From: <bsc...@us...> - 2007-06-29 07:02:33
|
Revision: 1200 http://svn.sourceforge.net/unicore/?rev=1200&view=rev Author: bschuller Date: 2007-06-29 00:02:16 -0700 (Fri, 29 Jun 2007) Log Message: ----------- integrate security things; setup default handler chain in UAS startup code; add checking by SOAP action; etc Modified Paths: -------------- unicorex/uas-core/trunk/src/main/aspect/de/fzj/unicore/uas/security/Security.aj unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/JobManagement.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/StorageManagement.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystem.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystemFactory.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/UAS.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/jmx/UASAdmin.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigOutHandler.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigParseInHandler.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigSecurityInHandler.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SAMLSecurityInHandler.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/Unicore6Tokens.java unicorex/uas-core/trunk/src/test/java/de/fzj/unicore/client/functional/secure/TestSecure.java Added Paths: ----------- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/AuthNCheckingStrategy.java unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSignAuthNCheck.java Modified: unicorex/uas-core/trunk/src/main/aspect/de/fzj/unicore/uas/security/Security.aj =================================================================== --- unicorex/uas-core/trunk/src/main/aspect/de/fzj/unicore/uas/security/Security.aj 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/aspect/de/fzj/unicore/uas/security/Security.aj 2007-06-29 07:02:16 UTC (rev 1200) @@ -59,7 +59,7 @@ * * @author schuller */ -public aspect Security { +public final aspect Security { protected static Logger logger=Logger.getLogger("de.fzj.unicore.uas.security"); @@ -70,6 +70,7 @@ */ public Security(){ try{ + logger.config("Initialising security infrastructure."); boolean checking=Boolean.parseBoolean(UAS.getProperty(UASSecurityProperties.UAS_CHECKACCESS)); if(!checking){ logger.config("WSRF access control disabled."); @@ -83,6 +84,7 @@ } } + /** * access basic WSRF interfaces */ @@ -96,22 +98,42 @@ ; /** - * job management interface + * general uas */ + pointcut TSF(): + execution(public * + de.fzj.unicore.uas.TargetSystemFactory.*(..)) ; + + pointcut TSS(): + execution(public * + de.fzj.unicore.uas.TargetSystem.*(..)) ; + pointcut JobControl(): execution(public * de.fzj.unicore.uas.JobManagement.*(..)) ; - - /** - * storage management interface - */ pointcut StorageAccess(): execution(public * de.fzj.unicore.uas.StorageManagement.*(..)) ; - + //ADVICE + + before() : TSF() { + if(!isChecking())return; + Method m= ((MethodSignature)thisJoinPoint.getSignature()).getMethod(); + String info=m.getName(); + logger.finer("TSF: "+info); + doCheck(thisJoinPoint); + } + before() : TSS() { + if(!isChecking())return; + Method m= ((MethodSignature)thisJoinPoint.getSignature()).getMethod(); + String info=m.getName(); + logger.finer("TSS: "+info); + doCheck(thisJoinPoint); + } + before() : JobControl() { if(!isChecking())return; Method m= ((MethodSignature)thisJoinPoint.getSignature()).getMethod(); @@ -120,7 +142,6 @@ doCheck(thisJoinPoint); } - before() : StorageAccess() { if(!isChecking())return; Method m= ((MethodSignature)thisJoinPoint.getSignature()).getMethod(); @@ -135,6 +156,8 @@ doCheck(thisJoinPoint); } + + /** * performs the actual security check */ @@ -157,12 +180,12 @@ if(c==null)logger.warning("Client is <null> on "+info); //do not check server-scope (internal) use of the resources if(!i.isRequestScope() || SecurityManager.isServer(c) ){ - logger.finer("Accept server-scope action on "+i.getServiceName()+"<"+i.getUniqueID()+">"); + logger.fine("Accept server-scope action on "+i.getServiceName()+"<"+i.getUniqueID()+">"); return; } //accept trusted agents if(SecurityManager.isTrustedAgent(c)){ - logger.finer("Accept trusted-agent for action on "+i.getServiceName()+"<"+i.getUniqueID()+">"); + logger.fine("Accept trusted-agent for action on "+i.getServiceName()+"<"+i.getUniqueID()+">"); return; } String owner=""; @@ -180,7 +203,7 @@ else if(targetObj instanceof WSResource){ WSResource wsr=(WSResource)targetObj; String