Example 1 with CompoundSecMechList

use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.

the class CSIv2Util method createSecurityTaggedComponent.

/**
 * <p>
 * Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code org.omg.CSIIOP}.
 * {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such component can exist inside
 * an IOR.
 * </p>
 * <p>
 * If {@code metadata} is {@code null}, no security information is included in the IOR and the method returns
 * {@code null}; callers should pass non-null metadata whenever CSIv2 security is configured.
 * </p>
 *
 * @param metadata the metadata object that contains the CSIv2 security configuration info.
 * @param codec    the {@code Codec} used to encode the CSIv2 security component.
 * @param sslPort  an {@code int} representing the SSL port.
 * @param orb      a reference to the running {@code ORB}.
 * @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
 */
public static TaggedComponent createSecurityTaggedComponent(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
        IIOPLogger.ROOT_LOGGER.debug("Method createSecurityTaggedComponent() called with null metadata");
        return null;
    }
    TaggedComponent tc;
    // get the supported security mechanisms.
    CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
    // the above is wrapped into a org.omg.CSIIOP.CompoundSecMechList structure, which is NOT a CompoundSecMech[].
    // the first constructor argument is 'stateful': false means no stateful/reusable security contexts are supported.
    CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
    // finally, the CompoundSecMechList must be encoded as a TaggedComponent
    try {
        Any any = orb.create_any();
        CompoundSecMechListHelper.insert(any, csmList);
        byte[] b = codec.encode_value(any);
        tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
}
Also used : CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) TaggedComponent(org.omg.IOP.TaggedComponent) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 2 with CompoundSecMechList

use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.

the class CSIV2IORToSocketInfo method selectSSLTransportAddress.

private TransportAddress selectSSLTransportAddress(IOR ior) {
    CompoundSecMechList compoundSecMechList = readCompoundSecMechList(ior);
    if (compoundSecMechList != null) {
        for (CompoundSecMech mech : compoundSecMechList.mechanism_list) {
            TLS_SEC_TRANS sslMech = extractTlsSecTrans(ior, mech);
            if (sslMech == null) {
                continue;
            }
            boolean targetSupportsSsl = checkSSL(sslMech.target_supports);
            boolean targetRequiresSsl = checkSSL(sslMech.target_requires);
            if (!targetSupportsSsl && clientRequiresSsl) {
                throw IIOPLogger.ROOT_LOGGER.serverDoesNotSupportSsl();
            }
            if (targetSupportsSsl && (targetRequiresSsl || clientRequiresSsl)) {
                return extractAddress(sslMech);
            }
        }
    }
    return null;
}
Also used : TAG_TLS_SEC_TRANS(org.omg.CSIIOP.TAG_TLS_SEC_TRANS) TLS_SEC_TRANS(org.omg.CSIIOP.TLS_SEC_TRANS) CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech)

Example 3 with CompoundSecMechList

use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.

the class CSIv2Util method getMatchingSecurityMech.

/**
 * <p>
 * Helper method to be called from a client request interceptor. The {@code ri} parameter refers to the current
 * request. This method returns the first {@code CompoundSecMech} found in the target IOR such that
 * <ul>
 * <li>all {@code CompoundSecMech} requirements are satisfied by the options in the {@code clientSupports}
 * parameter, and</li>
 * <li>every requirement in the {@code clientRequires} parameter is satisfied by the {@code CompoundSecMech}.
 * </li>
 * </ul>
 * The method returns null if the target IOR contains no {@code CompoundSecMech}s or if no matching
 * {@code CompoundSecMech} is found.
 * </p>
 * <p>
 * Since this method is intended to be called from a client request interceptor, it converts unexpected exceptions
 * into {@code MARSHAL} exceptions.
 * </p>
 *
 * @param ri             a reference to the current {@code ClientRequestInfo}.
 * @param codec          the {@code Codec} used to decode the CSIv2 components.
 * @param clientSupports the client supported transport options that must be satisfied by the {@code CompoundSecMech}.
 * @param clientRequires the client required transport options that must be satisfied by the {@code CompoundSecMech}.
 * @return the {@code CompoundSecMech} instance that satisfies all client options, or {@code null} if no such object
 *         can be found.
 */
public static CompoundSecMech getMatchingSecurityMech(ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
    CompoundSecMechList csmList;
    try {
        TaggedComponent tc = ri.get_effective_component(org.omg.IOP.TAG_CSI_SEC_MECH_LIST.value);
        Any any = codec.decode_value(tc.component_data, CompoundSecMechListHelper.type());
        csmList = CompoundSecMechListHelper.extract(any);
        // look for the first matching security mech.
        for (int i = 0; i < csmList.mechanism_list.length; i++) {
            CompoundSecMech securityMech = csmList.mechanism_list[i];
            AS_ContextSec authConfig = securityMech.as_context_mech;
            if ((EstablishTrustInTarget.value & (clientRequires ^ authConfig.target_supports) & ~authConfig.target_supports) != 0) {
                // client requires EstablishTrustInTarget, but target does not support it: skip this securityMech.
                continue;
            }
            if ((EstablishTrustInClient.value & (authConfig.target_requires ^ clientSupports) & ~clientSupports) != 0) {
                // target requires EstablishTrustInClient, but client does not support it: skip this securityMech.
                continue;
            }
            SAS_ContextSec identityConfig = securityMech.sas_context_mech;
            if ((IdentityAssertion.value & (identityConfig.target_requires ^ clientSupports) & ~clientSupports) != 0) {
                // target requires IdentityAssertion, but client does not support it: skip this securityMech
                continue;
            }
            // found matching securityMech.
            return securityMech;
        }
        // no matching securityMech was found.
        return null;
    } catch (BAD_PARAM e) {
        // no component with TAG_CSI_SEC_MECH_LIST was found.
        return null;
    } catch (org.omg.IOP.CodecPackage.TypeMismatch e) {
        // unexpected exception in codec
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    } catch (org.omg.IOP.CodecPackage.FormatMismatch e) {
        // unexpected exception in codec
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : SAS_ContextSec(org.omg.CSIIOP.SAS_ContextSec) AS_ContextSec(org.omg.CSIIOP.AS_ContextSec) CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) TaggedComponent(org.omg.IOP.TaggedComponent) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) BAD_PARAM(org.omg.CORBA.BAD_PARAM) Any(org.omg.CORBA.Any)
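Examples 2 and 3 are the two client-side decisions that determine how much protection an IIOP call actually gets: which CompoundSecMech the request interceptor negotiates (Example 3) and whether the socket is opened to the SSL address at all (Example 2). The following is an added example, not WildFly code, that reproduces both decisions on a constructed IOR so the bit-mask logic can be run without a CORBA runtime on the classpath. The Mech record, the body of checkSSL (any of Integrity, Confidentiality or EstablishTrustInTarget counts as an SSL indication), the mechanism contents and the host:port string are assumptions of this example; the AssociationOptions constants carry the numeric values defined in the CSIIOP IDL. The three XOR tests are copied from Example 3 as written; each one reduces to "bit required by one side and not supported by the other".

```java
import java.util.List;

/**
 * Added example (not WildFly code): models CSIv2Util.getMatchingSecurityMech and
 * CSIV2IORToSocketInfo.selectSSLTransportAddress over a constructed mechanism_list.
 */
public class CsiV2MechMatchDemo {

    // AssociationOptions bit values from the CSIIOP IDL (same numeric values as
    // org.omg.CSIIOP.Integrity.value etc.), redeclared so this compiles without CORBA.
    static final short NO_PROTECTION = 1;
    static final short INTEGRITY = 2;
    static final short CONFIDENTIALITY = 4;
    static final short ESTABLISH_TRUST_IN_TARGET = 32;
    static final short ESTABLISH_TRUST_IN_CLIENT = 64;
    static final short IDENTITY_ASSERTION = 1024;

    /**
     * Hypothetical stand-in for CompoundSecMech. tlsAddress == null means the mechanism carries
     * no TLS_SEC_TRANS component (the case where extractTlsSecTrans returns null in Example 2).
     */
    record Mech(String name, String tlsAddress, short tlsSupports, short tlsRequires,
                short asSupports, short asRequires, short sasRequires) {}

    /** Example 3 logic: first mechanism whose three checked bits are compatible with the client. */
    static Mech getMatchingSecurityMech(List<Mech> mechanismList, short clientSupports, short clientRequires) {
        for (Mech m : mechanismList) {
            // client requires EstablishTrustInTarget but the target does not support it
            if ((ESTABLISH_TRUST_IN_TARGET & (clientRequires ^ m.asSupports()) & ~m.asSupports()) != 0) continue;
            // target requires EstablishTrustInClient but the client does not support it
            if ((ESTABLISH_TRUST_IN_CLIENT & (m.asRequires() ^ clientSupports) & ~clientSupports) != 0) continue;
            // target requires IdentityAssertion but the client does not support it
            if ((IDENTITY_ASSERTION & (m.sasRequires() ^ clientSupports) & ~clientSupports) != 0) continue;
            return m;
        }
        return null;
    }

    /** Assumption of this example: an option set counts as SSL if it carries any of these transport bits. */
    static boolean checkSSL(short options) {
        return (options & (INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET)) != 0;
    }

    /** Example 2 logic: SSL address to connect to, or null to fall back to the plain IIOP profile. */
    static String selectSSLTransportAddress(List<Mech> mechanismList, boolean clientRequiresSsl) {
        for (Mech m : mechanismList) {
            if (m.tlsAddress() == null) continue;
            boolean targetSupportsSsl = checkSSL(m.tlsSupports());
            boolean targetRequiresSsl = checkSSL(m.tlsRequires());
            if (!targetSupportsSsl && clientRequiresSsl) {
                throw new IllegalStateException("server does not support SSL");
            }
            if (targetSupportsSsl && (targetRequiresSsl || clientRequiresSsl)) {
                return m.tlsAddress();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed IOR contents: the server lists a plaintext mechanism first and a mutually
        // authenticated TLS mechanism second (mechanism_list order is the server's preference).
        Mech plain = new Mech("plain-iiop", null, (short) 0, (short) 0,
                ESTABLISH_TRUST_IN_CLIENT, (short) 0, (short) 0);
        Mech tls = new Mech("tls-mutual", "server.example:3529",
                (short) (INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET),
                (short) (INTEGRITY | CONFIDENTIALITY),
                (short) (ESTABLISH_TRUST_IN_CLIENT | ESTABLISH_TRUST_IN_TARGET),
                ESTABLISH_TRUST_IN_CLIENT, (short) 0);
        List<Mech> ior = List.of(plain, tls);

        // client that requires nothing: first compatible entry wins
        System.out.println(getMatchingSecurityMech(ior, ESTABLISH_TRUST_IN_CLIENT, (short) 0).name());
        // client that requires EstablishTrustInTarget: plaintext entry is skipped
        System.out.println(getMatchingSecurityMech(ior, ESTABLISH_TRUST_IN_CLIENT, ESTABLISH_TRUST_IN_TARGET).name());
        // client with no credentials that still requires EstablishTrustInTarget
        System.out.println(getMatchingSecurityMech(ior, (short) 0, ESTABLISH_TRUST_IN_TARGET));

        // transport selection for a client that does not insist on SSL
        System.out.println(selectSSLTransportAddress(ior, false));
        // IOR whose only TLS component advertises NoProtection, against a client that requires SSL
        Mech weak = new Mech("tls-noprot", "server.example:3529", NO_PROTECTION, (short) 0,
                ESTABLISH_TRUST_IN_CLIENT, (short) 0, (short) 0);
        try {
            selectSSLTransportAddress(List.of(weak), true);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with Java 16 or later (it uses a record). The first lookup returns plain-iiop: getMatchingSecurityMech returns the first compatible entry of mechanism_list, and that list is ordered by the server, so a client that requires nothing accepts a plaintext mechanism even when the same IOR also advertises TLS. Requiring EstablishTrustInTarget skips that entry and selects tls-mutual, and a client with no credentials that still requires EstablishTrustInTarget gets null because the TLS mechanism requires EstablishTrustInClient. Note that the matcher only tests the EstablishTrustInTarget, EstablishTrustInClient and IdentityAssertion bits; Integrity and Confidentiality are decided by the transport selection, which here returns the SSL address because the server's TLS_SEC_TRANS requires them, and throws for the NoProtection-only component as soon as the client insists on SSL.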

Aggregations

CompoundSecMech (org.omg.CSIIOP.CompoundSecMech)3 CompoundSecMechList (org.omg.CSIIOP.CompoundSecMechList)3 Any (org.omg.CORBA.Any)2 TaggedComponent (org.omg.IOP.TaggedComponent)2 BAD_PARAM (org.omg.CORBA.BAD_PARAM)1 AS_ContextSec (org.omg.CSIIOP.AS_ContextSec)1 SAS_ContextSec (org.omg.CSIIOP.SAS_ContextSec)1 TAG_TLS_SEC_TRANS (org.omg.CSIIOP.TAG_TLS_SEC_TRANS)1 TLS_SEC_TRANS (org.omg.CSIIOP.TLS_SEC_TRANS)1 InvalidTypeForEncoding (org.omg.IOP.CodecPackage.InvalidTypeForEncoding)1