Changes to allow the reading of REALM Proxy User Credentials from miCASA

in order to avoid having those credentials in the clear in the
iaRealms.xml file.
Juan Carlos Luciani 2007-05-09 22:54:35 +00:00
parent 90afeed839
commit 9c139d4a2b
9 changed files with 282 additions and 136 deletions


@ -143,7 +143,7 @@ CLASSES = $(addprefix $(BUILDDIR)/, $(JAVAFILES:%.java=%.class))
XMLSEC_LIBS = $(XMLSEC_JARS_DIR)/xmlsec-1.4.0.jar XMLSEC_LIBS = $(XMLSEC_JARS_DIR)/xmlsec-1.4.0.jar
LIBS = /usr/share/java/servletapi5.jar:/usr/share/java/xerces-j2.jar:/usr/share/java/log4j.jar LIBS = /usr/share/java/servletapi5.jar:/usr/share/java/xerces-j2.jar:/usr/share/java/log4j.jar:/usr/lib/miCASA.jar
CLASSPATH = $(XMLSEC_LIBS):$(IDENT_ABSTRACTION_DIR)/identity-abstraction.jar:$(IDENT_ABSTRACTION_DIR)/bandit-util.jar:$(IDENT_ABSTRACTION_DIR)/castor-1.0.4.jar:$(LIBS) CLASSPATH = $(XMLSEC_LIBS):$(IDENT_ABSTRACTION_DIR)/identity-abstraction.jar:$(IDENT_ABSTRACTION_DIR)/bandit-util.jar:$(IDENT_ABSTRACTION_DIR)/castor-1.0.4.jar:$(LIBS)
CUR_DIR := $(shell pwd) CUR_DIR := $(shell pwd)


@ -716,6 +716,11 @@ public final class CasaIdentityToken implements IdentityToken
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory"); env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
env.put(Realm.REALM_CONFIG_LOCATION, svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile)); env.put(Realm.REALM_CONFIG_LOCATION, svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
env.put(Realm.REALM_SELECTOR, sourceName); env.put(Realm.REALM_SELECTOR, sourceName);
if (svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(sourceName) == false)
{
env.put(Context.SECURITY_PRINCIPAL, svcConfig.m_realmsInfo.proxyUsernameCredential(sourceName));
env.put(Context.SECURITY_CREDENTIALS, svcConfig.m_realmsInfo.proxyPasswordCredential(sourceName));
}
int retries = 3; int retries = 3;
while (retries != 0) while (retries != 0)
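Review bot: The new block puts `svcConfig.m_realmsInfo.proxyUsernameCredential(sourceName)` and the matching password into `env` without a null check, yet RealmsInfo returns null for both when its miCASA lookup failed (its catch only logs a warning) or when the realm id is not in its map. If `env` is a `java.util.Hashtable` (the type the RealmsInfo file imports; not visible in this hunk), `put` with a null value throws NullPointerException, so a missing credential surfaces as an NPE inside the retry loop instead of a clear configuration error. Resolve both values first and fail through the method's existing error path: `String proxyUser = svcConfig.m_realmsInfo.proxyUsernameCredential(sourceName);` `String proxyPwd = svcConfig.m_realmsInfo.proxyPasswordCredential(sourceName);` `if (proxyUser == null || proxyPwd == null) { /* report unusable realm and stop, do not bind */ }`. The same unchecked puts are repeated in the Krb5Authenticate, PwdAuthenticate and RealmsInfo hunks of this commit. The enclosing method starts before and continues after this hunk.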


@ -211,6 +211,11 @@ public final class Krb5Authenticate implements AuthMechanism, Serializable
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory"); env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile)); env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm()); env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm());
if (m_svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(authReqMsg.getRealm()) == false)
{
env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
}
int retries = 3; int retries = 3;
while (retries != 0) while (retries != 0)


@ -186,6 +186,11 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory"); env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile)); env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm()); env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm());
if (m_svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(authReqMsg.getRealm()) == false)
{
env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
}
int retries = 3; int retries = 3;
while (retries != 0) while (retries != 0)


@ -37,10 +37,14 @@ import org.bandit.util.config.Realm;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.Map; import java.util.Map;
import java.util.HashMap; import java.util.HashMap;
import com.novell.casa.NetCredential;
import com.novell.casa.MiCasa;
/** /**
* RealmsInfo class. * RealmsInfo class.
* <p> * <p>
@ -73,6 +77,9 @@ public class RealmsInfo
// Map for holding ream key/values // Map for holding ream key/values
protected Map<String, String> m_keyValueMap = new HashMap<String, String>(); protected Map<String, String> m_keyValueMap = new HashMap<String, String>();
protected String[] m_searchRoots = null; protected String[] m_searchRoots = null;
protected boolean m_proxyUserCredentialsInRealmsFile = true;
protected String m_proxyUserName = null;
protected String m_proxyUserPassword = null;
} }
// Map for holding ream information // Map for holding ream information
@ -87,7 +94,10 @@ public class RealmsInfo
RealmsInfo(String realmConfigFilePath) throws Exception RealmsInfo(String realmConfigFilePath) throws Exception
{ {
// Go through all of the configured realms // Go through all of the configured realms
FileReader fileReader = new FileReader(realmConfigFilePath); FileReader fileReader = null;
try
{
fileReader = new FileReader(realmConfigFilePath);
RealmsType realmsType = Realms.unmarshal(fileReader); RealmsType realmsType = Realms.unmarshal(fileReader);
for (int i = 0; i < realmsType.getRealmsTypeItemCount(); i++) for (int i = 0; i < realmsType.getRealmsTypeItemCount(); i++)
{ {
@ -99,6 +109,7 @@ public class RealmsInfo
RealmInfo realmInfo = new RealmInfo(); RealmInfo realmInfo = new RealmInfo();
RealmTypeItem[] realmTypeItems = realm.getRealmTypeItem(); RealmTypeItem[] realmTypeItems = realm.getRealmTypeItem();
String principalName = null; String principalName = null;
String principalPassword = null;
for (int ii = 0; ii < realmTypeItems.length; ii++) for (int ii = 0; ii < realmTypeItems.length; ii++)
{ {
// Find the configure Proxy User Name for the realm and any configured // Find the configure Proxy User Name for the realm and any configured
@ -115,6 +126,11 @@ public class RealmsInfo
// We found the proxy user name. Save it in case it is needed later. // We found the proxy user name. Save it in case it is needed later.
principalName = env[iii].getValue(); principalName = env[iii].getValue();
} }
else if (env[iii].getProp().equalsIgnoreCase("java.naming.security.credentials"))
{
// We found the proxy password. Save it in case it is needed later.
principalPassword = env[iii].getValue();
}
else if (env[iii].getProp().equalsIgnoreCase("com.novell.casa.authtoksvc.searchroot")) else if (env[iii].getProp().equalsIgnoreCase("com.novell.casa.authtoksvc.searchroot"))
{ {
// We are dealing with a search root, keep track of it. Make sure to preserve the order // We are dealing with a search root, keep track of it. Make sure to preserve the order
@ -165,6 +181,25 @@ public class RealmsInfo
} }
} }
// Check if we need to read the proxy user credentials from miCASA
if (principalName == null || principalPassword == null)
{
realmInfo.m_proxyUserCredentialsInRealmsFile = false;
// We need to access miCASA to obtain the credentials
try
{
MiCasa store = new MiCasa();
NetCredential nc = store.getCredential(0, realm.getId(), null, 0);
realmInfo.m_proxyUserName = principalName = nc.getUsername();
realmInfo.m_proxyUserPassword = principalPassword = nc.getPassword();
}
catch (Exception e)
{
m_log.warn("Constructor()- Exception caught obtaining proxy user credentials from miCASA, msg = " + e.getMessage());
}
}
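Review bot: When the miCASA lookup in the new `try` block fails, the catch only logs a warning and leaves `realmInfo.m_proxyUserName` and `m_proxyUserPassword` null after `m_proxyUserCredentialsInRealmsFile` has already been set to false, so the realm is registered as usable and every later bind for it is attempted with null credentials. A realm whose proxy credentials cannot be obtained should be treated as a configuration failure: either rethrow after logging, or skip registering the realm and log at error level with `realm.getId()`. If `store.getCredential` can return null for an unknown realm (its contract is not visible here), `nc.getUsername()` would also NPE inside this try and be swallowed by the same catch. The new catch-all added further down (`m_log.error("Constructor()- Exception caught, msg = " + e.getMessage());`) likewise swallows parse and I/O failures of the whole constructor, so a broken iaRealms.xml now yields an empty realm map even though the constructor still declares `throws Exception`; rethrowing there would let startup fail loudly. The constructor body starts before and continues after this hunk.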
// Check if we must try to determine the directory type // Check if we must try to determine the directory type
if (realmInfo.m_keyValueMap.get(RealmType) == null) if (realmInfo.m_keyValueMap.get(RealmType) == null)
{ {
@ -181,6 +216,11 @@ public class RealmsInfo
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory"); env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
env.put(Realm.REALM_CONFIG_LOCATION, realmConfigFilePath); env.put(Realm.REALM_CONFIG_LOCATION, realmConfigFilePath);
env.put(Realm.REALM_SELECTOR, realm.getId()); env.put(Realm.REALM_SELECTOR, realm.getId());
if (realmInfo.m_proxyUserCredentialsInRealmsFile == false)
{
env.put(Context.SECURITY_PRINCIPAL, realmInfo.m_proxyUserName);
env.put(Context.SECURITY_CREDENTIALS, realmInfo.m_proxyUserPassword);
}
int retries = 3; int retries = 3;
while (retries != 0) while (retries != 0)
@ -246,6 +286,25 @@ public class RealmsInfo
} }
} }
} }
catch (Exception e)
{
m_log.error("Constructor()- Exception caught, msg = " + e.getMessage());
}
finally
{
if (fileReader != null)
{
try
{
fileReader.close();
}
catch (IOException e)
{
// Do nothing
}
}
}
}
/** /**
* Get Realm Type. * Get Realm Type.
@ -306,4 +365,50 @@ public class RealmsInfo
else else
return null; return null;
} }
/**
* Proxy Credentials In Realms File.
*
* @param realmId Realm id.
* @return True if present.
*/
final boolean proxyCredentialsInRealmFile(String realmId)
{
RealmInfo realmInfo = m_realmsMap.get(realmId);
if (realmInfo != null)
return realmInfo.m_proxyUserCredentialsInRealmsFile;
else
// Assume yes
return true;
}
/**
* Proxy Username Credential.
*
* @param realmId Realm id.
* @return Username or null.
*/
final String proxyUsernameCredential(String realmId)
{
RealmInfo realmInfo = m_realmsMap.get(realmId);
if (realmInfo != null)
return realmInfo.m_proxyUserName;
else
return null;
}
/**
* Proxy Password Credential.
*
* @param realmId Realm id.
* @return Password or null.
*/
final String proxyPasswordCredential(String realmId)
{
RealmInfo realmInfo = m_realmsMap.get(realmId);
if (realmInfo != null)
return realmInfo.m_proxyUserPassword;
else
return null;
}
} }


@ -54,4 +54,4 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class # "foo/*.jar": Add all the JARs of the specified folder as class
# repositories # repositories
# "foo/bar.jar": Add bar.jar as a class repository # "foo/bar.jar": Add bar.jar as a class repository
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar,/usr/share/java/identity-abstraction/*.jar shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar,/usr/share/java/identity-abstraction/*.jar,/usr/lib/miCASA.jar


@ -1,3 +1,27 @@
-------------------------------------------------------------------
Wed May 9 16:38:14 MDT 2007 - jluciani@novell.com
- Added the capability to read REALM credentials from miCASA to
avoid having the credentials in the clear in the iaRealms.xml
file. This change adds a dependency on CASA and partially
addresses BUG265414.
- Created a utility that allows users to edit the iaRealms.xml
file. This was necessary to support the CASA ATS Yast Module
enhancements.
- Fixed settings and policy utilities to output error messages
to stderr instead of stdout to avoid messing up the CASA ATS
Yast Module.
- Fixed the SPEC files to set the appropriate home folder for
the casaatsd user.
- Temporary changed the SPEC files to allow the casaatsd user
to have a shell. This change will be reverted as soon as
the CASAcli is updated to allow a root user to pass the
UID of the user being targeted.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 20 15:40:01 MDT 2007 - jluciani@novell.com Fri Apr 20 15:40:01 MDT 2007 - jluciani@novell.com


@ -18,7 +18,7 @@
Name: @PACKAGE@ Name: @PACKAGE@
URL: http://www.novell.com/products URL: http://www.novell.com/products
BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 xml-commons-apis BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 xml-commons-apis
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
%define prefix /usr %define prefix /usr
License: LGPL License: LGPL
Group: Applications/System Group: Applications/System
@ -30,7 +30,7 @@ Summary: Novell CASA Authentication Token Service
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: jre >= 1.5.0 Requires: jre >= 1.5.0
Requires: servletapi5 tomcat5 sysvinit insserv identity-abstraction sed log4j xerces-j2 Requires: servletapi5 tomcat5 sysvinit insserv identity-abstraction sed log4j xerces-j2 CASA
PreReq: %fillup_prereq %insserv_prereq PreReq: %fillup_prereq %insserv_prereq
PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd
PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
@ -221,7 +221,8 @@ fi
user_present=`getent passwd | grep ^casaatsd` user_present=`getent passwd | grep ^casaatsd`
if [ -z "$user_present" ] ; then if [ -z "$user_present" ] ; then
/usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || : # /usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
/usr/sbin/useradd -c "casaatsd System User" -s /bin/bash -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
fi fi
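Review bot: The `useradd` line now gives the casaatsd service account `-s /bin/bash`, and the previous `/bin/false` invocation is kept as a commented-out command rather than an explanation, so nothing in the spec itself records that this is temporary or what it is waiting on; only the changelog entry in this commit says it is to be reverted once CASAcli lets root pass the target UID. Replace the commented-out command with a note that states that, e.g. `# TEMPORARY: casaatsd gets a login shell only until CASAcli lets root pass the target UID; revert to -s /bin/false then`, so the revert is not lost. A system account with an interactive shell is a wider exposure than one with /bin/false, which is why tracking the revert in the file matters. The same change appears in the second spec file's hunk at the end of this page.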


@ -18,7 +18,7 @@
Name: @PACKAGE@ Name: @PACKAGE@
URL: http://www.novell.com/products URL: http://www.novell.com/products
BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 jdk novell-zenworks-java-links xml-commons-apis BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 jdk novell-zenworks-java-links xml-commons-apis
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
%define prefix /usr %define prefix /usr
License: LGPL License: LGPL
Group: Applications/System Group: Applications/System
@ -30,7 +30,7 @@ Summary: Novell CASA Authentication Token Service
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: jre >= 1.5.0 Requires: jre >= 1.5.0
Requires: novell-zenworks-tomcat sysvinit insserv identity-abstraction sed jdk novell-zenworks-java-links log4j xerces-j2 Requires: novell-zenworks-tomcat sysvinit insserv identity-abstraction sed jdk novell-zenworks-java-links log4j xerces-j2 CASA
PreReq: %fillup_prereq %insserv_prereq PreReq: %fillup_prereq %insserv_prereq
PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd
PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
@ -221,7 +221,8 @@ fi
user_present=`getent passwd | grep ^casaatsd` user_present=`getent passwd | grep ^casaatsd`
if [ -z "$user_present" ] ; then if [ -z "$user_present" ] ; then
/usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || : # /usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
/usr/sbin/useradd -c "casaatsd System User" -s /bin/bash -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
fi fi