de.fzj.unicore.uas.security
Class SecurityManager

java.lang.Object
  extended by de.fzj.unicore.uas.security.SecurityManager

public final class SecurityManager
extends java.lang.Object

access to security components

Author:
schuller, golbi

Nested Class Summary
static class SecurityManager.NullAuthoriser
           
 
Field Summary
static java.util.regex.Pattern pattern
           
protected static java.lang.String proxyRE
           
 
Method Summary
static void addCallback(AttributeHandlingCallback aac)
          add a callback class for dealing with additional security attributes
static java.util.Map<java.lang.String,java.lang.String[]> authorise(eu.unicore.security.xfireutil.SecurityTokens tokens)
          Deprecated. Use establishAttributes()
static void checkAuthentication(eu.unicore.security.xfireutil.SecurityTokens tokens, java.lang.String action, ResourceDescriptor d)
          check whether authentication is OK and conforms to this server's policies
static void checkAuthorisation(de.fzj.unicore.xnjs.aaa.Client c, java.lang.String action, ResourceDescriptor d)
          check access by evaluating the XACML policies
static boolean checkConsignorEqualsUser(eu.unicore.security.xfireutil.SecurityTokens tokens)
          checks if user+consignor DNs are equal (taking into account proxy mode)
static void checkValidityOfTrustDelegation(eu.unicore.security.xfireutil.SecurityTokens tokens)
          checks whether the supplied TD is valid
throws an AuthorisationException iff TD is requested, user+consignor differ, but the TD is invalid
static de.fzj.unicore.xnjs.aaa.Client createAndAuthoriseClient(eu.unicore.security.xfireutil.SecurityTokens tokens)
          Create an authorised Client object.
static void createAttributeSource()
          Creates AttributeSource used for establishing clients' attributes.
static java.util.Map<java.lang.String,java.lang.String[]> establishAttributes(eu.unicore.security.xfireutil.SecurityTokens tokens)
          Returns an attribute map for a set of security tokens
static java.lang.String getAuthoriserConnectionStatus()
          get a human-readable description of the current status of the configured authorisers.
static UASSecurityProperties getClaimTrustDelegationProperties(eu.unicore.security.xfireutil.SecurityTokens t)
          get a UASSecurityProperties instance suitable for claiming any trust delegation contained in the security tokens.
static java.security.cert.X509Certificate getGatewayCert()
          get the certificate of the gateway, if available, in the following way:
          - it can be configured statically, by adding the certificate to the truststore and setting the property IUASSecurityProperties.UAS_GATEWAY_ALIAS to the alias of the certificate
          - it is retrieved dynamically by opening an SSL connection to the server at the configured base url + *
static UASSecurityProperties getIssueTrustDelegationProperties(eu.unicore.security.xfireutil.SecurityTokens t, org.w3.x2005.x08.addressing.EndpointReferenceType epr)
          Create a UASSecurityProperties instance suitable for issuing a trust delegation assertion to the receiver indicated by the supplied EPR.
static XacmlPDP getPDP()
          get the XACML policy decision point
static java.security.cert.X509Certificate getPeerCertificate(java.lang.String url, IUASSecurityProperties security)
           
static java.security.cert.X509Certificate getPeerCertificate(java.lang.String url, IUASSecurityProperties security, int timeout)
          helper to get the certificate on the other side of an SSL connection to "url"
static java.security.cert.X509Certificate getProxiedUserCert(eu.unicore.security.xfireutil.SecurityTokens tokens)
          get the real user cert from either the user cert path or the consignor cert path
static java.security.cert.X509Certificate getRealUserCertFromProxyCertPath(java.security.cert.CertPath cp)
          for the given certificate path, return the first entry that is not a proxy cert, i.e. the real user certificate
static java.security.cert.X509Certificate getServerCert()
          get the certificate of the server
static java.lang.String getServerDistinguishedName()
          get the X500 name of the server in human-friendly form, i.e. using X500Principal.toString()
static javax.security.auth.x500.X500Principal getServerIdentity()
          get the server's identity, or null if no server keystore has been configured
protected static de.fzj.unicore.xnjs.aaa.Role getServerRole()
          server role
static java.lang.String handleProxyCert(eu.unicore.security.xfireutil.SecurityTokens tokens)
          gets the DN in case of a proxy cert.
static boolean isAccessControlEnabled()
           
static boolean isAccessible(de.fzj.unicore.xnjs.aaa.Client client, java.lang.String serviceName, java.lang.String wsResourceID, java.lang.String owner, java.lang.String action)
          Can the given client access the given (server-local!) endpoint?
static boolean isAdmin(de.fzj.unicore.xnjs.aaa.Client c)
          checks whether the given client has the "admin" role
static boolean isLocalCall()
           
protected static boolean isNotClear(com.sun.xacml.ctx.ResponseCtx pdpResponse)
          check whether the response from the PDP is "NotApplicable" or "Indeterminate"
protected static boolean isPermit(com.sun.xacml.ctx.ResponseCtx pdpResponse)
          check whether the response from the PDP is "Permit"
static boolean isProxyDN(java.lang.String dn)
           
static boolean isProxyModeEnabled()
           
static boolean isServer(java.security.cert.CertPath path)
          checks whether the given CertPath is the server identity
static boolean isServer(de.fzj.unicore.xnjs.aaa.Client c)
          checks whether the given client has the server identity
static boolean isServer(java.security.cert.X509Certificate cert)
          checks whether the given certificate is the server identity
static boolean isTrustedAgent(de.fzj.unicore.xnjs.aaa.Client c)
          checks whether the given client has the "trusted agent" role
protected static de.fzj.unicore.xnjs.aaa.Client makeAnonymousClient(java.lang.String dn)
          a special client useful for anonymous requests
static void makeAuthoriser()
          Deprecated. Use createAttributeSource()
static void registerAuthNCheckingStrategies(AuthNCheckingStrategy... strategies)
          register checking strategies
static void setAccessControlEnabled(boolean isAccessControlEnabled)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

proxyRE

protected static final java.lang.String proxyRE
See Also:
Constant Field Values

pattern

public static final java.util.regex.Pattern pattern
Method Detail

addCallback

public static void addCallback(AttributeHandlingCallback aac)
add a callback class for dealing with additional security attributes

Parameters:
aac - an AttributeHandlingCallback

getServerCert

public static java.security.cert.X509Certificate getServerCert()
get the certificate of the server

Returns:

getServerIdentity

public static javax.security.auth.x500.X500Principal getServerIdentity()
get the server's identity, or null if no server keystore has been configured

Returns:
an X500Principal or null
See Also:
getServerCert()

getServerDistinguishedName

public static java.lang.String getServerDistinguishedName()
get the X500 name of the server in human-friendly form, i.e. using X500Principal.toString()

Returns:
the human-friendly form of the server DN
See Also:
getServerIdentity()

getGatewayCert

public static java.security.cert.X509Certificate getGatewayCert()
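get the certificate of the gateway, if available, in the following way:
- it can be configured statically, by adding the certificate to the truststore and setting the property IUASSecurityProperties.UAS_GATEWAY_ALIAS to the alias of the certificate
- it is retrieved dynamically by opening an SSL connection to the server at the configured base url + *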

Returns:
the X509Certificate of the gateway

getPDP

public static XacmlPDP getPDP()
get the XACML policy decision point

Returns:
XacmlPDP

establishAttributes

public static java.util.Map<java.lang.String,java.lang.String[]> establishAttributes(eu.unicore.security.xfireutil.SecurityTokens tokens)
                                                                              throws java.lang.Exception
Returns an attribute map for a set of security tokens

Parameters:
tokens -
Returns:
attributes
Throws:
java.lang.Exception

createAttributeSource

public static void createAttributeSource()
                                  throws java.lang.Exception
Creates AttributeSource used for establishing clients' attributes.

Throws:
java.lang.Exception

createAndAuthoriseClient

public static de.fzj.unicore.xnjs.aaa.Client createAndAuthoriseClient(eu.unicore.security.xfireutil.SecurityTokens tokens)
Create an authorised Client object. This will use the supplied security tokens to make a call to an authoriser (such as the XUUDB) and set client attributes such as role, xlogin, etc based on the authoriser's reply.

Parameters:
tokens - Security tokens
Returns:
authorised Client object

handleProxyCert

public static java.lang.String handleProxyCert(eu.unicore.security.xfireutil.SecurityTokens tokens)
                                        throws java.security.cert.CertificateException
gets the DN in case of a proxy cert. As a "side effect", the user and user name fields in the SecurityTokens are modified, so that later stages in the authz get the proper (i.e. non-proxy) user DN.

Parameters:
tokens -
Returns:
the real DN, or null if the user cert path is not a proxy
Throws:
java.security.cert.CertificateException

getProxiedUserCert

public static java.security.cert.X509Certificate getProxiedUserCert(eu.unicore.security.xfireutil.SecurityTokens tokens)
                                                             throws java.security.cert.CertificateException
get the real user cert from either the user cert path or the consignor cert path

Parameters:
tokens -
Returns:
X509Certificate - the user certificate
Throws:
java.security.cert.CertificateException

getRealUserCertFromProxyCertPath

public static java.security.cert.X509Certificate getRealUserCertFromProxyCertPath(java.security.cert.CertPath cp)
for the given certificate path, return the first entry that is not a proxy cert, i.e. the real user certificate

Parameters:
cp - the certpath to check
Returns:
the user X509 certificate

checkConsignorEqualsUser

public static boolean checkConsignorEqualsUser(eu.unicore.security.xfireutil.SecurityTokens tokens)
checks if user+consignor DNs are equal (taking into account proxy mode)

Parameters:
tokens -
Returns:

getServerRole

protected static de.fzj.unicore.xnjs.aaa.Role getServerRole()
server role


makeAnonymousClient

protected static de.fzj.unicore.xnjs.aaa.Client makeAnonymousClient(java.lang.String dn)
a special client useful for anonymous requests

Returns:

checkAuthentication

public static void checkAuthentication(eu.unicore.security.xfireutil.SecurityTokens tokens,
                                       java.lang.String action,
                                       ResourceDescriptor d)
check whether authentication is OK and conforms to this server's policies

Parameters:
tokens - SecurityTokens from the request
action - the method being invoked
d - the resource being accessed

registerAuthNCheckingStrategies

public static void registerAuthNCheckingStrategies(AuthNCheckingStrategy... strategies)
register checking strategies

Parameters:
strategies - AuthNCheckingStrategy objects

checkAuthorisation

public static void checkAuthorisation(de.fzj.unicore.xnjs.aaa.Client c,
                                      java.lang.String action,
                                      ResourceDescriptor d)
check access by evaluating the XACML policies

Parameters:
c -
action -
d -

isLocalCall

public static boolean isLocalCall()

isServer

public static boolean isServer(de.fzj.unicore.xnjs.aaa.Client c)
checks whether the given client has the server identity


isServer

public static boolean isServer(java.security.cert.X509Certificate cert)
checks whether the given certificate is the server identity


isServer

public static boolean isServer(java.security.cert.CertPath path)
checks whether the given CertPath is the server identity


isTrustedAgent

public static boolean isTrustedAgent(de.fzj.unicore.xnjs.aaa.Client c)
checks whether the given client has the "trusted agent" role


isAdmin

public static boolean isAdmin(de.fzj.unicore.xnjs.aaa.Client c)
checks whether the given client has the "admin" role


checkValidityOfTrustDelegation

public static void checkValidityOfTrustDelegation(eu.unicore.security.xfireutil.SecurityTokens tokens)
                                           throws AuthorisationException
checks whether the supplied TD is valid
throws an AuthorisationException iff TD is requested, user+consignor differ, but the TD is invalid

Parameters:
tokens - the sec tokens to check
Throws:
AuthorisationException - iff TD is requested but invalid

getPeerCertificate

public static java.security.cert.X509Certificate getPeerCertificate(java.lang.String url,
                                                                    IUASSecurityProperties security)

getPeerCertificate

public static java.security.cert.X509Certificate getPeerCertificate(java.lang.String url,
                                                                    IUASSecurityProperties security,
                                                                    int timeout)
helper to get the certificate on the other side of an SSL connection to "url"

Parameters:
url - the URL to connect to
security - the IUASSecurityProperties to use
timeout - the time to wait for a connection before giving up

getIssueTrustDelegationProperties

public static UASSecurityProperties getIssueTrustDelegationProperties(eu.unicore.security.xfireutil.SecurityTokens t,
                                                                      org.w3.x2005.x08.addressing.EndpointReferenceType epr)
Create a UASSecurityProperties instance suitable for issuing a trust delegation assertion to the receiver indicated by the supplied EPR. This EPR should contain the receiver DN (see AddressingUtil.extractServerIDFromEPR(EndpointReferenceType)), otherwise the receiver has to be set manually before the web service call.

Parameters:
t - the security tokens
epr - the EPR of the receiver service
Returns:
UASSecurityProperties pre-configured for trust delegation

getClaimTrustDelegationProperties

public static UASSecurityProperties getClaimTrustDelegationProperties(eu.unicore.security.xfireutil.SecurityTokens t)
get a UASSecurityProperties instance suitable for claiming any trust delegation contained in the security tokens.

Parameters:
t - security tokens, possibly containing trust delegation
Returns:

isAccessible

public static boolean isAccessible(de.fzj.unicore.xnjs.aaa.Client client,
                                   java.lang.String serviceName,
                                   java.lang.String wsResourceID,
                                   java.lang.String owner,
                                   java.lang.String action)
                            throws java.lang.Exception
Can the given client access the given (server-local!) endpoint? This will not give the correct result if the action plays a role

Parameters:
client - the client
serviceName - can be null
wsResourceID - can be null
action - method name, can be null
Returns:
true if the
Throws:
java.lang.Exception

isPermit

protected static boolean isPermit(com.sun.xacml.ctx.ResponseCtx pdpResponse)
check whether the response from the PDP is "Permit"

Parameters:
pdpResponse -
Returns:
false if response is Deny or Indeterminate, true if Permit

isNotClear

protected static boolean isNotClear(com.sun.xacml.ctx.ResponseCtx pdpResponse)
check whether the response from the PDP is "NotApplicable" or "Indeterminate"

Parameters:
pdpResponse -
Returns:
true if NotApplicable or Indeterminate

isAccessControlEnabled

public static boolean isAccessControlEnabled()

setAccessControlEnabled

public static void setAccessControlEnabled(boolean isAccessControlEnabled)

isProxyModeEnabled

public static boolean isProxyModeEnabled()

getAuthoriserConnectionStatus

public static java.lang.String getAuthoriserConnectionStatus()
                                                      throws java.lang.Exception
get a human-readable description of the current status of the configured authorisers.

Throws:
java.lang.Exception

isProxyDN

public static boolean isProxyDN(java.lang.String dn)

authorise

@Deprecated
public static java.util.Map<java.lang.String,java.lang.String[]> authorise(eu.unicore.security.xfireutil.SecurityTokens tokens)
                                                                    throws java.lang.Exception
Deprecated. Use establishAttributes()

Throws:
java.lang.Exception

makeAuthoriser

@Deprecated
public static void makeAuthoriser()
                           throws java.lang.Exception
Deprecated. Use createAttributeSource()

Throws:
java.lang.Exception


Copyright © 2006-2010 Research Center Juelich. All Rights Reserved.