info=wsr.getServiceName()+"<"+wsr.getUniqueID()+">"; - logger.finer("Checking access on WSRF service "+info); + logger.fine("Checking access on WSRF service "+info); // Map<String,Object> map=(Map<String,Object>)UGSSecurityInHandler.getMessageContext().getProperty(WSRFInstance.WSRF_SECURITYCONTEXT); // Unicore5Tokens ugs=(Unicore5Tokens)map.get(UGSSecurityInHandler.UGSToken); @@ -217,7 +240,9 @@ } private boolean isChecking(){ - return Boolean.parseBoolean(UAS.getProperty(UASSecurityProperties.UAS_CHECKACCESS)); + boolean checking=Boolean.parseBoolean(UAS.getProperty(UASSecurityProperties.UAS_CHECKACCESS)); + logger.fine("Checking = " + checking); + return checking; } } Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/JobManagement.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/JobManagement.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/JobManagement.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -75,7 +75,6 @@ public static final QName RPStorageReference=StorageReferenceDocument.type.getDocumentElementName(); - @WebMethod(action = "http://unigrids.org/2006/04/services/jms/JobManagement/StartRequest") public org.unigrids.x2006.x04.services.jms.StartResponseDocument Start( org.unigrids.x2006.x04.services.jms.StartDocument in) Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/StorageManagement.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/StorageManagement.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/StorageManagement.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -53,6 +53,14 @@ //Porttype public static final QName SMS_PORT=new QName(SMS_NS,"StorageManagement"); + //actions + public static final String ACTION_EXPORT="http://unigrids.org/2006/04/services/sms/StorageManagement/ExportFileRequest"; + public static final String ACTION_IMPORT="http://unigrids.org/2006/04/services/sms/StorageManagement/ImportFileRequest"; + public static final String ACTION_SEND="http://unigrids.org/2006/04/services/sms/StorageManagement/SendFileRequest"; + public static final String ACTION_RECEIVE="http://unigrids.org/2006/04/services/sms/StorageManagement/ReceiveFileRequest"; + public static final String ACTION_DELETE="http://unigrids.org/2006/04/services/sms/StorageManagement/DeleteRequest"; + public static final String ACTION_RENAME="http://unigrids.org/2006/04/services/sms/StorageManagement/RenameRequest"; + /** * protocol(s) used to access the storage */ @@ -84,12 +92,12 @@ org.unigrids.x2006.x04.services.sms.CreateDirectoryDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/DeleteRequest") + @WebMethod(action = ACTION_DELETE) public org.unigrids.x2006.x04.services.sms.DeleteResponseDocument Delete( org.unigrids.x2006.x04.services.sms.DeleteDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/RenameRequest") + @WebMethod(action = ACTION_RENAME) public org.unigrids.x2006.x04.services.sms.RenameResponseDocument Rename( org.unigrids.x2006.x04.services.sms.RenameDocument in) throws BaseFault; @@ -99,22 +107,22 @@ org.unigrids.x2006.x04.services.sms.ChangePermissionsDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/ImportFileRequest") + @WebMethod(action = ACTION_IMPORT) public org.unigrids.x2006.x04.services.sms.ImportFileResponseDocument ImportFile( org.unigrids.x2006.x04.services.sms.ImportFileDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/ExportFileRequest") + @WebMethod(action = ACTION_EXPORT) public org.unigrids.x2006.x04.services.sms.ExportFileResponseDocument ExportFile( org.unigrids.x2006.x04.services.sms.ExportFileDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/ReceiveFileRequest") + @WebMethod(action = ACTION_RECEIVE) public org.unigrids.x2006.x04.services.sms.ReceiveFileResponseDocument ReceiveFile( org.unigrids.x2006.x04.services.sms.ReceiveFileDocument in) throws BaseFault; - @WebMethod(action = "http://unigrids.org/2006/04/services/sms/StorageManagement/SendFileRequest") + @WebMethod(action = ACTION_SEND) public org.unigrids.x2006.x04.services.sms.SendFileResponseDocument SendFile( org.unigrids.x2006.x04.services.sms.SendFileDocument in) throws BaseFault; Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystem.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystem.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystem.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -65,6 +65,10 @@ //Porttype public static final QName TSS_PORT=new QName(TSS_NS,"TargetSystem"); + //action for "Submit" + public static final String ACTION_SUBMIT="http://unigrids.org/2006/04/services/tss/TargetSystem/SubmitRequest"; + + //target system resourceproperty QNames public static final QName RPNumberOfJobs = TotalNumberOfJobsDocument.type.getDocumentElementName(); @@ -78,7 +82,7 @@ public static final QName RPMemoryPerNode = IndividualPhysicalMemoryDocument.type.getDocumentElementName(); public static final QName RPTextInfo = TextInfoDocument.type.getDocumentElementName(); - @WebMethod(action = "http://unigrids.org/2006/04/services/tss/TargetSystem/SubmitRequest") + @WebMethod(action = ACTION_SUBMIT) public org.unigrids.x2006.x04.services.tss.SubmitResponseDocument Submit( org.unigrids.x2006.x04.services.tss.SubmitDocument in) throws BaseFault; Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystemFactory.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystemFactory.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/TargetSystemFactory.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -54,7 +54,11 @@ //Porttype public static final QName TSF_PORT=new QName(TSF_NS,"TargetSystemFactory"); - @WebMethod(action = "http://unigrids.org/2006/04/services/tsf/TargetSystemFactory/CreateTSR") + //action for "CreateTSR" + public static final String ACTION_CREATETSR="http://unigrids.org/2006/04/services/tsf/TargetSystemFactory/CreateTSR"; + + + @WebMethod(action = ACTION_CREATETSR) public org.unigrids.x2006.x04.services.tsf.CreateTSRResponseDocument CreateTSR( org.unigrids.x2006.x04.services.tsf.CreateTSRDocument in) throws BaseFault; Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/UAS.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/UAS.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/UAS.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -38,7 +38,6 @@ import java.io.InputStream; import java.lang.management.ManagementFactory; import java.util.ArrayList; -import java.util.Collection; import java.util.List; import java.util.Observer; import java.util.Properties; @@ -50,8 +49,6 @@ import org.codehaus.xfire.XFire; import org.codehaus.xfire.XFireFactory; -import org.codehaus.xfire.handler.Handler; -import org.codehaus.xfire.service.Service; import de.fzj.unicore.uas.discovery.GatewayFinder; import de.fzj.unicore.uas.fts.FileTransfer; @@ -68,16 +65,16 @@ import de.fzj.unicore.uas.security.DSigOutHandler; import de.fzj.unicore.uas.security.DSigParseInHandler; import de.fzj.unicore.uas.security.DSigSecurityInHandler; +import de.fzj.unicore.uas.security.DSignAuthNCheck; import de.fzj.unicore.uas.security.ETDTrustDelegationInHandler; import de.fzj.unicore.uas.security.IUASSecurityProperties; import de.fzj.unicore.uas.security.SAMLSecurityInHandler; -import de.fzj.unicore.uas.security.SecurityOutHandler; +import de.fzj.unicore.uas.security.SecurityManager; import de.fzj.unicore.uas.security.UASSecurityProperties; import de.fzj.unicore.uas.util.Constants; import de.fzj.unicore.wsrflite.Kernel; import de.fzj.unicore.wsrflite.jetty.JettyServer; import de.fzj.unicore.wsrflite.utils.ServiceConfigReader; -import de.fzj.unicore.wsrflite.xfire.CheckUnderstoodHeadersHandler; import de.fzj.unicore.wsrflite.xfire.XFireKernel; import de.fzj.unicore.wsrflite.xmlbeans.sg.ServiceGroupEntry; @@ -300,19 +297,31 @@ System.out.println("Deploying default atomic services to WSRFlite."); deployDefault(); } + + //add understood header QNames + XFireKernel.addUnderstoodHeaders(Constants.supported); + //if appropriate, register with a dynamically discovered gateway configureDynamicGateway(); //add default security handlers addDefaultSecurityHandlers(); - //add additional security handlers - addCustomSecurityHandlers(); - //add understood header QNames - XFireKernel.addUnderstoodHeaders(Constants.supported); - + //configure the default authentication check policy + registerDefaultAuthNStrategies(); + + //print some config info + StringBuffer sb=new StringBuffer(); + for(String x: SecurityManager.getSOAPActionsRequiringSignatures())sb.append(x+"\n"); + logger.config("Actions requiring signatures: "+sb.toString()); + } + + private void registerDefaultAuthNStrategies(){ + SecurityManager.registerAuthNCheckingStrategies(new DSignAuthNCheck()); + } + //register with a gateway that is dynamically discovered private void configureDynamicGateway(){ if(!Boolean.parseBoolean(getProperty(AUTOREGISTER_WITH_GATEWAY_KEY,"false"))){ @@ -323,72 +332,17 @@ return; } - //add any custom security handlers - private void addCustomSecurityHandlers(){ - Collection<Service>services=XFireKernel.getServices(); - String customHandlerClassName=UAS.getProperty(CUSTOM_SECURITYINHANDLER_KEY); - //in... - if(customHandlerClassName != null) - { - try{ - for(String className: customHandlerClassName.split(" ")){ - if(className!