public void receive_request_service_contexts(ServerRequestInfo ri) {
ServiceContext ctx;
try {
ctx = ri.get_request_service_context(SERVICE_ID);
} catch (org.omg.CORBA.BAD_PARAM e) {
logger.debug(
"tid=" + Thread.currentThread().getName() + "," + "**Service context was not specified");
return;
}
if (null == ctx) {
logger.debug("tid=" + Thread.currentThread().getName() + "," + "**Service context is null");
return;
}
try {
Any slotDataAsAny = codec.decode(ctx.context_data);
// Get the slot data as a string
String slotDataAsStr;
if (null == (slotDataAsStr = slotDataAsAny.extract_string())) {
logger.debug("slotDataAsStr=<null>");
} else {
logger.debug("slotDataAsStr=" + slotDataAsStr);
}
slotDataAsStr += ":receive_request_service_contexts";
slotDataAsAny.insert_string(slotDataAsStr);
ri.set_slot(slot_id, slotDataAsAny);
} catch (Exception e) {
throw new INTERNAL("Caught " + e);
}
}
/**
* Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code
* CSIIOP}. {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such
* component can exist inside an IOR.
*
* <p>Should be called with non-null metadata, in which case we probably don't want to include
* security info in the IOR.
*
* @param metadata the metadata object that contains the CSIv2 security configuration info.
* @param codec the {@code Codec} used to encode the CSIv2 security component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
*/
public static TaggedComponent createSecurityTaggedComponent(
IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
if (metadata == null) {
JacORBLogger.ROOT_LOGGER.createSecurityTaggedComponentWithNullMetaData();
return null;
}
TaggedComponent tc;
// get the the supported security mechanisms.
CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
// the above is wrapped into a CSIIOP.CompoundSecMechList structure, which is NOT a
// CompoundSecMech[].
// we don't support stateful/reusable security contexts (false).
CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
// finally, the CompoundSecMechList must be encoded as a TaggedComponent
try {
Any any = orb.create_any();
CompoundSecMechListHelper.insert(any, csmList);
byte[] b = codec.encode_value(any);
tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
} catch (InvalidTypeForEncoding e) {
throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
}
return tc;
}
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
try {
org.omg.CORBA.Any any = ri.get_slot(slot_id);
if (any.type().kind().value() == org.omg.CORBA.TCKind._tk_null) {
logger.debug(
"tid="
+ Thread.currentThread().getName()
+ ","
+ "ClientInterceptor.send_request, slot is empty");
} else {
logger.debug(
"tid="
+ Thread.currentThread().getName()
+ ","
+ "ClientInterceptor.send_request, adding ServiceContext");
ServiceContext ctx = new ServiceContext(SERVICE_ID, codec.encode(any));
ri.add_request_service_context(ctx, false);
}
} catch (Exception e) {
throw new INTERNAL("Caught " + e);
}
}
/**
* Decodes an ASN.1-encoded {@code InitialContextToken}. See {@code encodeInitialContextToken} for
* a description of the encoded token format.
*
* @param encodedToken the encoded token.
* @param codec the {@code Codec} used to decode the token.
* @return the decoded {@code InitialContextToken} instance.
* @see #encodeInitialContextToken(org.omg.GSSUP.InitialContextToken, org.omg.IOP.Codec)
*/
public static InitialContextToken decodeInitialContextToken(byte[] encodedToken, Codec codec) {
if (encodedToken[0] != 0x60) return null;
int encodedLength = 0;
int n = 0;
if (encodedToken[1] >= 0) encodedLength = encodedToken[1];
else {
n = encodedToken[1] & 0x7F;
for (int i = 1; i <= n; i++) {
encodedLength += (encodedToken[1 + i] & 0xFF) << (n - i) * 8;
}
}
int length = encodedLength - gssUpMechOidArray.length;
byte[] encodedInitialContextToken = new byte[length];
System.arraycopy(
encodedToken, 2 + n + gssUpMechOidArray.length, encodedInitialContextToken, 0, length);
Any any;
try {
any = codec.decode_value(encodedInitialContextToken, InitialContextTokenHelper.type());
} catch (Exception e) {
return null;
}
return InitialContextTokenHelper.extract(any);
}
/**
* Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code
* CSIIOP}. {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such
* component can exist inside an IOR.
*
* <p>Should be called with non-null metadata, in which case we probably don't want to include
* security info in the IOR.
*
* @param metadata the metadata object that contains the CSIv2 security configuration info.
