Пример #1
0
  public void receive_request_service_contexts(ServerRequestInfo ri) {
    ServiceContext ctx;
    try {
      ctx = ri.get_request_service_context(SERVICE_ID);
    } catch (org.omg.CORBA.BAD_PARAM e) {
      logger.debug(
          "tid=" + Thread.currentThread().getName() + "," + "**Service context was not specified");
      return;
    }

    if (null == ctx) {
      logger.debug("tid=" + Thread.currentThread().getName() + "," + "**Service context is null");
      return;
    }

    try {
      Any slotDataAsAny = codec.decode(ctx.context_data);

      // Get the slot data as a string
      String slotDataAsStr;
      if (null == (slotDataAsStr = slotDataAsAny.extract_string())) {
        logger.debug("slotDataAsStr=<null>");
      } else {
        logger.debug("slotDataAsStr=" + slotDataAsStr);
      }

      slotDataAsStr += ":receive_request_service_contexts";

      slotDataAsAny.insert_string(slotDataAsStr);

      ri.set_slot(slot_id, slotDataAsAny);
    } catch (Exception e) {
      throw new INTERNAL("Caught " + e);
    }
  }
Пример #2
0
  /**
   * Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code
   * CSIIOP}. {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such
   * component can exist inside an IOR.
   *
   * <p>Should be called with non-null metadata, in which case we probably don't want to include
   * security info in the IOR.
   *
   * @param metadata the metadata object that contains the CSIv2 security configuration info.
   * @param codec the {@code Codec} used to encode the CSIv2 security component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
   */
  public static TaggedComponent createSecurityTaggedComponent(
      IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
      JacORBLogger.ROOT_LOGGER.createSecurityTaggedComponentWithNullMetaData();
      return null;
    }

    TaggedComponent tc;

    // get the the supported security mechanisms.
    CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);

    // the above is wrapped into a CSIIOP.CompoundSecMechList structure, which is NOT a
    // CompoundSecMech[].
    // we don't support stateful/reusable security contexts (false).
    CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
    // finally, the CompoundSecMechList must be encoded as a TaggedComponent
    try {
      Any any = orb.create_any();
      CompoundSecMechListHelper.insert(any, csmList);
      byte[] b = codec.encode_value(any);
      tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
    } catch (InvalidTypeForEncoding e) {
      throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
  }
Пример #3
0
  public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
      org.omg.CORBA.Any any = ri.get_slot(slot_id);

      if (any.type().kind().value() == org.omg.CORBA.TCKind._tk_null) {
        logger.debug(
            "tid="
                + Thread.currentThread().getName()
                + ","
                + "ClientInterceptor.send_request, slot is empty");
      } else {
        logger.debug(
            "tid="
                + Thread.currentThread().getName()
                + ","
                + "ClientInterceptor.send_request, adding ServiceContext");

        ServiceContext ctx = new ServiceContext(SERVICE_ID, codec.encode(any));

        ri.add_request_service_context(ctx, false);
      }
    } catch (Exception e) {
      throw new INTERNAL("Caught " + e);
    }
  }
Пример #4
0
  /**
   * Decodes an ASN.1-encoded {@code InitialContextToken}. See {@code encodeInitialContextToken} for
   * a description of the encoded token format.
   *
   * @param encodedToken the encoded token.
   * @param codec the {@code Codec} used to decode the token.
   * @return the decoded {@code InitialContextToken} instance.
   * @see #encodeInitialContextToken(org.omg.GSSUP.InitialContextToken, org.omg.IOP.Codec)
   */
  public static InitialContextToken decodeInitialContextToken(byte[] encodedToken, Codec codec) {
    if (encodedToken[0] != 0x60) return null;

    int encodedLength = 0;
    int n = 0;

    if (encodedToken[1] >= 0) encodedLength = encodedToken[1];
    else {
      n = encodedToken[1] & 0x7F;
      for (int i = 1; i <= n; i++) {
        encodedLength += (encodedToken[1 + i] & 0xFF) << (n - i) * 8;
      }
    }

    int length = encodedLength - gssUpMechOidArray.length;
    byte[] encodedInitialContextToken = new byte[length];

    System.arraycopy(
        encodedToken, 2 + n + gssUpMechOidArray.length, encodedInitialContextToken, 0, length);
    Any any;
    try {
      any = codec.decode_value(encodedInitialContextToken, InitialContextTokenHelper.type());
    } catch (Exception e) {
      return null;
    }

    return InitialContextTokenHelper.extract(any);
  }
Пример #5
0
  /**
   * Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code
   * CSIIOP}. {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such
   * component can exist inside an IOR.
   *
   * <p>Should be called with non-null metadata, in which case we probably don't want to include
   * security info in the IOR.
   *
   * @param metadata the metadata object that contains the CSIv2 security configuration info.
   * @param codec the {@code Codec} used to encode the CSIv2 security component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
   */
  public static TaggedComponent createSecurityTaggedComponent(
      IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
      log.debugf("createSecurityTaggedComponent() called with null metadata");
      return null;
    }

