Made changes to simplify the configuration of enabled servers. Also,
modified to utilize the ISSUER_SERIAL scheme for including X509 Cert Info in tokens targeting services local to the ATS.
This commit is contained in:
Juan Carlos Luciani
@@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 18 11:18:00 MDT 2006 - jluciani@novell.com
|
||||
|
||||
- Updated the Svc to reduce the configuration requirements on services
|
||||
that want to leverage the infrastructure.
|
||||
|
||||
- Modified the WSSecurity module to not include the X509 certificate
|
||||
in tokens if they are targeted to services residing on the same
|
||||
box as the ATS. This is being done in order to minimize the size
|
||||
of the tokens.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 14 09:57:00 MDT 2006 - jluciani@novell.com
|
||||
|
||||
|
||||
@@ -53,7 +53,6 @@ import java.io.*;
|
||||
*/
|
||||
public class AuthToken
|
||||
{
|
||||
|
||||
private String m_token;
|
||||
private String m_lifetime = "";
|
||||
private String m_lifetimeShorter = "";
|
||||
@@ -111,7 +110,8 @@ public class AuthToken
|
||||
Message authTokenMessage = getMessage(identityToken.getEncodedToken(),
|
||||
identityToken.getProviderType(),
|
||||
Integer.valueOf(m_lifetime).intValue(),
|
||||
svcConfig);
|
||||
svcConfig,
|
||||
(targetHost.compareTo("localhost") == 0) ? false : true);
|
||||
|
||||
// Now save the message as a string
|
||||
OutputStream outStream = new ByteArrayOutputStream();
|
||||
@@ -201,13 +201,15 @@ public class AuthToken
|
||||
* @param identityToken String containing the identity token that should be part of the message
|
||||
* @param identityTokenType String containing the identity token type
|
||||
* @param lifetime Lifetime that should be specified in the message timestamp (seconds)
|
||||
* @param svcConfig Service configuratio object
|
||||
* @param svcConfig Service configuration object
|
||||
* @param includeCert True if the message should include the Public Certificate
|
||||
* @return <code>Message<code> AuthToken message, null if the method fails.
|
||||
*/
|
||||
private Message getMessage(String identityToken,
|
||||
String identityTokenType,
|
||||
int lifetime,
|
||||
SvcConfig svcConfig)
|
||||
SvcConfig svcConfig,
|
||||
boolean includeCert)
|
||||
{
|
||||
Message secureMessage;
|
||||
|
||||
@@ -240,7 +242,8 @@ public class AuthToken
|
||||
// To do this we are going to leverage WS-Security.
|
||||
secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(),
|
||||
lifetime,
|
||||
svcConfig);
|
||||
svcConfig,
|
||||
includeCert);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
|
||||
@@ -40,6 +40,14 @@ public class EnabledSvcsConfig
|
||||
private static final String m_authTokenSettingsFileName = "authtoken.settings";
|
||||
private static final String m_idenTokenSettingsFileName = "identoken.settings";
|
||||
|
||||
private boolean m_enabledSvcsOnly;
|
||||
|
||||
// Default auth policy, authtoken, and identtoken configs.
|
||||
byte[] m_defaultAuthPolicyData = null;
|
||||
AuthTokenConfig m_defaultAuthTokenConfig = null;
|
||||
IdenTokenConfig m_defaultIdenTokenConfig = null;
|
||||
|
||||
|
||||
private Map m_hostsMap;
|
||||
|
||||
/**
|
||||
@@ -71,11 +79,15 @@ public class EnabledSvcsConfig
|
||||
/*
|
||||
* Constructor.
|
||||
*/
|
||||
public EnabledSvcsConfig(String svcConfigPath) throws Exception
|
||||
public EnabledSvcsConfig(String svcConfigPath,
|
||||
boolean enabledSvcsOnly) throws Exception
|
||||
{
|
||||
System.err.println("EnabledSvcsConfig()-");
|
||||
System.err.println("EnabledSvcsConfig()- SvcConfigPath = " + svcConfigPath);
|
||||
|
||||
// Remember the enabledSvcsOnly setting
|
||||
m_enabledSvcsOnly = enabledSvcsOnly;
|
||||
|
||||
// Initialize the default auth policy, authtoken, and identtoken configs.
