Example 26 with GemFireSecurityException
use of org.apache.geode.security.GemFireSecurityException in project geode by apache.
the class SecurityService method getObjectOfTypeFromClassName.
/**
* this method would never return null, it either throws an exception or returns an object
*/
public static <T> T getObjectOfTypeFromClassName(String className, Class<T> expectedClazz) {
Class actualClass = null;
try {
actualClass = ClassLoadUtil.classFromName(className);
} catch (Exception ex) {
throw new GemFireSecurityException("Instance could not be obtained, " + ex.toString(), ex);
}
if (!expectedClazz.isAssignableFrom(actualClass)) {
throw new GemFireSecurityException("Instance could not be obtained. Expecting a " + expectedClazz.getName() + " class.");
}
T actualObject = null;
try {
actualObject = (T) actualClass.newInstance();
} catch (Exception e) {
throw new GemFireSecurityException("Instance could not be obtained. Error instantiating " + actualClass.getName(), e);
}
return actualObject;
}
Also used :
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
Example 27 with GemFireSecurityException
use of org.apache.geode.security.GemFireSecurityException in project geode by apache.
the class DynamicRegionFactory method createDynamicRegionImpl.
private Region createDynamicRegionImpl(String parentRegionName, String newRegionName, boolean addEntry) throws CacheException {
Region parentRegion = this.cache.getRegion(parentRegionName);
if (parentRegion == null) {
String errMsg = LocalizedStrings.DynamicRegionFactory_ERROR__COULD_NOT_FIND_A_REGION_NAMED___0_.toLocalizedString(parentRegionName);
RegionDestroyedException e = new RegionDestroyedException(errMsg, parentRegionName);
this.cache.getLoggerI18n().warning(LocalizedStrings.DynamicRegionFactory_ERROR__COULD_NOT_FIND_A_REGION_NAMED___0_, parentRegionName, e);
throw e;
}
// Create RegionAttributes by inheriting from the parent
RegionAttributes rra = parentRegion.getAttributes();
AttributesFactory af = new AttributesFactory(rra);
EvictionAttributes ev = rra.getEvictionAttributes();
if (ev != null && ev.getAlgorithm().isLRU()) {
EvictionAttributes rev = new EvictionAttributesImpl((EvictionAttributesImpl) ev);
af.setEvictionAttributes(rev);
}
// regions
if (newRegionName.endsWith("_PRTEST_")) {
af.setPartitionAttributes(new PartitionAttributesFactory().create());
}
RegionAttributes newRegionAttributes = af.create();
Region newRegion;
try {
newRegion = parentRegion.createSubregion(newRegionName, newRegionAttributes);
this.cache.getLoggerI18n().fine("Created dynamic region " + newRegion);
} catch (RegionExistsException ex) {
// a race condition exists that can cause this so just fine log it
this.cache.getLoggerI18n().fine("DynamicRegion " + newRegionName + " in parent " + parentRegionName + " already existed");
newRegion = ex.getRegion();
}
if (addEntry) {
DynamicRegionAttributes dra = new DynamicRegionAttributes();
dra.name = newRegionName;
dra.rootRegionName = parentRegion.getFullPath();
if (this.cache.getLoggerI18n().fineEnabled()) {
this.cache.getLoggerI18n().fine("Putting entry into dynamic region list at key: " + newRegion.getFullPath());
}
this.dynamicRegionList.put(newRegion.getFullPath(), dra);
}
if (this.config.getRegisterInterest()) {
ServerRegionProxy proxy = ((LocalRegion) newRegion).getServerProxy();
if (proxy != null) {
if (((Pool) proxy.getPool()).getSubscriptionEnabled()) {
try {
newRegion.registerInterest("ALL_KEYS");
} catch (GemFireSecurityException ex) {
// Ignore security exceptions here
this.cache.getSecurityLoggerI18n().warning(LocalizedStrings.DynamicRegionFactory_EXCEPTION_WHEN_REGISTERING_INTEREST_FOR_ALL_KEYS_IN_DYNAMIC_REGION_0_1, new Object[] { newRegion.getFullPath(), ex });
}
}
}
}
if (regionCreateSleepMillis > 0) {
try {
Thread.sleep(regionCreateSleepMillis);
} catch (InterruptedException ignore) {
Thread.currentThread().interrupt();
}
}
if (this.cache.getLoggerI18n().fineEnabled()) {
this.cache.getLoggerI18n().fine("Created Dynamic Region " + newRegion.getFullPath());
}
return newRegion;
}
Also used :
DynamicRegionAttributes(org.apache.geode.internal.cache.DynamicRegionAttributes)
DynamicRegionAttributes(org.apache.geode.internal.cache.DynamicRegionAttributes)
LocalRegion(org.apache.geode.internal.cache.LocalRegion)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
EvictionAttributesImpl(org.apache.geode.internal.cache.EvictionAttributesImpl)
ServerRegionProxy(org.apache.geode.cache.client.internal.ServerRegionProxy)
LocalRegion(org.apache.geode.internal.cache.LocalRegion)
DistributedRegion(org.apache.geode.internal.cache.DistributedRegion)
Pool(org.apache.geode.cache.client.Pool)
Example 28 with GemFireSecurityException
use of org.apache.geode.security.GemFireSecurityException in project geode by apache.
the class HandShake method writeCredential.
/**
* This method writes what readCredential() method expects to read. (Note the use of singular
* credential). It is similar to writeCredentials(), except that it doesn't write
* credential-properties.
*/
public byte writeCredential(DataOutputStream dos, DataInputStream dis, String authInit, boolean isNotification, DistributedMember member, HeapDataOutputStream heapdos) throws IOException, GemFireSecurityException {
if (!this.multiuserSecureMode && (authInit == null || authInit.length() == 0)) {
// No credentials indicator
heapdos.writeByte(CREDENTIALS_NONE);
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
return -1;
}
if (dhSKAlgo == null || dhSKAlgo.length() == 0) {
// Normal credentials without encryption indicator
heapdos.writeByte(CREDENTIALS_NORMAL);
this.appSecureMode = CREDENTIALS_NORMAL;
// DataSerializer.writeProperties(p_credentials, heapdos);
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
return -1;
}
byte acceptanceCode = -1;
try {
InternalLogWriter securityLogWriter = (InternalLogWriter) this.system.getSecurityLogWriter();
securityLogWriter.fine("HandShake: using Diffie-Hellman key exchange with algo " + dhSKAlgo);
boolean requireAuthentication = (certificateFilePath != null && certificateFilePath.length() > 0);
if (requireAuthentication) {
securityLogWriter.fine("HandShake: server authentication using digital " + "signature required");
}
// Credentials with encryption indicator
heapdos.writeByte(CREDENTIALS_DHENCRYPT);
this.appSecureMode = CREDENTIALS_DHENCRYPT;
heapdos.writeBoolean(requireAuthentication);
// Send the symmetric encryption algorithm name
DataSerializer.writeString(dhSKAlgo, heapdos);
// Send the DH public key
byte[] keyBytes = dhPublicKey.getEncoded();
DataSerializer.writeByteArray(keyBytes, heapdos);
byte[] clientChallenge = null;
if (requireAuthentication) {
// Authentication of server should be with the client supplied
// challenge
clientChallenge = new byte[64];
random.nextBytes(clientChallenge);
DataSerializer.writeByteArray(clientChallenge, heapdos);
}
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
// Expect the alias and signature in the reply
acceptanceCode = dis.readByte();
if (acceptanceCode != REPLY_OK && acceptanceCode != REPLY_AUTH_NOT_REQUIRED) {
// Ignore the useless data
dis.readByte();
dis.readInt();
if (!isNotification) {
DataSerializer.readByteArray(dis);
}
readMessage(dis, dos, acceptanceCode, member);
} else if (acceptanceCode == REPLY_OK) {
// Get the public key of the other side
keyBytes = DataSerializer.readByteArray(dis);
if (requireAuthentication) {
String subject = DataSerializer.readString(dis);
byte[] signatureBytes = DataSerializer.readByteArray(dis);
if (!certificateMap.containsKey(subject)) {
throw new AuthenticationFailedException(LocalizedStrings.HandShake_HANDSHAKE_FAILED_TO_FIND_PUBLIC_KEY_FOR_SERVER_WITH_SUBJECT_0.toLocalizedString(subject));
}
// Check the signature with the public key
X509Certificate cert = (X509Certificate) certificateMap.get(subject);
Signature sig = Signature.getInstance(cert.getSigAlgName());
sig.initVerify(cert);
sig.update(clientChallenge);
// Check the challenge string
if (!sig.verify(signatureBytes)) {
throw new AuthenticationFailedException("Mismatch in client " + "challenge bytes. Malicious server?");
}
securityLogWriter.fine("HandShake: Successfully verified the " + "digital signature from server");
}
// Read server challenge bytes
byte[] serverChallenge = DataSerializer.readByteArray(dis);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFact = KeyFactory.getInstance("DH");
// PublicKey pubKey = keyFact.generatePublic(x509KeySpec);
this.clientPublicKey = keyFact.generatePublic(x509KeySpec);
HeapDataOutputStream hdos = new HeapDataOutputStream(Version.CURRENT);
try {
// Add the challenge string
DataSerializer.writeByteArray(serverChallenge, hdos);
// byte[] encBytes = encrypt.doFinal(hdos.toByteArray());
byte[] encBytes = encryptBytes(hdos.toByteArray(), getEncryptCipher(dhSKAlgo, this.clientPublicKey));
DataSerializer.writeByteArray(encBytes, dos);
} finally {
hdos.close();
}
}
} catch (IOException ex) {
throw ex;
} catch (GemFireSecurityException ex) {
throw ex;
} catch (Exception ex) {
throw new AuthenticationFailedException("HandShake failed in Diffie-Hellman key exchange", ex);
}
dos.flush();
return acceptanceCode;
}
Also used :
InternalLogWriter(org.apache.geode.internal.logging.InternalLogWriter)
AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
ServerRefusedConnectionException(org.apache.geode.cache.client.ServerRefusedConnectionException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
InternalGemFireException(org.apache.geode.InternalGemFireException)
GatewayConfigurationException(org.apache.geode.cache.GatewayConfigurationException)
EOFException(java.io.EOFException)
AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException)
GemFireConfigException(org.apache.geode.GemFireConfigException)
IOException(java.io.IOException)
AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
HeapDataOutputStream(org.apache.geode.internal.HeapDataOutputStream)
Signature(java.security.Signature)
KeyFactory(java.security.KeyFactory)
Example 29 with GemFireSecurityException
use of org.apache.geode.security.GemFireSecurityException in project geode by apache.
the class ServerConnection method setSecurityPart.
private void setSecurityPart() {
try {
this.connectionId = randomConnectionIdGen.nextLong();
this.securePart = new Part();
byte[] id = encryptId(this.connectionId, this);
this.securePart.setPartState(id, false);
} catch (Exception ex) {
logger.warn(LocalizedMessage.create(LocalizedStrings.ServerConnection_SERVER_FAILED_TO_ENCRYPT_DATA_0, ex));
throw new GemFireSecurityException("Server failed to encrypt response message.");
}
}
Also used :
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
CancelException(org.apache.geode.CancelException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException)
IOException(java.io.IOException)
AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException)
Example 30 with GemFireSecurityException
use of org.apache.geode.security.GemFireSecurityException in project geode by apache.
the class HandShake method writeCredentials.
/**
* This assumes that authentication is the last piece of info in handshake
*/
public void writeCredentials(DataOutputStream dos, DataInputStream dis, Properties p_credentials, boolean isNotification, DistributedMember member, HeapDataOutputStream heapdos) throws IOException, GemFireSecurityException {
if (p_credentials == null) {
// No credentials indicator
heapdos.writeByte(CREDENTIALS_NONE);
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
return;
}
if (dhSKAlgo == null || dhSKAlgo.length() == 0) {
// Normal credentials without encryption indicator
heapdos.writeByte(CREDENTIALS_NORMAL);
DataSerializer.writeProperties(p_credentials, heapdos);
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
return;
}
try {
InternalLogWriter securityLogWriter = (InternalLogWriter) this.system.getSecurityLogWriter();
securityLogWriter.fine("HandShake: using Diffie-Hellman key exchange with algo " + dhSKAlgo);
boolean requireAuthentication = (certificateFilePath != null && certificateFilePath.length() > 0);
if (requireAuthentication) {
securityLogWriter.fine("HandShake: server authentication using digital " + "signature required");
}
// Credentials with encryption indicator
heapdos.writeByte(CREDENTIALS_DHENCRYPT);
heapdos.writeBoolean(requireAuthentication);
// Send the symmetric encryption algorithm name
DataSerializer.writeString(dhSKAlgo, heapdos);
// Send the DH public key
byte[] keyBytes = dhPublicKey.getEncoded();
DataSerializer.writeByteArray(keyBytes, heapdos);
byte[] clientChallenge = null;
if (requireAuthentication) {
// Authentication of server should be with the client supplied
// challenge
clientChallenge = new byte[64];
random.nextBytes(clientChallenge);
DataSerializer.writeByteArray(clientChallenge, heapdos);
}
heapdos.flush();
dos.write(heapdos.toByteArray());
dos.flush();
// Expect the alias and signature in the reply
byte acceptanceCode = dis.readByte();
if (acceptanceCode != REPLY_OK && acceptanceCode != REPLY_AUTH_NOT_REQUIRED) {
// Ignore the useless data
dis.readByte();
dis.readInt();
if (!isNotification) {
DataSerializer.readByteArray(dis);
