Changes to allow the reading of REALM Proxy User Credentials from miCASA
in order to avoid having those credentials in the clear in the iaRealms.xml file.
parent
90afeed839
commit
9c139d4a2b
@ -143,7 +143,7 @@ CLASSES = $(addprefix $(BUILDDIR)/, $(JAVAFILES:%.java=%.class))
|
||||
|
||||
XMLSEC_LIBS = $(XMLSEC_JARS_DIR)/xmlsec-1.4.0.jar
|
||||
|
||||
LIBS = /usr/share/java/servletapi5.jar:/usr/share/java/xerces-j2.jar:/usr/share/java/log4j.jar
|
||||
LIBS = /usr/share/java/servletapi5.jar:/usr/share/java/xerces-j2.jar:/usr/share/java/log4j.jar:/usr/lib/miCASA.jar
|
||||
CLASSPATH = $(XMLSEC_LIBS):$(IDENT_ABSTRACTION_DIR)/identity-abstraction.jar:$(IDENT_ABSTRACTION_DIR)/bandit-util.jar:$(IDENT_ABSTRACTION_DIR)/castor-1.0.4.jar:$(LIBS)
|
||||
|
||||
CUR_DIR := $(shell pwd)
|
||||
|
@ -716,6 +716,11 @@ public final class CasaIdentityToken implements IdentityToken
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
|
||||
env.put(Realm.REALM_CONFIG_LOCATION, svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
|
||||
env.put(Realm.REALM_SELECTOR, sourceName);
|
||||
if (svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(sourceName) == false)
|
||||
{
|
||||
env.put(Context.SECURITY_PRINCIPAL, svcConfig.m_realmsInfo.proxyUsernameCredential(sourceName));
|
||||
env.put(Context.SECURITY_CREDENTIALS, svcConfig.m_realmsInfo.proxyPasswordCredential(sourceName));
|
||||
}
|
||||
|
||||
int retries = 3;
|
||||
while (retries != 0)
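Review bot: The new block puts `proxyUsernameCredential(sourceName)` and `proxyPasswordCredential(sourceName)` into `env` without checking them, yet RealmsInfo leaves both null (while still reporting the credentials as not in the file) when its miCASA lookup failed at startup. If `env` is a `java.util.Hashtable`, as JNDI environments usually are, `put` with a null value throws NullPointerException here rather than producing a clean bind failure that the retry loop can report. Guard before use, e.g. `String proxyPw = svcConfig.m_realmsInfo.proxyPasswordCredential(sourceName); if (proxyPw == null) throw new NamingException("no proxy credentials available for realm " + sourceName);` with whatever exception type the surrounding code already handles. The enclosing method continues past the end of this hunk, so the retry loop's handling is not visible here.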
|
||||
|
@ -211,6 +211,11 @@ public final class Krb5Authenticate implements AuthMechanism, Serializable
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
|
||||
env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
|
||||
env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm());
|
||||
if (m_svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(authReqMsg.getRealm()) == false)
|
||||
{
|
||||
env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
|
||||
env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
|
||||
}
|
||||
|
||||
int retries = 3;
|
||||
while (retries != 0)
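Review bot: The realm id used on the new lines comes from the request (`authReqMsg.getRealm()`), so for a configured realm whose miCASA fetch failed at startup every authentication attempt reaches `env.put(Context.SECURITY_CREDENTIALS, null)`, which throws NullPointerException on a Hashtable-backed environment instead of failing the bind, and the outcome is decided per request rather than once at service start. A realm that is not configured at all returns "assume yes" from `proxyCredentialsInRealmFile`, so those requests silently proceed without credentials; that is probably fine if the identity-abstraction layer rejects them, but worth a comment. Suggest `if (proxyPw == null) { m_log.error("No proxy credentials for realm " + authReqMsg.getRealm()); return null; }` (or the method's existing failure path) after reading the credential. The method body continues beyond this hunk.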
|
||||
|
@ -186,6 +186,11 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
|
||||
env.put(Realm.REALM_CONFIG_LOCATION, m_svcConfig.getSetting(SvcConfig.IdentityAbstractionConfigFile));
|
||||
env.put(Realm.REALM_SELECTOR, authReqMsg.getRealm());
|
||||
if (m_svcConfig.m_realmsInfo.proxyCredentialsInRealmFile(authReqMsg.getRealm()) == false)
|
||||
{
|
||||
env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
|
||||
env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
|
||||
}
|
||||
|
||||
int retries = 3;
|
||||
while (retries != 0)
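Review bot: This is the third verbatim copy of the same credential block (CasaIdentityToken and Krb5Authenticate carry the other two, and RealmsInfo's constructor a fourth), each reading `m_realmsInfo` and its two accessors directly, so any later fix to null handling or to clearing the password has to be made in four places. A single package-level helper on RealmsInfo, such as `void applyProxyCredentials(Hashtable<String, Object> env, String realmId)` that performs the flag check and the two `put` calls, would let each caller reduce to `m_svcConfig.m_realmsInfo.applyProxyCredentials(env, authReqMsg.getRealm());`. The exact type of `env` is declared outside this hunk and the helper's parameter should match it. The method continues past the end of the hunk.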
|
||||
|
@ -37,10 +37,14 @@ import org.bandit.util.config.Realm;
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import java.io.FileReader;
|
||||
import java.io.IOException;
|
||||
import java.util.Hashtable;
|
||||
import java.util.Map;
|
||||
import java.util.HashMap;
|
||||
|
||||
import com.novell.casa.NetCredential;
|
||||
import com.novell.casa.MiCasa;
|
||||
|
||||
/**
|
||||
* RealmsInfo class.
|
||||
* <p>
|
||||
@ -73,6 +77,9 @@ public class RealmsInfo
|
||||
// Map for holding ream key/values
|
||||
protected Map<String, String> m_keyValueMap = new HashMap<String, String>();
|
||||
protected String[] m_searchRoots = null;
|
||||
protected boolean m_proxyUserCredentialsInRealmsFile = true;
|
||||
protected String m_proxyUserName = null;
|
||||
protected String m_proxyUserPassword = null;
|
||||
}
|
||||
|
||||
// Map for holding ream information
|
||||
@ -87,7 +94,10 @@ public class RealmsInfo
|
||||
RealmsInfo(String realmConfigFilePath) throws Exception
|
||||
{
|
||||
// Go through all of the configured realms
|
||||
FileReader fileReader = new FileReader(realmConfigFilePath);
|
||||
FileReader fileReader = null;
|
||||
try
|
||||
{
|
||||
fileReader = new FileReader(realmConfigFilePath);
|
||||
RealmsType realmsType = Realms.unmarshal(fileReader);
|
||||
for (int i = 0; i < realmsType.getRealmsTypeItemCount(); i++)
|
||||
{
|
||||
@ -99,6 +109,7 @@ public class RealmsInfo
|
||||
RealmInfo realmInfo = new RealmInfo();
|
||||
RealmTypeItem[] realmTypeItems = realm.getRealmTypeItem();
|
||||
String principalName = null;
|
||||
String principalPassword = null;
|
||||
for (int ii = 0; ii < realmTypeItems.length; ii++)
|
||||
{
|
||||
// Find the configure Proxy User Name for the realm and any configured
|
||||
@ -115,6 +126,11 @@ public class RealmsInfo
|
||||
// We found the proxy user name. Save it in case it is needed later.
|
||||
principalName = env[iii].getValue();
|
||||
}
|
||||
else if (env[iii].getProp().equalsIgnoreCase("java.naming.security.credentials"))
|
||||
{
|
||||
// We found the proxy password. Save it in case it is needed later.
|
||||
principalPassword = env[iii].getValue();
|
||||
}
|
||||
else if (env[iii].getProp().equalsIgnoreCase("com.novell.casa.authtoksvc.searchroot"))
|
||||
{
|
||||
// We are dealing with a search root, keep track of it. Make sure to preserve the order
|
||||
@ -165,6 +181,25 @@ public class RealmsInfo
|
||||
}
|
||||
}
|
||||
|
||||
// Check if we need to read the proxy user credentials from miCASA
|
||||
if (principalName == null || principalPassword == null)
|
||||
{
|
||||
realmInfo.m_proxyUserCredentialsInRealmsFile = false;
|
||||
|
||||
// We need to access miCASA to obtain the credentials
|
||||
try
|
||||
{
|
||||
MiCasa store = new MiCasa();
|
||||
NetCredential nc = store.getCredential(0, realm.getId(), null, 0);
|
||||
realmInfo.m_proxyUserName = principalName = nc.getUsername();
|
||||
realmInfo.m_proxyUserPassword = principalPassword = nc.getPassword();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
m_log.warn("Constructor()- Exception caught obtaining proxy user credentials from miCASA, msg = " + e.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
// Check if we must try to determine the directory type
|
||||
if (realmInfo.m_keyValueMap.get(RealmType) == null)
|
||||
{
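Review bot: When the miCASA lookup above fails, `m_proxyUserCredentialsInRealmsFile` has already been set to false while `m_proxyUserName` and `m_proxyUserPassword` stay null, so every consumer that honours the flag goes on to bind with null credentials; the first such consumer is the directory-type probe a few lines below, and if the resulting exception is not absorbed by its retry loop it propagates to the constructor's outer catch and aborts parsing of the remaining realms. The warning also records only `e.getMessage()`, which is empty for a NullPointerException from `nc` being null. Suggest failing the realm explicitly, `if (nc == null) throw new Exception("no miCASA credential stored for realm " + realm.getId());`, logging with the exception attached, `m_log.error("Constructor()- Unable to obtain proxy user credentials for realm " + realm.getId(), e);`, and skipping the realm rather than leaving it half-configured. A comment explaining the `getCredential(0, realm.getId(), null, 0)` arguments (the two zeros and the null are opaque here) would also help the next reader.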
|
||||
@ -181,6 +216,11 @@ public class RealmsInfo
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.bandit.ia.IAInitialCtxFactory");
|
||||
env.put(Realm.REALM_CONFIG_LOCATION, realmConfigFilePath);
|
||||
env.put(Realm.REALM_SELECTOR, realm.getId());
|
||||
if (realmInfo.m_proxyUserCredentialsInRealmsFile == false)
|
||||
{
|
||||
env.put(Context.SECURITY_PRINCIPAL, realmInfo.m_proxyUserName);
|
||||
env.put(Context.SECURITY_CREDENTIALS, realmInfo.m_proxyUserPassword);
|
||||
}
|
||||
|
||||
int retries = 3;
|
||||
while (retries != 0)
|
||||
@ -246,6 +286,25 @@ public class RealmsInfo
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
m_log.error("Constructor()- Exception caught, msg = " + e.getMessage());
|
||||
}
|
||||
finally
|
||||
{
|
||||
if (fileReader != null)
|
||||
{
|
||||
try
|
||||
{
|
||||
fileReader.close();
|
||||
}
|
||||
catch (IOException e)
|
||||
{
|
||||
// Do nothing
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get Realm Type.
|
||||
@ -306,4 +365,50 @@ public class RealmsInfo
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Proxy Credentials In Realms File.
|
||||
*
|
||||
* @param realmId Realm id.
|
||||
* @return True if present.
|
||||
*/
|
||||
final boolean proxyCredentialsInRealmFile(String realmId)
|
||||
{
|
||||
RealmInfo realmInfo = m_realmsMap.get(realmId);
|
||||
if (realmInfo != null)
|
||||
return realmInfo.m_proxyUserCredentialsInRealmsFile;
|
||||
else
|
||||
// Assume yes
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Proxy Username Credential.
|
||||
*
|
||||
* @param realmId Realm id.
|
||||
* @return Username or null.
|
||||
*/
|
||||
final String proxyUsernameCredential(String realmId)
|
||||
{
|
||||
RealmInfo realmInfo = m_realmsMap.get(realmId);
|
||||
if (realmInfo != null)
|
||||
return realmInfo.m_proxyUserName;
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Proxy Password Credential.
|
||||
*
|
||||
* @param realmId Realm id.
|
||||
* @return Password or null.
|
||||
*/
|
||||
final String proxyPasswordCredential(String realmId)
|
||||
{
|
||||
RealmInfo realmInfo = m_realmsMap.get(realmId);
|
||||
if (realmInfo != null)
|
||||
return realmInfo.m_proxyUserPassword;
|
||||
else
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
@ -54,4 +54,4 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar,/usr/share/java/identity-abstraction/*.jar
|
||||
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar,/usr/share/java/identity-abstraction/*.jar,/usr/lib/miCASA.jar
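Review bot: Adding miCASA.jar to `shared.loader` makes the CASA credential-store client available to every web application in this Tomcat instance, not only the ATS webapp, and all of them run under the same OS user whose store now holds the realm proxy credentials. Unless miCASA enforces access control finer than the caller's UID (not visible here), any other deployed webapp could read those credentials; consider loading the jar from the ATS webapp's own WEB-INF/lib instead, or document that the instance is dedicated. A comment above the line would record the decision: `# miCASA.jar at shared-loader scope: the ATS proxy-credential lookup needs it; this Tomcat instance must host only CASA ATS.`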
|
||||
|
@ -1,3 +1,27 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed May 9 16:38:14 MDT 2007 - jluciani@novell.com
|
||||
|
||||
- Added the capability to read REALM credentials from miCASA to
|
||||
avoid having the credentials in the clear in the iaRealms.xml
|
||||
file. This change adds a dependency on CASA and partially
|
||||
addresses BUG265414.
|
||||
|
||||
- Created a utility that allows users to edit the iaRealms.xml
|
||||
file. This was necessary to support the CASA ATS Yast Module
|
||||
enhancements.
|
||||
|
||||
- Fixed settings and policy utilities to output error messages
|
||||
to stderr instead of stdout to avoid messing up the CASA ATS
|
||||
Yast Module.
|
||||
|
||||
- Fixed the SPEC files to set the appropriate home folder for
|
||||
the casaatsd user.
|
||||
|
||||
- Temporary changed the SPEC files to allow the casaatsd user
|
||||
to have a shell. This change will be reverted as soon as
|
||||
the CASAcli is updated to allow a root user to pass the
|
||||
UID of the user being targeted.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 20 15:40:01 MDT 2007 - jluciani@novell.com
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
Name: @PACKAGE@
|
||||
URL: http://www.novell.com/products
|
||||
BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 xml-commons-apis
|
||||
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils
|
||||
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
|
||||
%define prefix /usr
|
||||
License: LGPL
|
||||
Group: Applications/System
|
||||
@ -30,7 +30,7 @@ Summary: Novell CASA Authentication Token Service
|
||||
Source: %{name}-%{version}.tar.bz2
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Requires: jre >= 1.5.0
|
||||
Requires: servletapi5 tomcat5 sysvinit insserv identity-abstraction sed log4j xerces-j2
|
||||
Requires: servletapi5 tomcat5 sysvinit insserv identity-abstraction sed log4j xerces-j2 CASA
|
||||
PreReq: %fillup_prereq %insserv_prereq
|
||||
PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd
|
||||
PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
|
||||
@ -221,7 +221,8 @@ fi
|
||||
|
||||
user_present=`getent passwd | grep ^casaatsd`
|
||||
if [ -z "$user_present" ] ; then
|
||||
/usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
# /usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
/usr/sbin/useradd -c "casaatsd System User" -s /bin/bash -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
fi
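Review bot: The active useradd line now gives the casaatsd service account a login shell (`-s /bin/bash`); the changelog calls this temporary, but it ships as the default for fresh installs and enlarges what anyone who obtains that account's credentials can do. If the only requirement is to run CASAcli as that user from root, `su -s /bin/bash casaatsd -c "..."` (or `sudo -u casaatsd`) does so without a permanent shell, so the original `-s /bin/false` line can stay and the commented-out copy can be dropped rather than left as dead text. Note also that useradd only runs when `$user_present` is empty, so upgraded systems keep their existing shell and behaviour will differ between fresh and upgraded installs.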
|
||||
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
Name: @PACKAGE@
|
||||
URL: http://www.novell.com/products
|
||||
BuildRequires: gcc-c++ glib2-devel identity-abstraction insserv libstdc++ libstdc++-devel mono-devel pkgconfig servletapi5 sysvinit xerces-j2 jdk novell-zenworks-java-links xml-commons-apis
|
||||
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils
|
||||
BuildRequires: java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
|
||||
%define prefix /usr
|
||||
License: LGPL
|
||||
Group: Applications/System
|
||||
@ -30,7 +30,7 @@ Summary: Novell CASA Authentication Token Service
|
||||
Source: %{name}-%{version}.tar.bz2
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Requires: jre >= 1.5.0
|
||||
Requires: novell-zenworks-tomcat sysvinit insserv identity-abstraction sed jdk novell-zenworks-java-links log4j xerces-j2
|
||||
Requires: novell-zenworks-tomcat sysvinit insserv identity-abstraction sed jdk novell-zenworks-java-links log4j xerces-j2 CASA
|
||||
PreReq: %fillup_prereq %insserv_prereq
|
||||
PreReq: /usr/bin/awk, /usr/bin/test, /bin/grep, /bin/cat, /usr/bin/install, /bin/pwd
|
||||
PreReq: /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
|
||||
@ -221,7 +221,8 @@ fi
|
||||
|
||||
user_present=`getent passwd | grep ^casaatsd`
|
||||
if [ -z "$user_present" ] ; then
|
||||
/usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
# /usr/sbin/useradd -c "casaatsd System User" -s /bin/false -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
/usr/sbin/useradd -c "casaatsd System User" -s /bin/bash -r -d /var/lib/CASA/authtoken/svc -g casaauth casaatsd 2> /dev/null || :
|
||||
fi
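Review bot: Replacing `-s /bin/false` with `-s /bin/bash` for the casaatsd system account is a hardening regression that the commented-out line documents but does not gate, and because the useradd is guarded by `$user_present` it only takes effect on fresh installs, leaving two populations of systems with different shells. Invoking CASAcli via `su -s /bin/bash casaatsd -c "..."` from root avoids needing a shell on the account at all. If the shell must stay until the CASAcli change lands, add a comment naming that change next to the line so the revert is not forgotten, and remove the commented-out useradd.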
|
||||
|
||||
|
||||
|