Made changes to simplify the configuration of enabled servers. Also,
modified to utilize the ISSUER_SERIAL scheme for including X509 Cert
Info in tokens targeting services local to the ATS.
Juan Carlos Luciani 2006-09-19 00:34:56 +00:00
parent a860e0353b
commit b8dd842add
6 changed files with 120 additions and 48 deletions


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Sep 18 11:18:00 MDT 2006 - jluciani@novell.com
- Updated the Svc to reduce the configuration requirements on services
that want to leverage the infrastructure.
- Modified the WSSecurity module to not include the X509 certificate
in tokens if they are targeted to services residing on the same
box as the ATS. This is being done in order to minimize the size
of the tokens.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 14 09:57:00 MDT 2006 - jluciani@novell.com Thu Sep 14 09:57:00 MDT 2006 - jluciani@novell.com


@ -53,7 +53,6 @@ import java.io.*;
*/ */
public class AuthToken public class AuthToken
{ {
private String m_token; private String m_token;
private String m_lifetime = ""; private String m_lifetime = "";
private String m_lifetimeShorter = ""; private String m_lifetimeShorter = "";
@ -111,7 +110,8 @@ public class AuthToken
Message authTokenMessage = getMessage(identityToken.getEncodedToken(), Message authTokenMessage = getMessage(identityToken.getEncodedToken(),
identityToken.getProviderType(), identityToken.getProviderType(),
Integer.valueOf(m_lifetime).intValue(), Integer.valueOf(m_lifetime).intValue(),
svcConfig); svcConfig,
(targetHost.compareTo("localhost") == 0) ? false : true);
// Now save the message as a string // Now save the message as a string
OutputStream outStream = new ByteArrayOutputStream(); OutputStream outStream = new ByteArrayOutputStream();
@ -201,13 +201,15 @@ public class AuthToken
* @param identityToken String containing the identity token that should be part of the message * @param identityToken String containing the identity token that should be part of the message
* @param identityTokenType String containing the identity token type * @param identityTokenType String containing the identity token type
* @param lifetime Lifetime that should be specified in the message timestamp (seconds) * @param lifetime Lifetime that should be specified in the message timestamp (seconds)
* @param svcConfig Service configuratio object * @param svcConfig Service configuration object
* @param includeCert True if the message should include the Public Certificate
* @return <code>Message<code> AuthToken message, null if the method fails. * @return <code>Message<code> AuthToken message, null if the method fails.
*/ */
private Message getMessage(String identityToken, private Message getMessage(String identityToken,
String identityTokenType, String identityTokenType,
int lifetime, int lifetime,
SvcConfig svcConfig) SvcConfig svcConfig,
boolean includeCert)
{ {
Message secureMessage; Message secureMessage;
@ -240,7 +242,8 @@ public class AuthToken
// To do this we are going to leverage WS-Security. // To do this we are going to leverage WS-Security.
secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(), secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(),
lifetime, lifetime,
svcConfig); svcConfig,
includeCert);
} }
catch (Exception e) catch (Exception e)
{ {
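Review bot: The decision to leave the certificate out of the token hinges on `targetHost` being exactly the string `"localhost"`: a target written as 127.0.0.1 or as the machine's own name still receives the full certificate (harmless, but it defeats the size saving), and if targetHost can ever be null the `compareTo` call throws before the message is built. The ternary reads more naturally as `!"localhost".equals(targetHost)`, which yields the same boolean for non-null input and includes the certificate when the target is null. Because an ISSUER_SERIAL reference can only be verified by a receiver that already holds the signer's certificate, the new parameter deserves a fuller javadoc line in getMessage, e.g. `* @param includeCert True to embed the Public Certificate; false uses an issuer/serial reference that the receiver must resolve from its own keystore`. The method that derives targetHost and calls getMessage starts outside the hunk.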


@ -40,6 +40,14 @@ public class EnabledSvcsConfig
private static final String m_authTokenSettingsFileName = "authtoken.settings"; private static final String m_authTokenSettingsFileName = "authtoken.settings";
private static final String m_idenTokenSettingsFileName = "identoken.settings"; private static final String m_idenTokenSettingsFileName = "identoken.settings";
private boolean m_enabledSvcsOnly;
// Default auth policy, authtoken, and identtoken configs.
byte[] m_defaultAuthPolicyData = null;
AuthTokenConfig m_defaultAuthTokenConfig = null;
IdenTokenConfig m_defaultIdenTokenConfig = null;
private Map m_hostsMap; private Map m_hostsMap;
/** /**
@ -71,11 +79,15 @@ public class EnabledSvcsConfig
/* /*
* Constructor. * Constructor.
*/ */
public EnabledSvcsConfig(String svcConfigPath) throws Exception public EnabledSvcsConfig(String svcConfigPath,
boolean enabledSvcsOnly) throws Exception
{ {
System.err.println("EnabledSvcsConfig()-"); System.err.println("EnabledSvcsConfig()-");
System.err.println("EnabledSvcsConfig()- SvcConfigPath = " + svcConfigPath); System.err.println("EnabledSvcsConfig()- SvcConfigPath = " + svcConfigPath);
// Remember the enabledSvcsOnly setting
m_enabledSvcsOnly = enabledSvcsOnly;
// Initialize the default auth policy, authtoken, and identtoken configs. // Initialize the default auth policy, authtoken, and identtoken configs.
byte[] defaultAuthPolicyData = null; byte[] defaultAuthPolicyData = null;
AuthTokenConfig defaultAuthTokenConfig = null; AuthTokenConfig defaultAuthTokenConfig = null;
@ -93,11 +105,11 @@ public class EnabledSvcsConfig
try try
{ {
File f = new File(configFolder, m_authPolicyFileName); File f = new File(configFolder, m_authPolicyFileName);
defaultAuthPolicyData = new byte[(int) f.length()]; m_defaultAuthPolicyData = new byte[(int) f.length()];
FileInputStream inStream = new FileInputStream(f); FileInputStream inStream = new FileInputStream(f);
int bytesRead = inStream.read(defaultAuthPolicyData); int bytesRead = inStream.read(m_defaultAuthPolicyData);
inStream.close(); inStream.close();
if (bytesRead != defaultAuthPolicyData.length) if (bytesRead != m_defaultAuthPolicyData.length)
{ {
System.err.println("EnabledSvcsConfig()- Error reading default policy file"); System.err.println("EnabledSvcsConfig()- Error reading default policy file");
} }
@ -118,25 +130,25 @@ public class EnabledSvcsConfig
// Try to obtain the default authentication token settings // Try to obtain the default authentication token settings
try try
{ {
defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName); m_defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName);
} }
catch (Exception e) catch (Exception e)
{ {
// Not able to create authentication token configuration using the default // Not able to create authentication token configuration using the default
// file. Create one using default parameters. // file. Create one using default parameters.
defaultAuthTokenConfig = new AuthTokenConfig(); m_defaultAuthTokenConfig = new AuthTokenConfig();
} }
// Try to obtain the default identity token settings // Try to obtain the default identity token settings
try try
{ {
defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName); m_defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName);
} }
catch (Exception e) catch (Exception e)
{ {
// Not able to create identity token configuration using the default // Not able to create identity token configuration using the default
// file. Create one using default parameters. // file. Create one using default parameters.
defaultIdenTokenConfig = new IdenTokenConfig(); m_defaultIdenTokenConfig = new IdenTokenConfig();
} }
// Now go through the configured hosts. Note that the services config folder // Now go through the configured hosts. Note that the services config folder
@ -229,12 +241,12 @@ public class EnabledSvcsConfig
// Make sure that we have a policy file // Make sure that we have a policy file
if ((authPolicyData != null && authPolicyData.length != 0) if ((authPolicyData != null && authPolicyData.length != 0)
|| (defaultAuthPolicyData != null && defaultAuthPolicyData.length != 0)) || (m_defaultAuthPolicyData != null && m_defaultAuthPolicyData.length != 0))
{ {
// Instantiate SvcConfigEntry for this service and place it in our map // Instantiate SvcConfigEntry for this service and place it in our map
SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : defaultAuthPolicyData, SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : m_defaultAuthPolicyData,
(authTokenConfig != null) ? authTokenConfig : defaultAuthTokenConfig, (authTokenConfig != null) ? authTokenConfig : m_defaultAuthTokenConfig,
(idenTokenConfig != null) ? idenTokenConfig : defaultIdenTokenConfig); (idenTokenConfig != null) ? idenTokenConfig : m_defaultIdenTokenConfig);
// Add this entry to our map // Add this entry to our map
System.err.println("EnabledSvcsConfig()- Adding entry in map for " + servicesConfigFolderObjs[i] + " " + hostFolderObjs[ii]); System.err.println("EnabledSvcsConfig()- Adding entry in map for " + servicesConfigFolderObjs[i] + " " + hostFolderObjs[ii]);
@ -289,16 +301,25 @@ public class EnabledSvcsConfig
*/ */
public boolean svcEnabled(String hostName, String serviceName) public boolean svcEnabled(String hostName, String serviceName)
{ {
// First try to obtain the Map of enabled services for the host // Always return try if m_enabledSvcsOnly is configured "false" else
// tbd - Should we make this case insensitive? // check the enabled svcs configuration.
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); if (m_enabledSvcsOnly == false)
if (enabledSvcsConfigMap != null)
{ {
return enabledSvcsConfigMap.containsKey(serviceName); return true;
} }
else else
{ {
return false; // First try to obtain the Map of enabled services for the host
// tbd - Should we make this case insensitive?
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
if (enabledSvcsConfigMap != null)
{
return enabledSvcsConfigMap.containsKey(serviceName);
}
else
{
return false;
}
} }
} }
@ -308,6 +329,8 @@ public class EnabledSvcsConfig
*/ */
public byte[] getAuthPolicyFileDataForSvc(String hostName, String serviceName) public byte[] getAuthPolicyFileDataForSvc(String hostName, String serviceName)
{ {
byte[] authPolicyData = null;
// First try to obtain the Map of enabled services for the host // First try to obtain the Map of enabled services for the host
// tbd - Should we make this case insensitive? // tbd - Should we make this case insensitive?
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
@ -317,17 +340,20 @@ public class EnabledSvcsConfig
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
if (svcConfigEntry != null) if (svcConfigEntry != null)
{ {
return svcConfigEntry.m_authPolicyFileData; authPolicyData = svcConfigEntry.m_authPolicyFileData;
}
else
{
return null;
} }
} }
else
// If m_enabledSvcsOnly is configured "false" and if no authentication policy
// data was found for this service then return the default authentication policy
// data.
if (authPolicyData == null
&& m_enabledSvcsOnly == false)
{ {
return null; authPolicyData = m_defaultAuthPolicyData;
} }
return authPolicyData;
} }
/* /*
@ -336,6 +362,8 @@ public class EnabledSvcsConfig
*/ */
public AuthTokenConfig getAuthTokenConfig(String hostName, String serviceName) public AuthTokenConfig getAuthTokenConfig(String hostName, String serviceName)
{ {
AuthTokenConfig authTokenConfig = null;
// First try to obtain the Map of enabled services for the host // First try to obtain the Map of enabled services for the host
// tbd - Should we make this case insensitive? // tbd - Should we make this case insensitive?
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
@ -345,17 +373,19 @@ public class EnabledSvcsConfig
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
if (svcConfigEntry != null) if (svcConfigEntry != null)
{ {
return svcConfigEntry.m_authTokenConfig; authTokenConfig = svcConfigEntry.m_authTokenConfig;
}
else
{
return null;
} }
} }
else
// If m_enabledSvcsOnly is configured "false" and if no AuthTokenConfig
// was found for this service then return the default AuthTokenConfig.
if (authTokenConfig == null
&& m_enabledSvcsOnly == false)
{ {
return null; authTokenConfig = m_defaultAuthTokenConfig;
} }
return authTokenConfig;
} }
/* /*
@ -364,6 +394,8 @@ public class EnabledSvcsConfig
*/ */
public IdenTokenConfig getIdenTokenConfig(String hostName, String serviceName) public IdenTokenConfig getIdenTokenConfig(String hostName, String serviceName)
{ {
IdenTokenConfig idenTokenConfig = null;
// First try to obtain the Map of enabled services for the host // First try to obtain the Map of enabled services for the host
// tbd - Should we make this case insensitive? // tbd - Should we make this case insensitive?
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName); Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
@ -373,16 +405,18 @@ public class EnabledSvcsConfig
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName); SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
if (svcConfigEntry != null) if (svcConfigEntry != null)
{ {
return svcConfigEntry.m_idenTokenConfig; idenTokenConfig = svcConfigEntry.m_idenTokenConfig;
}
else
{
return null;
} }
} }
else
// If m_enabledSvcsOnly is configured "false" and if no IdenTokenConfig
// was found for this service then return the default IdenTokenConfig.
if (idenTokenConfig == null
&& m_enabledSvcsOnly == false)
{ {
return null; idenTokenConfig = m_defaultIdenTokenConfig;
} }
return idenTokenConfig;
} }
} }
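Review bot: getAuthPolicyFileDataForSvc now hands every caller the one shared `m_defaultAuthPolicyData` array, so any caller that modifies the returned bytes changes the default policy seen by every service resolved afterwards; return `authPolicyData = m_defaultAuthPolicyData.clone();` in the fallback branch, or document that the returned array is read-only. When `m_enabledSvcsOnly` is false, svcEnabled answers true without consulting anything, yet getAuthPolicyFileDataForSvc still returns null if the default policy file could not be read in the constructor — presumably the caller treats a null policy as a denial, which is worth confirming. The three new fields are package-private while the rest of the class is `private`; declare them `private byte[] m_defaultAuthPolicyData = null;` and likewise for the two config fields. The constructor's locals `defaultAuthPolicyData` and `defaultAuthTokenConfig` (and presumably the identity-token one just past the hunk) are now dead, since every read and write in the hunks was switched to the fields. As a matter of style, `m_enabledSvcsOnly == false` reads better as `!m_enabledSvcsOnly`, and the three getters now repeat the same host-map/service lookup that a small private helper could share.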


@ -49,6 +49,8 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
private String m_appFolderPath = null; private String m_appFolderPath = null;
private String m_configFolderPath = null; private String m_configFolderPath = null;
private boolean m_enabledSvcsOnly;
protected ReconfigureThread m_reconfigureThread = null; protected ReconfigureThread m_reconfigureThread = null;
protected int m_reconfigureInterval; // seconds protected int m_reconfigureInterval; // seconds
@ -147,7 +149,7 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
} }
// Read enabled services configuration // Read enabled services configuration
EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath); EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath, m_enabledSvcsOnly);
// Create a map to keep track of the Rpc methods // Create a map to keep track of the Rpc methods
Map methodsMap = new HashMap(); Map methodsMap = new HashMap();
@ -194,6 +196,18 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
m_configFolderPath = m_appFolderPath + "WEB-INF/conf"; m_configFolderPath = m_appFolderPath + "WEB-INF/conf";
} }
// Check if we support services that are not explicitedly enabled
String enabledSvcsOnly = System.getProperty("com.novell.casa.authtoksvc.enabled_svcs_only");
if (enabledSvcsOnly != null
&& enabledSvcsOnly.compareToIgnoreCase("true") == 0)
{
m_enabledSvcsOnly = true;
}
else
{
m_enabledSvcsOnly = false;
}
// Configure ourselves // Configure ourselves
configureServlet(); configureServlet();
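Review bot: When the `com.novell.casa.authtoksvc.enabled_svcs_only` property is absent, `m_enabledSvcsOnly` ends up false, so a deployment that never sets the new property silently stops restricting lookups to explicitly enabled services; defaulting to true when the property is unset, or at least printing the effective value alongside the other startup messages, keeps an omitted setting from widening what is treated as enabled. The whole if/else collapses to `m_enabledSvcsOnly = Boolean.getBoolean("com.novell.casa.authtoksvc.enabled_svcs_only");`, which has exactly the present semantics (true only when the property exists and equals "true" ignoring case). The enclosing init method starts outside the hunk.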


@ -194,7 +194,8 @@ public class SessionToken
// To do this we are going to leverage WS-Security. // To do this we are going to leverage WS-Security.
secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(), secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(),
lifetime, lifetime,
svcConfig); svcConfig,
false);
} }
catch (Exception e) catch (Exception e)
{ {


@ -234,17 +234,26 @@ public class WSSecurity
* @param envelope String containing a SOAP envelope * @param envelope String containing a SOAP envelope
* @param timeToLive Value to set the timestamp timeToLive parameter in seconds * @param timeToLive Value to set the timestamp timeToLive parameter in seconds
* @param svcConfig Service Config object * @param svcConfig Service Config object
* @param includeCert True if the message should include the Public Certificate
* @return <code>Message</code> Signed and timestamped SOAP message * @return <code>Message</code> Signed and timestamped SOAP message
* @throws Exception on error * @throws Exception on error
*/ */
public static Message secureSOAPEnvelope(SOAPEnvelope envelope, public static Message secureSOAPEnvelope(SOAPEnvelope envelope,
int timeToLive, int timeToLive,
SvcConfig svcConfig) throws Exception SvcConfig svcConfig,
boolean includeCert) throws Exception
{ {
WSSecSignature signer = new WSSecSignature(); WSSecSignature signer = new WSSecSignature();
signer.setUserInfo(svcConfig.getSetting(SvcConfig.KeyStoreUser), signer.setUserInfo(svcConfig.getSetting(SvcConfig.KeyStoreUser),
svcConfig.getSetting(SvcConfig.KeyStorePwd)); svcConfig.getSetting(SvcConfig.KeyStorePwd));
signer.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); // Include X509 Cert in message if (includeCert)
{
signer.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); // Include X509 Cert in message
}
else
{
signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // Use X509 Cert Serial Number and issuer info
}
Document doc = envelope.getAsDocument(); Document doc = envelope.getAsDocument();