    TaggedComponent tc;

    // get the the supported security mechanisms.
    CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);

    // the above is wrapped into a CSIIOP.CompoundSecMechList structure, which is NOT a
    // CompoundSecMech[].
    // we don't support stateful/reusable security contexts (false).
    CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
    // finally, the CompoundSecMechList must be encoded as a TaggedComponent
    try {
      Any any = orb.create_any();
      CompoundSecMechListHelper.insert(any, csmList);
      byte[] b = codec.encode_value(any);
      tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
    } catch (InvalidTypeForEncoding e) {
      log.warn("Caught unexcepted exception while encoding CompoundSecMechList", e);
      throw new RuntimeException(e);
    }
    return tc;
  }
Пример #6
0
  /**
   * Helper method to be called from a client request interceptor. The {@code ri} parameter refers
   * to the current request. This method returns the first {@code CompoundSecMech} found in the
   * target IOR such that
   *
   * <ul>
   *   <li>all {@code CompoundSecMech} requirements are satisfied by the options in the {@code
   *       clientSupports} parameter, and
   *   <li>every requirement in the {@code clientRequires} parameter is satisfied by the {@code
   *       CompoundSecMech}.
   * </ul>
   *
   * The method returns null if the target IOR contains no {@code CompoundSecMech}s or if no
   * matching {@code CompoundSecMech} is found.
   *
   * <p>Since this method is intended to be called from a client request interceptor, it converts
   * unexpected exceptions into {@code MARSHAL} exceptions.
   *
   * @param ri a reference to the current {@code ClientRequestInfo}.
   * @param codec the {@code Codec} used to decode the CSIv2 components.
   * @param clientSupports the client supported transport options that must be satisfied by the
   *     {@code CompoundSecMech}.
   * @param clientRequires the client required transport options that must be satisfied by the
   *     {@code CompoundSecMech}.
   * @return the {@code CompoundSecMech} instance that satisfies all client options, or {@code null}
   *     if no such object can be found.
   */
  public static CompoundSecMech getMatchingSecurityMech(
      ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
    CompoundSecMechList csmList;
    try {
      TaggedComponent tc = ri.get_effective_component(TAG_CSI_SEC_MECH_LIST.value);

      Any any = codec.decode_value(tc.component_data, CompoundSecMechListHelper.type());
      csmList = CompoundSecMechListHelper.extract(any);

      // look for the first matching security mech.
      for (int i = 0; i < csmList.mechanism_list.length; i++) {
        CompoundSecMech securityMech = csmList.mechanism_list[i];
        AS_ContextSec authConfig = securityMech.as_context_mech;

        if ((EstablishTrustInTarget.value
                & (clientRequires ^ authConfig.target_supports)
                & ~authConfig.target_supports)
            != 0) {
          // client requires EstablishTrustInTarget, but target does not support it: skip this
          // securityMech.
          continue;
        }

        if ((EstablishTrustInClient.value
                & (authConfig.target_requires ^ clientSupports)
                & ~clientSupports)
            != 0) {
          // target requires EstablishTrustInClient, but client does not support it: skip this
          // securityMech.
          continue;
        }

        SAS_ContextSec identityConfig = securityMech.sas_context_mech;

        if ((IdentityAssertion.value
                & (identityConfig.target_requires ^ clientSupports)
                & ~clientSupports)
            != 0) {
          // target requires IdentityAssertion, but client does not support it: skip this
          // securityMech
          continue;
        }

        // found matching securityMech.
        return securityMech;
      }
      // no matching securityMech was found.
      return null;
    } catch (BAD_PARAM e) {
      // no component with TAG_CSI_SEC_MECH_LIST was found.
      return null;
    } catch (org.omg.IOP.CodecPackage.TypeMismatch e) {
      // unexpected exception in codec
      throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
    } catch (org.omg.IOP.CodecPackage.FormatMismatch e) {
      // unexpected exception in codec
      throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
    }
  }
Пример #7
0
  /**
   * ASN.1-encode an {@code InitialContextToken} as defined in RFC 2743, Section 3.1,
   * "Mechanism-Independent Token Format", pp. 81-82. The encoded token contains the ASN.1 tag 0x60,
   * followed by a token length (which is itself stored in a variable-length format and takes 1 to 5
   * bytes), the GSSUP mechanism identifier, and a mechanism-specific token, which in this case is a
   * CDR encapsulation of the GSSUP {@code InitialContextToken} in the {@code authToken} parameter.
   *
   * @param authToken the {@code InitialContextToken} to be encoded.
   * @param codec the {@code Codec} used to encode the token.
   * @return a {@code byte[]} representing the encoded token.
   */
  public static byte[] encodeInitialContextToken(InitialContextToken authToken, Codec codec) {
    byte[] out;
    Any any = ORB.init().create_any();
    InitialContextTokenHelper.insert(any, authToken);
    try {
      out = codec.encode_value(any);
    } catch (Exception e) {
      return new byte[0];
    }

    int length = out.length + gssUpMechOidArray.length;
    int n;

    if (length < (1 << 7)) {
      n = 0;
    } else if (length < (1 << 8)) {
      n = 1;
    } else if (length < (1 << 16)) {
      n = 2;
    } else if (length < (1 << 24)) {
      n = 3;
    } else { // if (length < (1 << 32))
      n = 4;
    }

    byte[] encodedToken = new byte[2 + n + length];
    encodedToken[0] = 0x60;

    if (n == 0) {
      encodedToken[1] = (byte) length;
    } else {
      encodedToken[1] = (byte) (n | 0x80);
      switch (n) {
        case 1:
          encodedToken[2] = (byte) length;
          break;
        case 2:
          encodedToken[2] = (byte) (length >> 8);
          encodedToken[3] = (byte) length;
          break;
        case 3:
          encodedToken[2] = (byte) (length >> 16);
          encodedToken[3] = (byte) (length >> 8);
          encodedToken[4] = (byte) length;
          break;
        default: // case 4:
          encodedToken[2] = (byte) (length >> 24);
          encodedToken[3] = (byte) (length >> 16);
          encodedToken[4] = (byte) (length >> 8);
          encodedToken[5] = (byte) length;
      }
    }
    System.arraycopy(gssUpMechOidArray, 0, encodedToken, 2 + n, gssUpMechOidArray.length);
    System.arraycopy(out, 0, encodedToken, 2 + n + gssUpMechOidArray.length, out.length);

    return encodedToken;
  }
Пример #8
0
  /**
   * Create a transport mechanism {@code TaggedComponent} to be stuffed into a {@code
   * CompoundSecMech}.
   *
   * <p>If no {@code TransportConfig} metadata is specified, or ssl port is negative, or the
   * specified metadata indicates that transport config is not supported, then a {@code
   * TAG_NULL_TAG} (empty) {@code TaggedComponent} will be returned.
   *
   * <p>Otherwise a {@code CSIIOP.TLS_SEC_TRANS}, tagged as {@code TAG_TLS_SEC_TRANS} will be
   * returned, indicating support for TLS/SSL as a CSIv2 transport mechanism.
   *
   * <p>Multiple {@code TransportAddress} may be included in the SSL info (host/port pairs), but we
   * only include one.
   *
   * @param tconfig the transport configuration metadata.
   * @param codec the {@code Codec} used to encode the transport configuration.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return the constructed {@code TaggedComponent}.
   */
  public static TaggedComponent createTransportMech(
      TransportConfig tconfig, Codec codec, int sslPort, ORB orb) {

    TaggedComponent tc;

    // what we support and require as a target.
    int support = 0;
    int require = 0;

    if (tconfig != null) {
      require = createTargetRequires(tconfig);
      support = createTargetSupports(tconfig);
    }

    if (tconfig == null || support == 0 || sslPort < 0) {
      // no support for transport security.
      tc = new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
    } else {
      // my ip address.
      String host;
      try {
        host = InetAddress.getLocalHost().getHostAddress();
      } catch (java.net.UnknownHostException e) {
        host = "127.0.0.1";
      }

      // this will create only one transport address.
      TransportAddress[] taList = createTransportAddress(host, sslPort);
      TLS_SEC_TRANS tst = new TLS_SEC_TRANS((short) support, (short) require, taList);

      // The tricky part, we must encode TLS_SEC_TRANS into an octet sequence.
      try {
        Any any = orb.create_any();
        TLS_SEC_TRANSHelper.insert(any, tst);
        byte[] b = codec.encode_value(any);
        tc = new TaggedComponent(TAG_TLS_SEC_TRANS.value, b);
      } catch (InvalidTypeForEncoding e) {
        log.warn("Caught unexcepted exception while encoding TLS_SEC_TRANS", e);
        throw new RuntimeException(e);
      }
    }

    return tc;
  }
Пример #9
0
  /**
   * Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing a
   * structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
   *
   * <p>Should be called with non-null metadata, in which case we probably don't want to include
   * security info in the IOR.
   *
   * @param metadata the metadata object that contains the SSL configuration info.
   * @param codec the {@code Codec} used to encode the SSL component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return a {@code TaggedComponent} representing the encoded SSL component.
   */
  public static TaggedComponent createSSLTaggedComponent(
      IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
      JacORBLogger.ROOT_LOGGER.createSSLTaggedComponentWithNullMetaData();
      return null;
    }

    TaggedComponent tc;
    try {
      int supports = createTargetSupports(metadata.getTransportConfig());
      int requires = createTargetRequires(metadata.getTransportConfig());
      SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
      Any any = orb.create_any();
      SSLHelper.insert(any, ssl);
      byte[] componentData = codec.encode_value(any);
      tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
    } catch (InvalidTypeForEncoding e) {
      throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
  }
Пример #10
0
  public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    System.out.println("[" + Thread.currentThread() + "] ClientInterceptor: send_request()");

    try {
      org.omg.CORBA.Any any = ri.get_slot(slot_id);

      System.out.println(
          "["
              + Thread.currentThread()
              + "] ClientInterceptor: send_request() - get_slot() = "
              + any);

      if (any.type().kind().value() != org.omg.CORBA.TCKind._tk_null) {
        ServiceContext ctx = new ServiceContext(4711, codec.encode(any));

        ri.add_request_service_context(ctx, false);
      }
    } catch (Exception e) {
      e.printStackTrace();
      throw new INTERNAL(e.getMessage());
    }
  }
Пример #11
0
  /**
   * Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing an
   * structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
   *
   * <p>Should be called with non-null metadata, in which case we probably don't want to include
   * security info in the IOR.
   *
   * @param metadata the metadata object that contains the SSL configuration info.
   * @param codec the {@code Codec} used to encode the SSL component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return a {@code TaggedComponent} representing the encoded SSL component.
   */
  public static TaggedComponent createSSLTaggedComponent(
      IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
      log.debugf("createSSLTaggedComponent() called with null metadata");
      return null;
    }

    TaggedComponent tc;
    try {
      int supports = createTargetSupports(metadata.getTransportConfig());
      int requires = createTargetRequires(metadata.getTransportConfig());
      SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
      Any any = orb.create_any();
      SSLHelper.insert(any, ssl);
      byte[] componentData = codec.encode_value(any);
      tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
    } catch (InvalidTypeForEncoding e) {
      log.warn("Caught unexcepted exception while encoding SSL component", e);
      throw new RuntimeException(e);
    }
    return tc;
  }
Пример #12
0
  /**
   * Create a transport mechanism {@code TaggedComponent} to be stuffed into a {@code
   * CompoundSecMech}.
   *
   * <p>If no {@code TransportConfig} metadata is specified, or ssl port is negative, or the
   * specified metadata indicates that transport config is not supported, then a {@code
   * TAG_NULL_TAG} (empty) {@code TaggedComponent} will be returned.
   *
   * <p>Otherwise a {@code CSIIOP.TLS_SEC_TRANS}, tagged as {@code TAG_TLS_SEC_TRANS} will be
   * returned, indicating support for TLS/SSL as a CSIv2 transport mechanism.
   *
   * <p>Multiple {@code TransportAddress} may be included in the SSL info (host/port pairs), but we
   * only include one.
   *
   * @param tconfig the transport configuration metadata.
   * @param codec the {@code Codec} used to encode the transport configuration.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return the constructed {@code TaggedComponent}.
   */
  public static TaggedComponent createTransportMech(
      IORTransportConfigMetaData tconfig, Codec codec, int sslPort, ORB orb) {

    TaggedComponent tc;

    // what we support and require as a target.
    int support = 0;
    int require = 0;

    if (tconfig != null) {
      require = createTargetRequires(tconfig);
      support = createTargetSupports(tconfig);
    }

    if (tconfig == null || support == 0 || sslPort < 0) {
      // no support for transport security.
      tc = new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
    } else {
      // my ip address.
      String host = CorbaORBService.getORBProperty(JacORBSubsystemConstants.ORB_ADDRESS);

      // this will create only one transport address.
      TransportAddress[] taList = createTransportAddress(host, sslPort);
      TLS_SEC_TRANS tst = new TLS_SEC_TRANS((short) support, (short) require, taList);

      // The tricky part, we must encode TLS_SEC_TRANS into an octet sequence.
      try {
        Any any = orb.create_any();
        TLS_SEC_TRANSHelper.insert(any, tst);
        byte[] b = codec.encode_value(any);
        tc = new TaggedComponent(TAG_TLS_SEC_TRANS.value, b);
      } catch (InvalidTypeForEncoding e) {
        throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
      }
    }

    return tc;
  }