From 73ad8ed2c626e627ba1d0331922dc6bf80f0422a Mon Sep 17 00:00:00 2001 
From: Benjamin Phillippe Date: Thu, 10 Jul 2014 13:58:05 -0500 Subject: [PATCH] Omaha #3350 Added user/role authentication. Added XACML authorization Change-Id: Id307fdc04ba7a74c9e81650c7b4ba272405cf6df Former-commit-id: 91df842c4cfc7925323854da4639daaa83a86efc [formerly c74f855d31096bbad3add3633ca24af482ad07bc] [formerly d4997f5a90112296f579833a7e82df11fc0d3072] [formerly d4997f5a90112296f579833a7e82df11fc0d3072 [formerly cebfbebea626bb4b7f5f058ac5244ef60e98b75b]] [formerly 91df842c4cfc7925323854da4639daaa83a86efc [formerly c74f855d31096bbad3add3633ca24af482ad07bc] [formerly d4997f5a90112296f579833a7e82df11fc0d3072] [formerly d4997f5a90112296f579833a7e82df11fc0d3072 [formerly cebfbebea626bb4b7f5f058ac5244ef60e98b75b]] [formerly 6cb73e63a15b75e9922e015ccd92e880ba9bd241 [formerly d4997f5a90112296f579833a7e82df11fc0d3072 [formerly cebfbebea626bb4b7f5f058ac5244ef60e98b75b] [formerly 6cb73e63a15b75e9922e015ccd92e880ba9bd241 [formerly 81d0249971d4004067b6aef672e00417ddb83b36]]]]] Former-commit-id: 6cb73e63a15b75e9922e015ccd92e880ba9bd241 Former-commit-id: afd3fd850357825899b54c0498a8d3070ebfabe1 [formerly 2971b9f0f21f344dde47a6bc99f8d885cde6cd67] [formerly 6959bdcdb2e3602050baaab6cae562e3e5f97d6e] [formerly 0d4bf0bbab90c26bb30b41f76341cecea18b3ad9 [formerly b6f1310c23e3d57c8b4d89aa6e6c01e283285ca6] [formerly 6959bdcdb2e3602050baaab6cae562e3e5f97d6e [formerly 576e2eb0f8d8febccfbec3bf95b42fdf034a0080]]] Former-commit-id: baa835379f96444dc1d5269ed3fccc707a7818b1 [formerly 1ffb4a3530cde1a6f0b1318bb0854398258aee1c] [formerly ec91eaed8fd5d48a95c4f86be23dfcc95105f997 [formerly b0ddc103a77e20460e3283e00138b6744736ef69]] Former-commit-id: ec91eaed8fd5d48a95c4f86be23dfcc95105f997 Former-commit-id: 3058586d6cae58f9bf910b33b0774bda8a16d258 --- .../feature.xml | 9 +- .../esb/conf/security/keystoreUtil.sh | 54 +++- .../esb/conf/security/realms.properties | 4 + .../common/registry/ebxml/RegistryUtil.java | 6 +- .../regrep/xsd/rim/v4/RegistryObjectType.java | 5 +- .../.classpath | 7 + 
.../com.raytheon.uf.common.security/.project | 28 ++ .../META-INF/MANIFEST.MF | 9 + .../build.properties | 4 + .../security/encryption/AESEncryptor.java | 152 +++++++++ .../META-INF/MANIFEST.MF | 6 +- .../res/spring/ebxml-eventbus.xml | 4 + .../res/spring/ebxml-impl.xml | 11 +- .../res/spring/ebxml-registry-init.xml | 3 +- .../res/spring/ebxml-webservices.xml | 40 +-- .../res/spring/ebxml-xacml.xml | 5 +- ...raytheon.uf.edex.registry.ebxml.properties | 2 - .../acp/xacml/XACMLContextHandler.java | 27 +- .../registry/acp/xacml/XACMLInterceptor.java | 128 ++++++++ .../acp/xacml/XACMLPolicyAdministrator.java | 14 +- .../acp/xacml/XACMLPolicyDecisionPoint.java | 81 +---- .../acp/xacml/util/XACMLObjectUtil.java | 3 + .../uf/edex/registry/ebxml/RegistryUsers.java | 289 +++++++++++++++++ .../registry/ebxml/acp/PasswordCallback.java | 8 +- .../uf/edex/registry/ebxml/dao/DbInit.java | 14 + .../ebxml/services/RegistryRESTServices.java | 2 + .../RegistryServiceInInterceptor.java | 9 + .../services/soap/RegistrySOAPServices.java | 2 + .../ebxml/util/EDEXRegistryManager.java | 9 +- .../registry/ebxml/web/RegistryWebServer.java | 12 +- .../ebxml/web/security/CredentialCache.java | 300 ++++++++++++++++++ .../web/security/RegistryLoginModule.java | 80 +++++ .../security/RegistrySSLContextFactory.java | 89 ++++++ .../base/ebxml/acp/default-acp.xml | 26 +- .../web/WEB-INF/web.xml | 43 +++ .../web/etc/jettyServer.xml | 14 +- .../web/registry/navigation.html | 2 + .../registry/services/users/defineUsers.html | 180 +++++++++++ .../web/webServiceBeans.xml | 15 +- .../feature.xml | 9 +- .../META-INF/MANIFEST.MF | 4 +- .../res/spring/edex-security.xml | 5 +- .../uf/edex/security/EncryptedProperties.java | 84 ++--- .../edex/security/SecurityConfiguration.java | 278 ++++++++-------- 44 files changed, 1750 insertions(+), 326 deletions(-) create mode 100644 edexOsgi/build.edex/esb/conf/security/realms.properties create mode 100644 edexOsgi/com.raytheon.uf.common.security/.classpath create mode 
100644 edexOsgi/com.raytheon.uf.common.security/.project create mode 100644 edexOsgi/com.raytheon.uf.common.security/META-INF/MANIFEST.MF create mode 100644 edexOsgi/com.raytheon.uf.common.security/build.properties create mode 100644 edexOsgi/com.raytheon.uf.common.security/src/com/raytheon/uf/common/security/encryption/AESEncryptor.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLInterceptor.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/RegistryUsers.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/CredentialCache.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistryLoginModule.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistrySSLContextFactory.java create mode 100644 edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/services/users/defineUsers.html diff --git a/cave/com.raytheon.uf.viz.registry.feature/feature.xml b/cave/com.raytheon.uf.viz.registry.feature/feature.xml index b27d1e2d88..d43b86c726 100644 --- a/cave/com.raytheon.uf.viz.registry.feature/feature.xml +++ b/cave/com.raytheon.uf.viz.registry.feature/feature.xml @@ -41,6 +41,13 @@ id="com.sun.xml.bind" download-size="0" install-size="0" - version="0.0.0"/> + version="0.0.0"/> + + diff --git a/edexOsgi/build.edex/esb/conf/security/keystoreUtil.sh b/edexOsgi/build.edex/esb/conf/security/keystoreUtil.sh index 350424bcf2..2e78a5c141 100755 --- a/edexOsgi/build.edex/esb/conf/security/keystoreUtil.sh +++ b/edexOsgi/build.edex/esb/conf/security/keystoreUtil.sh 
@@ -1,15 +1,20 @@ #!/bin/bash +SETUP_ENV=/awips2/edex/bin/setup.env +source $SETUP_ENV + +JAVA_BIN=/awips2/java/jre/bin/java + securityDir=/awips2/edex/conf/security -securityProps=$securityDir/security.properties +securityPropertiesDir=/awips2/edex/conf/resources/site/$AW_SITE_IDENTIFIER +securityProps=$securityPropertiesDir/security.properties publicKeyFile=PublicKey.cer keystore=keystore.jks truststore=truststore.jks keystorePw= -keyAlias=$(hostname -s) keyPw= - +encryptionKey=encrypt truststorePw=password function usage { @@ -23,10 +28,34 @@ function generateKeystores() { echo "Generating keystores" +if [ -z $CLUSTER_ID ] +then + echo "CLUSTER_ID undefined. Determining from hostname..." + HOST=$(hostname -s) + CLUSTER_ID=${HOST:$(expr index "$HOST" -)} | tr '[:lower:]' '[:upper:]' +fi + +if [ -z $CLUSTER_ID ] +then + echo "CLUSTER_ID could not be determined from hostname. Using site as CLUSTER_ID" + CLUSTER_ID=$AW_SITE_IDENTIFIER +fi + +echo "CLUSTER_ID set to: $CLUSTER_ID" + +keyAlias=$CLUSTER_ID +# Write the cluster ID to the setup.env file +sed -i "s@^export CLUSTER_ID.*@export CLUSTER_ID=$CLUSTER_ID@g" $SETUP_ENV + + if [ ! -d "$securityDir" ]; then mkdir $securityDir fi +if [ ! -d "$securityPropertiesDir" ]; then + mkdir -p $securityPropertiesDir +fi + while [ -z $keystorePw ]; do echo -n "Enter desired password for keystore [$keystore]: " 
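Review bot: The line `CLUSTER_ID=${HOST:$(expr index "$HOST" -)} | tr '[:lower:]' '[:upper:]'` never sets CLUSTER_ID in the script: a variable assignment that is the first stage of a pipeline runs in a subshell, and tr's output is discarded, so the hostname branch always ends with CLUSTER_ID still empty and the script silently falls through to AW_SITE_IDENTIFIER before writing that value into setup.env with `sed -i`. The intended form is `CLUSTER_ID=$(echo "${HOST:$(expr index "$HOST" -)}" | tr '[:lower:]' '[:upper:]')`. The two `[ -z $CLUSTER_ID ]` tests should also quote the variable (`[ -z "$CLUSTER_ID" ]`) so an unset or whitespace-containing value does not turn into a test syntax error. The generateKeystores function continues past this hunk.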
@@ -74,20 +103,29 @@ keytool -genkeypair -alias $keyAlias -keypass $keyPw -keystore $keystore -storep echo -n "Exporting public key..." exportOutput=`keytool -exportcert -alias $keyAlias -keystore $keystore -file $keyAlias$publicKeyFile -storepass $keystorePw 2>&1` echo "Done!" -obfuscatedKeystorePassword=`java -cp /awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-http-7.6.14.v20131031.jar:/awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-util-7.6.14.v20131031.jar org.eclipse.jetty.util.security.Password $keystorePw 2>&1 | grep OBF` - +obfuscatedKeystorePassword=`$JAVA_BIN -cp /awips2/edex/lib/dependencies/org.apache.commons.codec/commons-codec-1.4.jar:/awips2/edex/lib/plugins/com.raytheon.uf.common.security.jar com.raytheon.uf.common.security.encryption.AESEncryptor encrypt $encryptionKey $keystorePw 2>&1` echo "Generating trust store..." keytool -genkey -alias tmp -keypass tempPass -dname CN=foo -keystore $truststore -storepass $truststorePw keytool -delete -alias tmp -keystore $truststore -storepass $truststorePw keytool -import -trustcacerts -file $keyAlias$publicKeyFile -alias $keyAlias -keystore $truststore -storepass $truststorePw -obfuscatedTruststorePassword=`java -cp /awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-http-7.6.14.v20131031.jar:/awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-util-7.6.14.v20131031.jar org.eclipse.jetty.util.security.Password $truststorePw 2>&1 | grep OBF` +jettyObscuredPassword=`$JAVA_BIN -cp /awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-http-7.6.14.v20131031.jar:/awips2/edex/lib/dependencies/org.eclipse.jetty/jetty-util-7.6.14.v20131031.jar org.eclipse.jetty.util.security.Password $keystorePw 2>&1 | grep OBF` + +obfuscatedTruststorePassword=`$JAVA_BIN -cp /awips2/edex/lib/dependencies/org.apache.commons.codec/commons-codec-1.4.jar:/awips2/edex/lib/plugins/com.raytheon.uf.common.security.jar com.raytheon.uf.common.security.encryption.AESEncryptor encrypt $encryptionKey $truststorePw 2>&1` echo -n 
"Generating security properties file..." -echo "edex.security.keystore.path=$securityDir/$keystore" > $securityProps +echo "# This file was automatically generated using /awips2/edex/conf/security/keystoreUtil.sh" > $securityProps +echo "java.security.auth.login.config=/awips2/edex/conf/security/realms.properties" >> $securityProps +echo "edex.security.auth.user=$keyAlias" >> $securityProps +echo "edex.security.auth.password=$obfuscatedKeystorePassword" >> $securityProps +echo "edex.security.auth.authorizationType=Basic" >> $securityProps +echo "edex.security.auth.loginService.name=RegistryRealm" >> $securityProps +echo "edex.security.auth.loginService.realm=RegistryRealm" >> $securityProps +echo "edex.security.encryption.key=$encryptionKey" >> $securityProps +echo "edex.security.keystore.path=$securityDir/$keystore" >> $securityProps echo "edex.security.keystore.alias=$keyAlias" >> $securityProps echo "edex.security.keystore.password=$obfuscatedKeystorePassword" >> $securityProps echo "edex.security.keystore.type=JKS" >> $securityProps @@ -100,7 +138,7 @@ echo "edex.security.disableCNCheck=false" >>$securityProps echo "#The following configuration items are used with the wss4j in/out interceptors" >> $securityProps echo "org.apache.ws.security.crypto.merlin.keystore.file=security/$keystore" >> $securityProps -echo "org.apache.ws.security.crypto.merlin.keystore.password=$obfuscatedKeystorePassword" >> $securityProps +echo "org.apache.ws.security.crypto.merlin.keystore.password=$jettyObscuredPassword" >> $securityProps echo "org.apache.ws.security.crypto.merlin.keystore.type=JKS" >> $securityProps echo "org.apache.ws.security.crypto.merlin.keystore.alias=$keyAlias" >> $securityProps diff --git a/edexOsgi/build.edex/esb/conf/security/realms.properties b/edexOsgi/build.edex/esb/conf/security/realms.properties new file mode 100644 index 0000000000..b1e58311e5 --- /dev/null +++ b/edexOsgi/build.edex/esb/conf/security/realms.properties 
@@ -0,0 +1,4 @@ +RegistryRealm { + com.raytheon.uf.edex.registry.ebxml.web.security.RegistryLoginModule required + debug="false"; + }; \ No newline at end of file diff --git a/edexOsgi/com.raytheon.uf.common.registry.ebxml/src/com/raytheon/uf/common/registry/ebxml/RegistryUtil.java b/edexOsgi/com.raytheon.uf.common.registry.ebxml/src/com/raytheon/uf/common/registry/ebxml/RegistryUtil.java index e7d4d24808..664facc84b 100644 --- a/edexOsgi/com.raytheon.uf.common.registry.ebxml/src/com/raytheon/uf/common/registry/ebxml/RegistryUtil.java +++ b/edexOsgi/com.raytheon.uf.common.registry.ebxml/src/com/raytheon/uf/common/registry/ebxml/RegistryUtil.java @@ -54,7 +54,6 @@ import com.raytheon.uf.common.registry.ebxml.slots.SlotConverter; import com.raytheon.uf.common.registry.ebxml.slots.StringSlotConverter; import com.raytheon.uf.common.serialization.SerializationException; import com.raytheon.uf.common.time.util.ImmutableDate; -import com.raytheon.uf.common.util.ClusterIdUtil; import com.raytheon.uf.common.util.CollectionUtil; import com.raytheon.uf.common.util.ReflectionException; import com.raytheon.uf.common.util.ReflectionUtil; @@ -84,6 +83,7 @@ import com.raytheon.uf.common.util.ReflectionUtil; * Apr 24, 2014 2992 dhladky fixed all objects in ebxml owned by NCF, bad. * 6/5/2014 1712 bphillip Registry now communicates over https * June 25, 2014 3273 dhladky Remove all DD environment variables from setup.env + * 7/10/2014 1717 bphillip Changed default user * * * @@ -104,7 +104,7 @@ public final class RegistryUtil { public static final String registryUser = "Registry"; - public static final String defaultUser = "NCF"; + public static final String defaultUser = RegistryObjectType.SYSTEM_USER; static { if (System.getProperty("ebxml.registry.host") != null 
@@ -121,7 +121,7 @@ public final class RegistryUtil { /** * The default internal owner is the local registry ID */ - public static final String DEFAULT_OWNER = ClusterIdUtil.getId(); + public static final String DEFAULT_OWNER = defaultUser; // A private mapping of attribute types to slot types, used when storing an // object to the registry to map QueryableAttributes to SlotConverters. diff --git a/edexOsgi/com.raytheon.uf.common.registry.schemas.ebxml/src/oasis/names/tc/ebxml/regrep/xsd/rim/v4/RegistryObjectType.java b/edexOsgi/com.raytheon.uf.common.registry.schemas.ebxml/src/oasis/names/tc/ebxml/regrep/xsd/rim/v4/RegistryObjectType.java index 68ef65d3ed..c24bd16ed5 100644 --- a/edexOsgi/com.raytheon.uf.common.registry.schemas.ebxml/src/oasis/names/tc/ebxml/regrep/xsd/rim/v4/RegistryObjectType.java +++ b/edexOsgi/com.raytheon.uf.common.registry.schemas.ebxml/src/oasis/names/tc/ebxml/regrep/xsd/rim/v4/RegistryObjectType.java @@ -93,6 +93,7 @@ import com.raytheon.uf.common.serialization.annotations.DynamicSerializeElement; * 2012 bphillip Initial implementation * 10/17/2013 1682 bphillip Added software history * 12/2/2013 1829 bphillip Made ExtensibleObjectType persistable, modified persistence annotations, added hashCode, toString and equals + * 7/10/2014 1717 bphillip Added default user * * * @author bphillip @@ -122,6 +123,8 @@ import com.raytheon.uf.common.serialization.annotations.DynamicSerializeElement; public class RegistryObjectType extends IdentifiableType { private static final long serialVersionUID = -7436174012584469534L; + + public static final String SYSTEM_USER = "System"; @XmlElement(name = "Name") @DynamicSerializeElement @@ -172,7 +175,7 @@ public class RegistryObjectType extends IdentifiableType { @XmlAttribute @DynamicSerializeElement - protected String owner; + protected String owner = SYSTEM_USER; @XmlAttribute @DynamicSerializeElement 
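Review bot: With `protected String owner = SYSTEM_USER;` every RegistryObjectType that is unmarshalled without an owner attribute, including objects arriving in client SOAP/REST submissions, now claims the `System` owner before any server-side code has assigned one, and `RegistryUtil.DEFAULT_OWNER` collapses to the same constant instead of the local cluster ID. If the default XACML policy grants `System` (or the local registry, formerly identified by ClusterIdUtil.getId()) rights beyond those of an ordinary authenticated user, a submitter can omit the attribute and inherit them; that depends on the policy set, which is not visible here, so please confirm. The safer shape is to leave the field null and have the lifecycle manager set `owner` from the authenticated principal on submit, with `SYSTEM_USER` applied only for objects the registry itself creates.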
diff --git a/edexOsgi/com.raytheon.uf.common.security/.classpath b/edexOsgi/com.raytheon.uf.common.security/.classpath new file mode 100644 index 0000000000..3bc247511f --- /dev/null +++ b/edexOsgi/com.raytheon.uf.common.security/.classpath @@ -0,0 +1,7 @@ + + + + + + + diff --git a/edexOsgi/com.raytheon.uf.common.security/.project b/edexOsgi/com.raytheon.uf.common.security/.project new file mode 100644 index 0000000000..f1fc94f0ef --- /dev/null +++ b/edexOsgi/com.raytheon.uf.common.security/.project @@ -0,0 +1,28 @@ + + + com.raytheon.uf.common.security + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipse.pde.ManifestBuilder + + + + + org.eclipse.pde.SchemaBuilder + + + + + + org.eclipse.pde.PluginNature + org.eclipse.jdt.core.javanature + + diff --git a/edexOsgi/com.raytheon.uf.common.security/META-INF/MANIFEST.MF b/edexOsgi/com.raytheon.uf.common.security/META-INF/MANIFEST.MF new file mode 100644 index 0000000000..eeb7a5ff7a --- /dev/null +++ b/edexOsgi/com.raytheon.uf.common.security/META-INF/MANIFEST.MF @@ -0,0 +1,9 @@ +Manifest-Version: 1.0 +Bundle-ManifestVersion: 2 +Bundle-Name: Security +Bundle-SymbolicName: com.raytheon.uf.common.security +Bundle-Version: 1.14.0.qualifier +Bundle-Vendor: RAYTHEON +Bundle-RequiredExecutionEnvironment: JavaSE-1.7 +Require-Bundle: org.apache.commons.codec;bundle-version="1.4.0" +Export-Package: com.raytheon.uf.common.security.encryption diff --git a/edexOsgi/com.raytheon.uf.common.security/build.properties b/edexOsgi/com.raytheon.uf.common.security/build.properties new file mode 100644 index 0000000000..34d2e4d2da --- /dev/null +++ b/edexOsgi/com.raytheon.uf.common.security/build.properties @@ -0,0 +1,4 @@ +source.. = src/ +output.. = bin/ +bin.includes = META-INF/,\ + . 
diff --git a/edexOsgi/com.raytheon.uf.common.security/src/com/raytheon/uf/common/security/encryption/AESEncryptor.java b/edexOsgi/com.raytheon.uf.common.security/src/com/raytheon/uf/common/security/encryption/AESEncryptor.java new file mode 100644 index 0000000000..9aa03a9a4e --- /dev/null +++ b/edexOsgi/com.raytheon.uf.common.security/src/com/raytheon/uf/common/security/encryption/AESEncryptor.java @@ -0,0 +1,152 @@ +/** + * This software was developed and / or modified by Raytheon Company, + * pursuant to Contract DG133W-05-CQ-1067 with the US Government. + * + * U.S. EXPORT CONTROLLED TECHNICAL DATA + * This software product contains export-restricted data whose + * export/transfer/disclosure is restricted by U.S. law. Dissemination + * to non-U.S. persons whether in the United States or abroad requires + * an export license or other authorization. + * + * Contractor Name: Raytheon Company + * Contractor Address: 6825 Pine Street, Suite 340 + * Mail Stop B8 + * Omaha, NE 68106 + * 402.291.0100 + * + * See the AWIPS II Master Rights File ("Master Rights File.pdf") for + * further licensing information. + **/ +package com.raytheon.uf.common.security.encryption; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; + +import javax.crypto.Cipher; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.apache.commons.codec.binary.Base64; + +/** + * + * Class that supports encrypting/decrypting AES encrypted objects + * + *
+ * 
+ * SOFTWARE HISTORY
+ * 
+ * Date         Ticket#     Engineer    Description
+ * ------------ ----------  ----------- --------------------------
+ * 7/16/2014    3350        bphillip    Initial coding
+ * 
+ * + * @author bphillip + * @version 1 + */ +public class AESEncryptor { + + private static final String ALGORITHM = "AES"; + + private static final String PADDING = "AES/CFB8/NoPadding"; + + // entropy input vector length + private static final int IV_LENGTH = 16; + + private IvParameterSpec ivSpec; + + private SecretKeySpec key; + + private Cipher deCipher; + + private Cipher enCipher; + + public static void main(String[] args) { + String action = args[0]; + String key = args[1]; + String input = args[2]; + + try { + AESEncryptor enc = new AESEncryptor(); + if (action.equalsIgnoreCase("encrypt")) { + System.out.println(enc.encrypt(key, input)); + } else if (action.equalsIgnoreCase("decrypt")) { + System.out.println(enc.decrypt(key, input)); + } else { + System.out.println("Unrecognized action"); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public AESEncryptor() { + + } + + /** + * Sets up the cipher using the sharedKey + * + * @param sharedKey + * @throws NoSuchAlgorithmException + */ + private void setupCipher(String sharedKey) throws Exception { + + byte[] keyBytes = null; + MessageDigest sha = MessageDigest.getInstance("SHA-1"); + keyBytes = sha.digest(Base64.decodeBase64(sharedKey)); + keyBytes = Arrays.copyOf(keyBytes, IV_LENGTH); // use only first 128 bit + + byte[] ivBytes = new byte[IV_LENGTH]; + ivSpec = new IvParameterSpec(ivBytes); + + /* + * create the cipher with the algorithm you choose see javadoc for + * Cipher class for more info, e.g. 
+ */ + key = new SecretKeySpec(keyBytes, ALGORITHM); + deCipher = Cipher.getInstance(PADDING); + enCipher = Cipher.getInstance(PADDING); + } + + /** + * Encrypts a string using AES/DES encoding + * + * @param sharedKey + * The encryption key + * @param password + * The string to encrypt + * @return The encrypted string + * @throws Exception + * on error + */ + public String encrypt(String sharedKey, String password) throws Exception { + + setupCipher(sharedKey); + enCipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); + + return Base64.encodeBase64String(enCipher.doFinal(password.getBytes())); + } + + /** + * Decrypts an AES/DES encoded string + * + * @param sharedKey + * The encryption key + * @param encryptedPass + * The encrypted string to decrypt + * @return The encrypted string + * @throws Exception + * on error + */ + public String decrypt(String sharedKey, String encryptedPass) + throws Exception { + + setupCipher(sharedKey); + deCipher.init(Cipher.DECRYPT_MODE, key, ivSpec); + + return new String(deCipher.doFinal(Base64.decodeBase64(encryptedPass))); + } + +} diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/META-INF/MANIFEST.MF b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/META-INF/MANIFEST.MF index 4dcf581cc2..2285ff5fb8 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/META-INF/MANIFEST.MF +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/META-INF/MANIFEST.MF 
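Review bot: `setupCipher` builds the IV from `new byte[IV_LENGTH]`, an all-zero block used for every call, so AES/CFB8 here is deterministic: two values encrypted under the same key share their ciphertext prefix for as long as their plaintexts agree, and a reused IV under CFB leaks the XOR of the plaintexts; nothing authenticates the ciphertext either. A fresh random IV must be drawn for each `encrypt` call and carried in front of the ciphertext, as sketched below (it needs `java.security.SecureRandom` and `java.nio.charset.StandardCharsets`). The key derivation is a single unsalted SHA-1 over `Base64.decodeBase64(sharedKey)` truncated to 128 bits, so a short textual key such as the one keystoreUtil.sh passes is cheap to brute-force; PBKDF2 with a stored salt (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` exists on the JavaSE-1.7 target the manifest declares) would be the minimum. Smaller points: `password.getBytes()` and `new String(...)` use the platform charset, `main` takes the key and secret on argv and prints the plaintext, and the Javadoc says "AES/DES" although only AES is used.
```java
// … unchanged: class header, constants, main, setupCipher key derivation (drop the zero ivSpec) …
private static final SecureRandom RANDOM = new SecureRandom();

public String encrypt(String sharedKey, String password) throws Exception {
    setupCipher(sharedKey);
    byte[] iv = new byte[IV_LENGTH];
    RANDOM.nextBytes(iv); // fresh IV per message; never reuse an IV under the same key
    enCipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
    byte[] ct = enCipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
    byte[] out = Arrays.copyOf(iv, IV_LENGTH + ct.length);
    System.arraycopy(ct, 0, out, IV_LENGTH, ct.length);
    return Base64.encodeBase64String(out); // IV || ciphertext
}

public String decrypt(String sharedKey, String encryptedPass) throws Exception {
    setupCipher(sharedKey);
    byte[] in = Base64.decodeBase64(encryptedPass);
    if (in.length < IV_LENGTH) {
        throw new IllegalArgumentException("Encrypted value is too short to carry an IV");
    }
    deCipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOf(in, IV_LENGTH)));
    byte[] pt = deCipher.doFinal(in, IV_LENGTH, in.length - IV_LENGTH);
    return new String(pt, StandardCharsets.UTF_8);
}
```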
@@ -35,8 +35,10 @@ Require-Bundle: com.raytheon.uf.common.registry.schemas.ebxml;bundle-version="1. com.sun.xml.bind;bundle-version="1.0.0", org.eclipse.jetty;bundle-version="7.6.14", com.raytheon.uf.edex.security;bundle-version="1.14.0", - org.opensaml;bundle-version="1.0.0" -Export-Package: com.raytheon.uf.edex.registry.ebxml.acp, + org.opensaml;bundle-version="1.0.0", + com.raytheon.uf.common.security;bundle-version="1.14.0" +Export-Package: com.raytheon.uf.edex.registry.ebxml, + com.raytheon.uf.edex.registry.ebxml.acp, com.raytheon.uf.edex.registry.ebxml.dao, com.raytheon.uf.edex.registry.ebxml.exception, com.raytheon.uf.edex.registry.ebxml.init, diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-eventbus.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-eventbus.xml index ca02952daf..925b0eaea3 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-eventbus.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-eventbus.xml @@ -19,6 +19,10 @@ + + + + diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-xacml.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-xacml.xml index 945ffca2c6..071b0e6cb2 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-xacml.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/res/spring/ebxml-xacml.xml @@ -2,10 +2,7 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> - - - + diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/resources/com.raytheon.uf.edex.registry.ebxml.properties b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/resources/com.raytheon.uf.edex.registry.ebxml.properties index f26830c61a..bc7bef32c2 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/resources/com.raytheon.uf.edex.registry.ebxml.properties 
+++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/resources/com.raytheon.uf.edex.registry.ebxml.properties @@ -20,8 +20,6 @@ ebxml.thrift.service.port=9588 ebxml.registry.webserver.port=8082 # EBXML registry host ebxml.registry.host=localhost -# EBXML registry user -ebxml.registry.user=localhost # EBXML federation enable flag ebxml.registry.federation.enabled=false # EBXML registry webserver home diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLContextHandler.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLContextHandler.java index 880924c72b..c0fb1332d0 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLContextHandler.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLContextHandler.java @@ -51,7 +51,7 @@ import org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder; import org.opensaml.xacml.ctx.impl.RequestTypeImplBuilder; import org.opensaml.xacml.ctx.impl.ResourceTypeImplBuilder; import org.opensaml.xacml.ctx.impl.SubjectTypeImplBuilder; -import org.opensaml.xacml.policy.ObligationType; +import org.opensaml.xacml.policy.PolicyType; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; 
@@ -63,8 +63,6 @@ import com.raytheon.uf.common.status.IUFStatusHandler; import com.raytheon.uf.common.status.UFStatus; import com.raytheon.uf.edex.registry.acp.xacml.conformance.DataTypes; import com.raytheon.uf.edex.registry.acp.xacml.conformance.Identifiers; -import com.raytheon.uf.edex.registry.acp.xacml.engine.obligation.XACMLObligationEvaluator; -import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLException; import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLNotApplicableException; import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLProcessingException; import com.raytheon.uf.edex.registry.acp.xacml.util.XACMLObjectUtil; @@ -91,6 +89,7 @@ import com.raytheon.uf.edex.registry.ebxml.util.EbxmlObjectUtil; * 3/18/2013 1802 bphillip Modified to use transaction boundaries and spring injection * 4/9/2013 1802 bphillip Added additional object checking * 10/23/2013 1538 bphillip Changed constructor call for QueryRequest + * 7/10/2014 1717 bphillip Removed obligation processing from authorize method * * * @author bphillip @@ -129,25 +128,10 @@ public class XACMLContextHandler { throws MsgRegistryException, EbxmlRegistryException { RequestType request = constructRequest(userName, object); - XACMLObject policy = xacmlPolicyAdmin .getPolicyObject("urn:oasis:names:tc:xacml:2.0:data-delivery:default-policySet"); - XACMLPolicyDecisionPoint pdp = new XACMLPolicyDecisionPoint(policy, - request); - - ResponseType response = pdp.evaluate(); - List obligations = pdp.getObligations(); - if (obligations != null) { - for (ObligationType obligation : obligations) { - try { - XACMLObligationEvaluator.getInstance().evaluate(obligation, - request); - } catch (XACMLException e) { - e.printStackTrace(); - } - } - } - + XACMLPolicyDecisionPoint pdp = new XACMLPolicyDecisionPoint(policy); + ResponseType response = pdp.evaluate((PolicyType)policy,request); return response; } 
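Review bot: `pdp.evaluate((PolicyType) policy, request)` casts whatever `getPolicyObject` returns for `urn:oasis:names:tc:xacml:2.0:data-delivery:default-policySet` to PolicyType, while the new XACMLInterceptor fetches the same URN through `getPolicySet` as a PolicySetType; if `getPolicyObject` hands back that PolicySetType the cast throws ClassCastException and `authorize` aborts with an unhandled runtime exception instead of returning a Deny decision — worth confirming against XACMLPolicyAdministrator. If the PDP accepts either type, pass `policy` as the XACMLObject it already is; otherwise dispatch on `instanceof PolicySetType` / `PolicyType` and treat anything else as Deny. The obligation loop removed here now lives only in the CXF interceptor's `handleObligations`, so callers that reach `authorize` outside the CXF chain no longer get obligations applied; a one-line comment on `authorize` stating that obligations are the interceptor's responsibility would prevent that being overlooked. The `authorize` method's signature is above this hunk.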
@@ -355,6 +339,9 @@ public class XACMLContextHandler { attrName = attrTokens[attrTokens.length - 1]; } + if(attrName.equals("id")){ + return objId.toString(); + } Object repoItem = registryObjectDao.getById(objId.toString()); if (repoItem == null) { diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLInterceptor.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLInterceptor.java new file mode 100644 index 0000000000..014cfe1941 --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLInterceptor.java 
@@ -0,0 +1,128 @@ +package com.raytheon.uf.edex.registry.acp.xacml; + +import java.io.ByteArrayOutputStream; +import java.security.Principal; + +import oasis.names.tc.ebxml.regrep.wsdl.registry.services.v4.MsgRegistryException; + +import org.apache.cxf.message.Message; +import org.apache.cxf.rt.security.xacml.AbstractXACMLAuthorizingInterceptor; +import org.opensaml.xacml.ctx.RequestType; +import org.opensaml.xacml.ctx.ResponseType; +import org.opensaml.xacml.ctx.ResultType; +import org.opensaml.xacml.policy.ObligationType; +import org.opensaml.xacml.policy.ObligationsType; +import org.opensaml.xacml.policy.PolicySetType; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallerFactory; +import org.w3c.dom.Element; +import org.w3c.dom.bootstrap.DOMImplementationRegistry; +import org.w3c.dom.ls.DOMImplementationLS; +import org.w3c.dom.ls.LSOutput; +import org.w3c.dom.ls.LSSerializer; + +import com.raytheon.uf.common.status.IUFStatusHandler; +import com.raytheon.uf.common.status.UFStatus; +import com.raytheon.uf.common.status.UFStatus.Priority; +import com.raytheon.uf.edex.registry.acp.xacml.engine.obligation.XACMLObligationEvaluator; +import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLException; + +/** + * + * + * Policy enforcement point (PEP) - The system entity that performs access + * control, by making decision requests and enforcing authorization decisions. + * This term is defined in a joint effort by the IETF Policy Framework Working + * Group and the Distributed Management Task Force (DMTF)/Common Information + * Model (CIM) in [RFC3198]. This term corresponds to "Access Enforcement + * Function" (AEF) in [ISO10181-3]. + * + *
+ * 
+ * SOFTWARE HISTORY
+ * 
+ * Date         Ticket#     Engineer    Description
+ * ------------ ----------  ----------- --------------------------
+ * 7/09/2014    724          bphillip    Initial Coding
+ * 
+ * + * @author bphillip + * @version 1 + */ +public class XACMLInterceptor extends AbstractXACMLAuthorizingInterceptor { + + /** The logger */ + private static final IUFStatusHandler statusHandler = UFStatus + .getHandler(XACMLInterceptor.class); + + private XACMLPolicyAdministrator xacmlPolicyAdmin; + + private XACMLPolicyDecisionPoint pdp; + + public XACMLInterceptor(XACMLPolicyAdministrator xacmlPolicyAdmin, + XACMLPolicyDecisionPoint pdp) throws MsgRegistryException { + this.xacmlPolicyAdmin = xacmlPolicyAdmin; + this.pdp = pdp; + } + + @Override + public ResponseType performRequest(RequestType request, Message message) + throws Exception { + + if(statusHandler.isPriorityEnabled(Priority.DEBUG)){ + statusHandler.debug(outputRequest(request)); + } + PolicySetType defaultPolicy = xacmlPolicyAdmin + .getPolicySet("urn:oasis:names:tc:xacml:2.0:data-delivery:default-policySet"); + ResponseType response = pdp.evaluate(defaultPolicy, request); + return response; + } + + /** + * Handle any Obligations returned by the PDP + * + * @throws XACMLException + */ + protected void handleObligations(RequestType request, Principal principal, + Message message, ResultType result) throws XACMLException { + ObligationsType obligationObject = result.getObligations(); + if (obligationObject != null + && !obligationObject.getObligations().isEmpty()) { + statusHandler.info("Evaluating " + + obligationObject.getObligations().size() + + " obligations!"); + for (ObligationType obligation : result.getObligations() + .getObligations()) { + XACMLObligationEvaluator.getInstance().evaluate(obligation, + request); + } + } + } + + private String outputRequest(XMLObject xmlObject) throws Exception { + try { + System.setProperty("javax.xml.parsers.DocumentBuilderFactory", + "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl"); + + MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration + .getMarshallerFactory(); + Marshaller marshaller = marshallerFactory.getMarshaller(xmlObject); + 
Element element = marshaller.marshall(xmlObject); + + ByteArrayOutputStream byteArrayOutputStrm = new ByteArrayOutputStream(); + DOMImplementationRegistry registry = DOMImplementationRegistry + .newInstance(); + DOMImplementationLS impl = (DOMImplementationLS) registry + .getDOMImplementation("LS"); + LSSerializer writer = impl.createLSSerializer(); + LSOutput output = impl.createLSOutput(); + output.setByteStream(byteArrayOutputStrm); + writer.write(element, output); + return byteArrayOutputStrm.toString(); + } catch (Exception e) { + throw new Exception("Error Serializing the SAML Response", e); + } + } + +} diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyAdministrator.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyAdministrator.java index 494c7673a8..47a6f9152a 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyAdministrator.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyAdministrator.java @@ -49,7 +49,6 @@ import com.raytheon.uf.common.status.UFStatus; import com.raytheon.uf.edex.registry.acp.xacml.util.XACMLParser; import com.raytheon.uf.edex.registry.ebxml.dao.ExtrinsicObjectDao; import com.raytheon.uf.edex.registry.ebxml.exception.EbxmlRegistryException; -import com.raytheon.uf.edex.registry.ebxml.init.RegistryInitializedListener; import com.raytheon.uf.edex.registry.ebxml.services.lifecycle.LifecycleManagerImpl; import com.raytheon.uf.edex.registry.ebxml.util.EbxmlObjectUtil; 
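Review bot: `handleObligations` is meant to override the hook in AbstractXACMLAuthorizingInterceptor but carries no `@Override`; if the parameter list or declared exception does not match the base class exactly, this method is a new overload, the base implementation runs instead and obligations returned by the PDP are silently never evaluated — add `@Override` so the compiler enforces the match. `outputRequest` also calls `System.setProperty("javax.xml.parsers.DocumentBuilderFactory", ...)` from a debug-only path, which swaps the JAXP factory for every component in the JVM the first time DEBUG logging is enabled; create the factory explicitly for this serialization or drop the property. The exception message `"Error Serializing the SAML Response"` mislabels what is being serialized (a XACML request), and the DEBUG log line emits the full request including subject attributes, which should be checked against what the log files are allowed to contain.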
@@ -68,6 +67,7 @@ import com.raytheon.uf.edex.registry.ebxml.util.EbxmlObjectUtil; * 4/9/2013 1802 bphillip Import changes due to moved constant classes * 5/21/2013 2022 bphillip Implemented RegistryInitializedListener * Mar 31, 2014 2889 dhladky Added username for notification center tracking. + * 7/10/2014 1717 bphillip No longer implements RegistryInitializedListener * * * @author bphillip @@ -75,7 +75,7 @@ import com.raytheon.uf.edex.registry.ebxml.util.EbxmlObjectUtil; */ @Service @Transactional -public class XACMLPolicyAdministrator implements RegistryInitializedListener { +public class XACMLPolicyAdministrator { /** The status handler */ private static final transient IUFStatusHandler statusHandler = UFStatus @@ -183,16 +183,6 @@ public class XACMLPolicyAdministrator implements RegistryInitializedListener { return policySet; } - @Override - public void executeAfterRegistryInit() throws EbxmlRegistryException { - try { - loadAccessControlPolicies(); - } catch (MsgRegistryException e) { - throw new EbxmlRegistryException(e); - } - - } - /** * Loads the access control policies from the file system folder * diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyDecisionPoint.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyDecisionPoint.java index 228cba834c..fa2ab70d63 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyDecisionPoint.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/XACMLPolicyDecisionPoint.java 
@@ -19,17 +19,15 @@ **/ package com.raytheon.uf.edex.registry.acp.xacml; -import java.util.List; - import org.opensaml.xacml.XACMLObject; import org.opensaml.xacml.ctx.DecisionType.DECISION; import org.opensaml.xacml.ctx.RequestType; import org.opensaml.xacml.ctx.ResponseType; import org.opensaml.xacml.ctx.StatusCodeType; -import org.opensaml.xacml.policy.ObligationType; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; +import com.raytheon.uf.common.util.CollectionUtil; import com.raytheon.uf.edex.registry.acp.xacml.engine.policy.Evaluator; import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLProcessingException; import com.raytheon.uf.edex.registry.acp.xacml.objects.Match; @@ -52,6 +50,7 @@ import com.raytheon.uf.edex.registry.acp.xacml.util.XACMLObjectUtil; * ------------ ---------- ----------- -------------------------- * 8/17/2012 724 bphillip Initial Coding * 3/18/2013 1802 bphillip Modified to use transaction boundaries and spring injection + * 7/10/2014 1717 bphillip Removed unneccessary methods * * * @author bphillip @@ -61,15 +60,6 @@ import com.raytheon.uf.edex.registry.acp.xacml.util.XACMLObjectUtil; @Transactional public class XACMLPolicyDecisionPoint { - /** The obligations to evaluate */ - private List obligations; - - /** The Policy or Policy Set object being used to evaluate the request */ - private XACMLObject policyObject; - - /** The Request being evaluated */ - private RequestType request; - public XACMLPolicyDecisionPoint() { } @@ -82,10 +72,7 @@ public class XACMLPolicyDecisionPoint { * @param request * The request being evaluated */ - public XACMLPolicyDecisionPoint(XACMLObject policyObject, - RequestType request) { - this.policyObject = policyObject; - this.request = request; + public XACMLPolicyDecisionPoint(XACMLObject policyObject) { } /** 
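Review bot: The rewritten constructor `public XACMLPolicyDecisionPoint(XACMLObject policyObject) {` silently discards its argument — its body is empty and the field it used to populate is deleted in the hunk above — while the Javadoc kept as context still documents `@param request`, a parameter that no longer exists. Either remove this constructor, since `evaluate` now receives the policy and request explicitly, or document it as an intentional no-op, e.g. `/** No-op; the policy is now supplied on each call to {@link #evaluate}. Retained for existing callers. */`, and drop the stale `@param request` tag. The Javadoc block this constructor belongs to starts outside the hunk.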
@@ -93,63 +80,25 @@ public class XACMLPolicyDecisionPoint { * * @return The response */ - public ResponseType evaluate() { + public ResponseType evaluate(XACMLObject policy, RequestType request) { + ResponseType response = null; Match match; try { - match = Evaluator.getInstance().evaluate(policyObject, request); + match = Evaluator.getInstance().evaluate(policy, request); } catch (XACMLProcessingException e) { - return XACMLObjectUtil.buildResponse(DECISION.Deny, + response = XACMLObjectUtil.buildResponse(DECISION.Deny, StatusCodeType.SC_PROCESSING_ERROR, e.getLocalizedMessage(), ""); + return response; } - this.obligations = match.getObligations(); - return XACMLObjectUtil.buildResponse(match.getMatch(), + + response = XACMLObjectUtil.buildResponse(match.getMatch(), match.getStatusCode(), match.getMessage(), ""); - } - - /** - * @return the obligations - */ - public List getObligations() { - return obligations; - } - - /** - * @param obligations - * the obligations to set - */ - public void setObligations(List obligations) { - this.obligations = obligations; - } - - /** - * @return the policyObject - */ - public XACMLObject getPolicyObject() { - return policyObject; - } - - /** - * @param policyObject - * the policyObject to set - */ - public void setPolicyObject(XACMLObject policyObject) { - this.policyObject = policyObject; - } - - /** - * @return the request - */ - public RequestType getRequest() { - return request; - } - - /** - * @param request - * the request to set - */ - public void setRequest(RequestType request) { - this.request = request; + if (!CollectionUtil.isNullOrEmpty(match.getObligations())) { + response.getResult().getObligations().getObligations() + .addAll(match.getObligations()); + } + return response; } } 
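Review bot: The obligations returned by the evaluator are copied onto the response whatever decision `match.getMatch()` carries (`response.getResult().getObligations().getObligations().addAll(match.getObligations())`); in XACML only the obligations whose FulfillOn effect matches the final decision belong in the response, so unless `Evaluator` already filters by effect this can surface Permit-only obligations on a Deny and vice versa — worth confirming and recording in a comment. The same line assumes `XACMLObjectUtil.buildResponse` always attaches a non-null `ObligationsType` to the result, which is only true together with the companion change to `XACMLObjectUtil` in this commit; a comment such as `// buildResponse always initialises Obligations (see XACMLObjectUtil)` would stop a later edit from reintroducing a NullPointerException here. On the processing-error path the `response = ...; return response;` pair could stay `return XACMLObjectUtil.buildResponse(DECISION.Deny, ...)` as before, which keeps the fail-closed Deny easy to see.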
diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/util/XACMLObjectUtil.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/util/XACMLObjectUtil.java index 6dc89e0947..f37abe9640 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/util/XACMLObjectUtil.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/acp/xacml/util/XACMLObjectUtil.java @@ -34,6 +34,7 @@ import org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder; import org.opensaml.xacml.ctx.impl.StatusDetailTypeImplBuilder; import org.opensaml.xacml.ctx.impl.StatusMessageTypeImplBuilder; import org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder; +import org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder; import com.raytheon.uf.edex.registry.acp.xacml.conformance.IdentifierPrefixes; import com.raytheon.uf.edex.registry.acp.xacml.conformance.SchemaPrefixes; @@ -50,6 +51,7 @@ import com.raytheon.uf.edex.registry.acp.xacml.exception.XACMLSyntaxException; * Date Ticket# Engineer Description * ------------ ---------- ----------- -------------------------- * 8/17/2012 724 bphillip Initial Coding + * 7/10/2014 1717 bphillip Set obligations on response object * * * @author bphillip @@ -168,6 +170,7 @@ public class XACMLObjectUtil { statusObj.setStatusDetail(statusDetailObj); } resultObj.setStatus(statusObj); + resultObj.setObligations(new ObligationsTypeImplBuilder().buildObject()); // Return the response return resultObj; diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/RegistryUsers.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/RegistryUsers.java new file mode 100644 index 0000000000..7bddf4868c --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/RegistryUsers.java 
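Review bot: `resultObj.setObligations(new ObligationsTypeImplBuilder().buildObject());` attaches an Obligations container to every result, including results that carry no obligations; if I read the XACML 2.0 schema correctly, `Obligation` inside `Obligations` has the default minOccurs of 1, so a response marshalled with an empty container may be rejected by a schema-validating consumer. If the only goal is to give `XACMLPolicyDecisionPoint.evaluate` a non-null list to append to, consider creating the container there only when `match.getObligations()` is non-empty, or add a comment here recording that the always-present empty element is deliberate. The enclosing method starts outside the hunk.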
@@ -0,0 +1,289 @@ +package com.raytheon.uf.edex.registry.ebxml; + +import java.util.List; + +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.UriInfo; + +import oasis.names.tc.ebxml.regrep.wsdl.registry.services.v4.LifecycleManager; +import oasis.names.tc.ebxml.regrep.wsdl.registry.services.v4.MsgRegistryException; +import oasis.names.tc.ebxml.regrep.xsd.lcm.v4.Mode; +import oasis.names.tc.ebxml.regrep.xsd.lcm.v4.RemoveObjectsRequest; +import oasis.names.tc.ebxml.regrep.xsd.lcm.v4.SubmitObjectsRequest; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.AssociationType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.InternationalStringType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.ObjectRefListType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.ObjectRefType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.PersonType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.RegistryObjectListType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.RegistryObjectType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.SlotType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.StringValueType; + +import org.springframework.stereotype.Service; +import org.springframework.transaction.annotation.Transactional; + +import com.raytheon.uf.common.registry.constants.AssociationTypes; +import com.raytheon.uf.common.registry.constants.RegistryObjectTypes; +import com.raytheon.uf.common.registry.ebxml.RegistryUtil; +import com.raytheon.uf.common.security.encryption.AESEncryptor; +import com.raytheon.uf.edex.registry.ebxml.dao.PersonDao; +import com.raytheon.uf.edex.registry.ebxml.dao.RoleDao; +import com.raytheon.uf.edex.registry.ebxml.exception.EbxmlRegistryException; +import com.raytheon.uf.edex.security.SecurityConfiguration; + +@Path("/registryUsers/") +@Service +@Transactional +public class RegistryUsers { + + public static final 
String USER_SUFFIX = "_RegistryUser"; + + public static final String USER_SLOT_NAME = "user"; + + public static final String PASSWORD_SLOT_NAME = "password"; + + public static final String ROLE_SLOT_NAME = "role"; + + private PersonDao personDao; + + private RoleDao roleDao; + + private LifecycleManager lcm; + + private SecurityConfiguration securityConfig; + + private AESEncryptor encryption; + + @GET + @Path("getUsers") + @Produces("text/plain") + public String getRegistryUsers() { + List users = personDao.getAll(); + + StringBuilder sb = new StringBuilder(); + String name = null; + String role = null; + for (PersonType user : users) { + if (user.getId().endsWith(RegistryUsers.USER_SUFFIX)) { + name = user.getSlotValue(USER_SLOT_NAME); + role = user.getSlotValue(ROLE_SLOT_NAME); + if (role == null) { + role = ""; + } + sb.append(name).append(";"); + sb.append(role).append(";"); + } + } + return sb.toString(); + } + + @GET + @Path("addUser") + public String addRegistryUser(@Context + UriInfo info) throws EbxmlRegistryException, MsgRegistryException { + MultivaluedMap params = info.getQueryParameters(); + String userName = params.getFirst("userName"); + String pwd = params.getFirst("pwd"); + String role = params.getFirst("role"); + + PersonType user = new PersonType(); + user.setId(userName); + user.setLid(userName); + user.setObjectType(RegistryObjectTypes.PERSON); + user.setName(new InternationalStringType("User " + userName)); + user.setDescription(new InternationalStringType("User" + userName)); + user.setOwner(RegistryUtil.DEFAULT_OWNER); + addUser(userName, pwd, role); + return "Successfully added user " + userName + " to registry"; + + } + + @GET + @Path("deleteUser/{userName}") + public String deleteUser(@PathParam("userName") + String userName) throws MsgRegistryException { + PersonType user = personDao.getById(userName + + RegistryUsers.USER_SUFFIX); + if (user != null) { + remove(user); + } + return "Deleted user [" + userName + "]"; + + } + + @GET + 
@Path("changePassword") + public String changePassword(@Context + UriInfo info) throws MsgRegistryException, EbxmlRegistryException { + MultivaluedMap params = info.getQueryParameters(); + String userName = params.getFirst("userName"); + String pwd = params.getFirst("pwd"); + PersonType user = personDao.getById(userName + USER_SUFFIX); + if (user == null) { + return "User [" + userName + "] does not exist"; + } + + ((StringValueType) user.getSlotByName(PASSWORD_SLOT_NAME) + .getSlotValue()).setStringValue(encryptPassword(pwd)); + submit(user); + return "Password for user [" + userName + "] successfully updated!"; + } + + @GET + @Path("changeRole") + public String changeRole(@Context + UriInfo info) throws MsgRegistryException { + MultivaluedMap params = info.getQueryParameters(); + String userName = params.getFirst("userName"); + String role = params.getFirst("role"); + PersonType user = personDao.getById(userName + USER_SUFFIX); + if (user == null) { + return "User [" + userName + "] does not exist"; + } + + ((StringValueType) user.getSlotByName(ROLE_SLOT_NAME).getSlotValue()) + .setStringValue(role); + submit(user); + return "Role for user [" + userName + "] successfully updated!"; + } + + public void addUser(String id, String password, String role) + throws EbxmlRegistryException, MsgRegistryException { + if (id == null) { + throw new EbxmlRegistryException("User ID cannot be null"); + } + if (userExists(id)) { + throw new EbxmlRegistryException("User [" + id + "] already exists"); + } + if (!roleExists(role)) { + throw new EbxmlRegistryException("Role [" + role + + "] does not exist"); + } + PersonType user = new PersonType(); + user.setId(id + USER_SUFFIX); + user.setLid(user.getId()); + user.setObjectType(RegistryObjectTypes.PERSON); + user.setName(new InternationalStringType("Registry User " + id)); + user.setDescription(new InternationalStringType("Registry User " + id)); + user.setOwner(RegistryUtil.DEFAULT_OWNER); + + AssociationType association = new 
AssociationType(); + association.setId(id + "_" + role + "_Association"); + association.setLid(association.getId()); + association.setObjectType(RegistryObjectTypes.ASSOCIATION); + association.setOwner(RegistryUtil.DEFAULT_OWNER); + association.setName(new InternationalStringType(role + + " role assocation for user " + id)); + association.setDescription(new InternationalStringType(role + + " role assocation for user " + id)); + association.setSourceObject(id); + association.setTargetObject(role); + association.setType(AssociationTypes.HAS_ROLE); + + SlotType userSlot = new SlotType(USER_SLOT_NAME, + new StringValueType(id)); + SlotType passwordSlot = new SlotType(PASSWORD_SLOT_NAME, + new StringValueType(encryptPassword(password))); + SlotType roleSlot = new SlotType(ROLE_SLOT_NAME, new StringValueType( + role)); + user.getSlot().add(userSlot); + user.getSlot().add(passwordSlot); + user.getSlot().add(roleSlot); + + submit(association, user); + } + + private void remove(RegistryObjectType... objs) throws MsgRegistryException { + ObjectRefListType refList = new ObjectRefListType(); + for (RegistryObjectType obj : objs) { + refList.getObjectRef().add(new ObjectRefType(obj.getId())); + } + RemoveObjectsRequest req = new RemoveObjectsRequest(); + req.setId("Removing registry users"); + req.setComment("Remove request to remove registry users"); + req.setDeleteChildren(true); + req.setObjectRefList(refList); + lcm.removeObjects(req); + } + + private void submit(RegistryObjectType... 
objs) throws MsgRegistryException { + SubmitObjectsRequest submitObjectsRequest = new SubmitObjectsRequest(); + submitObjectsRequest.setCheckReferences(false); + submitObjectsRequest.setComment("Modifying registry user"); + submitObjectsRequest.setId("Submit User objects"); + submitObjectsRequest.setMode(Mode.CREATE_OR_REPLACE); + submitObjectsRequest.setUsername(RegistryUtil.registryUser); + submitObjectsRequest + .setRegistryObjectList(new RegistryObjectListType()); + for (RegistryObjectType obj : objs) { + submitObjectsRequest.getRegistryObjects().add(obj); + } + lcm.submitObjects(submitObjectsRequest); + + } + + public boolean userExists(String userId) { + return personDao.getById(userId + USER_SUFFIX) != null; + } + + private boolean roleExists(String roleId) { + return roleDao.getById(roleId) != null; + } + + private String encryptPassword(String password) throws EbxmlRegistryException{ + try { + return encryption.encrypt(securityConfig.getEncryptionKey(), password); + } catch (Exception e) { + throw new EbxmlRegistryException("Error encrypting password",e); + } + } + + /** + * @param personDao + * the personDao to set + */ + public void setPersonDao(PersonDao personDao) { + this.personDao = personDao; + } + + /** + * @param roleDao + * the roleDao to set + */ + public void setRoleDao(RoleDao roleDao) { + this.roleDao = roleDao; + } + + /** + * @param lcm + * the lcm to set + */ + public void setLcm(LifecycleManager lcm) { + this.lcm = lcm; + } + + + + /** + * @param securityConfig the securityConfig to set + */ + public void setSecurityConfig(SecurityConfiguration securityConfig) { + this.securityConfig = securityConfig; + } + + /** + * @param encryption the encryption to set + */ + public void setEncryption(AESEncryptor encryption) { + this.encryption = encryption; + } + + + +} 
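Review bot: `addRegistryUser` and `changePassword` are `@GET` handlers that take the password from the URL (`params.getFirst("pwd")` via `info.getQueryParameters()`), so every user's password is written to web-server access logs, proxy logs and browser history; these should be `@POST` handlers taking form or body parameters, and the same applies to `changeRole`, which changes state and should not be reachable through a plain GET. `addRegistryUser` also builds a `PersonType user` that is never used — `addUser(userName, pwd, role)` constructs its own — and `addUser` checks `id` for null but not `password`, so a missing `pwd` parameter reaches `encryptPassword(null)` and surfaces only as the generic "Error encrypting password". The association in `addUser` sets `setSourceObject(id)` while the person is stored under `id + USER_SUFFIX`; because the request uses `setCheckReferences(false)` nothing rejects the mismatch, so please confirm it is intended. No authorization check is visible on any of these endpoints; if it is enforced by the XACML interceptor or servlet security outside this file, a class-level Javadoc saying so would help the next reader.
```java
@POST
@Path("changePassword")
@Consumes("application/x-www-form-urlencoded")
public String changePassword(@FormParam("userName") String userName,
        @FormParam("pwd") String pwd) throws MsgRegistryException, EbxmlRegistryException {
    PersonType user = personDao.getById(userName + USER_SUFFIX);
    // … unchanged: existence check, password slot update, submit …
}
```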
diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/acp/PasswordCallback.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/acp/PasswordCallback.java index 239470a579..5d4db0298f 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/acp/PasswordCallback.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/acp/PasswordCallback.java @@ -28,9 +28,11 @@ import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; +import com.raytheon.uf.edex.registry.ebxml.web.security.CredentialCache; + /** * - * Password callback class used with WS security. Currently unused. + * Password callback class used with WS security. * *
  * 
@@ -39,6 +41,7 @@ import org.apache.ws.security.WSPasswordCallback;
  * Date         Ticket#    Engineer    Description
  * ------------ ---------- ----------- --------------------------
  * Aug 3, 2012            bphillip     Initial creation
+ * 7/10/2014    1717       bphillip    Get user information from CredentialCache
  * 
  * 
* @@ -59,7 +62,8 @@ public class PasswordCallback implements CallbackHandler { for (Callback call : callbacks) { if (call instanceof WSPasswordCallback) { WSPasswordCallback cb = (WSPasswordCallback) call; - cb.setPassword("password"); + cb.setPassword(CredentialCache.getInstance().getUserPassword( + ((WSPasswordCallback) call).getIdentifier())); } } } diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/dao/DbInit.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/dao/DbInit.java index 0a47ce8c58..e7534f04d7 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/dao/DbInit.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/dao/DbInit.java @@ -67,6 +67,7 @@ import com.raytheon.uf.common.status.UFStatus; import com.raytheon.uf.common.util.ReflectionUtil; import com.raytheon.uf.edex.core.EDEXUtil; import com.raytheon.uf.edex.core.props.PropertiesFactory; +import com.raytheon.uf.edex.registry.acp.xacml.XACMLPolicyAdministrator; import com.raytheon.uf.edex.registry.ebxml.exception.EbxmlRegistryException; import com.raytheon.uf.edex.registry.ebxml.init.RegistryInitializedListener; @@ -93,6 +94,7 @@ import com.raytheon.uf.edex.registry.ebxml.init.RegistryInitializedListener; * Nov 14, 2013 2552 bkowal EbxmlJaxbManager is now accessed via getInstance * Dec 20, 2013 2636 mpduff Set initialized to true before postInitialized is called. * Dec 04, 2013 2584 dhladky Version based EbxmlJaxbManager + * 7/10/2014 1717 bphillip Removed xacml policy admin object * * * @author bphillip @@ -118,6 +120,8 @@ public class DbInit extends com.raytheon.uf.edex.database.init.DbInit implements private SessionFactory sessionFactory; private ApplicationContext applicationContext; + + private XACMLPolicyAdministrator xacmlPolicyAdmin; /** * Creates a new instance of DbInit. This constructor should only be called 
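Review bot: The added lookup re-casts `call` even though the cast variable `cb` is already in scope on the preceding context line; `cb.setPassword(CredentialCache.getInstance().getUserPassword(cb.getIdentifier()));` is the same call without the duplicate cast. It is also worth stating what happens for an identifier the cache does not know — if `getUserPassword` returns null, WSS4J should fail UsernameToken validation, but that depends on the cache's contract, so a one-line comment such as `// null for an unknown user; WSS4J then rejects the token` (or an explicit check) would make the fail-closed behaviour visible. The enclosing method starts outside the hunk.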
@@ -137,6 +141,7 @@ public class DbInit extends com.raytheon.uf.edex.database.init.DbInit implements executeRegistrySql(); populateDB(); + xacmlPolicyAdmin.loadAccessControlPolicies(); } public static boolean isDbInitialized() { @@ -404,4 +409,13 @@ public class DbInit extends com.raytheon.uf.edex.database.init.DbInit implements throws BeansException { this.applicationContext = applicationContext; } + + /** + * @param xacmlPolicyAdmin the xacmlPolicyAdmin to set + */ + public void setXacmlPolicyAdmin(XACMLPolicyAdministrator xacmlPolicyAdmin) { + this.xacmlPolicyAdmin = xacmlPolicyAdmin; + } + + } diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryRESTServices.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryRESTServices.java index 7535c8b37b..73897b9e2e 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryRESTServices.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryRESTServices.java @@ -64,6 +64,7 @@ import com.raytheon.uf.edex.security.SecurityConfiguration; * 1/15/2014 2613 bphillip Removed Service cache due to unexpected behavior * 2/19/2014 2769 bphillip Added service cache * 6/5/2014 1712 bphillip Moved configuration out to separate class + * 7/10/2014 1717 bphillip Added authorization policy * * * @author bphillip @@ -183,6 +184,7 @@ public class RegistryRESTServices { HTTPConduit conduit = config.getHttpConduit(); conduit.setClient(serviceConfig.getHttpClientPolicy()); conduit.setTlsClientParameters(securityConfig.getTlsParams()); + conduit.setAuthorization(securityConfig.getAuthPolicy()); // Create HTTP header containing the calling registry client.header(RegistryUtil.CALLING_REGISTRY_SOAP_HEADER_NAME, 
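Review bot: `xacmlPolicyAdmin.loadAccessControlPolicies();` relies on setter injection of `xacmlPolicyAdmin` (the setter is added in the next hunk); if the bean wiring is missing this fails as a NullPointerException deep inside database initialisation rather than as a clear configuration error, so a guard such as `Objects.requireNonNull(xacmlPolicyAdmin, "xacmlPolicyAdmin not injected");` before the call would make the failure explicit. The deleted `executeAfterRegistryInit` used to wrap `MsgRegistryException` in `EbxmlRegistryException`; what this call now propagates depends on the enclosing method's throws clause, which starts outside the hunk. Since these are the access-control policies, a comment noting that initialisation is meant to abort rather than continue when they cannot be loaded would document the intended fail-closed behaviour.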
diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryServiceInInterceptor.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryServiceInInterceptor.java index 277b8aeb68..5991d0036d 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryServiceInInterceptor.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/RegistryServiceInInterceptor.java @@ -48,6 +48,7 @@ import com.raytheon.uf.common.util.CollectionUtil; * ------------ ---------- ----------- -------------------------- * 9/5/2013 1538 bphillip Initial implementation * 2/27/2014 2769 bphillip Changed verbose output to debug level + * 7/10/2014 1717 bphillip Added session * * * @author bphillip @@ -66,6 +67,14 @@ public class RegistryServiceInInterceptor extends @SuppressWarnings("unchecked") @Override public void handleMessage(Message message) throws Fault { + /* + * Request the current session so that login credentials can be + * maintained across multiple calls + */ + HttpServletRequest req = (HttpServletRequest) message + .get("HTTP.REQUEST"); + req.getSession(true); + if (statusHandler.isPriorityEnabled(Priority.DEBUG)) { StringBuilder logMessage = new StringBuilder(); HttpServletRequest request = (HttpServletRequest) message diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/soap/RegistrySOAPServices.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/soap/RegistrySOAPServices.java index 8f57f9595f..3e089895ea 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/soap/RegistrySOAPServices.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/services/soap/RegistrySOAPServices.java 
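Review bot: `req.getSession(true)` creates a server-side session for every inbound message before any authentication has happened, so unauthenticated clients can drive unbounded session creation, and a session established before login is the usual precondition for session fixation unless the login path later rotates the session id; prefer creating the session only once credentials have been verified, or at least confirm that Jetty is configured to change the session id on authentication. The cast of `message.get("HTTP.REQUEST")` has no null check and would throw a NullPointerException for a message that did not arrive over HTTP, and the debug branch below appears to fetch the same object again, so the two lookups could be merged. CXF exposes this key as `AbstractHTTPDestination.HTTP_REQUEST`, which is preferable to the string literal. The enclosing `handleMessage` method continues outside the hunk.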
@@ -71,6 +71,7 @@ import com.raytheon.uf.edex.security.SecurityConfiguration; * 1/15/2014 2613 bphillip Eliminated service caching...again * 2/19/2014 2769 bphillip Renamed getPort method * 6/5/2014 1712 bphillip Moved configuration out to separate class. Added outbound interceptor + * 7/10/2014 1717 bphillip Added authorization policy * * * @author bphillip @@ -308,6 +309,7 @@ public class RegistrySOAPServices { HTTPConduit conduit = (HTTPConduit) client.getConduit(); conduit.setClient(serviceConfig.getHttpClientPolicy()); conduit.setTlsClientParameters(securityConfig.getTlsParams()); + conduit.setAuthorization(securityConfig.getAuthPolicy()); // Create HTTP header containing the calling registry Map> headers = new HashMap>(); diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/util/EDEXRegistryManager.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/util/EDEXRegistryManager.java index 7ec6008314..5ceaaab38f 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/util/EDEXRegistryManager.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/util/EDEXRegistryManager.java @@ -19,7 +19,6 @@ import com.raytheon.uf.common.status.IUFStatusHandler; import com.raytheon.uf.common.status.UFStatus; import com.raytheon.uf.edex.auth.req.AbstractPrivilegedRequestHandler; import com.raytheon.uf.edex.auth.resp.AuthorizationResponse; -import com.raytheon.uf.edex.registry.acp.xacml.XACMLPolicyEnforcementPoint; /** * @@ -57,8 +56,6 @@ public class EDEXRegistryManager extends @VisibleForTesting static final String CAN_ONLY_STORE_SINGLE_OBJECT = "Only one object can be stored at a time, ignoring all but the first item in the list!"; - private XACMLPolicyEnforcementPoint xacmlPep; - private RegistryHandler registryHandler; /** 
@@ -123,11 +120,7 @@ public class EDEXRegistryManager extends @Transactional public AuthorizationResponse authorized(IUser user, IRegistryRequest request) throws AuthorizationException { - return xacmlPep.handleRegistryRequest(user, request); - } - - public void setXacmlPep(XACMLPolicyEnforcementPoint xacmlPep) { - this.xacmlPep = xacmlPep; + return new AuthorizationResponse(true); } public void setRegistryHandler(RegistryHandler registryHandler) { diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/RegistryWebServer.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/RegistryWebServer.java index cab4a64b14..fcc63a4b40 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/RegistryWebServer.java +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/RegistryWebServer.java @@ -54,6 +54,7 @@ public class RegistryWebServer implements RegistryInitializedListener { /** The jetty server instance */ private final Server jettyServer; + /** * Creates a new Jetty Server with the given configuration file 
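Review bot: `authorized` now returns `new AuthorizationResponse(true)` unconditionally, so every privileged registry request reaching this handler is approved without the XACML policy enforcement point the removed line used to consult. The commit title says authorization moved to the XACML interceptor, but whether requests arriving through this `AbstractPrivilegedRequestHandler` path also pass through that interceptor is not visible in the diff; if they do not, this is an authorization bypass, and if they do, a comment such as `// Authorization is enforced by XACMLInterceptor on the web-service layer; requests reaching this handler are already authorized` should record that assumption so the short-circuit is not mistaken for a stub. Either way `user` and `request` are now unused, which a reader will otherwise take as a bug.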
@@ -63,22 +64,19 @@ public class RegistryWebServer implements RegistryInitializedListener { * @throws Exception * If errors occur while configuring the Jetty Server */ - public RegistryWebServer(String jettyConfigFile, SecurityConfiguration securityConfiguration) throws Exception { + public RegistryWebServer(String jettyConfigFile, + SecurityConfiguration securityConfiguration) throws Exception { try { statusHandler.info("Configuring registry web server from file [" + jettyConfigFile + "]"); FileInputStream fis = null; try { - // Temporarily add the security properties to the java properties so it can be configured properly - System.getProperties().putAll(securityConfiguration.getSecurityProperties()); + System.getProperties().putAll( + securityConfiguration.getSecurityProperties()); fis = new FileInputStream(jettyConfigFile); XmlConfiguration configuration = new XmlConfiguration(fis); jettyServer = (Server) configuration.configure(); } finally { - // Remove the security properties from the environment - for(Object property: securityConfiguration.getSecurityProperties().keySet()){ - System.getProperties().remove(property); - } if (fis != null) { fis.close(); } diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/CredentialCache.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/CredentialCache.java new file mode 100644 index 0000000000..2b1f469b53 --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/CredentialCache.java 
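Review bot: The `finally` cleanup that removed `securityConfiguration.getSecurityProperties()` from `System.getProperties()` after Jetty was configured is deleted, so whatever those properties hold — presumably keystore/truststore locations and passwords, judging by the name — now stays in the global JVM properties for the life of the process, readable by any code in the JVM and included in diagnostics such as `jinfo` output or support dumps. If Jetty genuinely needs them at runtime rather than only while the XML configuration is parsed, please say so in place of the removed `// Temporarily add ...` comment, e.g. `// Security properties must stay in System properties: Jetty resolves them lazily at runtime`; otherwise the cleanup should be restored. The enclosing try/finally continues past the hunk.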
@@ -0,0 +1,300 @@ +/** + * This software was developed and / or modified by Raytheon Company, + * pursuant to Contract DG133W-05-CQ-1067 with the US Government. + * + * U.S. EXPORT CONTROLLED TECHNICAL DATA + * This software product contains export-restricted data whose + * export/transfer/disclosure is restricted by U.S. law. Dissemination + * to non-U.S. persons whether in the United States or abroad requires + * an export license or other authorization. + * + * Contractor Name: Raytheon Company + * Contractor Address: 6825 Pine Street, Suite 340 + * Mail Stop B8 + * Omaha, NE 68106 + * 402.291.0100 + * + * See the AWIPS II Master Rights File ("Master Rights File.pdf") for + * further licensing information. + **/ +package com.raytheon.uf.edex.registry.ebxml.web.security; + +import java.util.List; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import javax.xml.ws.WebServiceException; + +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.PersonType; +import oasis.names.tc.ebxml.regrep.xsd.rim.v4.RegistryObjectType; + +import org.springframework.transaction.TransactionStatus; +import org.springframework.transaction.annotation.Propagation; +import org.springframework.transaction.annotation.Transactional; +import org.springframework.transaction.support.TransactionCallback; +import org.springframework.transaction.support.TransactionTemplate; + +import com.google.common.cache.CacheBuilder; +import com.google.common.cache.CacheLoader; +import com.google.common.cache.LoadingCache; +import com.google.common.eventbus.Subscribe; +import com.raytheon.uf.common.registry.constants.RegistryObjectTypes; +import com.raytheon.uf.common.registry.handler.RegistryHandlerException; +import com.raytheon.uf.common.registry.services.RegistryServiceException; +import com.raytheon.uf.common.security.encryption.AESEncryptor; +import com.raytheon.uf.edex.registry.ebxml.RegistryUsers; +import com.raytheon.uf.edex.registry.ebxml.dao.PersonDao; +import 
com.raytheon.uf.edex.registry.ebxml.services.RegistryRESTServices; +import com.raytheon.uf.edex.registry.events.CreateAuditTrailEvent; +import com.raytheon.uf.edex.security.SecurityConfiguration; + +/** + * + * Cache object for holding users' credentials for accessing registry web + * services + * + *
+ * 
+ * SOFTWARE HISTORY
+ * 
+ * Date         Ticket#     Engineer    Description
+ * ------------ ----------  ----------- --------------------------
+ * 7/10/2014    1717        bphillip    Initial creation
+ * 
+ * + * @author bphillip + * @version 1 + **/ +public class CredentialCache { + + /** The singleton instance */ + private static CredentialCache instance = new CredentialCache(); + + /** The registry REST services */ + private RegistryRESTServices restServices; + + /** Data access object for person type */ + private PersonDao personDao; + + /** The Hibernate Transaction template */ + private TransactionTemplate txTemplate; + + /** The security configuration */ + private SecurityConfiguration securityConfig; + + /** AESEncryptor object */ + private AESEncryptor encryption; + + /** Field denoting if this registry is running in centralRegistry mode */ + public static final boolean centralRegistry = System.getProperty( + "edex.run.mode").equals("centralRegistry"); + + /** Address of the central registry */ + private static final String CENTRAL_REGISTRY_ADDRESS = "https://" + + (System.getProperty("ncf.host")) + ":" + + (System.getProperty("ebxml.registry.webserver.port")); + + /** Cache holding users' credentials */ + private LoadingCache credentialCache = CacheBuilder + .newBuilder().maximumSize(1000) + .expireAfterAccess(60, TimeUnit.MINUTES) + .build(new CacheLoader() { + @Override + public String[] load(final String userName) + throws RegistryHandlerException { + return txTemplate + .execute(new TransactionCallback() { + @Override + public String[] doInTransaction( + TransactionStatus status) { + PersonType user = null; + + /* + * If we are the central registry, directly + * query the registry + */ + if (centralRegistry) { + user = personDao.getById(userName + + RegistryUsers.USER_SUFFIX); + } + /* + * If we are not the central registry, query + * the central registry to get the user's + * information + */ + else { + try { + user = restServices + .getRegistryObject( + CENTRAL_REGISTRY_ADDRESS, + userName + + RegistryUsers.USER_SUFFIX); + } catch (Exception e) { + throw new WebServiceException( + "Error contacting central registry!", + e); + } + } + /* + * User not 
found means unauthorized + */ + if (user == null) { + throw new WebServiceException("User [" + + userName + " Not authorized!"); + } + /* + * Put the user name, password, and role in + * the return array. Decrypt the password. + */ + String userName = user + .getSlotValue(RegistryUsers.USER_SLOT_NAME); + String password = null; + try { + password = encryption.decrypt( + securityConfig + .getEncryptionKey(), + (String) user + .getSlotValue(RegistryUsers.PASSWORD_SLOT_NAME)); + } catch (Exception e) { + throw new RegistryServiceException( + "Error decrypting password!", e); + } + String role = user + .getSlotValue(RegistryUsers.ROLE_SLOT_NAME); + return new String[] { userName, password, + role }; + } + }); + } + }); + + /** + * Protected constructor + */ + protected CredentialCache() { + + } + + /** + * Gets the singleton instance of the Credential cache + * + * @return The singleton instance + */ + public static CredentialCache getInstance() { + return instance; + } + + /** + * Listens for updates to users and invalidates their entries in the cache + * if they have changed + * + * @param event + * The event to examine + */ + @Subscribe + @Transactional(propagation = Propagation.REQUIRED) + public void processEvent(CreateAuditTrailEvent event) { + List objsAffected = event.getObjectsAffected(); + for (RegistryObjectType affectedObj : objsAffected) { + if (RegistryObjectTypes.PERSON.equals(affectedObj.getObjectType())) { + credentialCache.invalidate(affectedObj.getId()); + } + } + } + + /** + * Gets a user from the provided user name + * + * @param userName + * The user name of the user + * @return An array containing the user name, password, and role of the user + * @throws RegistryServiceException + * If errors occur while accessing the cache + */ + public String[] getUser(String userName) throws RegistryServiceException { + try { + return credentialCache.get(userName); + } catch (ExecutionException e) { + throw new RegistryServiceException("Error retrieving user " 
+ + userName); + } + } + + /** + * Gets the role of the given user + * + * @param userName + * The user name to get the role for + * @return The role of the given user + * @throws RegistryServiceException + * If errors occur while accessing the cache + */ + public String getUserRole(String userName) throws RegistryServiceException { + try { + return credentialCache.get(userName)[0]; + } catch (ExecutionException e) { + throw new RegistryServiceException( + "Error retrieving role for user " + userName); + } + } + + /** + * Gets the password for the given user + * + * @param userName + * The user to get the password for + * @return The password for the given user + * @throws RegistryServiceException + * If errors occur while accessing the cache + */ + public String getUserPassword(String userName) + throws RegistryServiceException { + try { + return credentialCache.get(userName)[1]; + } catch (ExecutionException e) { + throw new RegistryServiceException( + "Error retrieving password for user " + userName); + } + } + + /** + * @param restServices + * the restServices to set + */ + public void setRestServices(RegistryRESTServices restServices) { + this.restServices = restServices; + } + + /** + * @param personDao + * the personDao to set + */ + public void setPersonDao(PersonDao personDao) { + this.personDao = personDao; + } + + /** + * @param txTemplate + * the txTemplate to set + */ + public void setTxTemplate(TransactionTemplate txTemplate) { + this.txTemplate = txTemplate; + } + + /** + * @param securityConfig + * the securityConfig to set + */ + public void setSecurityConfig(SecurityConfiguration securityConfig) { + this.securityConfig = securityConfig; + } + + /** + * @param encryption + * the encryption to set + */ + public void setEncryption(AESEncryptor encryption) { + this.encryption = encryption; + } + +} 
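Review bot: `getUserRole` returns `credentialCache.get(userName)[0]`, but the loader builds the array as `{ userName, password, role }`, so the method hands back the user name rather than the role; it should read `return credentialCache.get(userName)[2];` (RegistryLoginModule, added in the same commit, already reads the role from `user[2]`). `processEvent` invalidates with `affectedObj.getId()`, while entries are keyed by the bare user name and the loader looks the person up as `userName + RegistryUsers.USER_SUFFIX`; if the person's id is that suffixed form, the invalidation never matches and a changed or deleted user's password and role stay valid for up to 60 minutes after last access, so strip the suffix before invalidating or key the cache by id. The `ExecutionException` handlers in `getUser`, `getUserRole` and `getUserPassword` drop the cause; pass `e` as the second constructor argument, as the decrypt path already does. The cache holds decrypted passwords as `String`s for the whole TTL, which deserves a sentence on the `credentialCache` field so nobody widens `maximumSize` or the expiry without thinking about it.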
diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistryLoginModule.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistryLoginModule.java new file mode 100644 index 0000000000..e86bf95290 --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistryLoginModule.java @@ -0,0 +1,80 @@ +/** + * This software was developed and / or modified by Raytheon Company, + * pursuant to Contract DG133W-05-CQ-1067 with the US Government. + * + * U.S. EXPORT CONTROLLED TECHNICAL DATA + * This software product contains export-restricted data whose + * export/transfer/disclosure is restricted by U.S. law. Dissemination + * to non-U.S. persons whether in the United States or abroad requires + * an export license or other authorization. + * + * Contractor Name: Raytheon Company + * Contractor Address: 6825 Pine Street, Suite 340 + * Mail Stop B8 + * Omaha, NE 68106 + * 402.291.0100 + * + * See the AWIPS II Master Rights File ("Master Rights File.pdf") for + * further licensing information. + **/ +package com.raytheon.uf.edex.registry.ebxml.web.security; + +import java.util.ArrayList; +import java.util.List; + +import javax.xml.ws.WebServiceException; + +import org.eclipse.jetty.plus.jaas.spi.AbstractLoginModule; +import org.eclipse.jetty.plus.jaas.spi.UserInfo; +import org.eclipse.jetty.util.security.Credential; +import org.eclipse.jetty.util.security.Password; + +import com.raytheon.uf.common.registry.services.RegistryServiceException; + +/** + * + * The registry login module used by the Jetty server hosting the registry services + * + *
+ * 
+ * SOFTWARE HISTORY
+ * 
+ * Date         Ticket#     Engineer    Description
+ * ------------ ----------  ----------- --------------------------
+ * 7/10/2014    1717        bphillip    Initial creation
+ * 
+ * + * @author bphillip + * @version 1 + **/ +public class RegistryLoginModule extends AbstractLoginModule { + + /** + * Creates a new RegistryLoginModule + */ + public RegistryLoginModule() { + super(); + } + + @Override + public UserInfo getUserInfo(final String userName) { + String[] user = null; + try { + user = CredentialCache.getInstance().getUser(userName); + } catch (RegistryServiceException e) { + throw new WebServiceException("User [" + userName + + " Not authorized!",e); + } + for(String userField:user){ + if(userField == null){ + throw new WebServiceException("User [" + userName + + " Not authorized!"); + } + } + List roleList = new ArrayList(1); + roleList.add(user[2]); + Credential credential = new Password(user[1]); + UserInfo userInfo = new UserInfo(userName, credential, roleList); + return userInfo; + } +} diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistrySSLContextFactory.java b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistrySSLContextFactory.java new file mode 100644 index 0000000000..ae3b4f1519 --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/src/com/raytheon/uf/edex/registry/ebxml/web/security/RegistrySSLContextFactory.java 
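Review bot: `getUserInfo` throws `WebServiceException` when the user is unknown or a cached field is null, whereas `AbstractLoginModule` (as far as I recall) treats a null `UserInfo` as an ordinary failed login; throwing turns an unknown user name into a server-side error that is reported differently from a wrong password, which lets a client tell the two cases apart and fills the log with stack traces for mistyped names. Use `return null;` in place of both throws, and let only a real `RegistryServiceException` (cache or central-registry failure) propagate. The messages are also missing their closing bracket: `"User [" + userName + "] Not authorized!"`. `List roleList = new ArrayList(1);` is a raw type; `List<String> roleList = new ArrayList<>(1);` matches what `UserInfo` takes.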
@@ -0,0 +1,89 @@ +/** + * This software was developed and / or modified by Raytheon Company, + * pursuant to Contract DG133W-05-CQ-1067 with the US Government. + * + * U.S. EXPORT CONTROLLED TECHNICAL DATA + * This software product contains export-restricted data whose + * export/transfer/disclosure is restricted by U.S. law. Dissemination + * to non-U.S. persons whether in the United States or abroad requires + * an export license or other authorization. + * + * Contractor Name: Raytheon Company + * Contractor Address: 6825 Pine Street, Suite 340 + * Mail Stop B8 + * Omaha, NE 68106 + * 402.291.0100 + * + * See the AWIPS II Master Rights File ("Master Rights File.pdf") for + * further licensing information. + **/ +package com.raytheon.uf.edex.registry.ebxml.web.security; + +import java.io.IOException; + +import org.eclipse.jetty.util.ssl.SslContextFactory; + +import com.raytheon.uf.common.security.encryption.AESEncryptor; +import com.raytheon.uf.edex.security.SecurityConfiguration; + +/** + * + * Custom SslContextFacotry implementation which accepts encrypted values for passwords + * + *
+ * 
+ * SOFTWARE HISTORY
+ * 
+ * Date         Ticket#     Engineer    Description
+ * ------------ ----------  ----------- --------------------------
+ * 7/10/2014    1717        bphillip    Initial creation
+ * 
+ * + * @author bphillip + * @version 1 + **/ +public class RegistrySSLContextFactory extends SslContextFactory { + + private AESEncryptor encryption; + + private SecurityConfiguration securityConfiguration; + + public RegistrySSLContextFactory() throws IOException { + super(); + this.securityConfiguration = new SecurityConfiguration(); + this.encryption = new AESEncryptor(); + } + + @Override + public void setKeyStorePassword(String password) { + try { + super.setKeyStorePassword(encryption.decrypt(this.securityConfiguration.getEncryptionKey(), + password)); + } catch (Exception e) { + throw new RuntimeException("Error setting web server properties!", + e); + } + } + + @Override + public void setTrustStorePassword(String password) { + try { + super.setTrustStorePassword(encryption.decrypt(this.securityConfiguration.getEncryptionKey(), + password)); + } catch (Exception e) { + throw new RuntimeException("Error setting web server properties!", + e); + } + } + + public void setKeyManagerPassword(String password) { + try { + super.setKeyManagerPassword(encryption.decrypt(this.securityConfiguration.getEncryptionKey(), + password)); + } catch (Exception e) { + throw new RuntimeException("Error setting web server properties!", + e); + } + } + +} diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/utility/edex_static/base/ebxml/acp/default-acp.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/utility/edex_static/base/ebxml/acp/default-acp.xml index c2219f5982..26a07239f8 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/utility/edex_static/base/ebxml/acp/default-acp.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/utility/edex_static/base/ebxml/acp/default-acp.xml @@ -54,9 +54,33 @@ DataType="http://www.w3.org/2001/XMLSchema#string" /> + + + execute + + + + + + GET + + + + + + POST + + + - Default access control policy for accessing registry 
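Review bot: `setKeyManagerPassword` is the only one of the three setters without `@Override`; if the superclass signature ever differs the method silently stops overriding and the still-encrypted string is handed to Jetty as the key-manager password, so add the annotation. The three setters also repeat the same decrypt-and-wrap block, and a private helper keeps the error handling in one place. Each factory instance builds its own `SecurityConfiguration`, which loads the key and trust stores again just to obtain the encryption key; that is fine for a single factory but worth a comment on the constructor.
```java
@Override
public void setKeyStorePassword(String password) {
    super.setKeyStorePassword(decrypt(password));
}

// … unchanged: setTrustStorePassword and setKeyManagerPassword follow the same one-line pattern, both with @Override …

/** Decrypts an encrypted password with the configured key; any failure is wrapped, not swallowed. */
private String decrypt(String encrypted) {
    try {
        return encryption.decrypt(securityConfiguration.getEncryptionKey(), encrypted);
    } catch (Exception e) {
        throw new RuntimeException("Error setting web server properties!", e);
    }
}
```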
diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/WEB-INF/web.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/WEB-INF/web.xml index 9192a22844..148684d12d 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/WEB-INF/web.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/WEB-INF/web.xml @@ -12,6 +12,49 @@ version="2.4"> Data Delivery Web Services + + RegistryAdministrator + + + RegistryLocalAdministrator + + + RegistryUser + + + RegistryGuest + + + + + + + Registry User Admin pages + + /* + + + RegistryLocalAdministrator + RegistryAdministrator + + + + + + Registry User Admin pages + + /registry/services/users/* + + + RegistryAdministrator + + + + + BASIC + RegistryRealm + + webAppRootKey registryEbxml diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/etc/jettyServer.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/etc/jettyServer.xml index 0af53852c7..61b11a47bb 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/etc/jettyServer.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/etc/jettyServer.xml @@ -26,7 +26,7 @@ - + @@ -63,9 +63,19 @@ + + + + + + + + + + WEB-INF/web.xml - + / true diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/navigation.html b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/navigation.html index 701d08abe5..6d417840d6 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/navigation.html +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/navigation.html @@ -61,6 +61,8 @@ Date Ticket# Engineer Description Subscription Backup
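Review bot: The `/*` constraint admits only RegistryLocalAdministrator and RegistryAdministrator, so a principal whose only role is RegistryUser or RegistryGuest — both declared in this hunk — is refused every URL of the application; either add those roles to the `/*` constraint or drop the unused declarations so the intent is explicit. The login config uses BASIC, which sends the credentials base64-encoded on every request; the rendered hunk shows no `<user-data-constraint>` with `CONFIDENTIAL`, so either add one or confirm the application is bound only to the HTTPS connector (the jettyServer.xml hunk in this commit is not readable here). A short comment next to each constraint naming which role is meant for which path would help the next reader.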
Federation Status +
+ User Admin diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/services/users/defineUsers.html b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/services/users/defineUsers.html new file mode 100644 index 0000000000..d182db1448 --- /dev/null +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/registry/services/users/defineUsers.html @@ -0,0 +1,180 @@ + + + + + + + + + + Registry User Administration + + + + +

Registry User Administration

+ +

Add User

+ + + + + + + + + + + + + + + + + +
User ID:
Password:
Role: +
+
+

+


+

Update User

+ + + + + + + + + + + + + + + + + + +
User ID:
Password:
Role: +
+ + +

+


+

Delete User

+ + + + + + + + +
User ID:
+
+ +

+


+

+

Current Users

+ + + + + + + + diff --git a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/webServiceBeans.xml b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/webServiceBeans.xml index c7a971b4b5..bee890e1b4 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/webServiceBeans.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.ebxml/web/webServiceBeans.xml @@ -19,7 +19,7 @@ http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd"> - + @@ -65,6 +65,8 @@ + + @@ -74,6 +76,8 @@ + + @@ -83,6 +87,8 @@ + + @@ -92,6 +98,8 @@ + + @@ -101,6 +109,8 @@ + + @@ -112,11 +122,14 @@ + + + diff --git a/edexOsgi/com.raytheon.uf.edex.registry.feature/feature.xml b/edexOsgi/com.raytheon.uf.edex.registry.feature/feature.xml index fa982e8625..07b8531dd4 100644 --- a/edexOsgi/com.raytheon.uf.edex.registry.feature/feature.xml +++ b/edexOsgi/com.raytheon.uf.edex.registry.feature/feature.xml @@ -16,8 +16,6 @@ [Enter License Description here.] - - + + diff --git a/edexOsgi/com.raytheon.uf.edex.security/META-INF/MANIFEST.MF b/edexOsgi/com.raytheon.uf.edex.security/META-INF/MANIFEST.MF index 1560df5dd4..5962be3b9e 100644 --- a/edexOsgi/com.raytheon.uf.edex.security/META-INF/MANIFEST.MF +++ b/edexOsgi/com.raytheon.uf.edex.security/META-INF/MANIFEST.MF @@ -9,5 +9,7 @@ Require-Bundle: org.eclipse.jetty;bundle-version="7.6.14", com.raytheon.uf.edex.core;bundle-version="1.14.0", com.raytheon.uf.common.util;bundle-version="1.14.0", com.raytheon.uf.common.status;bundle-version="1.12.1174", - org.apache.commons.cxf;bundle-version="2.7.11" + org.apache.commons.cxf;bundle-version="2.7.11", + com.raytheon.uf.common.security;bundle-version="1.14.0", + org.apache.ws.security;bundle-version="1.0.0" Export-Package: com.raytheon.uf.edex.security diff --git a/edexOsgi/com.raytheon.uf.edex.security/res/spring/edex-security.xml b/edexOsgi/com.raytheon.uf.edex.security/res/spring/edex-security.xml index 6af1fad8aa..a4f8dbd60d 100644 
--- a/edexOsgi/com.raytheon.uf.edex.security/res/spring/edex-security.xml +++ b/edexOsgi/com.raytheon.uf.edex.security/res/spring/edex-security.xml @@ -5,9 +5,10 @@ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> - + - + \ No newline at end of file diff --git a/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/EncryptedProperties.java b/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/EncryptedProperties.java index edaed64a5f..c0444e00c0 100644 --- a/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/EncryptedProperties.java +++ b/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/EncryptedProperties.java @@ -25,12 +25,14 @@ import java.util.Properties; import org.eclipse.jetty.util.security.Password; +import com.raytheon.uf.common.security.encryption.AESEncryptor; + /** * * Class used with the WSS4j interceptors. This class extends the java - * Properties class to allow obfuscated properties to be contained in the - * properties file. The properties may be obfuscated using Jetty's obfuscation - * methods. + * Properties class to allow obfuscated and encrypted password properties to be contained in the + * properties file. The password properties may be obfuscated using Jetty's obfuscation + * method or may be encrypted using the com.raytheon.uf.common.security.encryption.AESEncryptor class * *
  * 
@@ -39,46 +41,56 @@ import org.eclipse.jetty.util.security.Password;
  * Date         Ticket#     Engineer    Description
  * ------------ ----------  ----------- --------------------------
  * 6/5/2014     1712        bphillip    Initial Creation
+ * 7/10/2014    1717        bphillip    Added support for additional encryption
  * 
* * @author bphillip * @version 1 - * @see org.eclipse.jetty.util.security.Password.obfuscate(String) - * @see org.eclipse.jetty.util.security.Password.deobfuscate(String) **/ public class EncryptedProperties extends Properties { - private static final long serialVersionUID = -8799654229761166379L; + private static final long serialVersionUID = -8799654229761166379L; - /** The prefix prepended to an obfuscated property */ - private static final String OBFUSCATED_PREFIX = "OBF:"; + private AESEncryptor encryption; - /** - * Creates a new EncryptedProperties object - * - * @param filename - * The file containing the properties - * @throws IOException - * If errors occur while reading the properties file - */ - public EncryptedProperties(String filename) throws IOException { - FileInputStream fis = null; - try { - fis = new FileInputStream(filename); - load(fis); - } finally { - if (fis != null) { - fis.close(); - } - } - } - - public String getProperty(String propertyName){ - String property = super.getProperty(propertyName); - if (property != null - && property.startsWith(OBFUSCATED_PREFIX)) { - return Password.deobfuscate(property); - } - return property; - } + /** + * Creates a new EncryptedProperties object + * + * @param filename + * The file containing the properties + * @throws IOException + * If errors occur while reading the properties file + */ + public EncryptedProperties(String filename) throws IOException { + FileInputStream fis = null; + try { + fis = new FileInputStream(filename); + load(fis); + } finally { + if (fis != null) { + fis.close(); + } + } + encryption = new AESEncryptor(); + } + + public String getProperty(String propertyName) { + String property = super.getProperty(propertyName); + if (property != null) { + if (property.startsWith("OBF:")) { + return Password.deobfuscate(property); + } else if (propertyName.contains("password")) { + try { + return encryption.decrypt( + getProperty("edex.security.encryption.key"), + property); + } catch 
(Exception e) { + throw new RuntimeException( + "Error decrypting password property " + + propertyName, e); + } + } + } + return property; + } } diff --git a/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/SecurityConfiguration.java b/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/SecurityConfiguration.java index c297441931..4ff0305208 100644 --- a/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/SecurityConfiguration.java +++ b/edexOsgi/com.raytheon.uf.edex.security/src/com/raytheon/uf/edex/security/SecurityConfiguration.java @@ -28,9 +28,8 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.TrustManagerFactory; import org.apache.cxf.configuration.jsse.TLSClientParameters; +import org.apache.cxf.configuration.security.AuthorizationPolicy; -import com.raytheon.uf.common.status.IUFStatusHandler; -import com.raytheon.uf.common.status.UFStatus; import com.raytheon.uf.edex.core.modes.EDEXModesUtil; /** @@ -44,6 +43,7 @@ import com.raytheon.uf.edex.core.modes.EDEXModesUtil; * Date Ticket# Engineer Description * ------------ ---------- ----------- -------------------------- * 6/5/2014 1712 bphillip Initial Creation + * 7/10/2014 1717 bphillip Added authorization policy * * * @author bphillip 
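Review bot: `getProperty` now decides whether to decrypt by `propertyName.contains("password")`, so a matching property whose value is plain text (or whose name uses other casing, such as `Password`) throws a `RuntimeException` at first read, while an encrypted value under any other name is returned as ciphertext; a value prefix alongside the existing `OBF:` convention (the removed `OBFUSCATED_PREFIX` constant), e.g. an `ENC:` branch next to the `OBF:` branch, would make the format self-describing and the name-based guess unnecessary. The decryption key is read from the same properties file as the ciphertext (`getProperty("edex.security.encryption.key")`), so the encryption protects the file only against casual reading, which the class Javadoc should state plainly. `get`, `entrySet` and `putAll` bypass this override and expose the stored ciphertext, which matters for the `System.getProperties().putAll(...)` call in RegistryWebServer. The whole class body is re-indented in this hunk, which hides the functional change; a whitespace-only commit first would make it reviewable.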
@@ -51,141 +51,169 @@ import com.raytheon.uf.edex.core.modes.EDEXModesUtil; **/ public class SecurityConfiguration { - /** The logger instance */ - private static final IUFStatusHandler statusHandler = UFStatus - .getHandler(SecurityConfiguration.class); + /** The directory containing security related files such as keystores */ + private static final String SECURITY_DIR = EDEXModesUtil.CONF_DIR + + File.separator + "resources/site" + File.separator + + System.getenv("AW_SITE_IDENTIFIER") + File.separator; - /** The directory containing security related files such as keystores */ - private static final String SECURITY_DIR = EDEXModesUtil.CONF_DIR - + File.separator + "security" + File.separator; + /** The properties file containing the security configuration items */ + private static final String SECURITY_PROPERTIES_FILE = SECURITY_DIR + + "security.properties"; - /** The properties file containing the security configuration items */ - private static final String SECURITY_PROPERTIES_FILE = SECURITY_DIR - + "security.properties"; + /** Properties object for the security configuration */ + private EncryptedProperties securityProperties; - /** Properties object for the security configuration */ - private EncryptedProperties securityProperties; + /** The https configuration */ + private TLSClientParameters tlsParams; - /** The https configuration */ - private TLSClientParameters tlsParams; + /** The authorization policy */ + private AuthorizationPolicy authPolicy; - /** Keystore factory */ - private KeyManagerFactory kmf; + /** Keystore factory */ + private KeyManagerFactory kmf; - /** Trust store factory */ - private TrustManagerFactory tmf; + /** Trust store factory */ + private TrustManagerFactory tmf; - /** - * Creates and initializes a new Security configuration object based on the - * security properties specified - * @throws IOException - */ - public SecurityConfiguration() throws IOException { - securityProperties = new 
EncryptedProperties(SECURITY_PROPERTIES_FILE); - initKeyStore(); - initTrustStore(); - initTLSParams(); - } + /** + * Creates and initializes a new Security configuration object based on the + * security properties specified + * + * @throws IOException + */ + public SecurityConfiguration() throws IOException { + securityProperties = new EncryptedProperties(SECURITY_PROPERTIES_FILE); + initKeyStore(); + initTrustStore(); + initTLSParams(); + initAuthPolicy(); + } - /** - * Initializes the TLS parameters - */ - private void initTLSParams() { - tlsParams = new TLSClientParameters(); - tlsParams.setKeyManagers(kmf.getKeyManagers()); - tlsParams.setTrustManagers(tmf.getTrustManagers()); - tlsParams.setDisableCNCheck(Boolean - .parseBoolean(getProperty("edex.security.disableCNCheck"))); - } + /** + * Initializes the authorization policy + */ + private void initAuthPolicy() { + authPolicy = new AuthorizationPolicy(); + String user = getProperty("edex.security.auth.user"); + authPolicy.setUserName(user); + authPolicy.setPassword(getProperty("edex.security.auth.password")); + authPolicy + .setAuthorizationType(getProperty("edex.security.auth.authorizationType")); + } - /** - * Initializes the keystore - */ - private void initKeyStore() { - FileInputStream fis = null; - KeyStore keystore = null; - char[] storepass = getProperty("edex.security.keystore.password").toCharArray(); - - try { - kmf = KeyManagerFactory - .getInstance(getProperty("edex.security.keystore.algorithm")); - fis = new FileInputStream( - getProperty("edex.security.keystore.path")); - keystore = KeyStore - .getInstance(getProperty("edex.security.keystore.type")); - keystore.load(fis, storepass); - kmf.init(keystore, storepass); - } catch (Exception e) { - throw new SecurityException("Error initializing keystore", e); - } finally { - if (fis != null) { - try { - fis.close(); - } catch (IOException e) { - throw new RuntimeException( - "Error closing file input stream!", e); - } - } - } - } + /** + * 
Initializes the TLS parameters + */ + private void initTLSParams() { + tlsParams = new TLSClientParameters(); + tlsParams.setKeyManagers(kmf.getKeyManagers()); + tlsParams.setTrustManagers(tmf.getTrustManagers()); + tlsParams.setDisableCNCheck(Boolean + .parseBoolean(getProperty("edex.security.disableCNCheck"))); + } - /** - * Initializes the trust store - */ - private void initTrustStore() { - FileInputStream fis = null; - KeyStore truststore = null; - char[] storepass = getProperty("edex.security.truststore.password").toCharArray(); + /** + * Initializes the keystore + */ + private void initKeyStore() { + FileInputStream fis = null; + KeyStore keystore = null; + char[] storepass = getProperty("edex.security.keystore.password") + .toCharArray(); - try { - tmf = TrustManagerFactory - .getInstance(getProperty("edex.security.truststore.algorithm")); - fis = new FileInputStream( - getProperty("edex.security.truststore.path")); - truststore = KeyStore - .getInstance(getProperty("edex.security.truststore.type")); - truststore.load(fis, storepass); - tmf.init(truststore); - } catch (Exception e) { - throw new SecurityException("Error initializing truststore", e); - } finally { - if (fis != null) { - try { - fis.close(); - } catch (IOException e) { - throw new RuntimeException( - "Error closing file input stream!", e); - } - } - } - } + try { + kmf = KeyManagerFactory + .getInstance(getProperty("edex.security.keystore.algorithm")); + fis = new FileInputStream( + getProperty("edex.security.keystore.path")); + keystore = KeyStore + .getInstance(getProperty("edex.security.keystore.type")); + keystore.load(fis, storepass); + kmf.init(keystore, storepass); + } catch (Exception e) { + throw new SecurityException("Error initializing keystore", e); + } finally { + if (fis != null) { + try { + fis.close(); + } catch (IOException e) { + throw new RuntimeException( + "Error closing file input stream!", e); + } + } + } + } - /** - * Gets a security property. 
- * @param propertyName The name of the property to get - * @return The property value - */ - private String getProperty(String propertyName) { - String prop = securityProperties.getProperty(propertyName); - if (prop == null || prop.trim().isEmpty()) { - throw new SecurityException("Required property not set: " - + propertyName); - } - return prop; - } + /** + * Initializes the trust store + */ + private void initTrustStore() { + FileInputStream fis = null; + KeyStore truststore = null; + char[] storepass = getProperty("edex.security.truststore.password") + .toCharArray(); - /** - * Gets the TLSClientParameters - * - * @return The TLSClientParameters - */ - public TLSClientParameters getTlsParams() { - return tlsParams; - } + try { + tmf = TrustManagerFactory + .getInstance(getProperty("edex.security.truststore.algorithm")); + fis = new FileInputStream( + getProperty("edex.security.truststore.path")); + truststore = KeyStore + .getInstance(getProperty("edex.security.truststore.type")); + truststore.load(fis, storepass); + tmf.init(truststore); + } catch (Exception e) { + throw new SecurityException("Error initializing truststore", e); + } finally { + if (fis != null) { + try { + fis.close(); + } catch (IOException e) { + throw new RuntimeException( + "Error closing file input stream!", e); + } + } + } + } + + public String getEncryptionKey() { + return getProperty("edex.security.encryption.key"); + } + + /** + * Gets a security property. 
+ * + * @param propertyName + * The name of the property to get + * @return The property value + */ + public String getProperty(String propertyName) { + String prop = securityProperties.getProperty(propertyName); + if (prop == null || prop.trim().isEmpty()) { + throw new SecurityException("Required property not set: " + + propertyName); + } + return prop; + } + + /** + * Gets the TLSClientParameters + * + * @return The TLSClientParameters + */ + public TLSClientParameters getTlsParams() { + return tlsParams; + } + + public EncryptedProperties getSecurityProperties() { + return securityProperties; + } + + /** + * @return the authPolicy + */ + public AuthorizationPolicy getAuthPolicy() { + return authPolicy; + } - public EncryptedProperties getSecurityProperties() { - return securityProperties; - } - - }