=null){ - try{ - Class clazz=Class.forName(className); - Handler handler=(Handler)clazz.newInstance(); - logger.config("Have security handler "+className); - for(Service s: services){ - s.addInHandler(handler); - logger.config("Added incoming handler on service <"+s.getSimpleName()+">"); - } - }catch(Exception e){ - logger.log(Level.SEVERE,"Could not set security in-handler.",e); - } - } - } - }catch(Exception e){ - logger.log(Level.SEVERE,"Could not set security in-handler.",e); - } - } - //out... - customHandlerClassName=UAS.getProperty(CUSTOM_SECURITYOUTHANDLER_KEY); - if(customHandlerClassName != null) - { - try{ - for(String className: customHandlerClassName.split(" ")){ - if(className!=null){ - try{ - Class clazz=Class.forName(className); - Handler handler=(Handler)clazz.newInstance(); - if(handler instanceof SecurityOutHandler){ - ((SecurityOutHandler)handler).doInit(UAS.getSecurityProperties()); - } - logger.config("Have security handler "+className); - for(Service s: services){ - s.addOutHandler(handler); - logger.config("Added outgoing handler on service <"+s.getSimpleName()+">"); - } - }catch(Exception e){ - logger.log(Level.SEVERE,"Could not set security out-handler.",e); - } - } - } - }catch(Exception e){ - logger.log(Level.SEVERE,"Could not set security out-handler.",e); - } - } - } - //add standard security handlers @SuppressWarnings("unchecked") private void addDefaultSecurityHandlers(){ XFire xfire=XFireFactory.newInstance().getXFire(); - List in=xfire.getInHandlers(); - in.add(new DSigParseInHandler()); - in.add(new DSigSecurityInHandler()); - in.add(new SAMLSecurityInHandler()); - in.add(new ETDTrustDelegationInHandler()); + List s=xfire.getInHandlers(); + logger.config("Configuring default security handler chain."); + s.add(new DSigParseInHandler()); + s.add(new DSigSecurityInHandler()); + s.add(new SAMLSecurityInHandler()); + s.add(new ETDTrustDelegationInHandler()); List out=xfire.getOutHandlers(); DSigOutHandler o1=new DSigOutHandler(); o1.doInit(UAS.getSecurityProperties()); Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/jmx/UASAdmin.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/jmx/UASAdmin.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/jmx/UASAdmin.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -74,7 +74,7 @@ } public String[] getServicesRequiringSignatures(){ - return SecurityManager.getServicesRequiringSignatures(); + return SecurityManager.getSOAPActionsRequiringSignatures(); } public void toggleAccessControl(){ Added: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/AuthNCheckingStrategy.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/AuthNCheckingStrategy.java (rev 0) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/AuthNCheckingStrategy.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -0,0 +1,19 @@ +package de.fzj.unicore.uas.security; + +import de.fzj.unicore.uas.security.util.ResourceDescriptor; + +/** + * a check for authentication + */ +public interface AuthNCheckingStrategy { + + /** + * + * @param tokens - security tokens from the message + * @param action - the SOAP action that is about to be invoked + * @param d - the resource that is about to be accessed + * @throws AuthenticationException - an unchecked exception that signifies AuthN failure + */ + public void checkAuthentication(SecurityTokens tokens, String action, ResourceDescriptor d) throws AuthenticationException; + +} Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigOutHandler.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigOutHandler.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigOutHandler.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -85,7 +85,6 @@ } public synchronized void doInit(IUASSecurityProperties sec){ - logger.config("Configuring handler with security settings "+sec.toString()); try{ this.password = sec.getKeystorePassword(); String ksName = sec.getKeystore(); Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigParseInHandler.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigParseInHandler.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigParseInHandler.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -57,7 +57,6 @@ public DSigParseInHandler() { - logger.config("Configuring DOM parser for digital signature handler."); setPhase(Phase.PARSE); before(ReadHeadersHandler.class.getName()); } @@ -67,16 +66,12 @@ if(!UAS.getBooleanProperty(IUASSecurityProperties.UAS_REQUIRE_SIGNATURES))return; String action = (String) ctx.getInMessage().getProperty(SoapConstants.SOAP_ACTION); - if (action == null || actionShouldBeSigned(action)){ + + if (action == null || SecurityManager.needSignature(action)){ buildDOM(ctx); } } - protected boolean actionShouldBeSigned(String action) - { - //TODO - return true; - } protected void buildDOM(MessageContext ctx) throws XMLStreamException, ParserConfigurationException { Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigSecurityInHandler.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigSecurityInHandler.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSigSecurityInHandler.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -26,21 +26,25 @@ import pl.edu.icm.unicore.security.dsig.DSigException; import pl.edu.icm.unicore.security.dsig.DigSignatureUtil; - import de.fzj.unicore.uas.UAS; import de.fzj.unicore.wsrflite.WSRFInstance; -import de.fzj.unicore.wsrflite.xfire.XFireKernel; /** - * Checks if there is signatrue in SOAP header. If it is present then it is - * verified with CONSIGNOR certificate (thus consignor certificate must be the - * same as signer in header). + * Checks if there is signature in the SOAP header. If it is present then it is + * verified with CONSIGNOR certificate (i.e. the consignor certificate MUST be the + * same as signer in header).</br> + * + * According to the verification check there is a special parameter set in + * the security tokens.</br> + * + * @see Unicore6Tokens + * @see SecurityTokens + * * <p> * This handler must be AFTER handler that sets consignor into context and * AFTER {@link DSigParseInHandler} (which in PARSE phase). * <p> - * According to verification check there is special parameter appended to security context. * * @author K. Benedyczak */ @@ -50,7 +54,13 @@ DSigSecurityInHandler.class.getName()); public final static String SIGNATURE_STATUS_KEY = DSigSecurityInHandler.class.getName() + "_signature"; - public enum SIGNATURE_STATUS {UNCHECKED, UNSIGNED, OK, WRONG, OK_BUT_NOT_IN_POLICY}; + public enum SIGNATURE_STATUS { + UNCHECKED, + UNSIGNED, + OK, + WRONG, + OK_BUT_NOT_IN_POLICY + }; public final static String SIGNATURE_PRESENT_KEY = DSigSecurityInHandler.class.getName() + "_signature_present"; @@ -65,32 +75,47 @@ public DSigSecurityInHandler() { - logger.config("Configuring digital signature handler."); setPhase(Phase.POLICY); + after(DSigParseInHandler.class.getName()); + after(SAMLSecurityInHandler.class.getName()); } @SuppressWarnings("unchecked") public void invoke(MessageContext ctx) throws Exception { - if(!UAS.getBooleanProperty(IUASSecurityProperties.UAS_REQUIRE_SIGNATURES))return; + if(!UAS.getBooleanProperty(IUASSecurityProperties.UAS_REQUIRE_SIGNATURES)){ + return; + } - long start = System.currentTimeMillis(); - Map<String,Object> map = (Map<String, Object>) - ctx.getProperty(WSRFInstance.WSRF_SECURITYCONTEXT); + Map<String,Object> map = (Map<String, Object>)ctx.getProperty(WSRFInstance.WSRF_SECURITYCONTEXT); if (map == null) { logger.warning("No security context found. Maybe you " + - "need to add a security handler?"); + "need to add a security handler?"); return; } + + Document doc = (Document) ctx.getProperty(DSigParseInHandler.DOCUMENT_DOM_KEY); + if (doc == null) + { + logger.finer("No DOM representation of message found, " + + "signature won't be checked"); + map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNSIGNED); + return; + } + + long start = System.currentTimeMillis(); + SecurityTokens authn = (SecurityTokens) map.get(SecurityTokens.KEY); if (authn == null || authn.getConsignorCertificate() == null) { - logger.fine("No consignor found in security context so" + + logger.finer("No consignor found in security context so" + " skipping signature verification."); map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNCHECKED); return; } + + PublicKey consignorsKey = authn.getConsignorCertificate().getPublicKey(); InMessage msg = ctx.getInMessage(); @@ -98,35 +123,27 @@ Element header = msg.getHeader(); if (header == null) { - logger.finest("No header found, skipping signature verification."); + logger.finer("No header found, skipping signature verification."); map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNSIGNED); return; } + Element secHeader = header.getChild("Security", WSS_NS); if (secHeader == null) { - logger.finest("No security header element found, " + + logger.finer("No security header element found, " + "skipping signature verification."); map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNSIGNED); return; } if (secHeader.getChild("Signature", XMLDS_NS) == null) { - logger.finest("No Signature was found in header, " + + logger.finer("No Signature was found in header, " + "skipping signature verification."); map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNSIGNED); return; } - Document doc = (Document) ctx.getProperty(DSigParseInHandler.DOCUMENT_DOM_KEY); - if (doc == null) - { - logger.fine("No DOM representation of message found, " + - "signature won't be checked"); - map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.UNSIGNED); - return; - } - //signature is there, and we are supposed to //check it, so we put a token in the message context //which can be used later to decide whether the OUT message @@ -137,14 +154,14 @@ boolean signedOK; try { - logger.finest("Starting signature verification"); + logger.finest("Starting signature verification"); signedOK = verifySignature(doc, consignorsKey); } catch (Exception e) { logger.warning("Error while checking signature of request: " + e + "\n" + e.getCause()); - map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.WRONG); - return; + map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.WRONG); + return; } if (signedOK) { @@ -156,6 +173,7 @@ map.put(SIGNATURE_STATUS_KEY, SIGNATURE_STATUS.OK); + authn.setMessageSignatureStatus(SIGNATURE_STATUS.OK); } else { logger.warning("Signature present but INCORRECT!!"); Added: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSignAuthNCheck.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSignAuthNCheck.java (rev 0) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/DSignAuthNCheck.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -0,0 +1,45 @@ +package de.fzj.unicore.uas.security; + +import java.util.logging.Level; +import java.util.logging.Logger; + +import de.fzj.unicore.uas.UAS; +import de.fzj.unicore.uas.security.DSigSecurityInHandler.SIGNATURE_STATUS; +import de.fzj.unicore.uas.security.util.ResourceDescriptor; + +/** + * if the requested action requires it, check whether we have + * a valid signature + */ +public class DSignAuthNCheck implements AuthNCheckingStrategy { + + private static Logger logger=Logger.getLogger(DSignAuthNCheck.class.getName()); + + public DSignAuthNCheck(){ + logger.config("Initialise AuthN check for digital signature."); + } + + public void checkAuthentication(SecurityTokens tokens, String action, + ResourceDescriptor d) throws AuthenticationException { + + if(!UAS.getBooleanProperty(IUASSecurityProperties.UAS_REQUIRE_SIGNATURES))return; + + String soapAction=(String)tokens.getContext().get(SecurityTokens.SOAP_ACTION); + if(soapAction==null){ + logger.log(Level.SEVERE,"SOAP handler pipeline is not set up correctly."); + throw new AuthenticationException("Internal server error. Please contact the system administrator."); + } + logger.fine("Check authentication for <"+soapAction+">"); + if(!SecurityManager.needSignature(soapAction)) return; + + //OK now check if we have a signature and it is OK + + if(!SIGNATURE_STATUS.OK.equals(tokens.getMessageSignatureStatus())){ + String msg="Authentication failed on <"+d.toString()+">: valid signature is required for <"+action+">"; + logger.info(msg); + throw new AuthenticationException(msg); + } + + } + +} Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SAMLSecurityInHandler.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SAMLSecurityInHandler.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SAMLSecurityInHandler.