* @param codec the {@code Codec} used to encode the CSIv2 security component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
*/
public static TaggedComponent createSecurityTaggedComponent(
IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
if (metadata == null) {
log.debugf("createSecurityTaggedComponent() called with null metadata");
return null;
}
TaggedComponent tc;
// get the the supported security mechanisms.
CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
// the above is wrapped into a CSIIOP.CompoundSecMechList structure, which is NOT a
// CompoundSecMech[].
// we don't support stateful/reusable security contexts (false).
CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
// finally, the CompoundSecMechList must be encoded as a TaggedComponent
try {
Any any = orb.create_any();
CompoundSecMechListHelper.insert(any, csmList);
byte[] b = codec.encode_value(any);
tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
} catch (InvalidTypeForEncoding e) {
log.warn("Caught unexcepted exception while encoding CompoundSecMechList", e);
throw new RuntimeException(e);
}
return tc;
}
/**
* Helper method to be called from a client request interceptor. The {@code ri} parameter refers
* to the current request. This method returns the first {@code CompoundSecMech} found in the
* target IOR such that
*
* <ul>
* <li>all {@code CompoundSecMech} requirements are satisfied by the options in the {@code
* clientSupports} parameter, and
* <li>every requirement in the {@code clientRequires} parameter is satisfied by the {@code
* CompoundSecMech}.
* </ul>
*
* The method returns null if the target IOR contains no {@code CompoundSecMech}s or if no
* matching {@code CompoundSecMech} is found.
*
* <p>Since this method is intended to be called from a client request interceptor, it converts
* unexpected exceptions into {@code MARSHAL} exceptions.
*
* @param ri a reference to the current {@code ClientRequestInfo}.
* @param codec the {@code Codec} used to decode the CSIv2 components.
* @param clientSupports the client supported transport options that must be satisfied by the
* {@code CompoundSecMech}.
* @param clientRequires the client required transport options that must be satisfied by the
* {@code CompoundSecMech}.
* @return the {@code CompoundSecMech} instance that satisfies all client options, or {@code null}
* if no such object can be found.
*/
public static CompoundSecMech getMatchingSecurityMech(
ClientRequestInfo ri, Codec codec, short clientSupports, short clientRequires) {
CompoundSecMechList csmList;
try {
TaggedComponent tc = ri.get_effective_component(TAG_CSI_SEC_MECH_LIST.value);
Any any = codec.decode_value(tc.component_data, CompoundSecMechListHelper.type());
csmList = CompoundSecMechListHelper.extract(any);
// look for the first matching security mech.
for (int i = 0; i < csmList.mechanism_list.length; i++) {
CompoundSecMech securityMech = csmList.mechanism_list[i];
AS_ContextSec authConfig = securityMech.as_context_mech;
if ((EstablishTrustInTarget.value
& (clientRequires ^ authConfig.target_supports)
& ~authConfig.target_supports)
!= 0) {
// client requires EstablishTrustInTarget, but target does not support it: skip this
// securityMech.
continue;
}
if ((EstablishTrustInClient.value
& (authConfig.target_requires ^ clientSupports)
& ~clientSupports)
!= 0) {
// target requires EstablishTrustInClient, but client does not support it: skip this
// securityMech.
continue;
}
SAS_ContextSec identityConfig = securityMech.sas_context_mech;
if ((IdentityAssertion.value
& (identityConfig.target_requires ^ clientSupports)
& ~clientSupports)
!= 0) {
// target requires IdentityAssertion, but client does not support it: skip this
// securityMech
continue;
}
// found matching securityMech.
return securityMech;
}
// no matching securityMech was found.
return null;
} catch (BAD_PARAM e) {
// no component with TAG_CSI_SEC_MECH_LIST was found.
return null;
} catch (org.omg.IOP.CodecPackage.TypeMismatch e) {
// unexpected exception in codec
throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
} catch (org.omg.IOP.CodecPackage.FormatMismatch e) {
// unexpected exception in codec
throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
}
}
/**
* ASN.1-encode an {@code InitialContextToken} as defined in RFC 2743, Section 3.1,
* "Mechanism-Independent Token Format", pp. 81-82. The encoded token contains the ASN.1 tag 0x60,
* followed by a token length (which is itself stored in a variable-length format and takes 1 to 5
* bytes), the GSSUP mechanism identifier, and a mechanism-specific token, which in this case is a
* CDR encapsulation of the GSSUP {@code InitialContextToken} in the {@code authToken} parameter.
