/** Check the certificates with the ones in the jar file (all must match). */ private static final void validateCertificate( final Certificate[] rootCerts, final JarFile jar, final JarEntry entry, final byte[] buf) throws IOException, SecurityException { if (DEBUG) { System.err.println("JarUtil: validate JarEntry : " + entry.getName()); } // API states that we must read all of the data from the entry's // InputStream in order to be able to get its certificates final InputStream is = jar.getInputStream(entry); try { while (is.read(buf) > 0) {} } finally { is.close(); } // Get the certificates for the JAR entry final Certificate[] nativeCerts = entry.getCertificates(); if (nativeCerts == null || nativeCerts.length == 0) { throw new SecurityException("no certificate for " + entry.getName() + " in " + jar.getName()); } if (!SecurityUtil.equals(rootCerts, nativeCerts)) { throw new SecurityException( "certificates not equal for " + entry.getName() + " in " + jar.getName()); } }
@Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); User user; if (principal instanceof AgilefantUserDetails) { user = this.userBusiness.retrieve(((AgilefantUserDetails) principal).getUserId()); } else { user = userBusiness.retrieveByLoginName("readonly"); } try { SecurityUtil.setLoggedUser(user); chain.doFilter(request, response); } finally { SecurityUtil.setLoggedUser(null); } }
/** * 仅将请求参数作为签名因子进行签名 * * @param params api请求的各参数键值对 * @param appSecretKey * @return */ public static String signatureWithParamsOnly(Map<String, String> params, String appSecretKey) { List<String> paramValueList = new ArrayList<String>(); if (params != null) { for (Map.Entry<String, String> entry : params.entrySet()) { paramValueList.add(entry.getKey() + entry.getValue()); } } Collections.sort(paramValueList); String[] datas = new String[paramValueList.size()]; paramValueList.toArray(datas); byte[] signature = SecurityUtil.hmacSha1(datas, StringUtil.toBytes(appSecretKey)); return StringUtil.encodeHexStr(signature); }
/** * 将urlPath和请求参数同时作为签名因子进行签名 * * @param urlPath protocol/version/namespace/name/appKey * @param params api请求的各参数键值对 * @param appSecretKey app签名密钥 * @return */ public static String signatureWithParamsAndUrlPath( String urlPath, Map<String, String> params, String appSecretKey) { List<String> paramValueList = new ArrayList<String>(); if (params != null) { for (Map.Entry<String, String> entry : params.entrySet()) { paramValueList.add(entry.getKey() + entry.getValue()); } } final String[] datas = new String[1 + paramValueList.size()]; datas[0] = urlPath; Collections.sort(paramValueList); for (int i = 0; i < paramValueList.size(); i++) { datas[i + 1] = paramValueList.get(i); } byte[] signature = SecurityUtil.hmacSha1(datas, StringUtil.toBytes(appSecretKey)); return StringUtil.encodeHexStr(signature); }
@Test public void testGetKerberosPrincipalWithSubstitutedHostSecure() throws Exception { String principal = StartupProperties.get().getProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL); String expectedPrincipal = "falcon/" + SecurityUtil.getLocalHostName().toLowerCase() + "@Example.com"; try { Configuration conf = new Configuration(false); conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); Assert.assertTrue(UserGroupInformation.isSecurityEnabled()); StartupProperties.get() .setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL, "falcon/[email protected]"); FalconAuthenticationFilter filter = new FalconAuthenticationFilter(); Properties properties = filter.getConfiguration(FalconAuthenticationFilter.FALCON_PREFIX, null); Assert.assertEquals( properties.get(KerberosAuthenticationHandler.PRINCIPAL), expectedPrincipal); } finally { StartupProperties.get().setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL, principal); } }
/** * Set the {@link UserGroupInformation} for the current thread WARNING - This method should be * used only in test cases and other exceptional cases! * * @param ugi {@link UserGroupInformation} for the current thread */ public static void setCurrentUser(UserGroupInformation ugi) { Subject user = SecurityUtil.getSubject(ugi); currentUser.set(user); }
/** * Determine if the current user has dataset detail view (means {@link ProtectionType#EXPORT}) * right * * @param ds data set to check for * @return <code>true</code> if dataset detail view right is present, <code>false</code> otherwise */ public boolean hasDatasetDetailRights(DataSet ds) { return SecurityUtil.hasExportPermission(ds); }
/** * Determine if user is super admin * * @return <code>true</code> if super admin access shall be granted, <code>false</code> otherwise * @see SecurityUtil#hasSuperAdminPermission() */ public boolean hasSuperAdminPermission() { return SecurityUtil.hasSuperAdminPermission(); }
/** * Determine if user shall be able to enter admin area * * @return <code>true</code> if access shall be granted, <code>false</code> otherwise * @see SecurityUtil#hasAdminAreaAccessRight() */ public boolean hasAdminAreaAccessRight() { return SecurityUtil.hasAdminAreaAccessRight(); }