.jboss.security.plugins.SecurityConfig"
    name="jboss.security:service=SecurityConfig">
    <attribute name="LoginConfig">jboss.security:service=XMLLoginConfig</attribute>
  </mbean>
  <mbean code="org.jboss.security.auth.login.XMLLoginConfig"
    name="jboss.security:service=XMLLoginConfig">
    <attribute name="ConfigResource">login-config.xml</attribute>
  </mbean>

  <!-- JAAS security manager and realm mapping -->
  <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
    name="jboss.security:service=JaasSecurityManager">
    <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
    <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
    <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
    in seconds.
    If you want to disable caching of security credentials, set this to 0 to
    force authentication to occur every time. This has no effect if the
    AuthenticationCacheJndiName has been changed from the default value.
    -->
    <attribute name="DefaultCacheTimeout">1800</attribute>
    <!-- DefaultCacheResolution: Specifies the default timed cache policy
    resolution in seconds. This controls the interval at which the cache
    current timestamp is updated and should be less than the DefaultCacheTimeout
    in order for the timeout to be meaningful. This has no effect if the
    AuthenticationCacheJndiName has been changed from the default value.
    -->
    <attribute name="DefaultCacheResolution">60</attribute>
    <attribute name="CallbackHandlerClassName">org.tolven.web.security.auth.UsernamePasswordAccountUserIdCallbackHandler</attribute>
  </mbean>

</server>
From: Joseph I. <jos...@us...> - 2007-03-20 11:53:08
Update of /cvsroot/tolven/tolvenBrowse/src/org/tolven/index
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11711/src/org/tolven/index

Modified Files:
	BrowseSecurityFilter.java BrowseBase.java Browse.java
Log Message:
Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: BrowseSecurityFilter.java =================================================================== RCS file: /cvsroot/tolven/tolvenBrowse/src/org/tolven/index/BrowseSecurityFilter.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** BrowseSecurityFilter.java 24 Feb 2007 21:58:05 -0000 1.1 --- BrowseSecurityFilter.java 20 Mar 2007 09:13:48 -0000 1.2 *************** *** 7,17 **** import java.util.Date; import java.util.List; - import java.util.Set; import javax.annotation.EJB; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.security.auth.Subject; - import javax.security.auth.login.LoginContext; import javax.security.jacc.PolicyContext; import javax.servlet.Filter; --- 7,19 ---- import java.util.Date; import java.util.List; import javax.annotation.EJB; + import javax.management.JMException; + import javax.management.MBeanServer; + import javax.management.MBeanServerFactory; + import javax.management.ObjectName; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.security.auth.Subject; import javax.security.jacc.PolicyContext; import javax.servlet.Filter; *************** *** 27,32 **** import org.tolven.core.entity.AccountUser; import org.tolven.core.entity.TolvenUser; - import org.tolven.security.auth.UsernamePasswordAccountUserIdCallbackHandler; - import org.tolven.security.key.PrivateKeyRing; /** --- 29,32 ---- *************** *** 106,115 **** System.out.println("Account id " + Long.toString(accountId) + " accepted"); long accountUserId = new Long(accountUser.getId()); ! Set<PrivateKeyRing> privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); ! if (privateCredentials.isEmpty()) ! throw new ServletException("No PrivateKeyRing"); ! PrivateKeyRing privateKeyRing = (PrivateKeyRing) privateCredentials.iterator().next(); ! 
privateKeyRing.setAccountPrivateKey(accountUser.getAccountPrivateKey()); request.getSession().setAttribute("accountUserId", accountUserId); response.sendRedirect("view.browse"); return; --- 106,113 ---- System.out.println("Account id " + Long.toString(accountId) + " accepted"); long accountUserId = new Long(accountUser.getId()); ! request.getSession().setAttribute("accountId", accountUser.getAccount().getId()); request.getSession().setAttribute("accountUserId", accountUserId); + //Clear the cache since the user account information is being updated + clearAuthenticationCache(principal); response.sendRedirect("view.browse"); return; *************** *** 123,126 **** --- 121,133 ---- } + private void clearAuthenticationCache(Principal principal) throws JMException { + System.out.println(getClass() + " clearAuthenticationCache"); + MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0); + ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager"); + String[] signature = { "java.lang.String", Principal.class.getName() }; + Object[] params = { "tolvenLDAP", principal }; + server.invoke(jaasMgr, "flushAuthenticationCache", params, signature); + } + public void init(FilterConfig config) throws ServletException { try Index: BrowseBase.java =================================================================== RCS file: /cvsroot/tolven/tolvenBrowse/src/org/tolven/index/BrowseBase.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** BrowseBase.java 24 Feb 2007 21:58:05 -0000 1.1 --- BrowseBase.java 20 Mar 2007 09:13:48 -0000 1.2 *************** *** 10,14 **** import javax.naming.NamingException; import javax.security.auth.Subject; - import javax.security.auth.login.LoginContext; import javax.security.jacc.PolicyContext; import javax.servlet.ServletConfig; --- 10,13 ---- *************** *** 24,27 **** --- 23,27 ---- import org.tolven.doc.DocumentLocal; import org.tolven.doc.XMLProtectedLocal; + import 
org.tolven.security.DocProtectionLocal; /** * The base class for sample HTTP functions. We supply page header and footer functions here. *************** *** 38,41 **** --- 38,42 ---- @EJB protected XMLProtectedLocal xmlProtectedBean; @EJB protected ActivationLocal activationLocal; + @EJB protected DocProtectionLocal docProtectionBean; @Override *************** *** 50,53 **** --- 51,55 ---- xmlProtectedBean = (XMLProtectedLocal) ctx.lookup("tolven/XMLProtectedBean/local"); activationLocal = (ActivationLocal) ctx.lookup("tolven/ActivationBean/local"); + docProtectionBean = (DocProtectionLocal) ctx.lookup("tolven/DocProtectionBean/local"); } catch (NamingException e) Index: Browse.java =================================================================== RCS file: /cvsroot/tolven/tolvenBrowse/src/org/tolven/index/Browse.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** Browse.java 24 Feb 2007 21:58:05 -0000 1.1 --- Browse.java 20 Mar 2007 09:13:48 -0000 1.2 *************** *** 5,18 **** import java.util.Date; import java.util.Enumeration; - import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; - import javax.security.auth.login.LoginContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import javax.xml.bind.JAXBException; import org.tolven.app.bean.MenuPath; --- 5,15 ---- *************** *** 23,28 **** import org.tolven.core.entity.AccountUser; import org.tolven.doc.entity.DocBase; - import org.tolven.doc.entity.DocXML; - import org.tolven.trim.util.TRIMException; /** --- 20,23 ---- *************** *** 337,341 **** writer.write( "<p><em>Document referenced by this menuData item: " + docId + "</em></p>"); DocBase doc = documentLocal.findDocument(docId); ! 
writePreformatted( doc.getContentString(), writer ); } --- 332,336 ---- writer.write( "<p><em>Document referenced by this menuData item: " + docId + "</em></p>"); DocBase doc = documentLocal.findDocument(docId); ! writePreformatted( docProtectionBean.getDecryptedContentString(doc), writer ); } |
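Review bot: in the 106,113 hunk the session attributes accountId and accountUserId are written before clearAuthenticationCache(principal) runs, so if the flush throws JMException the web session already points at the new account while the EJB-tier Subject still holds the previous account's keys. Flush first and only then update the session (or remove the attributes in a catch block), and if this code sits in doFilter, which can only declare ServletException and IOException, wrap the JMException accordingly.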
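Review bot: in the 121,133 hunk, `MBeanServerFactory.findMBeanServer(null).get(0)` throws IndexOutOfBoundsException instead of a meaningful error when no MBeanServer is registered and silently takes the first one when several are; check the list is non-empty and fail with a clear message. The security-domain name "tolvenLDAP" and the MBean name "jboss.security:service=JaasSecurityManager" are string literals here and again in MobileSecurityFilter; since a tolvenSecurity.jar is being introduced, put this method and the constants there so both filters share one copy, and replace the System.out.println with the logger.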
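Review bot: in the Browse.java 337,341 hunk, writePreformatted now receives decrypted document content from docProtectionBean; since DocBase content is user-supplied, confirm writePreformatted HTML-escapes it before it lands inside the page. Also decide what the page shows when decryption fails for the caller's Subject: the old DocBase.getContent() returned the "THIS DOCUMENT CANNOT BE DECRYPTED" marker, whereas getDecryptedContentString will presumably propagate an exception into the response.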
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:37
|
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/security/key
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11181/src/org/tolven/security/key
Removed Files: PrivateKeyRing.java
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created. --- PrivateKeyRing.java DELETED --- |

From: Joseph I. <jos...@us...> - 2007-03-20 11:13:25
|
Update of /cvsroot/tolven/tolvenMobileServer/src/org/tolven/mobile
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11748/src/org/tolven/mobile
Modified Files: MobileSecurityFilter.java
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: MobileSecurityFilter.java =================================================================== RCS file: /cvsroot/tolven/tolvenMobileServer/src/org/tolven/mobile/MobileSecurityFilter.java,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** MobileSecurityFilter.java 28 Feb 2007 07:01:28 -0000 1.2 --- MobileSecurityFilter.java 20 Mar 2007 09:13:52 -0000 1.3 *************** *** 2,13 **** import java.io.IOException; - import java.io.Writer; import java.security.Principal; import java.security.acl.Group; import java.util.Date; import java.util.List; - import java.util.Set; import javax.annotation.EJB; import javax.naming.InitialContext; import javax.naming.NamingException; --- 2,15 ---- import java.io.IOException; import java.security.Principal; import java.security.acl.Group; import java.util.Date; import java.util.List; import javax.annotation.EJB; + import javax.management.JMException; + import javax.management.MBeanServer; + import javax.management.MBeanServerFactory; + import javax.management.ObjectName; import javax.naming.InitialContext; import javax.naming.NamingException; *************** *** 26,30 **** import org.tolven.core.entity.AccountUser; import org.tolven.core.entity.TolvenUser; - import org.tolven.security.key.PrivateKeyRing; /** --- 28,31 ---- *************** *** 93,102 **** System.out.println("Account id " + Long.toString(accountId) + " accepted"); long accountUserId = new Long(accountUser.getId()); ! Set<PrivateKeyRing> privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); ! if (privateCredentials.isEmpty()) ! throw new ServletException("No PrivateKeyRing"); ! PrivateKeyRing privateKeyRing = (PrivateKeyRing) privateCredentials.iterator().next(); ! 
privateKeyRing.setAccountPrivateKey(accountUser.getAccountPrivateKey()); request.getSession().setAttribute("accountUserId", accountUserId); } } --- 94,101 ---- System.out.println("Account id " + Long.toString(accountId) + " accepted"); long accountUserId = new Long(accountUser.getId()); ! request.getSession().setAttribute("accountId", accountUser.getAccount().getId()); request.getSession().setAttribute("accountUserId", accountUserId); + //Clear the cache since the user account information is being updated + clearAuthenticationCache(principal); } } *************** *** 110,113 **** --- 109,121 ---- } + private void clearAuthenticationCache(Principal principal) throws JMException { + System.out.println(getClass() + " clearAuthenticationCache"); + MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0); + ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager"); + String[] signature = { "java.lang.String", Principal.class.getName() }; + Object[] params = { "tolvenLDAP", principal }; + server.invoke(jaasMgr, "flushAuthenticationCache", params, signature); + } + public void init(FilterConfig config) throws ServletException { try |
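Review bot: in the 93,102 hunk the removed check that threw ServletException("No PrivateKeyRing") has no replacement: the filter now accepts the account and sets accountId/accountUserId without verifying that the subject holds keys for it, deferring that to the KeyLoginModule on the next EJB call. That is acceptable only if a KeyLoginModule failure surfaces to the mobile client as an authentication error rather than a generic server error, so check that path. The same ordering caveat as in the web filter applies (flush the cache before writing the session attributes), and "accountId" is a bare literal here while the web tier uses VestibuleSecurityFilter.ACCOUNT_ID, so the two names can drift; share the constant.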
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:23
|
Update of /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/entity In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11181/src/org/tolven/doc/entity Modified Files: DocBase.java DocImage.java Log Message: Provided two interfaces for DocProctectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security for direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications are now occur byf clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tovlenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created. Index: DocImage.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/entity/DocImage.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** DocImage.java 31 Aug 2006 05:18:28 -0000 1.1 --- DocImage.java 20 Mar 2007 09:13:07 -0000 1.2 *************** *** 17,20 **** --- 17,22 ---- import javax.swing.ImageIcon; + import org.tolven.security.ImageDocContentSecurity; + import com.sun.image.codec.jpeg.ImageFormatException; import com.sun.image.codec.jpeg.JPEGCodec; *************** *** 28,32 **** @Entity @DiscriminatorValue("IMG") ! public class DocImage extends DocBase { /** --- 30,34 ---- @Entity @DiscriminatorValue("IMG") ! 
public class DocImage extends DocBase implements ImageDocContentSecurity { /** *************** *** 45,50 **** * @throws IOException */ ! public void streamJPEGThumbnail( int targetWidth, int targetHeight, OutputStream stream) throws ImageFormatException, IOException{ ! Image sourceImage = new ImageIcon(Toolkit.getDefaultToolkit().createImage(getContent() )).getImage(); float hscale = ((float)targetWidth)/((float)sourceImage.getWidth(null)); float vscale = ((float)targetHeight)/((float)sourceImage.getHeight(null)); --- 47,52 ---- * @throws IOException */ ! public void streamJPEGThumbnail(byte[] unencryptedContent, int targetWidth, int targetHeight, OutputStream stream) throws ImageFormatException, IOException{ ! Image sourceImage = new ImageIcon(Toolkit.getDefaultToolkit().createImage(unencryptedContent)).getImage(); float hscale = ((float)targetWidth)/((float)sourceImage.getWidth(null)); float vscale = ((float)targetHeight)/((float)sourceImage.getHeight(null)); Index: DocBase.java =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/src/org/tolven/doc/entity/DocBase.java,v retrieving revision 1.22 retrieving revision 1.23 diff -C2 -d -r1.22 -r1.23 *** DocBase.java 18 Feb 2007 02:10:13 -0000 1.22 --- DocBase.java 20 Mar 2007 09:13:07 -0000 1.23 *************** *** 14,24 **** package org.tolven.doc.entity; - import java.io.PrintStream; import java.io.Serializable; - import java.security.Principal; - import java.security.PrivateKey; import java.security.PublicKey; - import java.security.acl.Group; - import java.util.Set; import javax.crypto.Cipher; --- 14,19 ---- *************** *** 40,53 **** import javax.persistence.ManyToOne; import javax.persistence.Table; - import javax.security.auth.Subject; - import javax.security.jacc.PolicyContext; import org.apache.commons.codec.binary.Base64; import org.tolven.core.entity.Account; import org.tolven.core.entity.TolvenUser; ! 
import org.tolven.security.key.AccountPrivateKey; import org.tolven.security.key.DocumentSecretKey; - import org.tolven.security.key.PrivateKeyRing; - import org.tolven.security.key.UserPrivateKey; --- 35,44 ---- import javax.persistence.ManyToOne; import javax.persistence.Table; import org.apache.commons.codec.binary.Base64; import org.tolven.core.entity.Account; import org.tolven.core.entity.TolvenUser; ! import org.tolven.security.DocContentSecurity; import org.tolven.security.key.DocumentSecretKey; *************** *** 61,65 **** @DiscriminatorColumn(name="DISC", discriminatorType=DiscriminatorType.STRING,length=10) @DiscriminatorValue("DOC") ! public class DocBase implements Serializable { /** --- 52,56 ---- @DiscriminatorColumn(name="DISC", discriminatorType=DiscriminatorType.STRING,length=10) @DiscriminatorValue("DOC") ! public class DocBase implements DocContentSecurity, Serializable { /** *************** *** 161,260 **** /** ! * Return the raw contents of the document. This method calls decryption each time it is called. ! * Decryption takes CPU time and it requires access to security policy which means ! * the caller must have permission to call this method. */ public byte[] getContent() { ! return getDecryptedContent(content); ! } ! ! ! /** ! * Currently assumes all content is encrypted and only the authorized loggedInUser will succeed in getting the readable content ! * @param encryptedContent ! * @return ! */ ! private byte[] getDecryptedContent(byte[] encryptedContent) { ! System.out.println( "DocBase.getDecryptedContent"); ! if (encryptedContent == null) ! return encryptedContent; ! try { ! if (account == null) ! throw new RuntimeException("Content cannot be retrieved from a document which is not associated with an account"); ! Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container"); ! if (subject == null) ! throw new IllegalStateException("No Subject found in PolicyContext"); ! 
//TODO: Assume one Principal at this time. Should the Principal be identified in the Subject or via ejbContext? ! Principal principal = null; ! Object obj = null; ! for (java.util.Iterator iter = subject.getPrincipals().iterator(); iter.hasNext();) { ! obj = iter.next(); ! if (obj instanceof Principal && !(obj instanceof Group)) { ! principal = (Principal) obj; ! break; ! } ! } ! if (principal == null) ! throw new IllegalStateException("No Principal found in Subject"); ! Set privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); ! if (privateCredentials.isEmpty()) ! throw new RuntimeException(": No PrivateKeyRing found in Subject " + principal.getName()); ! PrivateKeyRing privateKeyRing = (PrivateKeyRing)privateCredentials.iterator().next(); ! UserPrivateKey userPrivateKey = privateKeyRing.getUserPrivateKey(); ! PrivateKey privateKey = userPrivateKey.getPrivateKey(); ! AccountPrivateKey activeAccountPrivateKey = privateKeyRing.getAccountPrivateKey(); ! if (documentSecretKey == null) { ! //TODO: For backward compatibility, we no longer throw an exception here, since older accounts never had a documenSecretKey and ! // were thus never encrypted ! //throw new RuntimeException("Content cannot be decrypted without a documentSecretKey"); ! return encryptedContent; ! } ! if (activeAccountPrivateKey == null) { ! //TODO: No AccountPrivateKey means the content cannot be decrypted....for now give it back as encryptedContent ! return encryptedContent; ! } ! SecretKey docSecretKey = documentSecretKey.getSecretKey(activeAccountPrivateKey.getPrivateKey(privateKey)); ! Cipher cipher = Cipher.getInstance(docSecretKey.getAlgorithm()); ! cipher.init(Cipher.DECRYPT_MODE, docSecretKey); ! return cipher.doFinal(encryptedContent); ! } catch (Exception ex) { ! ex.printStackTrace(); ! return "THIS DOCUMENT CANNOT BE DECRYPTED".getBytes(); ! } } /** ! * Return the content as a string. This method calls decryption each time it is called. ! 
* Decryption takes CPU time and it requires access to security policy which means ! * the caller must have permission to call this method. ! * @return */ ! public String getContentString() { ! byte [] c = getContent(); ! if (c==null) return null; ! return new String(c); } ! public void setContent(byte[] content) { ! this.content = getEncryptedContent(content); } ! private byte[] getEncryptedContent(byte[] content) { ! if (content == null) ! //TODO: Then presumably the content could not have been encrypted ! return content; try { ! if (account == null) throw new RuntimeException("Content cannot be added to a document which is not associated with an account"); ! PublicKey accountPublicKey = account.getPublicKey(); if (accountPublicKey == null) { ! //TODO: No accountPublicKey means the content cannot be encrypted....for now give it back as content ! return content; } - documentSecretKey = DocumentSecretKey.getInstance(); - SecretKey docSecretKey = documentSecretKey.init(accountPublicKey); - Cipher cipher = Cipher.getInstance(docSecretKey.getAlgorithm()); - cipher.init(Cipher.ENCRYPT_MODE, docSecretKey); - return cipher.doFinal(content); } catch (Exception ex) { ex.printStackTrace(); --- 152,195 ---- /** ! * Return the raw contents of the document. */ public byte[] getContent() { ! return content; } /** ! * Set the raw encrypted contents for this document ! * @param content */ ! private void setContent(byte[] content) { ! this.content = content; } ! //TODO This method should be protected using package protection for use by the DocProtectionBean ! public DocumentSecretKey getDocumentSecretKey() { ! return documentSecretKey; } ! /** ! * Set the content of this document to an encrypted byte array. ! */ ! public void setAsEncryptedContent(byte[] unencryptedContent) { try { ! if (!isEditable()) ! throw new RuntimeException("Document is not editable"); ! 
if (getAccount() == null) throw new RuntimeException("Content cannot be added to a document which is not associated with an account"); ! PublicKey accountPublicKey = getAccount().getPublicKey(); if (accountPublicKey == null) { ! //TODO: No accountPublicKey means the content cannot be encrypted....for now backward compatibility and demo set content unencrypted ! System.out.println(getClass() + " No AccountPublicKey found for doc id=" + getId()); ! setContent(unencryptedContent); ! } else { ! documentSecretKey = DocumentSecretKey.getInstance(); ! SecretKey docSecretKey = documentSecretKey.init(accountPublicKey); ! Cipher cipher = Cipher.getInstance(docSecretKey.getAlgorithm()); ! cipher.init(Cipher.ENCRYPT_MODE, docSecretKey); ! setContent(cipher.doFinal(unencryptedContent)); } } catch (Exception ex) { ex.printStackTrace(); *************** *** 263,283 **** } - public void setContentString(String content) { - setContent(content.getBytes()); - } /** ! * Return the contents of the document as base64 encoded. */ ! public String getContentB64() { ! return new String(Base64.encodeBase64(getContent())); } /** ! * Set the content of this document from a base 64 encoded string. */ ! public void setContentB64(String content) { ! setContent(Base64.decodeBase64(content.getBytes())); } ! /** * Return the Media type for this document. --- 198,215 ---- } /** ! * Set the content of this document from a base 64 encoded string. */ ! public void setAsEncryptedContentB64(String content) { ! setAsEncryptedContent(Base64.decodeBase64(content.getBytes())); } /** ! * Set the content of this document to a string which is encrypted. */ ! public void setAsEncryptedContentString(String content) { ! setAsEncryptedContent(content.getBytes()); } ! /** * Return the Media type for this document. |
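Review bot: in the DocImage 45,50 hunk, streamJPEGThumbnail now takes unencryptedContent as a parameter and no longer reads any state of the instance; say in the javadoc that the caller must obtain the bytes from DocProtectionBean, because passing getContent() (now raw ciphertext) is the obvious mistake for existing callers and will surface only as an ImageFormatException at runtime.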
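Review bot: in the DocBase 161,260 hunk, getContent() keeps its name but changes meaning from decrypted to encrypted bytes, so any caller not updated in this commit silently receives ciphertext; renaming it (for example to getEncryptedContent()) would turn missed callers into compile errors instead of corrupt output. In setAsEncryptedContent the catch block only prints the stack trace, so on a Cipher failure the document keeps whatever content it had before and the caller is not told; rethrow rather than swallow. getDocumentSecretKey() is public while its TODO asks for package protection, but DocProtectionBean lives in org.tolven.security, not org.tolven.doc.entity, so package protection cannot work as written; either relocate the bean or keep the getter public and drop the TODO.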
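Review bot: in the 263,283 hunk, setAsEncryptedContentString(content) and setAsEncryptedContentB64(content) both call content.getBytes() with the platform default charset (the removed getContentString() used new String(c) the same way), so the plaintext that gets encrypted depends on the JVM's default encoding. Pass an explicit charset (UTF-8 for text, US-ASCII for the Base64 input) and make the decrypting side in DocProtectionBean use the same one, otherwise content does not survive a move between servers with different defaults.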
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:22
|
Update of /cvsroot/tolven/tolvenWEB/src/org/tolven/web
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11667/src/org/tolven/web
Modified Files: DocAction.java TopAction.java TRIMAction.java TolvenAction.java RegisterAction.java AccountAction.java MenuAction.java
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: AccountAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/AccountAction.java,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** AccountAction.java 28 Feb 2007 07:06:12 -0000 1.12 --- AccountAction.java 20 Mar 2007 09:13:43 -0000 1.13 *************** *** 17,27 **** import javax.annotation.EJB; - import javax.faces.context.ExternalContext; - import javax.faces.context.FacesContext; import javax.faces.model.DataModel; import javax.faces.model.ListDataModel; import javax.naming.InitialContext; import javax.naming.NamingException; - import javax.servlet.http.HttpSession; import org.tolven.core.ActivationLocal; --- 17,24 ---- *************** *** 107,114 **** } // Save accountUserId in session for subsequent request ! ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext(); ! HttpSession session = ((HttpSession) ctx.getSession(true)); ! session.setAttribute(VestibuleSecurityFilter.ACCOUNTUSER_ID, new Long( accountUser.getId())); ! // getTop().updatePrivateKeyRing(); return "success"; } --- 104,110 ---- } // Save accountUserId in session for subsequent request ! setSessionAttribute(VestibuleSecurityFilter.ACCOUNTUSER_ID, new Long( accountUser.getId())); ! //TODO The Account and its id can be obtained from accountUser, so is ACCOUNT_ID necessary? ! 
setSessionAttribute(VestibuleSecurityFilter.ACCOUNT_ID, new Long( accountUser.getAccount().getId())); return "success"; } Index: RegisterAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/RegisterAction.java,v retrieving revision 1.46 retrieving revision 1.47 diff -C2 -d -r1.46 -r1.47 *** RegisterAction.java 8 Mar 2007 17:07:23 -0000 1.46 --- RegisterAction.java 20 Mar 2007 09:13:43 -0000 1.47 *************** *** 431,434 **** --- 431,435 ---- } HttpSession session = (HttpSession)FacesContext.getCurrentInstance().getExternalContext().getSession(false); + System.out.println(getClass() + " REGISTER ACTION :VESTIBULE_PASS=" + session.getAttribute(VestibuleSecurityFilter.VESTIBULE_PASS)); session.setAttribute(VestibuleSecurityFilter.VESTIBULE_PASS, "true"); return "success"; Index: TolvenAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/TolvenAction.java,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** TolvenAction.java 17 Feb 2007 23:07:32 -0000 1.7 --- TolvenAction.java 20 Mar 2007 09:13:43 -0000 1.8 *************** *** 27,31 **** import javax.faces.context.FacesContext; - import org.tolven.security.key.PrivateKeyRing; import org.tolven.security.key.UserPrivateKey; import org.tolven.web.security.VestibuleSecurityFilter; --- 27,30 ---- *************** *** 46,54 **** } ! protected Object getRequestAttribute( String name ) { ! HttpServletRequest req = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest(); ! // System.out.println( "Request attribute: " + name + "=" + req.getAttribute(name)); ! return req.getAttribute( name ); ! } protected Object getRequestParameter( String name ) { --- 45,58 ---- } ! protected Object getRequestAttribute( String name ) { ! 
HttpServletRequest req = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest(); ! // System.out.println( "Request attribute: " + name + "=" + req.getAttribute(name)); ! return req.getAttribute( name ); ! } ! ! protected void setSessionAttribute(String name, Object anObject) { ! Map<String,Object> sessionMap = FacesContext.getCurrentInstance().getExternalContext().getSessionMap(); ! sessionMap.put(name, anObject); ! } protected Object getRequestParameter( String name ) { *************** *** 102,119 **** */ public UserPrivateKey getSubjectUserPrivateKey() throws PolicyContextException, GeneralSecurityException { - return getSubjectPrivateKeyRing().getUserPrivateKey(); - } - - /** - * Return the PrivateKeyRing for the user - * @return - * @throws PolicyContextException - * @throws GeneralSecurityException - */ - public PrivateKeyRing getSubjectPrivateKeyRing() throws PolicyContextException, GeneralSecurityException { Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container"); if (subject == null) throw new GeneralSecurityException("No Subject found in PolicyContext"); ! Set privateCredentials = subject.getPrivateCredentials(PrivateKeyRing.class); if (privateCredentials.isEmpty()) { Principal principal = null; --- 106,113 ---- */ public UserPrivateKey getSubjectUserPrivateKey() throws PolicyContextException, GeneralSecurityException { Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container"); if (subject == null) throw new GeneralSecurityException("No Subject found in PolicyContext"); ! Set privateCredentials = subject.getPrivateCredentials(UserPrivateKey.class); if (privateCredentials.isEmpty()) { Principal principal = null; *************** *** 129,135 **** throw new GeneralSecurityException("No Principal found in PolicyContext Subject"); String principalName = principal.getName(); ! 
throw new GeneralSecurityException(": No PrivateKeyRing found for " + principalName); } ! return (PrivateKeyRing) privateCredentials.iterator().next(); } --- 123,129 ---- throw new GeneralSecurityException("No Principal found in PolicyContext Subject"); String principalName = principal.getName(); ! throw new GeneralSecurityException(": No UserPrivateKey found for " + principalName); } ! return (UserPrivateKey) privateCredentials.iterator().next(); } Index: MenuAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/MenuAction.java,v retrieving revision 1.38 retrieving revision 1.39 diff -C2 -d -r1.38 -r1.39 *** MenuAction.java 12 Mar 2007 08:46:38 -0000 1.38 --- MenuAction.java 20 Mar 2007 09:13:43 -0000 1.39 *************** *** 66,69 **** --- 66,70 ---- import org.tolven.gen.entity.FamilyMember; import org.tolven.gen.model.GenMedicalCCR; + import org.tolven.security.DocProtectionLocal; import org.tolven.trim.util.TRIMException; /** *************** *** 90,93 **** --- 91,95 ---- protected XMLLocal xmlLocal; protected CreatorLocal creatorBean; + protected DocProtectionLocal docProtectionBean; private String givenName; private String value; *************** *** 106,109 **** --- 108,112 ---- xmlProtectedLocal = (XMLProtectedLocal) ctx.lookup("tolven/XMLProtectedBean/local"); xmlLocal = (XMLLocal) ctx.lookup("tolven/XMLBean/local"); + docProtectionBean = (DocProtectionLocal) ctx.lookup("tolven/DocProtectionBean/local"); } *************** *** 352,355 **** --- 355,368 ---- } + /** + * This method is needed because menuData only contains documentId, a separate query is needed + * to get the document itself. 
+ * @return + * @throws Exception + */ + public String getDrilldownItemDocContentString() throws Exception { + return docProtectionBean.getDecryptedContentString(getDrilldownItemDoc()); + } + public DocCCR getDocCCR( ) throws Exception { MenuData md = getDrilldownItem(); Index: TopAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/TopAction.java,v retrieving revision 1.45 retrieving revision 1.46 diff -C2 -d -r1.45 -r1.46 *** TopAction.java 28 Feb 2007 07:03:19 -0000 1.45 --- TopAction.java 20 Mar 2007 09:13:43 -0000 1.46 *************** *** 15,24 **** import java.io.IOException; - import java.security.GeneralSecurityException; import java.util.LinkedList; import java.util.List; - import java.util.Map; import java.util.Properties; - import java.util.Set; import javax.faces.context.ExternalContext; --- 15,21 ---- *************** *** 26,47 **** import javax.naming.InitialContext; import javax.naming.NamingException; - import javax.security.auth.Subject; - import javax.security.jacc.PolicyContext; - import javax.security.jacc.PolicyContextException; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; - import org.tolven.app.MenuLocal; import org.tolven.core.ActivationLocal; - import org.tolven.core.InvitationLocal; import org.tolven.core.entity.AccountUser; - import org.tolven.core.entity.Status; import org.tolven.core.entity.TolvenUser; import org.tolven.security.LDAPLocal; - import org.tolven.security.LoginLocal; import org.tolven.security.TolvenPerson; - import org.tolven.security.key.PrivateKeyRing; - import org.tolven.security.key.UserPrivateKey; - import org.tolven.security.key.UserPublicKey; import org.tolven.web.security.VestibuleSecurityFilter; --- 23,33 ---- *************** *** 54,59 **** private LDAPLocal ldap; private ActivationLocal activation; - private LoginLocal loginBean; - private InvitationLocal invitationBean; --- 40,43 ---- 
*************** *** 83,88 **** // J2EE 1.5 has not yet defined exact XML <ejb-ref> syntax for EJB3 activation = (ActivationLocal) ctx.lookup("tolven/ActivationBean/local"); - loginBean = (LoginLocal) ctx.lookup("tolven/LoginBean/local"); - invitationBean = (InvitationLocal) ctx.lookup("tolven/InvitationBean/local"); ldap = (LDAPLocal) ctx.lookup("tolven/LDAPBean/local"); ignoreDefault = false; --- 67,70 ---- Index: DocAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/DocAction.java,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** DocAction.java 17 Feb 2007 23:07:32 -0000 1.13 --- DocAction.java 20 Mar 2007 09:13:43 -0000 1.14 *************** *** 14,41 **** package org.tolven.web; - import java.util.ArrayList; import java.util.List; import java.util.Map; import javax.annotation.EJB; - import javax.el.ELException; import javax.faces.application.Application; import javax.faces.context.FacesContext; - import javax.faces.model.SelectItem; import javax.naming.InitialContext; import javax.naming.NamingException; - import javax.servlet.http.HttpSession; - import javax.xml.bind.JAXBException; - import org.tolven.app.entity.MenuData; - import org.tolven.ccr.ContinuityOfCareRecord; import org.tolven.doc.DocumentLocal; - import org.tolven.doc.XMLLocal; import org.tolven.doc.XMLProtectedLocal; import org.tolven.doc.entity.DocBase; - import org.tolven.doc.entity.DocCCR; import org.tolven.doc.entity.DocImage; import org.tolven.doc.entity.DocXML; ! 
import org.tolven.web.security.VestibuleSecurityFilter; /** --- 14,32 ---- package org.tolven.web; import java.util.List; import java.util.Map; import javax.annotation.EJB; import javax.faces.application.Application; import javax.faces.context.FacesContext; import javax.naming.InitialContext; import javax.naming.NamingException; import org.tolven.doc.DocumentLocal; import org.tolven.doc.XMLProtectedLocal; import org.tolven.doc.entity.DocBase; import org.tolven.doc.entity.DocImage; import org.tolven.doc.entity.DocXML; ! import org.tolven.security.DocProtectionLocal; /** *************** *** 57,60 **** --- 48,52 ---- @EJB protected DocumentLocal docBean; @EJB protected XMLProtectedLocal xmlProtectedBean; + @EJB private DocProtectionLocal docProtectionBean; /** Creates a new instance of DocAction *************** *** 66,69 **** --- 58,62 ---- docBean = (DocumentLocal) ctx.lookup("tolven/DocumentBean/local"); xmlProtectedBean = (XMLProtectedLocal) ctx.lookup("tolven/XMLProtectedBean/local"); + docProtectionBean = (DocProtectionLocal) ctx.lookup("tolven/DocProtectionBean/local"); setContent("This is some more content in B64 - We'll see how big it can be and if it can handle non-printable characters in a while" ); } *************** *** 76,80 **** doc = new DocBase(); doc.setMediaType( "text/plain" ); ! doc.setContentString( content ); docBean.createDocument( doc, getSessionTolvenUserId(), getSessionAccountId() ); return "success"; --- 69,73 ---- doc = new DocBase(); doc.setMediaType( "text/plain" ); ! doc.setAsEncryptedContentString(content); docBean.createDocument( doc, getSessionTolvenUserId(), getSessionAccountId() ); return "success"; *************** *** 111,128 **** } ! /** ! * Type-safe method to return the current XML-based document, if any. ! * @return ! * @throws Exception ! */ public DocXML getDocXML( ) throws Exception { ! DocBase d = getDoc(); ! if (d==null) return null; ! if (!(d instanceof DocXML)) { ! 
System.out.println( "Document is not CCR " + d.getId() + " Class: " + d.getClass().getName()); ! return null; ! } ! return (DocXML) d; ! } public long getDocumentId() { --- 104,132 ---- } ! /** ! * Type-safe method to return the current XML-based document, if any. ! * @return ! * @throws Exception ! */ public DocXML getDocXML( ) throws Exception { ! DocBase d = getDoc(); ! if (d==null) return null; ! if (!(d instanceof DocXML)) { ! System.out.println( "Document is not CCR " + d.getId() + " Class: " + d.getClass().getName()); ! return null; ! } ! return (DocXML) d; ! } ! ! /** ! * Type-safe method to return the current XML-based document, if any. ! * @return ! * @throws Exception ! */ ! public String getDocXMLContentString( ) throws Exception { ! DocXML d = getDocXML(); ! if (d==null) return null; ! return docProtectionBean.getDecryptedContentString(d); ! } public long getDocumentId() { Index: TRIMAction.java =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/src/org/tolven/web/TRIMAction.java,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** TRIMAction.java 12 Mar 2007 08:46:38 -0000 1.2 --- TRIMAction.java 20 Mar 2007 09:13:43 -0000 1.3 *************** *** 65,69 **** ByteArrayOutputStream trimXML = new ByteArrayOutputStream() ; xmlLocal.marshalTRIM(trim, trimXML); ! doc.setContent(trimXML.toByteArray()); return "success"; } --- 65,69 ---- ByteArrayOutputStream trimXML = new ByteArrayOutputStream() ; xmlLocal.marshalTRIM(trim, trimXML); ! doc.setAsEncryptedContent(trimXML.toByteArray()); return "success"; } |
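Review bot: in the RegisterAction 431,434 hunk the added System.out.println of VESTIBULE_PASS is debug output that fires on every registration; drop it or route it through the logger at debug level. It also dereferences a session obtained with getSession(false), which can be null; the existing setAttribute call has the same problem, so guard it once.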
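Review bot: in the TolvenAction 46,54 hunk, setSessionAttribute declares Map&lt;String,Object&gt;, so the class needs an import of java.util.Map; the visible import hunk only removes PrivateKeyRing, so confirm it compiles. In the 102,119 hunk the raw Set should be Set&lt;UserPrivateKey&gt; since Subject.getPrivateCredentials(Class) is generic, and the message ": No UserPrivateKey found for " still carries the stray leading colon inherited from the PrivateKeyRing message.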
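Review bot: in the DocAction 111,128 hunk the javadoc copied onto getDocXMLContentString still reads "Type-safe method to return the current XML-based document"; it should say the method returns the decrypted content string via DocProtectionBean. In the 57,60 hunk docProtectionBean is declared `@EJB private` while the neighbouring beans are `protected`; pick one visibility so subclasses see a consistent contract.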
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:21
Update of /cvsroot/tolven/tolven/installer/template In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11760/installer/template
Modified Files: ant-build.template
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: ant-build.template =================================================================== RCS file: /cvsroot/tolven/tolven/installer/template/ant-build.template,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** ant-build.template 24 Feb 2007 23:59:09 -0000 1.5 --- ant-build.template 20 Mar 2007 09:13:56 -0000 1.6 *************** *** 78,81 **** --- 78,82 ---- tolvenBrowse.location=${tolven.home}/tolvenBrowse tolvenMobileServer.location=${tolven.home}/tolvenMobileServer + tolvenSecurity.location=${tolven.home}/tolvenSecurity jboss-rules.location=${tolven.location}/lib/jboss-rules |
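Review bot: this hunk (78,82) only adds the source location property tolvenSecurity.location; the log message says tolvenSecurity.jar must be on the server before tolven.ear is deployed so that the replacement CallbackHandler can be loaded, and nothing in the installer template shown here copies that jar into the server's lib directory. Confirm that an installer target deploys `${tolvenSecurity.location}/build/tolvenSecurity.jar` ahead of the ear; otherwise the replacement handler is not found at startup and the default JBoss CallbackHandler remains in effect.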
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:20
Update of /cvsroot/tolven/tolven/template In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11760/template
Modified Files: ant-build.template
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: ant-build.template =================================================================== RCS file: /cvsroot/tolven/tolven/template/ant-build.template,v retrieving revision 1.53 retrieving revision 1.54 diff -C2 -d -r1.53 -r1.54 *** ant-build.template 19 Mar 2007 00:53:22 -0000 1.53 --- ant-build.template 20 Mar 2007 09:13:56 -0000 1.54 *************** *** 83,86 **** --- 83,87 ---- tolvenMobileServer.location=${tolven.home}/tolvenMobileServer tolvenMobileClient.location=${tolven.home}/tolvenMobileClient + tolvenSecurity.location=${tolven.home}/tolvenSecurity jboss-rules.location=${tolven.location}/lib/jboss-rules |
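The log message above describes moving UserPrivateKey and AccountPrivateKey into the JAAS Subject's privateCredentials through a KeyLoginModule, so that the EJB tier can pick the key for the selected account out of the caller Subject, and re-authenticating for another account by clearing the principal's cache so the module runs again. The following is an added illustration of that JAAS pattern, written for this page and not Tolven's code: the UserPrivateKey and AccountPrivateKey holder classes, the `accountId` module option, and the in-memory RSA key generation are assumptions (a real module would unwrap stored keys with the caller's credentials), and the JBoss cache flush is only referred to in a comment.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Assumed holder types: the log message names them but does not show their definitions. */
final class UserPrivateKey {
    final PrivateKey key;
    UserPrivateKey(PrivateKey key) { this.key = key; }
}

final class AccountPrivateKey {
    final long accountId;
    final PrivateKey key;
    AccountPrivateKey(long accountId, PrivateKey key) { this.accountId = accountId; this.key = key; }
}

/** Illustrative stand-in for the KeyLoginModule named in the log message (not the project's class). */
public class KeyLoginModuleExample implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;
    private UserPrivateKey userKey;
    private AccountPrivateKey accountKey;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
    }

    public boolean login() throws LoginException {
        // Assumption: the selected account arrives as a module option. A real module would
        // unwrap the stored user/account keys with the caller's credentials; fresh RSA keys
        // are generated here so the example runs offline.
        try {
            long accountId = Long.parseLong(String.valueOf(options.get("accountId")));
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            userKey = new UserPrivateKey(gen.generateKeyPair().getPrivate());
            accountKey = new AccountPrivateKey(accountId, gen.generateKeyPair().getPrivate());
            return true;
        } catch (Exception e) {
            throw new LoginException("key unwrap failed: " + e);
        }
    }

    public boolean commit() {
        // Private, not public, credentials: with a SecurityManager installed, iterating this
        // set requires PrivateCredentialPermission, which keeps the keys off casual code paths.
        Set<Object> creds = subject.getPrivateCredentials();
        creds.add(userKey);
        creds.add(accountKey);
        return true;
    }

    public boolean abort() {
        userKey = null;
        accountKey = null;
        return true;
    }

    public boolean logout() {
        // Remove both key types so a re-login for another account cannot see stale keys.
        Set<Object> creds = subject.getPrivateCredentials();
        creds.removeAll(subject.getPrivateCredentials(UserPrivateKey.class));
        creds.removeAll(subject.getPrivateCredentials(AccountPrivateKey.class));
        return true;
    }

    /** What an EJB-tier bean would do with the caller Subject: select the current account's key. */
    static PrivateKey accountKeyFor(Subject subject, long accountId) {
        for (AccountPrivateKey k : subject.getPrivateCredentials(AccountPrivateKey.class)) {
            if (k.accountId == accountId) {
                return k.key;
            }
        }
        throw new IllegalStateException("Subject carries no AccountPrivateKey for account " + accountId);
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        KeyLoginModuleExample module = new KeyLoginModuleExample();
        module.initialize(subject, null, new HashMap<String, Object>(),
                          Collections.singletonMap("accountId", "42"));
        if (module.login()) {
            module.commit();
        }
        PrivateKey key = accountKeyFor(subject, 42L);
        System.out.println("Account 42 key present: " + key.getAlgorithm()
                + ", private credentials held: " + subject.getPrivateCredentials().size());

        // Switching accounts: the log message describes this as clearing the principal's
        // authentication cache so the login module runs again. Locally that is logout()
        // followed by a fresh login()/commit() with the other account's option value.
        module.logout();
        try {
            accountKeyFor(subject, 42L);
        } catch (IllegalStateException expected) {
            System.out.println("After logout: " + expected.getMessage());
        }
    }
}
```

The point of keeping the keys in privateCredentials rather than in a bean field or the HTTP session is that they travel with the Subject the container propagates from the web tier to the EJB tier, and are discarded with it, which is what the log message relies on when it says the web tier no longer identifies the account by the key it holds.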
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:20
Update of /cvsroot/tolven/tolvenWEB/web/five In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11667/web/five
Modified Files: xml.xhtml
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: xml.xhtml =================================================================== RCS file: /cvsroot/tolven/tolvenWEB/web/five/xml.xhtml,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** xml.xhtml 16 Jan 2007 06:42:48 -0000 1.3 --- xml.xhtml 20 Mar 2007 09:13:44 -0000 1.4 *************** *** 12,16 **** Document: #{menu.drilldownItem.documentId} <pre> ! #{menu.drilldownItemDoc.contentString} </pre> --- 12,16 ---- Document: #{menu.drilldownItem.documentId} <pre> ! #{menu.drilldownItemDocContentString} </pre> |
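Review bot: the EL in this hunk (12,16) now reads `#{menu.drilldownItemDocContentString}`, which needs a getDrilldownItemDocContentString() on the menu bean, but no hunk in this change set adds one; the accessor added in this commit is getDocXMLContentString() on DocAction. Confirm the menu bean exposes the property, or the page fails at render time with a property-not-found error. Since the value is decrypted document content written into <pre>, keep it on an escaped output path (inline EL text in Facelets is escaped by default) and do not switch it to an unescaped outputText.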
From: Joseph I. <jos...@us...> - 2007-03-20 11:13:19
Update of /cvsroot/tolven/tolvenEJB In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv11181
Modified Files: build.xml
Log Message: Provided two interfaces for DocProtectionBean: DocContentSecurity and ImageDocContentSecurity in an attempt to decouple the security from direct dependence on Tolven entities. Removed the PrivateKeyRing class and will now place UserPrivateKey and AccountPrivateKey directly in the Subject's privateCredentials. Clarified the filter sequencing code. Web tier now distinguishes the current account solely by the session accountUserId/accountId attributes, rather than the AccountPrivateKey in the PrivateKeyRing of the web tier Subject. Reauthentications now occur by clearing the cache for the principal, which via the KeyLoginModule, results in the keys for the selected Account making their way to the EJB tier Subject for use in the EJB tier. In the EJB tier, the content of DocBase is now protected by DocProtectionBean, which belongs to the tolvenLDAP SecurityDomain. In order to replace the default JBoss CallbackHandler, the class needs to be available to the server before tolven.ear is deployed. A separate tolvenSecurity.jar is now being created.
Index: build.xml =================================================================== RCS file: /cvsroot/tolven/tolvenEJB/build.xml,v retrieving revision 1.18 retrieving revision 1.19 diff -C2 -d -r1.18 -r1.19 *** build.xml 12 Mar 2007 08:47:12 -0000 1.18 --- build.xml 20 Mar 2007 09:13:06 -0000 1.19 *************** *** 3,6 **** --- 3,7 ---- <property file="../tolven/resources/ant-build.properties"/> <path id="project.classpath"> + <pathelement location="${tolvenSecurity.location}/build/tolvenSecurity.jar"/> <pathelement location="${tolvenEJB.location}/bin"/> <!-- JAXB must be before jboss-client --> *************** *** 79,83 **** <include name="*.jar"/> </zipfileset > ! 
<zipfileset dir="${tolvenEJB.location}/build/bin" includes="**/*.class"/> <zipfileset dir="${tolvenEJB.location}/conf" prefix="META-INF"/> <zipfileset dir="${tolvenEJB.location}/resources/"/> --- 80,84 ---- <include name="*.jar"/> </zipfileset > ! <zipfileset dir="${tolvenEJB.location}/build/bin" includes="**/*.class" excludes="**/AccountUserIdCallback.class" /> <zipfileset dir="${tolvenEJB.location}/conf" prefix="META-INF"/> <zipfileset dir="${tolvenEJB.location}/resources/"/> |
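Review bot: the classpath hunk (3,7) makes tolvenEJB compile against `${tolvenSecurity.location}/build/tolvenSecurity.jar`, but nothing here declares that tolvenSecurity must be built first; add the dependency (an `<ant dir="${tolvenSecurity.location}"/>` call, or a build-order rule in the parent build) so a clean checkout does not fail on the missing jar.

Review bot: in the packaging hunk (80,84), `excludes="**/AccountUserIdCallback.class"` means the class is still compiled into tolvenEJB/build/bin but is left out of the EJB jar and expected to arrive through tolvenSecurity.jar. If the source is not also moved to the tolvenSecurity module, the two builds can drift apart, and if tolvenSecurity.jar is not in the server's lib at deploy time the EJB tier fails with ClassNotFoundException the first time the callback is used. Moving the source to tolvenSecurity and dropping the exclude is the cleaner arrangement.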