}
readMessage(dis, dos, acceptanceCode, member);
} else if (acceptanceCode == REPLY_OK) {
// Get the public key of the other side
keyBytes = DataSerializer.readByteArray(dis);
if (requireAuthentication) {
String subject = DataSerializer.readString(dis);
byte[] signatureBytes = DataSerializer.readByteArray(dis);
if (!certificateMap.containsKey(subject)) {
throw new AuthenticationFailedException(LocalizedStrings.HandShake_HANDSHAKE_FAILED_TO_FIND_PUBLIC_KEY_FOR_SERVER_WITH_SUBJECT_0.toLocalizedString(subject));
}
// Check the signature with the public key
X509Certificate cert = (X509Certificate) certificateMap.get(subject);
Signature sig = Signature.getInstance(cert.getSigAlgName());
sig.initVerify(cert);
sig.update(clientChallenge);
// Check the challenge string
if (!sig.verify(signatureBytes)) {
throw new AuthenticationFailedException("Mismatch in client " + "challenge bytes. Malicious server?");
}
securityLogWriter.fine("HandShake: Successfully verified the " + "digital signature from server");
}
byte[] challenge = DataSerializer.readByteArray(dis);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFact = KeyFactory.getInstance("DH");
// PublicKey pubKey = keyFact.generatePublic(x509KeySpec);
this.clientPublicKey = keyFact.generatePublic(x509KeySpec);
HeapDataOutputStream hdos = new HeapDataOutputStream(Version.CURRENT);
try {
DataSerializer.writeProperties(p_credentials, hdos);
// Also add the challenge string
DataSerializer.writeByteArray(challenge, hdos);
// byte[] encBytes = encrypt.doFinal(hdos.toByteArray());
byte[] encBytes = encryptBytes(hdos.toByteArray(), getEncryptCipher(dhSKAlgo, this.clientPublicKey));
DataSerializer.writeByteArray(encBytes, dos);
} finally {
hdos.close();
}
}
} catch (IOException ex) {
throw ex;
} catch (GemFireSecurityException ex) {
throw ex;
} catch (Exception ex) {
throw new AuthenticationFailedException("HandShake failed in Diffie-Hellman key exchange", ex);
}
dos.flush();
}
Also used :
InternalLogWriter(org.apache.geode.internal.logging.InternalLogWriter)
AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
ServerRefusedConnectionException(org.apache.geode.cache.client.ServerRefusedConnectionException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
InternalGemFireException(org.apache.geode.InternalGemFireException)
GatewayConfigurationException(org.apache.geode.cache.GatewayConfigurationException)
EOFException(java.io.EOFException)
AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException)
GemFireConfigException(org.apache.geode.GemFireConfigException)
IOException(java.io.IOException)
AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException)
GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)
HeapDataOutputStream(org.apache.geode.internal.HeapDataOutputStream)
Signature(java.security.Signature)
KeyFactory(java.security.KeyFactory)
Aggregations
GemFireSecurityException (org.apache.geode.security.GemFireSecurityException)39
IOException (java.io.IOException)18
GemFireConfigException (org.apache.geode.GemFireConfigException)13
CancelException (org.apache.geode.CancelException)9
LocalRegion (org.apache.geode.internal.cache.LocalRegion)8
Part (org.apache.geode.internal.cache.tier.sockets.Part)8
AuthenticationRequiredException (org.apache.geode.security.AuthenticationRequiredException)8
GatewayConfigurationException (org.apache.geode.cache.GatewayConfigurationException)7
RegionDestroyedException (org.apache.geode.cache.RegionDestroyedException)7
ServerRefusedConnectionException (org.apache.geode.cache.client.ServerRefusedConnectionException)7
ServerLocation (org.apache.geode.distributed.internal.ServerLocation)7
CacheServerStats (org.apache.geode.internal.cache.tier.sockets.CacheServerStats)7
AuthenticationFailedException (org.apache.geode.security.AuthenticationFailedException)7
EOFException (java.io.EOFException)6
ByteBuffer (java.nio.ByteBuffer)6
Properties (java.util.Properties)6
InternalGemFireException (org.apache.geode.InternalGemFireException)5
EventID (org.apache.geode.internal.cache.EventID)5
EventIDHolder (org.apache.geode.internal.cache.EventIDHolder)5
CachedRegionHelper (org.apache.geode.internal.cache.tier.CachedRegionHelper)5
