use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.
the class CSIV2IORToSocketInfo method readCompoundSecMechList.
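/**
 * Reads the {@code CompoundSecMechList} advertised in the given IOR.
 *
 * <p>The list is looked up as a {@code TAG_CSI_SEC_MECH_LIST} component of the IOR's profile
 * template and decoded from that component's encapsulated octet sequence. Only the first such
 * component is consulted; any further {@code TAG_CSI_SEC_MECH_LIST} components are ignored.
 * The component data comes from the IOR, i.e. from the remote side, so it is untrusted input:
 * it is handed to the ORB's own CDR unmarshaller ({@code EncapsInputStream} /
 * {@code CompoundSecMechListHelper}), and malformed data surfaces as whatever that unmarshaller throws.
 *
 * @param ior the IOR to inspect.
 * @return the decoded mechanism list, or {@code null} when the profile template carries no
 *         {@code TAG_CSI_SEC_MECH_LIST} component.
 */
private CompoundSecMechList readCompoundSecMechList(IOR ior) {
    // Iterator<?> instead of the raw Iterator: the element is cast explicitly below anyway.
    final Iterator<?> components = ior.getProfile().getTaggedProfileTemplate().iteratorById(TAG_CSI_SEC_MECH_LIST.value);
    if (!components.hasNext()) {
        return null;
    }
    final ORB orb = ior.getORB();
    // the template holds the ORB-internal component type; convert the first match to its IOP form.
    final TaggedComponent secMechListComponent =
            ((com.sun.corba.se.spi.ior.TaggedComponent) components.next()).getIOPComponent(orb);
    // stream construction is wrapped in doPrivileged — presumably because it is permission-checked
    // under a security manager; confirm against the doPrivileged helper used in this class.
    final CDRInputStream in = doPrivileged(new PrivilegedAction<CDRInputStream>() {
        @Override
        public CDRInputStream run() {
            final byte[] data = secMechListComponent.component_data;
            return new EncapsInputStream(orb, data, data.length);
        }
    });
    // an encapsulation starts with its byte-order flag, which must be consumed before reading the struct.
    in.consumeEndian();
    return CompoundSecMechListHelper.read(in);
}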
use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.
the class CSIv2IORInterceptor method establish_components.
/**
 * Adds the CSIv2 tagged components (SSL transport and security mechanism list) to the IIOP
 * profile of the IOR under construction.
 *
 * <p>When a {@code CSIv2Policy} is in effect for the IOR, the components that policy already
 * created are used. When no policy is in effect ({@code BAD_PARAM} from the ORB, reported at
 * debug level) or the policy cannot be fetched for any other reason (reported through
 * {@code failedToFetchCSIv2Policy}), the interceptor's default components are used instead.
 * NOTE(review): the "could not fetch the policy" case therefore silently falls back to the
 * defaults rather than failing the IOR — confirm that fallback is intended.
 * A {@code null} component (policy or default) is simply not added.
 *
 * @param info the {@code IORInfo} of the IOR being built.
 */
@Override
public void establish_components(IORInfo info) {
    final CSIv2Policy csiv2Policy = lookupCSIv2Policy(info);
    if (csiv2Policy == null) {
        // no policy in effect: install the defaults (minimum set of SSL / CSI options).
        addToIIOPProfile(info, defaultSSLComponent);
        addToIIOPProfile(info, defaultCSIComponent);
    } else {
        // policy in effect: install a copy of the components the policy already created.
        // The original comment says the SSL component is absent when interop with IONA ASP is on;
        // that decision is made inside CSIv2Policy, this method only sees the resulting null.
        addToIIOPProfile(info, csiv2Policy.getSSLTaggedComponent());
        addToIIOPProfile(info, csiv2Policy.getSecurityTaggedComponent());
    }
}

/**
 * Returns the effective {@code CSIv2Policy} for the IOR, or {@code null} when none is in effect
 * or it could not be retrieved (both cases are logged).
 */
private static CSIv2Policy lookupCSIv2Policy(IORInfo info) {
    try {
        return (CSIv2Policy) info.get_effective_policy(CSIv2Policy.TYPE);
    } catch (BAD_PARAM e) {
        // BAD_PARAM is how the ORB reports "no such policy on this IOR".
        IIOPLogger.ROOT_LOGGER.debug("CSIv2Policy not found in IORInfo");
    } catch (Exception e) {
        IIOPLogger.ROOT_LOGGER.failedToFetchCSIv2Policy(e);
    }
    return null;
}

/** Adds {@code component} to the IOR's IIOP profile; a {@code null} component is skipped. */
private static void addToIIOPProfile(IORInfo info, TaggedComponent component) {
    if (component != null) {
        info.add_ior_component_to_profile(component, TAG_INTERNET_IOP.value);
    }
}
use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.
the class CSIv2Util method getMatchingSecurityMech.
/**
 * <p>
 * Selects, from the target IOR of the current request, the first {@code CompoundSecMech} the
 * client can use. Intended to be called from a client request interceptor.
 * </p>
 * <p>
 * A mechanism is accepted when
 * <ul>
 * <li>the client does not require {@code EstablishTrustInTarget} unless the target's AS context
 * supports it,</li>
 * <li>the target's AS context does not require {@code EstablishTrustInClient} unless the client
 * supports it, and</li>
 * <li>the target's SAS context does not require {@code IdentityAssertion} unless the client
 * supports it.</li>
 * </ul>
 * Only these three association options are checked here; the mechanism's own
 * {@code target_requires} field (transport-level options) is not compared against
 * {@code clientSupports} by this method.
 * </p>
 * <p>
 * The mechanism list is decoded from the target IOR, i.e. from untrusted input; structural
 * validation is left to the {@code Codec}. Because this runs inside an interceptor, codec failures
 * are rethrown via {@code IIOPLogger.ROOT_LOGGER.unexpectedException} (documented by the original
 * author as a {@code MARSHAL} exception).
 * </p>
 *
 * @param ri a reference to the current {@code ClientRequestInfo}.
 * @param codec the {@code Codec} used to decode the CSIv2 components.
 * @param clientSupports the transport options the client supports.
 * @param clientRequires the transport options the client requires.
 * @return the first acceptable {@code CompoundSecMech}, or {@code null} if the target IOR carries
 *         no {@code TAG_CSI_SEC_MECH_LIST} component or none of its mechanisms is acceptable.
 */
public static CompoundSecMech getMatchingSecurityMech(ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
    try {
        final TaggedComponent tc = ri.get_effective_component(org.omg.IOP.TAG_CSI_SEC_MECH_LIST.value);
        final Any any = codec.decode_value(tc.component_data, CompoundSecMechListHelper.type());
        final CompoundSecMechList csmList = CompoundSecMechListHelper.extract(any);
        for (CompoundSecMech candidate : csmList.mechanism_list) {
            if (isAcceptable(candidate, clientSupports, clientRequires)) {
                return candidate;
            }
        }
        // every mechanism was rejected.
        return null;
    } catch (BAD_PARAM e) {
        // the target IOR carries no TAG_CSI_SEC_MECH_LIST component.
        return null;
    } catch (org.omg.IOP.CodecPackage.TypeMismatch e) {
        // unexpected codec failure while decoding the mechanism list.
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    } catch (org.omg.IOP.CodecPackage.FormatMismatch e) {
        // unexpected codec failure while decoding the mechanism list.
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}

/**
 * Applies the three association-option checks to one mechanism. Each test isolates the single
 * option bit and asks "required by one side but not supported by the other".
 */
private static boolean isAcceptable(CompoundSecMech mech, short clientSupports, short clientRequires) {
    final AS_ContextSec asConfig = mech.as_context_mech;
    // client requires EstablishTrustInTarget, but the target does not support it.
    if ((EstablishTrustInTarget.value & clientRequires & ~asConfig.target_supports) != 0) {
        return false;
    }
    // target requires EstablishTrustInClient, but the client does not support it.
    if ((EstablishTrustInClient.value & asConfig.target_requires & ~clientSupports) != 0) {
        return false;
    }
    final SAS_ContextSec sasConfig = mech.sas_context_mech;
    // target requires IdentityAssertion, but the client does not support it.
    return (IdentityAssertion.value & sasConfig.target_requires & ~clientSupports) == 0;
}
use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.
the class CSIv2Util method createTransportMech.
/**
 * <p>
 * Builds the transport mechanism {@code TaggedComponent} that goes into a {@code CompoundSecMech}.
 * </p>
 * <p>
 * A {@code TAG_NULL_TAG} (empty) component is returned when {@code tconfig} is {@code null}, when
 * {@code sslPort} is {@code 0}, or when the transport configuration yields no supported target
 * options ({@code createTargetSupports} returns 0). Note the port check is {@code sslPort == 0};
 * a negative port is not treated specially by this method.
 * </p>
 * <p>
 * Otherwise a {@code org.omg.CSIIOP.TLS_SEC_TRANS}, tagged {@code TAG_TLS_SEC_TRANS}, is returned,
 * advertising TLS/SSL as the CSIv2 transport mechanism. Although the structure allows several
 * {@code TransportAddress} entries, exactly one is included: the host taken from the ORB's
 * {@code Constants.ORB_ADDRESS} property and {@code sslPort}. NOTE(review): that host is presumably
 * the address remote clients will connect to for TLS, so it should be the externally reachable one —
 * confirm how ORB_ADDRESS is configured.
 * </p>
 *
 * @param tconfig the transport configuration metadata, may be {@code null}.
 * @param codec the {@code Codec} used to encode the {@code TLS_SEC_TRANS}.
 * @param sslPort an {@code int} representing the SSL port.
 * @param orb a reference to the running {@code ORB}.
 * @return the constructed {@code TaggedComponent}, never {@code null}.
 */
public static TaggedComponent createTransportMech(IORTransportConfigMetaData tconfig, Codec codec, int sslPort, ORB orb) {
    // association options we require / support as a target; both 0 without a transport config.
    final int targetRequires = tconfig == null ? 0 : createTargetRequires(tconfig);
    final int targetSupports = tconfig == null ? 0 : createTargetSupports(tconfig);
    if (tconfig == null || targetSupports == 0 || sslPort == 0) {
        // transport security is not advertised at all.
        return new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
    }
    // our own address, as configured for the ORB.
    final String host = CorbaORBService.getORBProperty(Constants.ORB_ADDRESS);
    // a single host/port pair.
    final TransportAddress[] addresses = createTransportAddress(host, sslPort);
    final TLS_SEC_TRANS tlsTransport = new TLS_SEC_TRANS((short) targetSupports, (short) targetRequires, addresses);
    // the TLS_SEC_TRANS must travel as an encoded octet sequence inside the component.
    try {
        final Any any = orb.create_any();
        TLS_SEC_TRANSHelper.insert(any, tlsTransport);
        return new TaggedComponent(TAG_TLS_SEC_TRANS.value, codec.encode_value(any));
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
use of org.omg.IOP.TaggedComponent in project wildfly by wildfly.
the class CSIv2Util method createCompoundSecMechanisms.
/**
 * <p>
 * Creates a {@code org.omg.CSIIOP.CompoundSecMechanisms}, i.e. a sequence of {@code CompoundSecMech}.
 * Exactly one mechanism is produced.
 * </p>
 * <p>
 * The mechanism's {@code target_requires} is the union of the transport-level requirements derived
 * from the transport config and the requirements of the AS and SAS contexts, because those bits
 * cannot be read back from the encoded transport {@code TaggedComponent}.
 * </p>
 *
 * @param metadata the CSIv2 security configuration; must not be {@code null} (it is dereferenced).
 * @param codec the {@code Codec} used to encode the transport component.
 * @param sslPort an {@code int} representing the SSL port.
 * @param orb a reference to the running {@code ORB}.
 * @return a one-element {@code CompoundSecMech} array.
 */
public static CompoundSecMech[] createCompoundSecMechanisms(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    // a CompoundSecMech consists of: target_requires, transport_mech, as_context_mech, sas_context_mech.
    final TaggedComponent transportMech = createTransportMech(metadata.getTransportConfig(), codec, sslPort, orb);
    final AS_ContextSec asContext = createAuthenticationServiceContext(metadata);
    final SAS_ContextSec sasContext = createSecureAttributeServiceContext(metadata);
    final int targetRequires = createTargetRequires(metadata.getTransportConfig())
            | asContext.target_requires
            | sasContext.target_requires;
    // only one security mechanism is supported.
    return new CompoundSecMech[] {
            new CompoundSecMech((short) targetRequires, transportMech, asContext, sasContext)
    };
}