
Example 6 with TaggedComponent

Use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.

Class CSIV2IORToSocketInfo, method readCompoundSecMechList.

private CompoundSecMechList readCompoundSecMechList(IOR ior) {
    // look for the TAG_CSI_SEC_MECH_LIST component in the IOR's profile.
    Iterator iter = ior.getProfile().getTaggedProfileTemplate().iteratorById(TAG_CSI_SEC_MECH_LIST.value);
    if (!iter.hasNext()) {
        // the target advertises no CSIv2 security mechanisms.
        return null;
    }
    ORB orb = ior.getORB();
    TaggedComponent compList = ((com.sun.corba.se.spi.ior.TaggedComponent) iter.next()).getIOPComponent(orb);
    // component_data is a CDR encapsulation produced by the remote target: it is untrusted input.
    CDRInputStream in = doPrivileged(new PrivilegedAction<CDRInputStream>() {

        @Override
        public CDRInputStream run() {
            return new EncapsInputStream(orb, compList.component_data, compList.component_data.length);
        }
    });
    // the first octet of an encapsulation is the byte-order flag; the rest is the CompoundSecMechList.
    in.consumeEndian();
    return CompoundSecMechListHelper.read(in);
}
Also used : TaggedComponent(org.omg.IOP.TaggedComponent) CDRInputStream(com.sun.corba.se.impl.encoding.CDRInputStream) EncapsInputStream(com.sun.corba.se.impl.encoding.EncapsInputStream) Iterator(java.util.Iterator) ORB(com.sun.corba.se.spi.orb.ORB)

Example 7 with TaggedComponent

Use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.

Class CSIv2IORInterceptor, method establish_components.

@Override
public void establish_components(IORInfo info) {
    // check if a CSIv2 policy is in effect for this IOR.
    CSIv2Policy csiv2Policy = null;
    try {
        csiv2Policy = (CSIv2Policy) info.get_effective_policy(CSIv2Policy.TYPE);
    } catch (BAD_PARAM e) {
        // no policy of this type applies to the object: fall through to the default components.
        IIOPLogger.ROOT_LOGGER.debug("CSIv2Policy not found in IORInfo");
    } catch (Exception e) {
        // any other failure is logged and likewise results in the default components being advertised.
        IIOPLogger.ROOT_LOGGER.failedToFetchCSIv2Policy(e);
    }
    if (csiv2Policy != null) {
        // the policy is effective: copy the TaggedComponents it already created into the IOR's IIOP profile.
        // the SSL component is null when it must not be advertised (e.g. when interop with IONA ASP is on),
        // so it is only added when present.
        TaggedComponent sslComponent = csiv2Policy.getSSLTaggedComponent();
        if (sslComponent != null) {
            info.add_ior_component_to_profile(sslComponent, TAG_INTERNET_IOP.value);
        }
        TaggedComponent csiv2Component = csiv2Policy.getSecurityTaggedComponent();
        if (csiv2Component != null) {
            info.add_ior_component_to_profile(csiv2Component, TAG_INTERNET_IOP.value);
        }
    } else {
        if (defaultSSLComponent != null) {
            // no policy: advertise the default SSL component (with the minimum set of SSL options).
            info.add_ior_component_to_profile(defaultSSLComponent, TAG_INTERNET_IOP.value);
        }
        if (defaultCSIComponent != null) {
            // and the default CSI component (with the minimum set of CSI options).
            info.add_ior_component_to_profile(defaultCSIComponent, TAG_INTERNET_IOP.value);
        }
    }
}
Also used : TaggedComponent(org.omg.IOP.TaggedComponent) BAD_PARAM(org.omg.CORBA.BAD_PARAM)

Example 8 with TaggedComponent

Use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.

Class CSIv2Util, method getMatchingSecurityMech.

/**
 * <p>
 * Helper method to be called from a client request interceptor. The {@code ri} parameter refers to the current
 * request. This method returns the first {@code CompoundSecMech} found in the target IOR such that
 * <ul>
 * <li>all {@code CompoundSecMech} requirements are satisfied by the options in the {@code clientSupports}
 * parameter, and</li>
 * <li>every requirement in the {@code clientRequires} parameter is satisfied by the {@code CompoundSecMech}.
 * </li>
 * </ul>
 * The method returns null if the target IOR contains no {@code CompoundSecMech}s or if no matching
 * {@code CompoundSecMech} is found.
 * </p>
 * <p>
 * Since this method is intended to be called from a client request interceptor, it converts unexpected exceptions
 * into {@code MARSHAL} exceptions.
 * </p>
 *
 * @param ri             a reference to the current {@code ClientRequestInfo}.
 * @param codec          the {@code Codec} used to decode the CSIv2 components.
 * @param clientSupports the client supported transport options that must be satisfied by the {@code CompoundSecMech}.
 * @param clientRequires the client required transport options that must be satisfied by the {@code CompoundSecMech}.
 * @return the {@code CompoundSecMech} instance that satisfies all client options, or {@code null} if no such object
 *         can be found.
 */
public static CompoundSecMech getMatchingSecurityMech(ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
    CompoundSecMechList csmList;
    try {
        // the TAG_CSI_SEC_MECH_LIST component carries a CDR-encapsulated CompoundSecMechList.
        TaggedComponent tc = ri.get_effective_component(org.omg.IOP.TAG_CSI_SEC_MECH_LIST.value);
        Any any = codec.decode_value(tc.component_data, CompoundSecMechListHelper.type());
        csmList = CompoundSecMechListHelper.extract(any);
        // look for the first matching security mech. Only the AS and SAS association options are inspected
        // here; the transport_mech component of each mechanism is not examined by this loop.
        for (int i = 0; i < csmList.mechanism_list.length; i++) {
            CompoundSecMech securityMech = csmList.mechanism_list[i];
            AS_ContextSec authConfig = securityMech.as_context_mech;
            // (a ^ b) & ~b equals a & ~b, i.e. "bit set in a but not in b".
            if ((EstablishTrustInTarget.value & (clientRequires ^ authConfig.target_supports) & ~authConfig.target_supports) != 0) {
                // client requires EstablishTrustInTarget, but target does not support it: skip this securityMech.
                continue;
            }
            if ((EstablishTrustInClient.value & (authConfig.target_requires ^ clientSupports) & ~clientSupports) != 0) {
                // target requires EstablishTrustInClient, but client does not support it: skip this securityMech.
                continue;
            }
            SAS_ContextSec identityConfig = securityMech.sas_context_mech;
            if ((IdentityAssertion.value & (identityConfig.target_requires ^ clientSupports) & ~clientSupports) != 0) {
                // target requires IdentityAssertion, but client does not support it: skip this securityMech.
                continue;
            }
            // found matching securityMech.
            return securityMech;
        }
        // no matching securityMech was found.
        return null;
    } catch (BAD_PARAM e) {
        // no component with TAG_CSI_SEC_MECH_LIST was found.
        return null;
    } catch (org.omg.IOP.CodecPackage.TypeMismatch | org.omg.IOP.CodecPackage.FormatMismatch e) {
        // unexpected exception in codec: the component_data did not decode as a CompoundSecMechList.
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : SAS_ContextSec(org.omg.CSIIOP.SAS_ContextSec) AS_ContextSec(org.omg.CSIIOP.AS_ContextSec) CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) TaggedComponent(org.omg.IOP.TaggedComponent) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) BAD_PARAM(org.omg.CORBA.BAD_PARAM) Any(org.omg.CORBA.Any)
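The selection loop above, reworked as an added example (Python, not WildFly's code) so the two readings of it can be compared side by side: matches_three_bits reproduces the three tests the loop performs, matches_all_bits applies the Javadoc's general statement (all target requirements within clientSupports, all client requirements within target_supports) to every AssociationOptions bit. The mechanism list, the client option sets and the name labels are constructed for the demo. Against a target that lists a cleartext mechanism before its TLS mechanism, the two disagree for a client that requires Confidentiality: the three-bit version still picks the first, cleartext mechanism, because transport-level options are not among the bits it inspects, so a client's transport requirements are not something this matcher alone enforces.

```python
"""Pick a CompoundSecMech for a client the way getMatchingSecurityMech does,
next to the broader rule its Javadoc describes. Added Python example, not
WildFly code; mechanisms are small dataclasses holding only the option bits."""
from dataclasses import dataclass

# org.omg.CSIIOP AssociationOptions values used here
INTEGRITY, CONFIDENTIALITY = 2, 4
ESTABLISH_TRUST_IN_TARGET, ESTABLISH_TRUST_IN_CLIENT, IDENTITY_ASSERTION = 32, 64, 1024


@dataclass(frozen=True)
class Options:
    """target_supports / target_requires of a TLS_SEC_TRANS, AS_ContextSec or SAS_ContextSec."""
    supports: int = 0
    requires: int = 0


@dataclass(frozen=True)
class CompoundSecMech:
    name: str            # label for the demo only, not an IDL field
    transport: Options   # TLS_SEC_TRANS bits; Options() stands for a TAG_NULL_TAG transport
    as_context: Options
    sas_context: Options

    @property
    def target_requires(self):
        # the struct's own target_requires is this union, as createCompoundSecMechanisms computes it
        return self.transport.requires | self.as_context.requires | self.sas_context.requires

    @property
    def target_supports(self):
        return self.transport.supports | self.as_context.supports | self.sas_context.supports


def matches_three_bits(m, client_supports, client_requires):
    """The page's loop. (a ^ b) & ~b equals a & ~b: 'set in a, not in b'.
    Only EstablishTrustInTarget, EstablishTrustInClient and IdentityAssertion are inspected."""
    if ESTABLISH_TRUST_IN_TARGET & client_requires & ~m.as_context.supports:
        return False   # client insists on authenticating the target, AS context does not offer it
    if ESTABLISH_TRUST_IN_CLIENT & m.as_context.requires & ~client_supports:
        return False   # target insists on client authentication, client cannot provide it
    if IDENTITY_ASSERTION & m.sas_context.requires & ~client_supports:
        return False   # target insists on identity assertion, client cannot provide it
    return True


def matches_all_bits(m, client_supports, client_requires):
    """The Javadoc's rule over every option bit: everything the target requires must be
    in client_supports and everything the client requires must be in target_supports."""
    return (m.target_requires & ~client_supports) == 0 and (client_requires & ~m.target_supports) == 0


def first_match(mechs, client_supports, client_requires, matcher=matches_three_bits):
    """Return the first acceptable mechanism's name, or None (like the Java helper)."""
    for m in mechs:
        if matcher(m, client_supports, client_requires):
            return m.name
    return None


# Constructed target IOR: a cleartext mechanism listed before a TLS one with client authentication.
MECHS = [
    CompoundSecMech("plain-iiop", Options(), Options(), Options()),
    CompoundSecMech("tls-client-auth",
                    Options(INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET, INTEGRITY | CONFIDENTIALITY),
                    Options(ESTABLISH_TRUST_IN_TARGET | ESTABLISH_TRUST_IN_CLIENT, ESTABLISH_TRUST_IN_CLIENT),
                    Options(IDENTITY_ASSERTION, 0)),
]
# Constructed client option set: TLS with mutual authentication, no identity assertion.
FULL_CLIENT = INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET | ESTABLISH_TRUST_IN_CLIENT


def compare(client_supports, client_requires, mechs=MECHS):
    """(three-bit choice, all-bits choice) for one client configuration."""
    return (first_match(mechs, client_supports, client_requires, matches_three_bits),
            first_match(mechs, client_supports, client_requires, matches_all_bits))
```

compare(FULL_CLIENT, 0) returns the cleartext mechanism under both rules, since a client that requires nothing accepts whatever is listed first; compare(FULL_CLIENT, CONFIDENTIALITY) is where they part ways.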

Example 9 with TaggedComponent

Use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.

Class CSIv2Util, method createTransportMech.

/**
 * <p>
 * Create a transport mechanism {@code TaggedComponent} to be stuffed into a {@code CompoundSecMech}.
 * </p>
 * <p>
 * If no {@code TransportConfig} metadata is specified, or the SSL port is zero or negative, or the specified
 * metadata indicates that no transport security is supported, then a {@code TAG_NULL_TAG} (empty)
 * {@code TaggedComponent} is returned.
 * </p>
 * <p>
 * Otherwise a {@code org.omg.CSIIOP.TLS_SEC_TRANS}, tagged as {@code TAG_TLS_SEC_TRANS}, is returned, indicating
 * support for TLS/SSL as a CSIv2 transport mechanism.
 * </p>
 * <p>
 * The SSL info may carry multiple {@code TransportAddress} entries (host/port pairs), but only one is included here.
 * </p>
 *
 * @param tconfig the transport configuration metadata.
 * @param codec   the {@code Codec} used to encode the transport configuration.
 * @param sslPort an {@code int} representing the SSL port.
 * @param orb     a reference to the running {@code ORB}.
 * @return the constructed {@code TaggedComponent}.
 */
public static TaggedComponent createTransportMech(IORTransportConfigMetaData tconfig, Codec codec, int sslPort, ORB orb) {
    TaggedComponent tc;
    // what we support and require as a target (AssociationOptions bit fields).
    int support = 0;
    int require = 0;
    if (tconfig != null) {
        require = createTargetRequires(tconfig);
        support = createTargetSupports(tconfig);
    }
    // a zero or negative port means there is no SSL listener to advertise.
    if (tconfig == null || support == 0 || sslPort <= 0) {
        // no support for transport security: an empty TAG_NULL_TAG component.
        tc = new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
    } else {
        // my ip address.
        String host = CorbaORBService.getORBProperty(Constants.ORB_ADDRESS);
        // this will create only one transport address.
        TransportAddress[] taList = createTransportAddress(host, sslPort);
        // the TLS_SEC_TRANS option fields are unsigned shorts on the wire, hence the narrowing casts.
        TLS_SEC_TRANS tst = new TLS_SEC_TRANS((short) support, (short) require, taList);
        // the tricky part: TLS_SEC_TRANS must be encoded into an octet sequence (a CDR encapsulation).
        try {
            Any any = orb.create_any();
            TLS_SEC_TRANSHelper.insert(any, tst);
            byte[] b = codec.encode_value(any);
            tc = new TaggedComponent(TAG_TLS_SEC_TRANS.value, b);
        } catch (InvalidTypeForEncoding e) {
            throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
        }
    }
    return tc;
}
Also used : TAG_TLS_SEC_TRANS(org.omg.CSIIOP.TAG_TLS_SEC_TRANS) TLS_SEC_TRANS(org.omg.CSIIOP.TLS_SEC_TRANS) TaggedComponent(org.omg.IOP.TaggedComponent) TransportAddress(org.omg.CSIIOP.TransportAddress) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 10 with TaggedComponent

Use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.

Class CSIv2Util, method createCompoundSecMechanisms.

/**
 * <p>
 * Create a {@code org.omg.CSIIOP.CompoundSecMechanisms} which is a sequence of {@code CompoundSecMech}. Here we only
 * support one security mechanism.
 * </p>
 *
 * @param metadata the metadata object that contains the CSIv2 security configuration info.
 * @param codec    the {@code Codec} used to encode the CSIv2 security component.
 * @param sslPort  an {@code int} representing the SSL port.
 * @param orb      a reference to the running {@code ORB}.
 * @return the constructed {@code CompoundSecMech} array.
 */
public static CompoundSecMech[] createCompoundSecMechanisms(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    // support just one security mechanism for now (and ever).
    CompoundSecMech[] csmList = new CompoundSecMech[1];
    // a CompoundSecMech contains: target_requires, transport_mech, as_context_mech, sas_context_mech.
    TaggedComponent transport_mech = createTransportMech(metadata.getTransportConfig(), codec, sslPort, orb);
    // create the AS (authentication service) context.
    AS_ContextSec asContext = createAuthenticationServiceContext(metadata);
    // create the SAS (secure attribute service) context.
    SAS_ContextSec sasContext = createSecureAttributeServiceContext(metadata);
    // target_requires is the union of the transport, AS and SAS requirements (AssociationOptions bits). The transport
    // requirements are recomputed from the metadata because transport_mech is already encoded and cannot be read back.
    int target_requires = createTargetRequires(metadata.getTransportConfig()) | asContext.target_requires | sasContext.target_requires;
    CompoundSecMech csm = new CompoundSecMech((short) target_requires, transport_mech, asContext, sasContext);
    csmList[0] = csm;
    return csmList;
}
Also used : SAS_ContextSec(org.omg.CSIIOP.SAS_ContextSec) AS_ContextSec(org.omg.CSIIOP.AS_ContextSec) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) TaggedComponent(org.omg.IOP.TaggedComponent)
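The helpers in Examples 6, 9 and 10 (readCompoundSecMechList, createTransportMech and createCompoundSecMechanisms) all move the same bytes: a TLS_SEC_TRANS struct encoded into a TAG_TLS_SEC_TRANS component, placed in a CompoundSecMech, and the CompoundSecMechList encoded as a CDR encapsulation whose first octet is the byte-order flag that consumeEndian() reads. The following added example (Python, not WildFly or ORB code) writes that encapsulation by hand and parses it back with a reader that checks every sequence length against the bytes actually present, the check a client needs because component_data comes from a remote IOR. The host name, port and option bits are constructed sample values; the field order follows the org.omg.CSIIOP IDL.

```python
"""CSIv2 component bytes: encode a TLS_SEC_TRANS transport mechanism into a
one-element CompoundSecMechList encapsulation, then parse it back the way
readCompoundSecMechList does. Added Python example, not WildFly code; the
field order follows the org.omg.CSIIOP IDL."""
import struct

TAG_CSI_SEC_MECH_LIST, TAG_NULL_TAG, TAG_TLS_SEC_TRANS = 33, 34, 36
INTEGRITY, CONFIDENTIALITY = 2, 4                     # AssociationOptions bits
ESTABLISH_TRUST_IN_TARGET, ESTABLISH_TRUST_IN_CLIENT = 32, 64


class CdrOut:
    """CDR encapsulation writer: byte-order flag first, primitives aligned to their size."""
    def __init__(self, little_endian=False):
        self.fmt = "<" if little_endian else ">"
        self.buf = bytearray([1 if little_endian else 0])
    def _align(self, n): self.buf += b"\0" * (-len(self.buf) % n)
    def boolean(self, v): self.buf.append(1 if v else 0)
    def ushort(self, v): self._align(2); self.buf += struct.pack(self.fmt + "H", v)
    def ulong(self, v): self._align(4); self.buf += struct.pack(self.fmt + "I", v)
    def octets(self, b): self.ulong(len(b)); self.buf += b        # sequence<octet>
    def string(self, s): self.octets(s.encode("ascii") + b"\0")   # length counts the NUL


class CdrIn:
    """Bounds-checked reader: component_data arrives from a remote IOR, so every
    length is checked against the bytes present before anything is sliced."""
    def __init__(self, data):
        self.data, self.pos = bytes(data), 0
        flag = self._take(1)[0]                       # what consumeEndian() does
        if flag > 1: raise ValueError("bad byte-order flag")
        self.fmt = "<" if flag else ">"
    def _take(self, n):
        if n > len(self.data) - self.pos: raise ValueError("truncated encapsulation")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def _align(self, n): self._take(-self.pos % n)
    def boolean(self): return self._take(1)[0] != 0
    def ushort(self): self._align(2); return struct.unpack(self.fmt + "H", self._take(2))[0]
    def ulong(self): self._align(4); return struct.unpack(self.fmt + "I", self._take(4))[0]
    def octets(self): return self._take(self.ulong())
    def string(self): return self.octets()[:-1].decode("ascii")


def encode_tls_sec_trans(supports, requires, addresses):
    """TLS_SEC_TRANS {target_supports, target_requires, addresses} as a (tag, data) component."""
    out = CdrOut()
    out.ushort(supports); out.ushort(requires); out.ulong(len(addresses))
    for host, port in addresses:
        out.string(host); out.ushort(port)            # TransportAddress {host_name, port}
    return TAG_TLS_SEC_TRANS, bytes(out.buf)

def decode_tls_sec_trans(data):
    cin = CdrIn(data)
    supports, requires = cin.ushort(), cin.ushort()
    return supports, requires, [(cin.string(), cin.ushort()) for _ in range(cin.ulong())]

def encode_mech_list(mechs, stateful=False):
    """CompoundSecMechList {stateful, mechanism_list}: the TAG_CSI_SEC_MECH_LIST body.
    AS/SAS name and authority fields are written empty in this sample."""
    out = CdrOut()
    out.boolean(stateful); out.ulong(len(mechs))
    for m in mechs:
        out.ushort(m["target_requires"])
        tag, data = m["transport_mech"]; out.ulong(tag); out.octets(data)
        out.ushort(m["as_supports"]); out.ushort(m["as_requires"])
        out.octets(b""); out.octets(b"")              # client_authentication_mech, target_name
        out.ushort(m["sas_supports"]); out.ushort(m["sas_requires"])
        out.ulong(0); out.ulong(0); out.ulong(0)      # no privilege authorities, naming mechs, identity types
    return bytes(out.buf)

def decode_mech_list(data):
    cin = CdrIn(data)
    stateful, mechs = cin.boolean(), []
    for _ in range(cin.ulong()):                      # a hostile count fails on its first element
        m = {"target_requires": cin.ushort(), "transport_mech": (cin.ulong(), cin.octets())}
        m["as_supports"], m["as_requires"] = cin.ushort(), cin.ushort()
        cin.octets(); cin.octets()
        m["sas_supports"], m["sas_requires"] = cin.ushort(), cin.ushort()
        for _ in range(cin.ulong()): cin.ulong(); cin.octets()   # ServiceConfiguration {syntax, name}
        for _ in range(cin.ulong()): cin.octets()                # supported_naming_mechanisms
        cin.ulong()                                              # supported_identity_types
        mechs.append(m)
    return stateful, mechs

def rejects(data):
    """True when the parser refuses malformed component_data rather than overreading."""
    try:
        decode_mech_list(data)
    except ValueError:
        return True
    return False

def sample_mech_list_body():
    """Constructed sample (made-up host and port): one TLS mechanism, as the page builds it."""
    tls = encode_tls_sec_trans(INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET,
                               INTEGRITY | CONFIDENTIALITY, [("app.example.internal", 3529)])
    mech = {"target_requires": INTEGRITY | CONFIDENTIALITY, "transport_mech": tls,
            "as_supports": ESTABLISH_TRUST_IN_CLIENT, "as_requires": 0,
            "sas_supports": 0, "sas_requires": 0}
    return encode_mech_list([mech])
```

rejects() covers the two malformed inputs a remote IOR can hand a client: a body truncated mid-struct, and a mechanism count of 0xFFFFFFFF that would otherwise drive the loop off the end of the buffer; both stop at the length check rather than at an index error.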