|
||||
byte[] defaultAuthPolicyData = null;
|
||||
AuthTokenConfig defaultAuthTokenConfig = null;
|
||||
@@ -93,11 +105,11 @@ public class EnabledSvcsConfig
|
||||
try
|
||||
{
|
||||
File f = new File(configFolder, m_authPolicyFileName);
|
||||
defaultAuthPolicyData = new byte[(int) f.length()];
|
||||
m_defaultAuthPolicyData = new byte[(int) f.length()];
|
||||
FileInputStream inStream = new FileInputStream(f);
|
||||
int bytesRead = inStream.read(defaultAuthPolicyData);
|
||||
int bytesRead = inStream.read(m_defaultAuthPolicyData);
|
||||
inStream.close();
|
||||
if (bytesRead != defaultAuthPolicyData.length)
|
||||
if (bytesRead != m_defaultAuthPolicyData.length)
|
||||
{
|
||||
System.err.println("EnabledSvcsConfig()- Error reading default policy file");
|
||||
}
|
||||
@@ -118,25 +130,25 @@ public class EnabledSvcsConfig
|
||||
// Try to obtain the default authentication token settings
|
||||
try
|
||||
{
|
||||
defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName);
|
||||
m_defaultAuthTokenConfig = new AuthTokenConfig(configFolder + File.separator + m_authTokenSettingsFileName);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// Not able to create authentication token configuration using the default
|
||||
// file. Create one using default parameters.
|
||||
defaultAuthTokenConfig = new AuthTokenConfig();
|
||||
m_defaultAuthTokenConfig = new AuthTokenConfig();
|
||||
}
|
||||
|
||||
// Try to obtain the default identity token settings
|
||||
try
|
||||
{
|
||||
defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName);
|
||||
m_defaultIdenTokenConfig = new IdenTokenConfig(configFolder + File.separator + m_idenTokenSettingsFileName);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// Not able to create identity token configuration using the default
|
||||
// file. Create one using default parameters.
|
||||
defaultIdenTokenConfig = new IdenTokenConfig();
|
||||
m_defaultIdenTokenConfig = new IdenTokenConfig();
|
||||
}
|
||||
|
||||
// Now go through the configured hosts. Note that the services config folder
|
||||
@@ -229,12 +241,12 @@ public class EnabledSvcsConfig
|
||||
|
||||
// Make sure that we have a policy file
|
||||
if ((authPolicyData != null && authPolicyData.length != 0)
|
||||
|| (defaultAuthPolicyData != null && defaultAuthPolicyData.length != 0))
|
||||
|| (m_defaultAuthPolicyData != null && m_defaultAuthPolicyData.length != 0))
|
||||
{
|
||||
// Instantiate SvcConfigEntry for this service and place it in our map
|
||||
SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : defaultAuthPolicyData,
|
||||
(authTokenConfig != null) ? authTokenConfig : defaultAuthTokenConfig,
|
||||
(idenTokenConfig != null) ? idenTokenConfig : defaultIdenTokenConfig);
|
||||
SvcConfigEntry svcConfigEntry = new SvcConfigEntry((authPolicyData != null && authPolicyData.length != 0) ? authPolicyData : m_defaultAuthPolicyData,
|
||||
(authTokenConfig != null) ? authTokenConfig : m_defaultAuthTokenConfig,
|
||||
(idenTokenConfig != null) ? idenTokenConfig : m_defaultIdenTokenConfig);
|
||||
|
||||
// Add this entry to our map
|
||||
System.err.println("EnabledSvcsConfig()- Adding entry in map for " + servicesConfigFolderObjs[i] + " " + hostFolderObjs[ii]);
|
||||
@@ -288,6 +300,14 @@ public class EnabledSvcsConfig
|
||||
* tokens.
