Use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.
The class CSIv2Util, method createSecurityTaggedComponent.
/**
 * Builds the top-level {@code IOP:TaggedComponent} that carries an {@code org.omg.CSIIOP.CompoundSecMechList}
 * (tagged {@code TAG_CSI_SEC_MECH_LIST}) so it can be placed into an IOR. An IOR may carry at most one such
 * component.
 * <p>
 * A {@code null} metadata is treated as "no CSIv2 security configured": the call is logged at debug level and
 * {@code null} is returned, so nothing is added to the IOR.
 * </p>
 *
 * @param metadata the CSIv2 security configuration, or {@code null} if no security info is to be published.
 * @param codec the {@code Codec} used to encode the security component.
 * @param sslPort the SSL port, handed through to {@code createCompoundSecMechanisms}.
 * @param orb the running {@code ORB}, used to create the {@code Any} that wraps the mechanism list.
 * @return the encoded {@code TaggedComponent}, or {@code null} when {@code metadata} is {@code null}.
 */
public static TaggedComponent createSecurityTaggedComponent(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
        IIOPLogger.ROOT_LOGGER.debug("Method createSecurityTaggedComponent() called with null metadata");
        return null;
    }
    // The supported mechanisms are built first and then wrapped in a CompoundSecMechList; it is the list (not
    // the bare array) that gets encoded. The first constructor argument flags stateful (reusable) security
    // contexts, which are not supported here.
    final CompoundSecMech[] mechanisms = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
    final CompoundSecMechList mechanismList = new CompoundSecMechList(false, mechanisms);
    try {
        final Any wrapped = orb.create_any();
        CompoundSecMechListHelper.insert(wrapped, mechanismList);
        final byte[] encoded = codec.encode_value(wrapped);
        return new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, encoded);
    } catch (InvalidTypeForEncoding e) {
        // the Any was just populated with a CompoundSecMechList, so a type error here is a programming error
        // rather than a runtime condition the caller could act on.
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.
The class CSIV2IORToSocketInfo, method selectSSLTransportAddress.
/**
 * Picks the SSL transport address advertised by the IOR's CSIv2 mechanism list, if any.
 * <p>
 * Mechanisms are walked in IOR order. A mechanism is skipped when it has no {@code TLS_SEC_TRANS} component,
 * or when the target supports SSL but neither the target nor this client requires it. The first mechanism whose
 * target supports SSL and where at least one side requires it yields the address. A mechanism whose target does
 * not support SSL while this client requires it aborts the selection with
 * {@code IIOPLogger.ROOT_LOGGER.serverDoesNotSupportSsl()}; later mechanisms are not examined in that case.
 * </p>
 *
 * @param ior the target IOR.
 * @return the SSL {@code TransportAddress} to use, or {@code null} when the IOR carries no mechanism list or no
 *         mechanism yields an address (the caller is then expected to fall back to a non-SSL transport).
 */
private TransportAddress selectSSLTransportAddress(IOR ior) {
    final CompoundSecMechList mechanisms = readCompoundSecMechList(ior);
    if (mechanisms == null) {
        return null;
    }
    for (final CompoundSecMech mechanism : mechanisms.mechanism_list) {
        final TLS_SEC_TRANS tls = extractTlsSecTrans(ior, mechanism);
        if (tls == null) {
            // no TLS transport component on this mechanism: nothing to select from it.
            continue;
        }
        final boolean supported = checkSSL(tls.target_supports);
        final boolean required = checkSSL(tls.target_requires);
        if (clientRequiresSsl && !supported) {
            // this client insists on SSL and the target's TLS component cannot provide it: fail the selection
            // outright rather than silently ending up on a cleartext transport.
            throw IIOPLogger.ROOT_LOGGER.serverDoesNotSupportSsl();
        }
        if (supported && (required || clientRequiresSsl)) {
            return extractAddress(tls);
        }
        // SSL is supported but neither side requires it: keep looking.
    }
    return null;
}
Use of org.omg.CSIIOP.CompoundSecMechList in project wildfly by wildfly.
The class CSIv2Util, method getMatchingSecurityMech.
/**
 * Selects, from the target IOR of the current request, the first {@code CompoundSecMech} whose authentication
 * ({@code AS_ContextSec}) and attribute ({@code SAS_ContextSec}) layers are compatible with the client options.
 * Intended to be called from a client request interceptor.
 * <p>
 * A mechanism is rejected when
 * <ul>
 * <li>the client requires {@code EstablishTrustInTarget} but the mechanism's {@code AS_ContextSec} does not
 * support it,</li>
 * <li>the mechanism's {@code AS_ContextSec} requires {@code EstablishTrustInClient} but the client does not
 * support it, or</li>
 * <li>the mechanism's {@code SAS_ContextSec} requires {@code IdentityAssertion} but the client does not
 * support it.</li>
 * </ul>
 * Only those three options are examined; other bits of {@code clientSupports}/{@code clientRequires} and the
 * mechanism's transport layer are not consulted here.
 * </p>
 * <p>
 * A {@code BAD_PARAM} is taken to mean that the IOR carries no {@code TAG_CSI_SEC_MECH_LIST} component and
 * results in {@code null}. Codec type/format mismatches are unexpected and are rethrown via
 * {@code IIOPLogger.ROOT_LOGGER.unexpectedException}.
 * </p>
 *
 * @param ri the current {@code ClientRequestInfo}.
 * @param codec the {@code Codec} used to decode the CSIv2 component.
 * @param clientSupports the options the client supports.
 * @param clientRequires the options the client requires.
 * @return the first compatible {@code CompoundSecMech}, or {@code null} when the IOR has no mechanism list or
 *         none of its mechanisms is compatible.
 */
public static CompoundSecMech getMatchingSecurityMech(ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
    try {
        final TaggedComponent component = ri.get_effective_component(org.omg.IOP.TAG_CSI_SEC_MECH_LIST.value);
        final Any decoded = codec.decode_value(component.component_data, CompoundSecMechListHelper.type());
        final CompoundSecMechList mechanisms = CompoundSecMechListHelper.extract(decoded);
        for (final CompoundSecMech candidate : mechanisms.mechanism_list) {
            if (matchesClientOptions(candidate, clientSupports, clientRequires)) {
                return candidate;
            }
        }
        // every mechanism in the list was rejected.
        return null;
    } catch (BAD_PARAM e) {
        // get_effective_component raises BAD_PARAM when the component is absent. NOTE(review): the try also
        // covers the decode and the matching loop, so a BAD_PARAM from there is reported as "no component" too.
        return null;
    } catch (org.omg.IOP.CodecPackage.TypeMismatch | org.omg.IOP.CodecPackage.FormatMismatch e) {
        // the component was decoded against the CompoundSecMechList type we asked for; a mismatch is unexpected.
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}

/**
 * Applies the three option checks described on {@link #getMatchingSecurityMech}. Each check isolates a single
 * option bit that one side requires and the other side does not support; any such bit rejects the mechanism.
 *
 * @param mechanism the candidate mechanism from the IOR.
 * @param clientSupports the options the client supports.
 * @param clientRequires the options the client requires.
 * @return {@code true} if none of the checks rejects the mechanism.
 */
private static boolean matchesClientOptions(CompoundSecMech mechanism, short clientSupports, short clientRequires) {
    final AS_ContextSec authentication = mechanism.as_context_mech;
    // client requires EstablishTrustInTarget but the target's AS layer does not support it.
    if ((EstablishTrustInTarget.value & clientRequires & ~authentication.target_supports) != 0) {
        return false;
    }
    // target's AS layer requires EstablishTrustInClient but the client does not support it.
    if ((EstablishTrustInClient.value & authentication.target_requires & ~clientSupports) != 0) {
        return false;
    }
    // target's SAS layer requires IdentityAssertion but the client does not support it. The SAS layer is only
    // read once the AS checks have passed.
    final SAS_ContextSec attributes = mechanism.sas_context_mech;
    return (IdentityAssertion.value & attributes.target_requires & ~clientSupports) == 0;
}