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -22,6 +22,7 @@ import org.codehaus.xfire.MessageContext; import org.codehaus.xfire.handler.AbstractHandler; import org.codehaus.xfire.handler.Phase; +import org.codehaus.xfire.soap.SoapConstants; import org.codehaus.xfire.transport.http.XFireServletController; import org.jdom.Attribute; import org.jdom.Element; @@ -144,7 +145,10 @@ if (consignor != null) { - map.put(TOKEN_KEY, new Unicore6Tokens(user,consignor)); + SecurityTokens t=new Unicore6Tokens(user,consignor); + String action = (String) ctx.getInMessage().getProperty(SoapConstants.SOAP_ACTION); + t.getContext().put(SecurityTokens.SOAP_ACTION, action); + map.put(TOKEN_KEY, t); map.put(UASWSResourceImpl.SCOPE_KEY, UASWSResourceImpl.SCOPE_REQUEST); } Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -37,7 +37,10 @@ import java.net.URL; import java.security.cert.CertPath; import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Set; import java.util.logging.Level; @@ -50,11 +53,15 @@ import com.sun.xacml.ctx.ResponseCtx; import com.sun.xacml.ctx.Result; +import de.fzj.unicore.uas.StorageManagement; +import de.fzj.unicore.uas.TargetSystem; +import de.fzj.unicore.uas.TargetSystemFactory; import de.fzj.unicore.uas.UAS; import de.fzj.unicore.uas.security.util.RequestBuilder; import de.fzj.unicore.uas.security.util.ResourceDescriptor; import de.fzj.unicore.wsrflite.Kernel; import de.fzj.unicore.wsrflite.xfire.http.AuthSSLProtocolSocketFactory; +import de.fzj.unicore.wsrflite.xmlbeans.ResourceLifetime; import de.fzj.unicore.xnjs.aaa.AuthToken; import de.fzj.unicore.xnjs.aaa.Client; import de.fzj.unicore.xnjs.aaa.Role; @@ -77,7 +84,35 @@ private static X509Certificate serverCert=null; private static X509Certificate gatewayCert=null; + private static List<String>soapActionsRequiringSignatures=new ArrayList<String>(); + + private static List<AuthNCheckingStrategy>authNCheckStrategies=new ArrayList<AuthNCheckingStrategy>(); + + /** + * for the atomic services, this is the list of + * SOAP actions (i.e. methods) where we require + * a digital signature + */ + public static final String[] soapActionsForDSig=new String[]{ + TargetSystemFactory.ACTION_CREATETSR, + TargetSystem.ACTION_SUBMIT, + StorageManagement.ACTION_DELETE, + StorageManagement.ACTION_RECEIVE, + StorageManagement.ACTION_RENAME, + StorageManagement.ACTION_SEND, + StorageManagement.ACTION_IMPORT, + StorageManagement.ACTION_EXPORT, + ResourceLifetime.WSRL_DESTROY, + ResourceLifetime.WSRL_SCHEDULED, + }; + + + static{ + addSOAPActionsRequiringSignatures(soapActionsForDSig); + } + + /** * get the certificate of the server * @return */ @@ -222,10 +257,18 @@ * @param d - the resource being accessed */ public static void checkAuthentication(SecurityTokens tokens, String action, ResourceDescriptor d){ + logger.fine("Check "+action); + for(AuthNCheckingStrategy s: authNCheckStrategies){ + s.checkAuthentication(tokens, action, d); + } + } - //TODO this should use the Strategy pattern to - //allow registering policies as needed by services - + /** + * register checking strategies + * @param strategies - {@link AuthNCheckingStrategy} objects + */ + public static void registerAuthNCheckingStrategies(AuthNCheckingStrategy ... strategies){ + authNCheckStrategies.addAll(Arrays.asList(strategies)); } @@ -358,19 +401,27 @@ /** * The current list of services that require signed messages * - * TODO - * * @return String[] with entries of the form "ServiceName/MethodSpec" */ - public static String[] getServicesRequiringSignatures(){ - return new String[]{}; + public static String[] getSOAPActionsRequiringSignatures(){ + return soapActionsRequiringSignatures.toArray(new String[soapActionsRequiringSignatures.size()]); } + /** + * add SOAP actions to the special list requiring signed messages + * @param actions + */ + public static void addSOAPActionsRequiringSignatures(String ... actions){ + soapActionsRequiringSignatures.addAll(Arrays.asList(actions)); + } + public static boolean needSignature(String soapAction){ + if(soapAction==null)return false; + boolean b=soapActionsRequiringSignatures.contains(soapAction); + logger.finer("Check <"+soapAction+"> = "+b); + return b; + } - - - public static class NullAuthoriser implements IAuthoriser{ public NullAuthoriser(){} public Map<String, String> authorise(SecurityTokens tokens) { Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -47,15 +47,6 @@ public interface SecurityTokens { /** - * the status of a possible message signature - */ - public enum SignatureStatus { - NO_SIGNATURE, - SIGNATURE_INVALID, - SIGNATURE_VALID, - } - - /** * key for storing the security tokens in the security context */ public static final String KEY=SecurityTokens.class.getName()+".key"; @@ -124,6 +115,12 @@ public static final String ATTRIBUTE_PROJECT="project"; /** + * SOAP action being invoked + */ + public static final String SOAP_ACTION="REQUEST.soapAction"; + + + /** * get a context for making the authorisation decision<br/> * This may be used to convey information to the authorisation service. * For example, the service or service instance that is accessed, @@ -159,7 +156,8 @@ * get the message signature status * @return the {@link SignatureStatus} of the current message */ - public SignatureStatus getMessageSignatureStatus(); + public DSigSecurityInHandler.SIGNATURE_STATUS getMessageSignatureStatus(); + public void setMessageSignatureStatus(DSigSecurityInHandler.SIGNATURE_STATUS status); } Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/Unicore6Tokens.java =================================================================== --- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/Unicore6Tokens.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/Unicore6Tokens.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -39,6 +39,8 @@ import javax.security.auth.x500.X500Principal; +import de.fzj.unicore.uas.security.DSigSecurityInHandler.SIGNATURE_STATUS; + /** * Unicore 6 style security tokens extracted from the request * (user, consignor X.509 cert path objects) @@ -50,7 +52,7 @@ public CertPath consignor; - public SignatureStatus signatureStatus=SignatureStatus.NO_SIGNATURE; + public SIGNATURE_STATUS signatureStatus=SIGNATURE_STATUS.UNCHECKED; private Map<String, Object> context; @@ -97,12 +99,11 @@ return (X509Certificate)consignor.getCertificates().get(0); } - public SignatureStatus getMessageSignatureStatus() { + public SIGNATURE_STATUS getMessageSignatureStatus() { return signatureStatus; } - - public void setMessageSignatureStatus(SignatureStatus status) { - this.signatureStatus=status; + + public void setMessageSignatureStatus(SIGNATURE_STATUS status) { + signatureStatus=status; } - } Modified: unicorex/uas-core/trunk/src/test/java/de/fzj/unicore/client/functional/secure/TestSecure.java =================================================================== --- unicorex/uas-core/trunk/src/test/java/de/fzj/unicore/client/functional/secure/TestSecure.java 2007-06-28 14:19:37 UTC (rev 1199) +++ unicorex/uas-core/trunk/src/test/java/de/fzj/unicore/client/functional/secure/TestSecure.java 2007-06-29 07:02:16 UTC (rev 1200) @@ -37,6 +37,8 @@ import java.io.OutputStream; import java.util.Random; +import javax.xml.namespace.QName; + import junit.framework.TestCase; import org.codehaus.xfire.addressing.AddressingOutHandler; @@ -62,6 +64,8 @@ import de.fzj.unicore.uas.util.AddressingUtil; import de.fzj.unicore.wsrflite.security.ISecurityProperties; import de.fzj.unicore.wsrflite.utils.StopWatch; +import de.fzj.unicore.wsrflite.xfire.CheckUnderstoodHeadersHandler; +import de.fzj.unicore.wsrflite.xfire.XFireKernel; import de.fzj.unicore.xnjs.jsdl.JSDLUtils; /** @@ -91,7 +95,7 @@ System.out.println("Using registry at "+regEPR); UAS.setProperty(IUASSecurityProperties.UAS_REQUIRE_SIGNATURES, true); - + XFireKernel.addUnderstoodHeaders(new QName[]{DSigOutHandler.WS_SECURITY}); firstTime=false; } @@ -113,11 +117,13 @@ ISecurityProperties.WSRF_SSL_TRUSTPASS + "=the!user"+"\n"+ ISecurityProperties.WSRF_WSS+ "=false"+"\n" +IUASSecurityProperties.UAS_OUTHANDLER_NAME+"="+DSigOutHandler.class.getName()+"\n" + +IUASSecurityProperties.UAS_INHANDLER_NAME+"="+CheckUnderstoodHeadersHandler.class.getName()+"\n" + ; protected IUASSecurityProperties getSecurityProperties(){ UASSecurityProperties uas= new UASSecurityProperties(new ByteArrayInputStream(sprops.getBytes())); - uas.setSignMessage(true); + uas.setSignMessage(false); return uas; } @@ -134,7 +140,7 @@ System.out.println("timing start..."); long s=System.currentTimeMillis(); - long N=200; + long N=1; for(int i=0;i<N;i++){ tsf.getCurrentTime(); if(i%100==0)System.out.print("."); @@ -143,9 +149,10 @@ System.out.println("\ntiming end..."); System.out.println("Did "+N+" requests in "+(e-s)+" millis, that is "+1000*N/(e-s) +" req/sec."); -// -// TSSClient tss=tsf.createTSS(); -// SubmitDocument in=SubmitDocument.Factory.newInstance(); + + TSSClient tss=tsf.createTSS(); + + SubmitDocument in=SubmitDocument.Factory.newInstance(); // in.addNewSubmit().setJobDefinition(getJob().getJobDefinition()); // JobClient job=tss.submit(in); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |