KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > objectweb > jonas > security > iiop > Csiv2IorInterceptor


1 /**
2  * JOnAS: Java(TM) Open Application Server
3  * Copyright (C) 2004 Bull S.A.
4  * Contact: jonas-team@objectweb.org
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
19  * USA
20  *
21  * --------------------------------------------------------------------------
22  * $Id: Csiv2IorInterceptor.java,v 1.7 2005/04/28 08:43:26 benoitf Exp $
23  * --------------------------------------------------------------------------
24  */
25 package org.objectweb.jonas.security.iiop;
26
27 import java.rmi.Remote JavaDoc;
28
29 import javax.rmi.CORBA.Tie JavaDoc;
30
31 import org.jacorb.orb.iiop.IIOPProfile;
32 import org.jacorb.poa.RequestProcessor;
33 import org.omg.CORBA.Any JavaDoc;
34 import org.omg.CORBA.INV_POLICY JavaDoc;
35 import org.omg.CSIIOP.AS_ContextSec;
36 import org.omg.CSIIOP.CompoundSecMech;
37 import org.omg.CSIIOP.CompoundSecMechList;
38 import org.omg.CSIIOP.CompoundSecMechListHelper;
39 import org.omg.CSIIOP.DetectMisordering;
40 import org.omg.CSIIOP.DetectReplay;
41 import org.omg.CSIIOP.Integrity;
42 import org.omg.CSIIOP.SAS_ContextSec;
43 import org.omg.CSIIOP.ServiceConfiguration;
44 import org.omg.CSIIOP.TAG_CSI_SEC_MECH_LIST;
45 import org.omg.CSIIOP.TAG_NULL_TAG;
46 import org.omg.CSIIOP.TAG_TLS_SEC_TRANS;
47 import org.omg.CSIIOP.TLS_SEC_TRANS;
48 import org.omg.CSIIOP.TLS_SEC_TRANSHelper;
49 import org.omg.IOP.Codec JavaDoc;
50 import org.omg.IOP.TAG_INTERNET_IOP JavaDoc;
51 import org.omg.IOP.TaggedComponent JavaDoc;
52 import org.omg.IOP.CodecPackage.InvalidTypeForEncoding JavaDoc;
53 import org.omg.PortableInterceptor.IORInfo JavaDoc;
54 import org.omg.PortableServer.Servant JavaDoc;
55 import org.omg.SSLIOP.SSL;
56 import org.omg.SSLIOP.SSLHelper;
57 import org.omg.SSLIOP.TAG_SSL_SEC_TRANS;
58
59 import org.objectweb.carol.util.configuration.CarolDefaultValues;
60 import org.objectweb.carol.util.csiv2.SasComponent;
61 import org.objectweb.carol.util.csiv2.SasPolicy;
62 import org.objectweb.carol.util.csiv2.struct.AsStruct;
63 import org.objectweb.carol.util.csiv2.struct.SasStruct;
64 import org.objectweb.carol.util.csiv2.struct.TransportStruct;
65
66 import org.objectweb.jonas_ejb.container.JHome;
67 import org.objectweb.jonas_ejb.container.JRemote;
68 import org.objectweb.jonas_ejb.deployment.api.BeanDesc;
69
70 import org.objectweb.util.monolog.api.BasicLevel;
71 import org.objectweb.util.monolog.api.Logger;
72
73 /**
74  * IOR interceptor for the supports of CSiv2 level 0 as described by chapter
75  * 19.8.2.5 Stateful support is not require for level 0
76  * @author Florent Benoit
77  * @see Common Secure Interoperability V2 Specification (July 23,2001)
78  */
79 public class Csiv2IorInterceptor extends org.omg.CORBA.LocalObject JavaDoc implements
80         org.omg.PortableInterceptor.IORInterceptor JavaDoc {
81
82     /**
83      * Name
84      */
85     private static final String JavaDoc NAME = "Csiv2IorInterceptor";
86
87     /**
88      * Codec to use (when encoding Any object)
89      */
90     private Codec JavaDoc codec = null;
91
92     /**
93      * Logger to use
94      */
95     private Logger logger = null;
96
97     /**
98      * Logger details (On catching exception)
99      */
100     private Logger loggerDetails = null;
101
102     /**
103      * Constructor
104      * @param codec used for encoding any objects
105      * @param logger used for logging useful information
106      * @param loggerDetails for all information (useless for most time :)
107      */
108     public Csiv2IorInterceptor(Codec JavaDoc codec, Logger logger, Logger loggerDetails) {
109         this.codec = codec;
110         this.logger = logger;
111         this.loggerDetails = loggerDetails;
112     }
113
114     /**
115      * Check if there is a CSI v2 policy and there is one add the csiv2
116      * component into the IOR. The tagged Component is built from information of
117      * csiv2 policy object
118      * @see org.omg.PortableInterceptor.IORInterceptorOperations#establish_components(org.omg.PortableInterceptor.IORInfo)
119      */
120     public void establish_components(IORInfo JavaDoc info) {
121         SasPolicy sasPolicy = null;
122         SasComponent sasComponent = null;
123
124         try {
125             sasPolicy = (SasPolicy) info.get_effective_policy(SasPolicy.POLICY_TYPE);
126
127             // build CSiv2 tagged component as required by spec
128 // 16.3.1 compound mechnaisms [62] and 16.5.1 [132]
129 TaggedComponent JavaDoc taggedComponent = null;
130
131             if (sasPolicy != null) {
132                 sasComponent = sasPolicy.getSasComponent();
133             } else {
134                 // It may be a remote interface
135 Thread JavaDoc currentThread = Thread.currentThread();
136                 if (!(currentThread instanceof RequestProcessor)) {
137                     return;
138                 }
139                 RequestProcessor rp = (RequestProcessor) currentThread;
140                 Servant JavaDoc servant = rp.getServant();
141                 if (servant == null) {
142                     return;
143                 }
144                 Tie JavaDoc tie = null;
145                 if (!(servant instanceof Tie JavaDoc)) {
146                     return;
147                 }
148                 tie = (Tie JavaDoc) servant;
149                 Remote JavaDoc target = tie.getTarget();
150                 if (target == null) {
151                     return;
152                 }
153
154                 if (!(target instanceof JHome) && !(target instanceof JRemote)) {
155                     return;
156                 }
157                 BeanDesc bd = null;
158                 if (target instanceof JHome) {
159                     bd = ((JHome) target).getDd();
160                 } else if (target instanceof JRemote) {
161                     bd = ((JRemote) target).getBf().getDeploymentDescriptor();
162                 }
163                 sasComponent = bd.getSasComponent();
164             }
165
166             if (sasComponent == null) {
167                 if (loggerDetails.isLoggable(BasicLevel.DEBUG)) {
168                     loggerDetails.log(BasicLevel.DEBUG, "No Sas component was found, will not write any infos into IOR.");
169                 }
170                 return;
171             }
172
173             try {
174
175                 taggedComponent = buildCSIv2Component(sasComponent);
176
177                 // And add it into the ior
178 info.add_ior_component_to_profile(taggedComponent, TAG_INTERNET_IOP.value);
179
180             } catch (Csiv2InterceptorException cie) {
181                 logger.log(BasicLevel.ERROR, "Cannot build Csiv2 component, cannot add it. Component = "
182                         + taggedComponent);
183             }
184
185         } catch (INV_POLICY JavaDoc e) {
186             if (logger.isLoggable(BasicLevel.DEBUG)) {
187                 logger.log(BasicLevel.DEBUG, "No policy found");
188             }
189
190         } finally {
191
192             // Add SSL
193 if (sasComponent != null) {
194                 // Need to patch profile port if SSL (port should be 0)
195 TransportStruct transportStruct = sasComponent.getTransport();
196                 if (transportStruct.getTargetRequires() > 0) {
197                     org.omg.ETF.Profile profile = ((org.jacorb.orb.portableInterceptor.IORInfoImpl) info).get_profile(0);
198                     if (profile instanceof IIOPProfile) {
199                         if (logger.isLoggable(BasicLevel.DEBUG)) {
200                             logger.log(BasicLevel.DEBUG, "Set port to 0");
201                         }
202                         ((IIOPProfile) profile).patchPrimaryAddress(null, 0);
203                     }
204                 }
205             }
206
207             try {
208                 info.add_ior_component_to_profile(buildSslTaggedComponent(sasComponent), TAG_INTERNET_IOP.value);
209             } catch (Csiv2InterceptorException cie) {
210                 logger.log(BasicLevel.ERROR, "Cannot add SSL tagged component" + cie.getMessage(), cie);
211             }
212
213
214         }
215
216
217     }
218
219     /**
220      * Provides an opportunity to destroy this interceptor.
221      */
222     public void destroy() {
223     }
224
225     /**
226      * Returns the name of the interceptor.
227      * @return the name of the interceptor.
228      */
229     public String JavaDoc name() {
230         return NAME;
231     }
232
233     /**
234      * CSIv2 component is built from info within sasComponent which was
235      * contained in the policy object during the bind of the object <br>
236      * 16.4.2 Transport Mechanism Configuration <br>
237      * [113] The configuration of transport-layer security mechanisms is
238      * specified in IORs. Support for CSI is indicated within an IOR profile by
239      * the presence of at most one TAG_CSI_SEC_MECH_LIST tagged component that
240      * defines the mechanism configuration pertaining to the profile. This
241      * component contains a list of one or more CompoundSecMech structures, each
242      * of which defines the layer-specific security mechanisms that comprise a
243      * compound mechanism that is supported by the target. This specification
244      * does not define support for CSI mechanisms in multiple-component IOR
245      * profiles. <br>
246      * [114] Each CompoundSecMech structure contains a transport_mech field that
247      * defines the transport-layer security mechanism of the compound mechanism.
248      * A compound mechanism that does not implement security functionality at
249      * the transport layer shall contain the TAG_NULL_TAG component in its
250      * transport_mech field. Otherwise, the transport_mech field shall contain a
251      * tagged component that defines a transport protocol and its configuration.
252      * Section , TAG_SSL_SEC_TRANS, on page 16-33 and Section ,
253      * TAG_SECIOP_SEC_TRANS, on page 16-34 define valid transportlayer
254      * components that can be used in the transport_mech field.
255      * @param sasComponent information to build component
256      * @return CSIv2 component to be put in IOR
257      * @throws Csiv2InterceptorException if there is a failure
258      */
259     private TaggedComponent JavaDoc buildCSIv2Component(SasComponent sasComponent) throws Csiv2InterceptorException {
260         if (logger.isLoggable(BasicLevel.DEBUG)) {
261             logger.log(BasicLevel.DEBUG, "");
262         }
263
264         // @see 16.5.1 [132] SecMechList
265 // build list of compound_sec_mech
266 CompoundSecMech[] mechanismList = buildCompoundSecMechs(sasComponent);
267         CompoundSecMechList compoundSecMechList = new CompoundSecMechList(Csiv2Const.STATEFUL_MODE, mechanismList);
268
269
270         // use Any object
271 Any JavaDoc pAny = ORBHelper.getOrb().create_any();
272         CompoundSecMechListHelper.insert(pAny, compoundSecMechList);
273         byte[] componentData = null;
274         try {
275             componentData = codec.encode_value(pAny);
276         } catch (InvalidTypeForEncoding JavaDoc itfe) {
277             throw new Csiv2InterceptorException("Cannot encode a given any corba object", itfe);
278         }
279
280         // Create tagged component TAG_CSI_SEC_MECH_LIST
281 TaggedComponent JavaDoc taggedComponent = new TaggedComponent JavaDoc(TAG_CSI_SEC_MECH_LIST.value, componentData);
282
283         return taggedComponent;
284     }
285
286     /**
287      * Build all CompoundSecMech objects for building TAG_CSI_SEC_MECH_LIST
288      * CompoundSecMech is composed of (see [132] 16.5.1 p16-35)
289      * <ul>
290      * <li>target_requires</li>
291      * <li>transport_mech</li>
292      * <li>as_context_mech</li>
293      * <li>sas_context_mech</li>
294      * </ul>
295      * @param sasComponent information to build component
296      * @return CompoundSecMech objects for building TAG_CSI_SEC_MECH_LIST
297      * @throws Csiv2InterceptorException if there is a failure
298      */
299     private CompoundSecMech[] buildCompoundSecMechs(SasComponent sasComponent) throws Csiv2InterceptorException {
300         if (logger.isLoggable(BasicLevel.DEBUG)) {
301             logger.log(BasicLevel.DEBUG, "");
302         }
303
304         // build transport_mech
305 TaggedComponent JavaDoc transportMech = buildTransportMech(sasComponent);
306
307         // build as_context_mech
308 AS_ContextSec asContextMech = buildAsContextMech(sasComponent);
309
310         // build sas_context_mech
311 SAS_ContextSec sasContextMech = buildSasContextMech(sasComponent);
312
313         // See [135]
314 // The target_requires field of the CompoundSecMech structure is used to
315 // designate a required outcome that shall be satisfied by one or more
316 // supporting (but not requiring) layers. The target_requires field also
317 // represents all the options required independently by the various
318 // layers as defined within the mechanism.
319 short targetRequires = (short) (sasComponent.getTransport().getTargetRequires() | asContextMech.target_requires | sasContextMech.target_requires);
320
321         // Only one compound sec mech
322 CompoundSecMech[] compoundSecMechs = new CompoundSecMech[1];
323         compoundSecMechs[0] = new CompoundSecMech(targetRequires, transportMech, asContextMech, sasContextMech);
324
325         // return objects
326 return compoundSecMechs;
327     }
328
329     /**
330      * Build the transport mech object of the Sas component
331      * @param sasComponent information to build component
332      * @return transport mech object
333      * @throws Csiv2InterceptorException if there is a failure
334      */
335     private TaggedComponent JavaDoc buildTransportMech(SasComponent sasComponent) throws Csiv2InterceptorException {
336
337         TaggedComponent JavaDoc taggedComponent = null;
338
339         TransportStruct transportStruct = sasComponent.getTransport();
340
341         if (transportStruct.getTargetSupports() == 0 && transportStruct.getTargetRequires() == 0) {
342             // TAG_NULL_TAG [150] This new tagged component is used in the
343 // transport_mech field of a CompoundSecMech structure to indicate that
344 // the compound mechanism does not implement security functionality at
345 // the transport layer.
346
347             return new TaggedComponent JavaDoc(TAG_NULL_TAG.value, Csiv2Const.EMPTY_BYTES);
348         }
349
350         /**
351          * Tagged component for configuring TLS/SSL as a CSIv2 transport
352          * mechanism is the constant : IOP::ComponentId TAG_TLS_SEC_TRANS = 36;
353          */
354         TLS_SEC_TRANS tlsSecTrans = new TLS_SEC_TRANS(transportStruct.getTargetSupports(), transportStruct.getTargetRequires(), transportStruct.getTransportAddress());
355
356         // use Any object
357 Any JavaDoc pAny = ORBHelper.getOrb().create_any();
358         TLS_SEC_TRANSHelper.insert(pAny, tlsSecTrans);
359         byte[] componentData = null;
360         try {
361             componentData = codec.encode_value(pAny);
362         } catch (InvalidTypeForEncoding JavaDoc itfe) {
363             throw new Csiv2InterceptorException("Cannot encode a given any corba object", itfe);
364         }
365
366         // Create tagged component TAG_CSI_SEC_MECH_LIST
367 taggedComponent = new TaggedComponent JavaDoc(TAG_TLS_SEC_TRANS.value, componentData);
368
369         return taggedComponent;
370     }
371
372     /**
373      * Build SSL tagged component
374      * @param sasComponent information for build component
375      * @return SSL tagged component
376      * @throws Csiv2InterceptorException if the SSL tagged cannot be built
377      */
378     private TaggedComponent JavaDoc buildSslTaggedComponent(SasComponent sasComponent) throws Csiv2InterceptorException {
379
380         SSL ssl = null;
381         int minSSlOptions = Integrity.value | DetectReplay.value | DetectMisordering.value;
382         if (sasComponent != null) {
383             TransportStruct transportStruct = sasComponent.getTransport();
384
385             ssl = new SSL(transportStruct.getTargetSupports(), transportStruct.getTargetRequires(), (short) TransportStruct.getSslPort());
386         } else {
387             ssl = new SSL((short) minSSlOptions, (short) 0, (short) TransportStruct.getSslPort());
388         }
389
390         // use Any object
391 Any JavaDoc pAny = ORBHelper.getOrb().create_any();
392         SSLHelper.insert(pAny, ssl);
393         byte[] componentData = null;
394         try {
395             componentData = codec.encode_value(pAny);
396         } catch (InvalidTypeForEncoding JavaDoc itfe) {
397             throw new Csiv2InterceptorException("Cannot encode a given any corba object", itfe);
398         }
399         return new TaggedComponent JavaDoc(TAG_SSL_SEC_TRANS.value, componentData);
400
401     }
402
403
404
405
406     /**
407      * Build the Authentication service object of the Sas component
408      * @param sasComponent information to build component
409      * @return Authentication service object
410      */
411     private AS_ContextSec buildAsContextMech(SasComponent sasComponent) {
412
413         AsStruct asStruct = sasComponent.getAs();
414
415         // The asStruct object could be for authenticated or no authenticated
416 AS_ContextSec asContextMech = new AS_ContextSec(asStruct.getTargetSupports(), asStruct
417                 .getTargetRequires(), asStruct.getClientAuthenticationMech(), asStruct.getTargetName());
418
419         return asContextMech;
420
421     }
422
423     /**
424      * Build the Secure Authentication service object of the Sas component
425      * @param sasComponent information to build component
426      * @return Secure Authentication service
427      */
428     private SAS_ContextSec buildSasContextMech(SasComponent sasComponent) {
429
430         SasStruct sasStruct = sasComponent.getSas();
431
432         /**
433          * The privilege_authorities field contains a list of the names of 0 or
434          * more privilege authorities in decreasing order of target preference.
435          * A non-empty list indicates that the target supports authorization
436          * tokens provided by a CSS (in EstablishContext messages) and acquired
437          * from a named privilege authority. For us, always empty.
438          */
439         ServiceConfiguration[] privilegeAuthorities = new ServiceConfiguration[0];
440
441         byte[][] supportedNamingMechanisms = sasStruct.getSupportedNamingMechanisms();
442         if (logger.isLoggable(BasicLevel.DEBUG)) {
443             logger.log(BasicLevel.DEBUG, "supported mechanisms = " + supportedNamingMechanisms + " and identity = "
444                     + sasStruct.getSupportedIdentityTypes());
445             logger.log(BasicLevel.DEBUG, "supported mechanisms size= " + supportedNamingMechanisms.length);
446             logger.log(BasicLevel.DEBUG, "target supports= " + sasStruct.getTargetSupports());
447         }
448         /**
449          * A target that supports identity assertion shall include in its IORs
450          * the complete list of GSS mechanisms for which it supports identity
451          * assertions using an identity token of type ITTPrincipalName. A TSS
452          * shall reject requests that carry identity tokens of type
453          * ITTPrincipalName constructed using a GSS mechanism that is not among
454          * the GSS mechanisms supported by the target. The definition of a
455          * target s list of supported GSS naming mechanisms is defined in
456          * Section , struct SAS_ContextSec, on page 16-37.
457          */
458         // should be ITTPrincipalName if supported
459 int supportedIdentityTypes = sasStruct.getSupportedIdentityTypes();
460
461         // build sas context with info of the given object.
462 SAS_ContextSec sasContextMech = new SAS_ContextSec(sasStruct.getTargetSupports(),
463                 sasStruct.getTargetRequires(), privilegeAuthorities, supportedNamingMechanisms, supportedIdentityTypes);
464
465         return sasContextMech;
466     }
467
468
469
470 }
Popular Tags