Пример #1
 /**
  * Returns SSLContext with TESTED_SECURITY_PROTOCOL protocol and sets up keys.
  *
  * @return - SSLContext with a protocol specified by TESTED_SECURITY_PROTOCOL.
  */
 public static SSLContext getContext() {
   try {
     // Emptying these two security properties lifts the JDK's default algorithm restrictions
     // for the whole JVM, not just for the context built here: protocols, cipher suites and
     // certificate algorithms that are normally rejected become usable again. That is only
     // appropriate in a test harness that has to exercise legacy protocols.
     java.security.Security.setProperty("jdk.tls.disabledAlgorithms", "");
     java.security.Security.setProperty("jdk.certpath.disabledAlgorithms", "");

     KeyStore keyStore = KeyStore.getInstance("JKS");
     KeyStore trustStore = KeyStore.getInstance("JKS");
     // One passphrase opens both stores and also protects the private keys.
     char[] storePassword = PASSWD.toCharArray();

     try (FileInputStream in = new FileInputStream(KEY_FILE_NAME)) {
       keyStore.load(in, storePassword);
     }
     try (FileInputStream in = new FileInputStream(TRUST_FILE_NAME)) {
       trustStore.load(in, storePassword);
     }

     KeyManagerFactory keyManagers = KeyManagerFactory.getInstance("SunX509");
     keyManagers.init(keyStore, storePassword);

     TrustManagerFactory trustManagers = TrustManagerFactory.getInstance("SunX509");
     trustManagers.init(trustStore);

     SSLContext context = SSLContext.getInstance(TESTED_SECURITY_PROTOCOL);
     // Passing null as the SecureRandom leaves the choice of random source to the provider.
     context.init(keyManagers.getKeyManagers(), trustManagers.getTrustManagers(), null);
     return context;
   } catch (KeyStoreException
       | IOException
       | NoSuchAlgorithmException
       | CertificateException
       | UnrecoverableKeyException
       | KeyManagementException ex) {
     // Every checked failure is rethrown as an Error carrying the original cause.
     throw new Error("Unexpected exception", ex);
   }
 }
Пример #2
 /**
  * Applies process-wide network settings: DNS lookups are never cached and the IPv4 stack is
  * preferred.
  */
 private static void initSystemProperties() {
   // A TTL of 0 switches off the JVM's cache for failed and for successful lookups, so every
   // resolution goes back to the resolver. The JDK's java.security file describes the address
   // cache as protection against DNS spoofing, so this setting relies on a trusted resolver
   // path.
   Security.setProperty("networkaddress.cache.negative.ttl", "0");
   Security.setProperty("networkaddress.cache.ttl", "0");

   // Only IPv4 is supported at the moment.
   System.setProperty("java.net.preferIPv4Stack", "true");
 }
Пример #3
 /**
  * Copies the HTTP proxy host and port from the wealth-management module configuration into
  * system properties and selects the IBM JSSE2 socket factories as the JVM defaults.
  */
 public static void init() {
   // System.setProperty rejects a null value with a NullPointerException, so an entry missing
   // from the module configuration would fail here (assuming getProperty returns null for it).
   String proxyHost =
       StaticResourceFactory.getProperty(
           WMStaticConstants.WEALTH_MGMT_MODULE_NAME, WMStaticConstants.HTTP_PROXY_HOST);
   System.setProperty(WMStaticConstants.HTTP_PROXY_HOST, proxyHost);

   String proxyPort =
       StaticResourceFactory.getProperty(
           WMStaticConstants.WEALTH_MGMT_MODULE_NAME, WMStaticConstants.HTTP_PROXY_PORT);
   System.setProperty(WMStaticConstants.HTTP_PROXY_PORT, proxyPort);

   // These security properties name the default SSL socket factory classes for the whole JVM.
   // NOTE(review): the com.ibm.jsse2 classes presumably exist only on an IBM JRE - confirm the
   // deployment target.
   final String clientFactory = "com.ibm.jsse2.SSLSocketFactoryImpl";
   final String serverFactory = "com.ibm.jsse2.SSLServerSocketFactoryImpl";
   Security.setProperty("ssl.SocketFactory.provider", clientFactory);
   Security.setProperty("ssl.ServerSocketFactory.provider", serverFactory);
 }
Пример #4
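  /**
   * Builds the JavaMail session properties used to fetch mail over IMAP for the given account.
   *
   * <p>Accounts whose receive protocol type contains "gmail" get a fixed Gmail configuration;
   * all other accounts are configured from the account's port and transport security setting
   * ("ssl", "tls", or anything else for a plain connection).
   *
   * @param account the account whose receive settings are read
   * @return the properties to create the mail session with
   */
  private static Properties getImapMailProperties(Account account) {
    Properties props = new Properties();

    if (account.getReceiveProtocolType().contains("gmail")) {
      props.put("mail.imap.host", "imap.gmail.com");
      // NOTE(review): port 143 is combined with an SSL socket factory on port 993 and with
      // STARTTLS; which of these settings takes effect should be confirmed against the mail
      // library in use.
      props.put("mail.imap.port", "143");
      props.put("mail.imap.auth", "true");
      props.put("mail.store.protocol", "imap");
      props.put("mail.imap.starttls.enable", "true");
      props.put("mail.imap.socketFactory.port", "993");
      props.put("mail.imap.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
      // Key corrected from the misspelled "mail.iamp.socketFactory.fallback": under the wrong
      // name the setting was never read, so the default stayed in force and a failure of the
      // SSL socket factory could silently fall back to a plain java.net.Socket.
      props.put("mail.imap.socketFactory.fallback", "false");
    } else {

      props.setProperty("mail.imap.port", account.getReceivePort());
      props.setProperty("mail.imap.connectiontimeout", "30000");
      if ("ssl".equals(account.getReceiveTs())) {
        // JDK-internal provider class; registering it is a JVM-wide side effect.
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        props.setProperty("mail.imap.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        // No fallback to an unencrypted socket if the SSL factory cannot connect.
        props.setProperty("mail.imap.socketFactory.fallback", "false");
        props.setProperty("mail.imap.socketFactory.port", account.getReceivePort());
      } else if ("tls".equals(account.getReceiveTs())) {
        props.setProperty("mail.imap.starttls.enable", "true");
        // This replaces the default SSLSocketFactory for the whole JVM, not only for this
        // mail session.
        // NOTE(review): the class name suggests a factory that does not validate server
        // certificates - confirm what DummySSLSocketFactory does before relying on TLS here.
        java.security.Security.setProperty(
            "ssl.SocketFactory.provider", "com.archermind.txtbl.mail.DummySSLSocketFactory");
      }
    }

    return props;
  }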
Пример #5
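  /**
   * Performs core start-up: disables DNS caching, derives {@code unicorn.home} when it is not
   * set, and configures Log4j from {@code /unicorn_log4j.xml} if that file is on the classpath.
   *
   * @throws InitializationFailedException if the location of the Framework class cannot be
   *     converted to a URI
   */
  public static void initCore() throws InitializationFailedException {
    // TTL 0 disables the JVM's cache of successful DNS lookups for the whole process.
    java.security.Security.setProperty("networkaddress.cache.ttl", "0");
    if (System.getProperty("unicorn.home") == null) {
      try {
        URL frameworkDir = Framework.class.getResource("Framework.class");
        // Compare by value. The previous `!=` compared object references, which is not a
        // reliable test for string content; a "jar" URL could therefore enter this branch,
        // where new File(URI) only accepts hierarchical file URIs.
        if (!"jar".equals(frameworkDir.getProtocol())) {
          File unicornHome = new File(frameworkDir.toURI());
          // Walk six directory levels up from the class file to reach the installation root.
          for (int i = 0; i < 6; i++) {
            unicornHome = unicornHome.getParentFile();
          }
          System.setProperty("unicorn.home", unicornHome.getAbsolutePath());
        }
      } catch (URISyntaxException e) {
        throw new InitializationFailedException(e.getMessage(), e);
      }
    }

    // Log4j initialization attempt
    URL log4jURL = Framework.class.getResource("/unicorn_log4j.xml");
    if (log4jURL != null) {
      DOMConfigurator.configure(log4jURL);
      logger.info("OK - Log4j successfully initialized");
      logger.debug("> Used log4j.xml file: " + log4jURL.toString());
    } else {
      // The message now names the resource that is actually looked up above.
      logger.warn("Log4j config file \"unicorn_log4j.xml\" could not be found in classpath.");
      logger.warn("Log4j will not be initialized");
    }
  }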
  // Steps:
  // 1. Install unlimited strength encryption jar files in jre/lib/security
  // (e.g. http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html)
  // 2. run kinit
  // 3. Set system properties, e.g.:
  //    -Djava.security.krb5.realm=10GEN.ME -Djavax.security.auth.useSubjectCredsOnly=false
  //    -Djava.security.krb5.kdc=kdc.10gen.me
  //    auth.login.defaultCallbackHandler=name of class that implements
  //    javax.security.auth.callback.CallbackHandler
  // You may also need to define realms and domain_realm entries in your krb5.conf file (in /etc by
  // default)
  public static void main(String[] args) throws UnknownHostException, InterruptedException {
    // Names the JAAS callback handler to use by default, so that the login does not prompt for
    // username/password on the command line. This is a JVM-wide security property.
    Security.setProperty("auth.login.defaultCallbackHandler", "DefaultSecurityCallbackHandler");

    // Positional arguments: server address, user (principal) name, database name.
    String server = args[0];
    String user = args[1];
    String dbName = args[2];

    // GSSAPI (Kerberos) credentials: no password is passed here; the login is expected to come
    // from the environment prepared in the steps above.
    ServerAddress address = new ServerAddress(server);
    MongoClientCredentials credentials =
        new MongoClientCredentials(user, MongoClientCredentials.GSSAPI_MECHANISM);
    MongoClientAuthority authority = new MongoClientAuthority(address, credentials);
    MongoClientOptions options =
        new MongoClientOptions.Builder().socketKeepAlive(true).socketTimeout(30000).build();

    MongoClient mongo = new MongoClient(authority, options);
    DB testDB = mongo.getDB(dbName);

    // Read, count, insert an empty document, then count again to show the write took effect.
    System.out.println("Find     one: " + testDB.getCollection("test").findOne());
    System.out.println("Count: " + testDB.getCollection("test").count());
    WriteResult writeResult = testDB.getCollection("test").insert(new BasicDBObject());
    System.out.println("Write result: " + writeResult);

    System.out.println();

    System.out.println("Count: " + testDB.getCollection("test").count());
  }
Пример #7
 // Check that the Security package.access control works.
 public void testPackageAccess() {
   final String deniedCodeBase = "/groovy/security/javax/print/deny";
   final String allowedCodeBase = "/groovy/security/javax/print/allow";
   String script = "new javax.print.PrintException();";

   // Put javax.print on the restricted-package list. setProperty replaces the whole
   // package.access value rather than appending to it, and the change stays in effect for the
   // rest of the JVM's lifetime unless another test resets it.
   Security.setProperty("package.access", "javax.print");

   // Expected to fail with an access control exception: this code base is not granted access
   // to javax.print, so the named permission is the one that should be reported missing.
   RuntimePermission missingPermission =
       new RuntimePermission("accessClassInPackage.javax.print");
   assertExecute(script, deniedCodeBase, missingPermission);

   // Expected to succeed: groovy.policy grants this code base access to javax.print.
   assertExecute(script, allowedCodeBase, null);
 }
Пример #8
    /**
     * Servlet start-up: pins the JVM's DNS cache, loads the IP list, starts the query thread and
     * then runs the superclass initialisation.
     *
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init() throws ServletException {
      // -1 caches successful DNS lookups for the lifetime of the JVM, so a later change of a
      // host's address is not seen until the process restarts. The negative-lookup TTL is left
      // at the JDK default (an override to 60 seconds was considered here but is not active).
      final String cacheForever = "-1";
      java.security.Security.setProperty("networkaddress.cache.ttl", cacheForever);

      loadIPs();
      startQueryThread();

      super.init();
    }
Пример #9
 public static void main(String[] args) throws Exception {
   // Clears the krb5.kdc.bad.policy security property for this run.
   // NOTE(review): presumably this makes the run exercise the behaviour with no bad-KDC policy
   // configured - confirm against BadKdc.
   Security.setProperty("krb5.kdc.bad.policy", "");

   // Expected patterns, passed to BadKdc.go in this order.
   final String firstPattern = "121212222222(32){1,2}121212222222(32){1,2}";
   final String secondPattern = "121212222222(32){1,2}121212222222(32){1,2}";
   // refresh
   final String afterRefresh = "121212222222(32){1,2}121212222222(32){1,2}";
   // k3 off k2 on
   final String k3OffK2On = "121212(22){1,2}121212(22){1,2}";
   // k1 on
   final String k1On = "(12){2,4}";

   BadKdc.go(firstPattern, secondPattern, afterRefresh, k3OffK2On, k1On);
 }
Пример #10
 /**
  * Builds the JavaMail session properties used to fetch mail over POP3 for the given account.
  *
  * @param account the account whose receive port and transport security setting are read
  * @return the properties to create the mail session with
  */
 private static Properties getPop3MailProperties(Account account) {
   Properties props = new Properties();
   props.setProperty("mail.pop3.port", account.getReceivePort());
   props.setProperty("mail.pop3.connectiontimeout", "30000");

   if ("ssl".equals(account.getReceiveTs())) {
     // JDK-internal provider class; registering it is a JVM-wide side effect.
     Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
     props.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
     // No fallback to an unencrypted socket if the SSL factory cannot connect.
     props.setProperty("mail.pop3.socketFactory.fallback", "false");
     props.setProperty("mail.pop3.socketFactory.port", account.getReceivePort());
     return props;
   }

   if ("tls".equals(account.getReceiveTs())) {
     props.setProperty("mail.pop3.starttls.enable", "true");
     // This replaces the default SSLSocketFactory for the whole JVM, not only for this mail
     // session.
     // NOTE(review): the class name suggests a factory that does not validate server
     // certificates - confirm what DummySSLSocketFactory does before relying on TLS here.
     java.security.Security.setProperty(
         "ssl.SocketFactory.provider", "com.archermind.txtbl.mail.DummySSLSocketFactory");
   }
   return props;
 }
  /**
   * Get ip address of target hosts. <br>
   * if target hosts 'a.com:1.1.1.1' add 'a.com' & '1.1.1.1' <br>
   * if target hosts ':1.1.1.1' add : '1.1.1.1' <br>
   * if target hosts '1.1.1.1' add : '1.1.1.1' <br>
   * <br>
   * Add controller host<br>
   */
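  private void initAccessOfHosts() {
    // etcHosts is a comma-separated list of "name:ip", ":ip" or "ip" entries.
    // NOTE(review): entries are split on ':', so an IPv6 literal would be cut into pieces -
    // confirm only host names and IPv4 addresses are expected here.
    for (String entry : etcHosts.split(",")) {
      String[] addresses = entry.split(":");
      if (addresses.length == 0) {
        // The entry consisted only of separators; nothing to allow.
        continue;
      }
      String first = addresses[0].trim();
      String last = addresses[addresses.length - 1].trim();
      // Blank parts are skipped so the allow-list never receives an empty host: previously
      // ":1.1.1.1" (and an empty etcHosts) added "" to the list, contrary to the documented
      // behaviour of adding only '1.1.1.1'.
      if (!first.isEmpty()) {
        allowedHost.add(first);
      }
      if (addresses.length > 1 && !last.isEmpty()) {
        allowedHost.add(last);
      }
    }

    // add controller host
    allowedHost.add(consoleIP);
    try {
      // TTL 0 disables the JVM's cache of successful DNS lookups for the whole process.
      java.security.Security.setProperty("networkaddress.cache.ttl", "0");
    } catch (Exception e) {
      // Best effort: if the property cannot be set (for example because setting it is not
      // permitted), the default cache policy stays in place.
    }
  }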
Пример #12
 /**
  * Writes a JAAS login config file containing as many useful entries as possible, including JGSS
  * style initiator/acceptor and normal JAAS entries with names using existing OneKDC principals.
  *
  * @throws IOException if the config file cannot be written
  */
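 public void writeJAASConf() throws IOException {
   // Point JAAS at the file written below; this system property applies to the whole JVM.
   System.setProperty("java.security.auth.login.config", JAAS_CONF);

   // Five login entries: the two JGSS ones (initiate/accept) plus client, server and backend.
   // The accept, server and backend entries use a keytab and a fixed principal.
   String conf =
       "com.sun.security.jgss.krb5.initiate {\n"
           + "    com.sun.security.auth.module.Krb5LoginModule required;\n};\n"
           + "com.sun.security.jgss.krb5.accept {\n"
           + "    com.sun.security.auth.module.Krb5LoginModule required\n"
           + "    principal=\""
           + SERVER
           + "\"\n"
           + "    useKeyTab=true\n"
           + "    isInitiator=false\n"
           + "    storeKey=true;\n};\n"
           + "client {\n"
           + "    com.sun.security.auth.module.Krb5LoginModule required;\n};\n"
           + "server {\n"
           + "    com.sun.security.auth.module.Krb5LoginModule required\n"
           + "    principal=\""
           + SERVER
           + "\"\n"
           + "    useKeyTab=true\n"
           + "    storeKey=true;\n};\n"
           + "backend {\n"
           + "    com.sun.security.auth.module.Krb5LoginModule required\n"
           + "    principal=\""
           + BACKEND
           + "\"\n"
           + "    useKeyTab=true\n"
           + "    storeKey=true\n"
           + "    isInitiator=false;\n};\n";

   File f = new File(JAAS_CONF);
   FileOutputStream fos = new FileOutputStream(f);
   // Registered as soon as the file exists, so it is cleaned up even if the write fails.
   f.deleteOnExit();
   try {
     fos.write(conf.getBytes());
   } finally {
     // Close on every path; previously a failed write leaked the open stream.
     fos.close();
   }

   // Names the JAAS callback handler class to use when a login supplies none.
   Security.setProperty("auth.login.defaultCallbackHandler", "OneKDC$CallbackForClient");
 }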
  /**
   * Prepares the Kinesis client library configuration: loads optional properties, sets the DNS
   * cache lifetime, builds a worker id and resolves AWS credentials.
   *
   * @param propertiesFile properties file to load first, or {@code null} to skip loading
   * @throws IOException declared for property loading and local host lookup
   */
  private static void configure(String propertiesFile) throws IOException {
    if (propertiesFile != null) {
      loadProperties(propertiesFile);
    }

    // Cached addresses of AWS resources (e.g. service endpoints) expire after 60 seconds, so
    // the JVM picks up endpoint IP changes. The property is JVM-wide.
    java.security.Security.setProperty("networkaddress.cache.ttl", "60");

    // Worker id = canonical host name plus a random UUID; note that it is written to the log.
    String hostName = InetAddress.getLocalHost().getCanonicalHostName();
    String workerId = hostName + ":" + UUID.randomUUID();
    LOG.info("Using workerId: " + workerId);

    // Instance profile (IMDS) credentials first; the credential profiles file is the fallback.
    AWSCredentialsProvider provider;
    try {
      provider = new InstanceProfileCredentialsProvider();
      // Fetch once now so an unusable provider is detected here.
      provider.getCredentials();
      LOG.info("Obtained credentials from the IMDS.");
    } catch (AmazonClientException e) {
      LOG.info("Unable to obtain credentials from the IMDS, trying classpath properties", e);
      provider = new ProfileCredentialsProvider();
      // Same check for the fallback; a failure here propagates to the caller.
      provider.getCredentials();
      LOG.info("Obtained credentials from the properties file.");
    }

    // NOTE(review): only the access key id is logged, never the secret key, but the id still
    // identifies the principal in use - check who can read these logs.
    String accessKeyId = provider.getCredentials().getAWSAccessKeyId();
    LOG.info("Using credentials with access key id: " + accessKeyId);

    kinesisClientLibConfiguration =
        new KinesisClientLibConfiguration(applicationName, streamName, provider, workerId)
            .withInitialPositionInStream(initialPositionInStream)
            .withRegionName(kinesisEndpoint);
  }
Пример #14
  /**
   * Application start-up: sets the DNS cache lifetime, checks the platform encoding, initialises
   * container, plugins and GUI, and installs the launcher that opens URLs in the desktop browser.
   *
   * @throws Exception if one of the initialisation steps fails
   */
  public void initialize() throws Exception {
    // JVM-wide lifetime of cached DNS lookups, taken from AWS_RECOMMENDED_DNS_CACHE_TTL.
    Security.setProperty("networkaddress.cache.ttl", AWS_RECOMMENDED_DNS_CACHE_TTL);
    AbstractNavigation.DEFAULT_AUTOCOMMIT_DELAY = 2000;

    String platformEncoding = System.getProperty("file.encoding");
    boolean isUtf8 = platformEncoding.equals("UTF-8");
    if (!isUtf8) {
      logger.warn("default encoding " + platformEncoding + " is not UTF-8");
    }

    initContainer();
    initPlugins();
    initGui();

    // Each request is served on its own thread so the caller is not blocked by the browser.
    // NOTE(review): the url is handed to Desktop.browse unchanged; confirm that callers only
    // pass URLs from trusted sources, since the desktop decides how to handle the scheme.
    documentLauncher =
        url -> {
          Runnable openInBrowser =
              () -> {
                try {
                  Desktop.getDesktop().browse(new URI(url));
                } catch (IOException | URISyntaxException e) {
                  logger.error("failed to open uri", e);
                }
              };
          new Thread(openInBrowser).start();
        };
  }
Пример #15
  /* (non-Javadoc)
   * @see org.claros.commons.mail.protocols.FetchProtocol#connect(int)
   */
  // Drops any existing connection, then (re)connects to the mail store described by `profile`,
  // opens the inbox in the requested mode and returns the connection handler.
  //
  // connectType is passed unchanged to the folder's open() call.
  // Returns the `handler` field; on the error paths that only print a message this may be a
  // handler whose store never connected (see the catch blocks below).
  // Throws SystemException when the protocol provider is missing and ConnectionException for
  // other messaging failures.
  public ConnectionMetaHandler connect(int connectType)
      throws SystemException, ConnectionException, ServerDownException {
    try {
      try {
        // Close whatever is open, then wait two seconds before reconnecting.
        disconnect();
        try {
          Thread.sleep(2000);
        } catch (Exception k) {
          // Ignored, including InterruptedException: the interrupt status is not restored.
        }
      } catch (Exception k) {
        // A failing disconnect is ignored; the connect attempt below still runs.
      }

      if (handler == null || !handler.getStore().isConnected()) {
        Properties props = new Properties();

        // Without fetchSSL == "true" the session is created with empty properties.
        if (profile.getFetchSSL() != null && profile.getFetchSSL().toLowerCase().equals("true")) {
          // JDK-internal provider class; registering it is a JVM-wide side effect.
          Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

          // This replaces the default SSLSocketFactory for the whole JVM, not only for this
          // mail session.
          // NOTE(review): the class name suggests a factory that does not validate server
          // certificates - confirm what DummySSLSocketFactory does before relying on SSL here.
          Security.setProperty(
              "ssl.SocketFactory.provider",
              "org.claros.commons.mail.protocols.DummySSLSocketFactory");
          props.setProperty("mail.store.protocol", "pop3");
          props.setProperty("mail.pop3.host", profile.getFetchServer());
          props.setProperty("mail.pop3.port", profile.getFetchPort());

          props.setProperty(
              "mail.pop3.socketFactory.class",
              "org.claros.commons.mail.protocols.DummySSLSocketFactory");
          // No fallback to an unencrypted socket if the SSL factory cannot connect.
          props.setProperty("mail.pop3.socketFactory.fallback", "false");
          // mail.pop3.port is set a second time here with the same value.
          props.setProperty("mail.pop3.port", profile.getFetchPort());
          props.setProperty("mail.pop3.socketFactory.port", profile.getFetchPort());
        }

        Session session = Session.getInstance(props);
        // The handler field is replaced before the store connects, so a failure below leaves
        // a handler with an unconnected store in place.
        handler = new ConnectionMetaHandler();
        handler.setStore(session.getStore(profile.getProtocol()));
        handler
            .getStore()
            .connect(
                profile.getFetchServer(),
                profile.getIFetchPort(),
                auth.getUsername(),
                auth.getPassword());
        // Start at the default folder, then switch to the profile's inbox and open it.
        handler.setMbox(handler.getStore().getDefaultFolder());
        handler.setMbox(handler.getMbox().getFolder(Constants.FOLDER_INBOX(profile)));
        handler.getMbox().open(connectType);

        // storing the folder in map
        pop3Folders.put(auth.getUsername(), handler.getMbox());

        handler.setTotalMessagesCount(handler.getMbox().getMessageCount());
      }
    } catch (AuthenticationFailedException e) {
      // NOTE(review): every authentication failure, including a wrong password, is reported
      // as a busy mailbox and is not rethrown; the caller still receives `handler`.
      System.out.println(
          "Pop3 Mailbox was busy with another session and there is a read write lock. A few minutes later when the lock is released everything will be fine.");
    } catch (NoSuchProviderException e) {
      System.out.println(profile.getProtocol() + " provider could not be found.");
      throw new SystemException(e);
    } catch (MessagingException e) {
      System.out.println("Connection could not be established.");
      throw new ConnectionException(e);
    } catch (Exception e) {
      // Any other failure is printed and swallowed; `handler` is returned as it stands.
      e.printStackTrace();
    }
    return handler;
  }
 // Required by GreenMail.
 static {
   // Runs once when the class is loaded and replaces the default SSLSocketFactory for the
   // whole JVM, so every later user of the default factory in this process is affected.
   // NOTE(review): the class name suggests a factory that does not validate server
   // certificates - confirm this class is only ever loaded in test runs.
   final String factoryClassName = DummySSLSocketFactory.class.getName();
   Security.setProperty("ssl.SocketFactory.provider", factoryClassName);
 }
Пример #17
 // Test to prevent scripts from invoking the groovy compiler.  This is done by restricting access
 // to the org.codehaus.groovy packages.
 public void testMetaClassTest() {
   // Put org.codehaus.groovy on the restricted-package list. setProperty replaces the whole
   // package.access value, and the change stays in effect for the rest of the JVM's lifetime
   // unless another test resets it.
   Security.setProperty("package.access", "org.codehaus.groovy");

   File script = new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy");
   // The permission the script is expected to be denied.
   RuntimePermission missingPermission =
       new RuntimePermission("accessClassInPackage.org.codehaus.groovy");
   assertExecute(script, missingPermission);
 }