From b8dd842addbc8bfcd28aafd802d6af68d04de2d3 Mon Sep 17 00:00:00 2001 From: Juan Carlos Luciani Date: Tue, 19 Sep 2006 00:34:56 +0000 Subject: [PATCH] Made changes to simplify the configuration of enabled servers. Also, modified to utilize the ISSUER_SERIAL scheme for including X509 Cert Info in tokens targeting services local to the ATS. --- .../package/linux/CASA_auth_token_svc.changes | 11 ++ .../com/novell/casa/authtoksvc/AuthToken.java | 13 +- .../casa/authtoksvc/EnabledSvcsConfig.java | 112 ++++++++++++------ .../src/com/novell/casa/authtoksvc/Rpc.java | 16 ++- .../novell/casa/authtoksvc/SessionToken.java | 3 +- .../novell/casa/authtoksvc/WSSecurity.java | 13 +- 6 files changed, 120 insertions(+), 48 deletions(-) diff --git a/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes b/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes index dee5e8d9..98e5832c 100644 --- a/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes +++ b/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Sep 18 11:18:00 MDT 2006 - jluciani@novell.com + +- Updated the Svc to reduce the configuration requirements on services + that want to leverage the infrastructure. + +- Modified the WSSecurity module to not include the X509 certificate + in tokens if they are targeted to services residing on the same + box as the ATS. This is being done in order to minimize the size + of the tokens. + ------------------------------------------------------------------- Thu Sep 14 09:57:00 MDT 2006 - jluciani@novell.com diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java index 5fa51ea9..55a23f0b 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java 
+++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java @@ -53,7 +53,6 @@ import java.io.*; */ public class AuthToken { - private String m_token; private String m_lifetime = ""; private String m_lifetimeShorter = ""; @@ -111,7 +110,8 @@ public class AuthToken Message authTokenMessage = getMessage(identityToken.getEncodedToken(), identityToken.getProviderType(), Integer.valueOf(m_lifetime).intValue(), - svcConfig); + svcConfig, + (targetHost.compareTo("localhost") == 0) ? false : true); // Now save the message as a string OutputStream outStream = new ByteArrayOutputStream(); @@ -201,13 +201,15 @@ public class AuthToken * @param identityToken String containing the identity token that should be part of the message * @param identityTokenType String containing the identity token type * @param lifetime Lifetime that should be specified in the message timestamp (seconds) - * @param svcConfig Service configuratio object + * @param svcConfig Service configuration object + * @param includeCert True if the message should include the Public Certificate * @return Message AuthToken message, null if the method fails. */ private Message getMessage(String identityToken, String identityTokenType, int lifetime, - SvcConfig svcConfig) + SvcConfig svcConfig, + boolean includeCert) { Message secureMessage; @@ -240,7 +242,8 @@ public class AuthToken // To do this we are going to leverage WS-Security. secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(), lifetime, - svcConfig); + svcConfig, + includeCert); } catch (Exception e) { diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/EnabledSvcsConfig.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/EnabledSvcsConfig.java index 59301e54..5dc76489 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/EnabledSvcsConfig.java +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/EnabledSvcsConfig.java 
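Review bot: The cert-inclusion decision passed into `getMessage` hinges on an exact, case-sensitive match of `targetHost` against the literal `"localhost"`, so a request naming the same box as `LOCALHOST`, `127.0.0.1` or its real hostname still gets the full certificate embedded, and a null `targetHost` throws NullPointerException before the token is built. If `targetHost` comes from the client request (its origin is outside this hunk), normalize it once and document which spellings count as local; at minimum `!"localhost".equals(targetHost)` is null-safe and reads as the intent instead of `(... == 0) ? false : true`. It is also worth saying in the javadoc what the consumer must have for the false case, e.g. `@param includeCert True to embed the signing certificate; false emits an issuer/serial reference that the consumer must resolve from its own keystore`. The method containing the first hunk starts outside the hunk.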
@@ -40,6 +40,14 @@ public class EnabledSvcsConfig private static final String m_authTokenSettingsFileName = "authtoken.settings"; private static final String m_idenTokenSettingsFileName = "identoken.settings"; + private boolean m_enabledSvcsOnly; + + // Default auth policy, authtoken, and identtoken configs. + byte[] m_defaultAuthPolicyData = null; + AuthTokenConfig m_defaultAuthTokenConfig = null; + IdenTokenConfig m_defaultIdenTokenConfig = null; + + private Map m_hostsMap; /** @@ -71,11 +79,15 @@ public class EnabledSvcsConfig /* * Constructor. */ - public EnabledSvcsConfig(String svcConfigPath) throws Exception + public EnabledSvcsConfig(String svcConfigPath, + boolean enabledSvcsOnly) throws Exception { System.err.println("EnabledSvcsConfig()-"); System.err.println("EnabledSvcsConfig()- SvcConfigPath = " + svcConfigPath); + // Remember the enabledSvcsOnly setting + m_enabledSvcsOnly = enabledSvcsOnly; + // Initialize the default auth policy, authtoken, and identtoken configs. byte[] defaultAuthPolicyData = null; AuthTokenConfig defaultAuthTokenConfig = null; @@ -93,11 +105,11 @@ public class EnabledSvcsConfig try { File f = new File(configFolder, m_authPolicyFileName); - defaultAuthPolicyData = new byte[(int) f.length()]; + m_defaultAuthPolicyData = new byte[(int) f.length()]; FileInputStream inStream = new FileInputStream(f); - int bytesRead = inStream.read(defaultAuthPolicyData); + int bytesRead = inStream.read(m_defaultAuthPolicyData); inStream.close(); - if (bytesRead != defaultAuthPolicyData.length) + if (bytesRead != m_defaultAuthPolicyData.length) { System.err.println("EnabledSvcsConfig()- Error reading default policy file"); } 
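Review bot: The three new default-config fields `m_defaultAuthPolicyData`, `m_defaultAuthTokenConfig` and `m_defaultIdenTokenConfig` are declared package-private while every neighbouring field (`m_enabledSvcsOnly`, `m_hostsMap`, the file-name constants) is `private`; since `m_defaultAuthPolicyData` is the fallback authentication policy handed out for every unconfigured service, it should not be writable from elsewhere in the package — declare them `private byte[] m_defaultAuthPolicyData = null;` and likewise for the other two. With the assignments now targeting the fields, the constructor locals `defaultAuthPolicyData`, `defaultAuthTokenConfig` and `defaultIdenTokenConfig` still declared in the second hunk appear to be dead and can be dropped along with the comment that introduces them. The constructor continues outside the hunk.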
@@ -118,25 +130,25 @@ public class EnabledSvcsConfig // Try to obtain the default authentication token settings try { - defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName); + m_defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName); } catch (Exception e) { // Not able to create authentication token configuration using the default // file. Create one using default parameters. - defaultAuthTokenConfig = new AuthTokenConfig(); + m_defaultAuthTokenConfig = new AuthTokenConfig(); } // Try to obtain the default identity token settings try { - defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName); + m_defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName); } catch (Exception e) { // Not able to create identity token configuration using the default // file. Create one using default parameters. - defaultIdenTokenConfig = new IdenTokenConfig(); + m_defaultIdenTokenConfig = new IdenTokenConfig(); } // Now go through the configured hosts. Note that the services config folder 
@@ -229,12 +241,12 @@ public class EnabledSvcsConfig // Make sure that we have a policy file if ((authPolicyData != null && authPolicyData.length != 0) - || (defaultAuthPolicyData != null && defaultAuthPolicyData.length != 0)) + || (m_defaultAuthPolicyData != null && m_defaultAuthPolicyData.length != 0)) { // Instantiate SvcConfigEntry for this service and place it in our map - SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : defaultAuthPolicyData, - (authTokenConfig != null) ? authTokenConfig : defaultAuthTokenConfig, - (idenTokenConfig != null) ? idenTokenConfig : defaultIdenTokenConfig); + SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : m_defaultAuthPolicyData, + (authTokenConfig != null) ? authTokenConfig : m_defaultAuthTokenConfig, + (idenTokenConfig != null) ? idenTokenConfig : m_defaultIdenTokenConfig); // Add this entry to our map System.err.println("EnabledSvcsConfig()- Adding entry in map for " + servicesConfigFolderObjs[i] + " " + hostFolderObjs[ii]); 
@@ -289,16 +301,25 @@ public class EnabledSvcsConfig */ public boolean svcEnabled(String hostName, String serviceName) { - // First try to obtain the Map of enabled services for the host - // tbd - Should we make this case insensitive? - Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); - if (enabledSvcsConfigMap != null) + // Always return try if m_enabledSvcsOnly is configured "false" else + // check the enabled svcs configuration. + if (m_enabledSvcsOnly == false) { - return enabledSvcsConfigMap.containsKey(serviceName); + return true; } else { - return false; + // First try to obtain the Map of enabled services for the host + // tbd - Should we make this case insensitive? + Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); + if (enabledSvcsConfigMap != null) + { + return enabledSvcsConfigMap.containsKey(serviceName); + } + else + { + return false; + } } } @@ -308,6 +329,8 @@ public class EnabledSvcsConfig */ public byte[] getAuthPolicyFileDataForSvc(String hostName, String serviceName) { + byte[] authPolicyData = null; + // First try to obtain the Map of enabled services for the host // tbd - Should we make this case insensitive? Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); @@ -317,17 +340,20 @@ public class EnabledSvcsConfig SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); if (svcConfigEntry != null) { - return svcConfigEntry.m_authPolicyFileData; - } - else - { - return null; + authPolicyData = svcConfigEntry.m_authPolicyFileData; } } - else + + // If m_enabledSvcsOnly is configured "false" and if no authentication policy + // data was found for this service then return the default authentication policy + // data. + if (authPolicyData == null + && m_enabledSvcsOnly == false) { - return null; + authPolicyData = m_defaultAuthPolicyData; } + + return authPolicyData; } /* 
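Review bot: In `svcEnabled` the `m_enabledSvcsOnly == false` branch returns true before `m_hostsMap` is consulted at all, so a host that an administrator has explicitly configured with a service allow-list will also accept any other service name in this mode — the per-host list silently stops being a restriction. If that is intended, say so in the method comment; if not, look the host up first and only fall back to `true` when it has no entry, which keeps explicitly configured hosts fail-closed. The new comment also has a typo: `// Always return try if` should read `// Always return true if`. Nothing here validates `hostName`/`serviceName` (the `tbd` about case-insensitive lookup still stands), which matters more now that default policies are handed to services that were never listed.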
@@ -336,6 +362,8 @@ public class EnabledSvcsConfig */ public AuthTokenConfig getAuthTokenConfig(String hostName, String serviceName) { + AuthTokenConfig authTokenConfig = null; + // First try to obtain the Map of enabled services for the host // tbd - Should we make this case insensitive? Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); @@ -345,17 +373,19 @@ public class EnabledSvcsConfig SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); if (svcConfigEntry != null) { - return svcConfigEntry.m_authTokenConfig; - } - else - { - return null; + authTokenConfig = svcConfigEntry.m_authTokenConfig; } } - else + + // If m_enabledSvcsOnly is configured "false" and if no AuthTokenConfig + // was found for this service then return the default AuthTokenConfig. + if (authTokenConfig == null + && m_enabledSvcsOnly == false) { - return null; + authTokenConfig = m_defaultAuthTokenConfig; } + + return authTokenConfig; } /* @@ -364,6 +394,8 @@ public class EnabledSvcsConfig */ public IdenTokenConfig getIdenTokenConfig(String hostName, String serviceName) { + IdenTokenConfig idenTokenConfig = null; + // First try to obtain the Map of enabled services for the host // tbd - Should we make this case insensitive? Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); @@ -373,16 +405,18 @@ public class EnabledSvcsConfig SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); if (svcConfigEntry != null) { - return svcConfigEntry.m_idenTokenConfig; - } - else - { - return null; + idenTokenConfig = svcConfigEntry.m_idenTokenConfig; } } - else + + // If m_enabledSvcsOnly is configured "false" and if no IdenTokenConfig + // was found for this service then return the default IdenTokenConfig. + if (idenTokenConfig == null + && m_enabledSvcsOnly == false) { - return null; + idenTokenConfig = m_defaultIdenTokenConfig; } + + return idenTokenConfig; } } \ No newline at end of file 
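Review bot: `getAuthPolicyFileDataForSvc`, `getAuthTokenConfig` and `getIdenTokenConfig` now carry three copies of the same host-map lookup and the same `m_enabledSvcsOnly` fallback, differing only in which `SvcConfigEntry` field is read; a private lookup helper would keep the three in step, so the open `tbd` about case-insensitive host names has one place to be fixed. The sketch below shows the last getter; the other two follow the same shape.
```java
// Shared lookup for the three getters: the explicitly configured entry, or null.
private SvcConfigEntry findSvcConfigEntry(String hostName, String serviceName)
{
   // tbd - Should we make this case insensitive?
   Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
   if (enabledSvcsConfigMap == null)
   {
      return null;
   }
   return (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
}

public IdenTokenConfig getIdenTokenConfig(String hostName, String serviceName)
{
   SvcConfigEntry svcConfigEntry = findSvcConfigEntry(hostName, serviceName);
   IdenTokenConfig idenTokenConfig = (svcConfigEntry != null) ? svcConfigEntry.m_idenTokenConfig : null;
   // … unchanged: fall back to m_defaultIdenTokenConfig when m_enabledSvcsOnly is false …
   return idenTokenConfig;
}
```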
diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Rpc.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Rpc.java index 6da2ca7c..18a9f439 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Rpc.java +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Rpc.java @@ -49,6 +49,8 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet private String m_appFolderPath = null; private String m_configFolderPath = null; + private boolean m_enabledSvcsOnly; + protected ReconfigureThread m_reconfigureThread = null; protected int m_reconfigureInterval; // seconds @@ -147,7 +149,7 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet } // Read enabled services configuration - EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath); + EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath, m_enabledSvcsOnly); // Create a map to keep track of the Rpc methods Map methodsMap = new HashMap(); @@ -194,6 +196,18 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet m_configFolderPath = m_appFolderPath + "WEB-INF/conf"; } + // Check if we support services that are not explicitedly enabled + String enabledSvcsOnly = System.getProperty("com.novell.casa.authtoksvc.enabled_svcs_only"); + if (enabledSvcsOnly != null + && enabledSvcsOnly.compareToIgnoreCase("true") == 0) + { + m_enabledSvcsOnly = true; + } + else + { + m_enabledSvcsOnly = false; + } + // Configure ourselves configureServlet(); diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/SessionToken.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/SessionToken.java index bcbbdf5e..081b2915 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/SessionToken.java +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/SessionToken.java 
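Review bot: The new `com.novell.casa.authtoksvc.enabled_svcs_only` property defaults to `false` whenever it is absent or is anything other than `true`, which makes the servlet fail open: a missing, misspelled or mistyped system property silently puts the ATS into the mode where `svcEnabled` accepts any host/service pair and default policies are issued for all of them. For an authentication token service the restrictive setting is the safer default and is also the pre-commit behaviour for existing deployments — `m_enabledSvcsOnly = (enabledSvcsOnly == null) || enabledSvcsOnly.equalsIgnoreCase("true");` — and in either case the effective mode should be logged at startup next to the other `System.err.println` diagnostics, e.g. `System.err.println("Rpc.init()- enabled_svcs_only = " + m_enabledSvcsOnly);`. The property is read once here and then reused by whatever later rebuilds `EnabledSvcsConfig` (the reconfigure path is outside this hunk), which is reasonable but deserves a sentence on the field declaration. The method that reads the property starts outside the hunk.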
@@ -194,7 +194,8 @@ public class SessionToken // To do this we are going to leverage WS-Security. secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(), lifetime, - svcConfig); + svcConfig, + false); } catch (Exception e) { diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/WSSecurity.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/WSSecurity.java index b0699437..4e24ab58 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/WSSecurity.java +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/WSSecurity.java @@ -234,17 +234,26 @@ public class WSSecurity * @param envelope String containing a SOAP envelope * @param timeToLive Value to set the timestamp timeToLive parameter in seconds * @param svcConfig Service Config object + * @param includeCert True if the message should include the Public Certificate * @return Message Signed and timestamped SOAP message * @throws Exception on error */ public static Message secureSOAPEnvelope(SOAPEnvelope envelope, int timeToLive, - SvcConfig svcConfig) throws Exception + SvcConfig svcConfig, + boolean includeCert) throws Exception { WSSecSignature signer = new WSSecSignature(); signer.setUserInfo(svcConfig.getSetting(SvcConfig.KeyStoreUser), svcConfig.getSetting(SvcConfig.KeyStorePwd)); - signer.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); // Include X509 Cert in message + if (includeCert) + { + signer.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); // Include X509 Cert in message + } + else + { + signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // Use X509 Cert Serial Number and issuer info + } Document doc = envelope.getAsDocument();
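Review bot: `SessionToken` now hard-codes `false` for `includeCert`, so every session token switches from an embedded X.509 certificate to an issuer/serial reference — a broader change than the changelog's "tokens targeted to services on the same box" describes. That is safe only if session tokens are verified exclusively by the ATS itself against its own keystore (the consumer is outside this hunk); any other verifier would no longer receive the certificate it needs. Either way the bare literal deserves a comment, e.g. `false); // session tokens are verified by the ATS itself, which holds its own cert`, so the next reader does not have to rediscover the reasoning. The enclosing method starts outside the hunk.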
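Review bot: With `includeCert` false, `secureSOAPEnvelope` emits only an issuer/serial reference, so a consumer can verify the signature only if it already holds the ATS signing certificate and can look it up by that pair; the new `@param includeCert` javadoc does not state that contract, and a re-issued keystore certificate (new serial) will break such consumers until their copy is refreshed. Extend the parameter doc, e.g. `@param includeCert True to embed the signing certificate; false emits an Issuer/Serial reference that the consumer must resolve from its own keystore`, and note on the `else` branch that the reference changes whenever the keystore certificate is renewed. The remainder of the method (signing and timestamping) continues outside the hunk.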