Example #1
0
  @Override
  public void init(GatewayConfig config, Map<String, String> options)
      throws ServiceLifecycleException {
    // set any JSSE or security related system properties
    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());
    try {
      if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
        log.creatingCredentialStoreForGateway();
        ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
        // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
        // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE SECURE THEN
        // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
        // as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
      } else {
        log.credentialStoreForGatewayFoundNotCreating();
      }
    } catch (KeystoreServiceException e) {
      throw new ServiceLifecycleException(
          "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.",
          e);
    }

    try {
      if (!ks.isKeystoreForGatewayAvailable()) {
        log.creatingKeyStoreForGateway();
        ks.createKeystoreForGateway();
        char[] passphrase = null;
        try {
          passphrase = as.getGatewayIdentityPassphrase();
        } catch (AliasServiceException e) {
          throw new ServiceLifecycleException(
              "Error accessing credential store for the gateway.", e);
        }
        if (passphrase == null) {
          passphrase = ms.getMasterSecret();
        }
        ks.addSelfSignedCertForGateway("gateway-identity", passphrase);
      } else {
        log.keyStoreForGatewayFoundNotCreating();
      }
      logAndValidateCertificate();
    } catch (KeystoreServiceException e) {
      throw new ServiceLifecycleException(
          "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.",
          e);
    }

    keystoreType = config.getKeystoreType();
    sslExcludeProtocols = config.getExcludedSSLProtocols();
    clientAuthNeeded = config.isClientAuthNeeded();
    truststorePath = config.getTruststorePath();
    trustAllCerts = config.getTrustAllCerts();
    trustStoreType = config.getTruststoreType();
  }
Example #2
0
  private void logAndValidateCertificate() throws ServiceLifecycleException {
    // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL
    // debugging
    Certificate cert;
    try {
      cert = as.getCertificateForGateway("gateway-identity");
    } catch (AliasServiceException e) {
      throw new ServiceLifecycleException(
          "Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
    }
    if (cert != null) {
      if (cert instanceof X509Certificate) {
        X500Principal x500Principal = ((X509Certificate) cert).getSubjectX500Principal();
        X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
        log.certificateHostNameForGateway(parser.getCN());
        Date notBefore = ((X509Certificate) cert).getNotBefore();
        Date notAfter = ((X509Certificate) cert).getNotAfter();
        log.certificateValidityPeriod(notBefore, notAfter);

        // let's not even start if the current date is not within the validity period for the SSL
        // cert
        try {
          ((X509Certificate) cert).checkValidity();
        } catch (CertificateExpiredException e) {
          throw new ServiceLifecycleException(
              "Gateway SSL Certificate is Expired. Server will not start.", e);
        } catch (CertificateNotYetValidException e) {
          throw new ServiceLifecycleException(
              "Gateway SSL Certificate is not yet valid. Server will not start.", e);
        }
      } else {
        throw new ServiceLifecycleException(
            "Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
      }
    } else {
      throw new ServiceLifecycleException(
          "Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
    }
  }
Example #3
0
  public void doGet(URI url, HttpServletRequest request, HttpServletResponse response)
      throws IOException, URISyntaxException {
    String sourcePathInfo = request.getPathInfo();
    String sourcePattern = getConfig().getInitParameter("pattern");
    String targetPattern = getConfig().getInitParameter("target");

    // TODO: Some of the compilation should be done at servlet init for performance reasons.
    Template sourceTemplate = Parser.parseTemplate(sourcePattern);
    Template targetTemplate = Parser.parseTemplate(targetPattern);

    Resolver resolver = new DispatchParamResolver(getConfig(), request);
    URI sourceUri = new URI(sourcePathInfo);
    URI targetUri = Rewriter.rewrite(sourceUri, sourceTemplate, targetTemplate, resolver, null);

    //    //TODO: This should be more at filter init.
    //    Pattern sourceRegex = UrlRewriter.compileUrlRegex( sourcePattern );
    //    Matcher matcher = sourceRegex.matcher( sourcePathInfo );
    //    String targetUrl = MessageFormat.format( targetPattern, Regex.toGroupArray( matcher ) );
    //    System.out.println( "Source URI: " + expect.getRequestURI() );
    //    System.out.println( "Source URL: " + expect.getRequestURL() );
    //    System.out.println( "Source Query: " + expect.getQueryString() );
    //    System.out.println( "Source pathInfo: " + sourcePathInfo );
    //    System.out.println( "Source pattern: " + sourcePattern );
    //    System.out.println( "Target pattern: " + targetPattern );
    //    System.out.println( "Resolved target: " + targetUrl );

    StringBuilder paramStr = new StringBuilder();
    Enumeration paramNames = request.getParameterNames();
    if (paramNames.hasMoreElements()) {
      paramStr.append("?");
    }
    while (paramNames.hasMoreElements()) {
      String paramName = (String) paramNames.nextElement();
      String paramValue = request.getParameter(paramName);
      paramStr.append(paramName);
      paramStr.append("=");
      paramStr.append(URLEncoder.encode(paramValue, "UTF-8"));
      if (paramNames.hasMoreElements()) {
        paramStr.append("&");
      }
    }
    String urlStr = targetUri.toString() + paramStr.toString();
    try {
      URL clientUrl = new URL(urlStr);
      // System.out.println( "Resolved query: " + clientUrl );
      AuthenticatedURL.Token token = new AuthenticatedURL.Token();
      KerberosAuthenticator authenticator = new KerberosAuthenticator();
      auditor.audit(Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.UNAVAILABLE);
      HttpURLConnection conn = new AuthenticatedURL(authenticator).openConnection(clientUrl, token);
      // System.out.println( "STATUS=" + conn.getResponseCode() );
      InputStream input = conn.getInputStream();
      if (input != null) {
        OutputStream output = response.getOutputStream();
        try {
          IOUtils.copy(input, output);
        } finally {
          output.flush();
          input.close();
        }
      }
      auditor.audit(Action.DISPATCH, urlStr, ResourceType.URI, ActionOutcome.SUCCESS);
    } catch (AuthenticationException e) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      LOG.failedToEstablishConnectionToUrl(urlStr, e);
      auditor.audit(
          Action.DISPATCH,
          urlStr,
          ResourceType.URI,
          ActionOutcome.FAILURE,
          RES.responseStatus(HttpServletResponse.SC_UNAUTHORIZED));
    } catch (FileNotFoundException e) {
      response.sendError(HttpServletResponse.SC_NOT_FOUND);
      LOG.failedToEstablishConnectionToUrl(urlStr, e);
      auditor.audit(
          Action.DISPATCH,
          urlStr,
          ResourceType.URI,
          ActionOutcome.FAILURE,
          RES.responseStatus(HttpServletResponse.SC_NOT_FOUND));
    }
  }