*
* @param authToken the {@code InitialContextToken} to be encoded.
* @param codec the {@code Codec} used to encode the token.
* @return a {@code byte[]} representing the encoded token.
*/
public static byte[] encodeInitialContextToken(InitialContextToken authToken, Codec codec) {
byte[] out;
Any any = ORB.init().create_any();
InitialContextTokenHelper.insert(any, authToken);
try {
out = codec.encode_value(any);
} catch (Exception e) {
return new byte[0];
}
int length = out.length + gssUpMechOidArray.length;
int n;
if (length < (1 << 7)) {
n = 0;
} else if (length < (1 << 8)) {
n = 1;
} else if (length < (1 << 16)) {
n = 2;
} else if (length < (1 << 24)) {
n = 3;
} else { // if (length < (1 << 32))
n = 4;
}
byte[] encodedToken = new byte[2 + n + length];
encodedToken[0] = 0x60;
if (n == 0) {
encodedToken[1] = (byte) length;
} else {
encodedToken[1] = (byte) (n | 0x80);
switch (n) {
case 1:
encodedToken[2] = (byte) length;
break;
case 2:
encodedToken[2] = (byte) (length >> 8);
encodedToken[3] = (byte) length;
break;
case 3:
encodedToken[2] = (byte) (length >> 16);
encodedToken[3] = (byte) (length >> 8);
encodedToken[4] = (byte) length;
break;
default: // case 4:
encodedToken[2] = (byte) (length >> 24);
encodedToken[3] = (byte) (length >> 16);
encodedToken[4] = (byte) (length >> 8);
encodedToken[5] = (byte) length;
}
}
System.arraycopy(gssUpMechOidArray, 0, encodedToken, 2 + n, gssUpMechOidArray.length);
System.arraycopy(out, 0, encodedToken, 2 + n + gssUpMechOidArray.length, out.length);
return encodedToken;
}
/**
* Create a transport mechanism {@code TaggedComponent} to be stuffed into a {@code
* CompoundSecMech}.
*
* <p>If no {@code TransportConfig} metadata is specified, or ssl port is negative, or the
* specified metadata indicates that transport config is not supported, then a {@code
* TAG_NULL_TAG} (empty) {@code TaggedComponent} will be returned.
*
* <p>Otherwise a {@code CSIIOP.TLS_SEC_TRANS}, tagged as {@code TAG_TLS_SEC_TRANS} will be
* returned, indicating support for TLS/SSL as a CSIv2 transport mechanism.
*
* <p>Multiple {@code TransportAddress} may be included in the SSL info (host/port pairs), but we
* only include one.
*
* @param tconfig the transport configuration metadata.
* @param codec the {@code Codec} used to encode the transport configuration.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return the constructed {@code TaggedComponent}.
*/
public static TaggedComponent createTransportMech(
TransportConfig tconfig, Codec codec, int sslPort, ORB orb) {
TaggedComponent tc;
// what we support and require as a target.
int support = 0;
int require = 0;
if (tconfig != null) {
require = createTargetRequires(tconfig);
support = createTargetSupports(tconfig);
}
if (tconfig == null || support == 0 || sslPort < 0) {
// no support for transport security.
tc = new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
} else {
// my ip address.
String host;
try {
host = InetAddress.getLocalHost().getHostAddress();
} catch (java.net.UnknownHostException e) {
host = "127.0.0.1";
}
// this will create only one transport address.
TransportAddress[] taList = createTransportAddress(host, sslPort);
TLS_SEC_TRANS tst = new TLS_SEC_TRANS((short) support, (short) require, taList);
// The tricky part, we must encode TLS_SEC_TRANS into an octet sequence.
try {
Any any = orb.create_any();
TLS_SEC_TRANSHelper.insert(any, tst);
byte[] b = codec.encode_value(any);
tc = new TaggedComponent(TAG_TLS_SEC_TRANS.value, b);
} catch (InvalidTypeForEncoding e) {
log.warn("Caught unexcepted exception while encoding TLS_SEC_TRANS", e);
throw new RuntimeException(e);
}
}
return tc;
}
/**
* Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing a
* structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
*
* <p>Should be called with non-null metadata, in which case we probably don't want to include
* security info in the IOR.
*
* @param metadata the metadata object that contains the SSL configuration info.
* @param codec the {@code Codec} used to encode the SSL component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return a {@code TaggedComponent} representing the encoded SSL component.