|
||||
*/
|
||||
public boolean svcEnabled(String hostName, String serviceName)
|
||||
{
|
||||
// Always return try if m_enabledSvcsOnly is configured "false" else
|
||||
// check the enabled svcs configuration.
|
||||
if (m_enabledSvcsOnly == false)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
// First try to obtain the Map of enabled services for the host
|
||||
// tbd - Should we make this case insensitive?
|
||||
@@ -301,6 +321,7 @@ public class EnabledSvcsConfig
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns the data associated with the authentication policy file
|
||||
@@ -308,6 +329,8 @@ public class EnabledSvcsConfig
|
||||
*/
|
||||
public byte[] getAuthPolicyFileDataForSvc(String hostName, String serviceName)
|
||||
{
|
||||
byte[] authPolicyData = null;
|
||||
|
||||
// First try to obtain the Map of enabled services for the host
|
||||
// tbd - Should we make this case insensitive?
|
||||
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
|
||||
@@ -317,17 +340,20 @@ public class EnabledSvcsConfig
|
||||
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
|
||||
if (svcConfigEntry != null)
|
||||
{
|
||||
return svcConfigEntry.m_authPolicyFileData;
|
||||
authPolicyData = svcConfigEntry.m_authPolicyFileData;
|
||||
}
|
||||
else
|
||||
}
|
||||
|
||||
// If m_enabledSvcsOnly is configured "false" and if no authentication policy
|
||||
// data was found for this service then return the default authentication policy
|
||||
// data.
|
||||
if (authPolicyData == null
|
||||
&& m_enabledSvcsOnly == false)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return null;
|
||||
authPolicyData = m_defaultAuthPolicyData;
|
||||
}
|
||||
|
||||
return authPolicyData;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -336,6 +362,8 @@ public class EnabledSvcsConfig
|
||||
*/
|
||||
public AuthTokenConfig getAuthTokenConfig(String hostName, String serviceName)
|
||||
{
|
||||
AuthTokenConfig authTokenConfig = null;
|
||||
|
||||
// First try to obtain the Map of enabled services for the host
|
||||
// tbd - Should we make this case insensitive?
|
||||
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
|
||||
@@ -345,17 +373,19 @@ public class EnabledSvcsConfig
|
||||
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
|
||||
if (svcConfigEntry != null)
|
||||
{
|
||||
return svcConfigEntry.m_authTokenConfig;
|
||||
authTokenConfig = svcConfigEntry.m_authTokenConfig;
|
||||
}
|
||||
else
|
||||
}
|
||||
|
||||
// If m_enabledSvcsOnly is configured "false" and if no AuthTokenConfig
|
||||
// was found for this service then return the default AuthTokenConfig.
|
||||
if (authTokenConfig == null
|
||||
&& m_enabledSvcsOnly == false)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return null;
|
||||
authTokenConfig = m_defaultAuthTokenConfig;
|
||||
}
|
||||
|
||||
return authTokenConfig;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -364,6 +394,8 @@ public class EnabledSvcsConfig
|
||||
*/
|
||||
public IdenTokenConfig getIdenTokenConfig(String hostName, String serviceName)
|
||||
{
|
||||
IdenTokenConfig idenTokenConfig = null;
|
||||
|
||||
// First try to obtain the Map of enabled services for the host
|
||||
// tbd - Should we make this case insensitive?
|
||||
Map enabledSvcsConfigMap = (Map) m_hostsMap.get(hostName);
|
||||
@@ -373,16 +405,18 @@ public class EnabledSvcsConfig
|
||||
SvcConfigEntry svcConfigEntry = (SvcConfigEntry) enabledSvcsConfigMap.get(serviceName);
|
||||
if (svcConfigEntry != null)
|
||||
{
|
||||
return svcConfigEntry.m_idenTokenConfig;
|
||||
idenTokenConfig = svcConfigEntry.m_idenTokenConfig;
|
||||
}
|
||||
else
|
||||
}
|
||||
|
||||
// If m_enabledSvcsOnly is configured "false" and if no IdenTokenConfig
|
||||
// was found for this service then return the default IdenTokenConfig.