*/
public static TaggedComponent createSSLTaggedComponent(
IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
if (metadata == null) {
JacORBLogger.ROOT_LOGGER.createSSLTaggedComponentWithNullMetaData();
return null;
}
TaggedComponent tc;
try {
int supports = createTargetSupports(metadata.getTransportConfig());
int requires = createTargetRequires(metadata.getTransportConfig());
SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
Any any = orb.create_any();
SSLHelper.insert(any, ssl);
byte[] componentData = codec.encode_value(any);
tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
} catch (InvalidTypeForEncoding e) {
throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
}
return tc;
}
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
System.out.println("[" + Thread.currentThread() + "] ClientInterceptor: send_request()");
try {
org.omg.CORBA.Any any = ri.get_slot(slot_id);
System.out.println(
"["
+ Thread.currentThread()
+ "] ClientInterceptor: send_request() - get_slot() = "
+ any);
if (any.type().kind().value() != org.omg.CORBA.TCKind._tk_null) {
ServiceContext ctx = new ServiceContext(4711, codec.encode(any));
ri.add_request_service_context(ctx, false);
}
} catch (Exception e) {
e.printStackTrace();
throw new INTERNAL(e.getMessage());
}
}
/**
* Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing an
* structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
*
* <p>Should be called with non-null metadata, in which case we probably don't want to include
* security info in the IOR.
*
* @param metadata the metadata object that contains the SSL configuration info.
* @param codec the {@code Codec} used to encode the SSL component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return a {@code TaggedComponent} representing the encoded SSL component.
*/
public static TaggedComponent createSSLTaggedComponent(
IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
if (metadata == null) {
log.debugf("createSSLTaggedComponent() called with null metadata");
return null;
}
TaggedComponent tc;
try {
int supports = createTargetSupports(metadata.getTransportConfig());
int requires = createTargetRequires(metadata.getTransportConfig());
SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
Any any = orb.create_any();
SSLHelper.insert(any, ssl);
byte[] componentData = codec.encode_value(any);
tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
} catch (InvalidTypeForEncoding e) {
log.warn("Caught unexcepted exception while encoding SSL component", e);
throw new RuntimeException(e);
}
return tc;
}
/**
* Create a transport mechanism {@code TaggedComponent} to be stuffed into a {@code
* CompoundSecMech}.
*
* <p>If no {@code TransportConfig} metadata is specified, or ssl port is negative, or the
* specified metadata indicates that transport config is not supported, then a {@code
* TAG_NULL_TAG} (empty) {@code TaggedComponent} will be returned.
*
* <p>Otherwise a {@code CSIIOP.TLS_SEC_TRANS}, tagged as {@code TAG_TLS_SEC_TRANS} will be
* returned, indicating support for TLS/SSL as a CSIv2 transport mechanism.
*
* <p>Multiple {@code TransportAddress} may be included in the SSL info (host/port pairs), but we
* only include one.
*
* @param tconfig the transport configuration metadata.
* @param codec the {@code Codec} used to encode the transport configuration.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return the constructed {@code TaggedComponent}.
*/
public static TaggedComponent createTransportMech(
IORTransportConfigMetaData tconfig, Codec codec, int sslPort, ORB orb) {
TaggedComponent tc;
// what we support and require as a target.
int support = 0;
int require = 0;
if (tconfig != null) {
require = createTargetRequires(tconfig);
support = createTargetSupports(tconfig);
}
if (tconfig == null || support == 0 || sslPort < 0) {
// no support for transport security.
tc = new TaggedComponent(TAG_NULL_TAG.value, new byte[0]);
} else {
// my ip address.
String host = CorbaORBService.getORBProperty(JacORBSubsystemConstants.ORB_ADDRESS);
// this will create only one transport address.
TransportAddress[] taList = createTransportAddress(host, sslPort);
TLS_SEC_TRANS tst = new TLS_SEC_TRANS((short) support, (short) require, taList);
// The tricky part, we must encode TLS_SEC_TRANS into an octet sequence.
try {
Any any = orb.create_any();
TLS_SEC_TRANSHelper.insert(any, tst);
byte[] b = codec.encode_value(any);
tc = new TaggedComponent(TAG_TLS_SEC_TRANS.value, b);
} catch (InvalidTypeForEncoding e) {
throw JacORBLogger.ROOT_LOGGER.unexpectedException(e);
}
}
return tc;
}