|
||||
if (idenTokenConfig == null
|
||||
&& m_enabledSvcsOnly == false)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return null;
|
||||
idenTokenConfig = m_defaultIdenTokenConfig;
|
||||
}
|
||||
|
||||
return idenTokenConfig;
|
||||
}
|
||||
}
|
||||
@@ -49,6 +49,8 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
|
||||
private String m_appFolderPath = null;
|
||||
private String m_configFolderPath = null;
|
||||
|
||||
private boolean m_enabledSvcsOnly;
|
||||
|
||||
protected ReconfigureThread m_reconfigureThread = null;
|
||||
protected int m_reconfigureInterval; // seconds
|
||||
|
||||
@@ -147,7 +149,7 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
|
||||
}
|
||||
|
||||
// Read enabled services configuration
|
||||
EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath);
|
||||
EnabledSvcsConfig enabledSvcsConfig = new EnabledSvcsConfig(m_configFolderPath, m_enabledSvcsOnly);
|
||||
|
||||
// Create a map to keep track of the Rpc methods
|
||||
Map methodsMap = new HashMap();
|
||||
@@ -194,6 +196,18 @@ public class Rpc extends javax.servlet.http.HttpServlet implements javax.servlet
|
||||
m_configFolderPath = m_appFolderPath + "WEB-INF/conf";
|
||||
}
|
||||
|
||||
// Check if we support services that are not explicitedly enabled
|
||||
String enabledSvcsOnly = System.getProperty("com.novell.casa.authtoksvc.enabled_svcs_only");
|
||||
if (enabledSvcsOnly != null
|
||||
&& enabledSvcsOnly.compareToIgnoreCase("true") == 0)
|
||||
{
|
||||
m_enabledSvcsOnly = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
m_enabledSvcsOnly = false;
|
||||
}
|
||||
|
||||
// Configure ourselves
|
||||
configureServlet();
|
||||
|
||||
|
||||
@@ -194,7 +194,8 @@ public class SessionToken
|
||||
// To do this we are going to leverage WS-Security.
|
||||
secureMessage = WSSecurity.secureSOAPEnvelope(message.getSOAPEnvelope(),
|
||||
lifetime,
|
||||
svcConfig);
|
||||
svcConfig,
|
||||
false);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
|
||||
@@ -234,17 +234,26 @@ public class WSSecurity
|
||||
* @param envelope String containing a SOAP envelope
|
||||
* @param timeToLive Value to set the timestamp timeToLive parameter in seconds
|
||||
* @param svcConfig Service Config object
|
||||
* @param includeCert True if the message should include the Public Certificate
|
||||
* @return <code>Message</code> Signed and timestamped SOAP message
|
||||
* @throws Exception on error
|
||||
*/
|
||||
public static Message secureSOAPEnvelope(SOAPEnvelope envelope,
|
||||
int timeToLive,
|
||||
SvcConfig svcConfig) throws Exception
|
||||
SvcConfig svcConfig,
|
||||
boolean includeCert) throws Exception
|
||||
{
|
||||
WSSecSignature signer = new WSSecSignature();
|
||||
signer.setUserInfo(svcConfig.getSetting(SvcConfig.KeyStoreUser),
|
||||
svcConfig.getSetting(SvcConfig.KeyStorePwd));
|
||||
if (includeCert)
|
||||
{
|
||||
signer.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); // Include X509 Cert in message
|
||||
}
|
||||
else
|
||||
{
|
||||
signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // Use X509 Cert Serial Number and issuer info
|
||||
}
|
||||
|
||||
Document doc = envelope.getAsDocument();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user