class SecurityCache extends java.lang.Object implements SecurityConstants
Only the first item is common between the client and server sides. The rest of the list is for the server side only.
| Modifier and Type | Field and Description |
|---|---|
| `private Account[]` | `accs`: All known accounts. |
| `private java.lang.String` | `anonymId`: Account ID for anonymous processes, or `null` to disallow. |
| `private Audit` | `audit`: Audit control. |
| `private int` | `authMode`: Authorization mode. |
| `private java.util.Map<java.lang.String,AuthPlugin>` | `authPlugins`: Set of available auth plugins (plugin class -> plugin description object). |
| `private int` | `authRetries`: The number of authorization retries, where -1 means unlimited retries, 0 means no retries and a value > 0 is a specific limit. |
| `private java.lang.String[]` | `caAliases`: CA certificate aliases in truststore. |
| `private java.lang.String` | `customClientExt`: Custom account extensions client plugin class name. |
| `private java.lang.String` | `customServerExt`: Custom account extensions server plugin class name. |
| `private java.util.Set` | `holidays`: Set of holidays. |
| `private java.lang.String` | `hookName`: Authorization hook class name. |
| `private SecurityContext` | `initContext`: Initial security context. |
| `static int` | `LM_ADMIN`: Logging mode for admin client. |
| `static int` | `LM_CONSOLE`: Logging mode for server console. |
| `static int` | `LM_DUAL`: Logging mode for admin client and server console. |
| `private int` | `logMode`: Logging mode for this cache instance. |
| `private int` | `maxAge`: Maximum number of days user password is valid; 0 means unlimited. |
| `(package private) java.util.List<java.lang.String[]>` | `msgBuf`: Buffer to receive messages. |
| `private java.lang.String[]` | `peerAliases`: Peer certificate aliases in truststore. |
| `private java.util.Map<java.lang.String,java.lang.String>` | `privateKeyPasswords`: Encryption passwords for each SSL private key, per alias. |
| `private java.util.Map<java.lang.String,byte[]>` | `privateKeys`: Encrypted SSL private keys, per alias. |
| `private java.lang.String` | `pwInputHook`: Password input hook. |
| `private ResourceRegistry[]` | `registry`: Registry of abstract resource plugins. |
| `private Resolver` | `resolver`: Instance of symbol resolver. |
| `private int` | `serialNo`: Serial (generation) number of this instance of cache. |
| `private ProcessAccount` | `serverAcc`: Server's process account. |
| `private java.lang.String` | `serverAlias`: Server's truststore alias. |
| `private java.lang.String` | `serverId`: Server's ID. |
| `private SecurityManager` | `sm`: Instance of security manager. |
| `private SSLCertFactory` | `sslFactory`: The SSL certificate factory. |
| `private int` | `systemOrdinal`: Ordinal number of the "system" resource in registry. |
| `private java.security.KeyStore` | `trustStore`: In-memory truststore. |
Fields inherited from interface `SecurityConstants`: `AUTH_ACTION_ABORT`, `AUTH_ACTION_CONTINUE`, `AUTH_ACTION_DONE`, `AUTH_ACTION_RETRY`, `AUTH_MODE_CUSTOM`, `AUTH_MODE_HIGHEST`, `AUTH_MODE_IDPW`, `AUTH_MODE_LOWEST`, `AUTH_MODE_NONE`, `AUTH_MODE_X509`, `AUTH_MODE_X509_IDPW`, `AUTH_REQ_PROCESS`, `AUTH_REQ_PROGRAM`, `AUTH_REQ_USER`, `AUTH_RESULT_INSUFFICIENT_RIGHTS`, `AUTH_RESULT_INVALID_PASSWORD`, `AUTH_RESULT_INVALID_USERID`, `AUTH_RESULT_NONE`, `AUTH_RESULT_SKIP_TO_NEXT`, `AUTH_RESULT_SUCCESS`, `AUTH_RESULT_UNSPECIFIED_FAILURE`, `PKT_SIZE_SKIP_TO_NEXT`
| Constructor and Description |
|---|
| `SecurityCache(BootstrapConfig bc, int newSerial)`: Package private constructor. |
| `SecurityCache(BootstrapConfig bc, int newSerial, int logMode, java.util.List<java.lang.String[]> msgBuf)`: Package private constructor. |
| `SecurityCache(int logMode, java.util.List<java.lang.String[]> msgBuf, java.lang.String[] plugins)`: Package private constructor to mimic the server environment for standalone utilities. |
| Modifier and Type | Method and Description |
|---|---|
| `private void` | `addAclNodes(DirectoryService ds, java.lang.String fullId, java.util.Map map, int ord)`: Enumerates a directory branch and gathers all ACLs from there. |
| `private void` | `checkCertificate(java.lang.String alias, java.security.cert.X509Certificate cert)`: Check the RSA key length and encryption algorithm for the given certificate. |
| `private static boolean` | `checkSubjectId(java.lang.String id, java.util.List list)`: Checks to see if the given subject ID is unique. |
| `private void` | `createACL(DirectoryService ds, java.lang.String path, int ord, Rights rights, java.util.List list)`: Reads the P2J directory and loads ACLs from the specified directory object into a list. |
| `private void` | `createOldACLs(DirectoryService ds, java.lang.String roid, Rights rights, java.lang.String boid, java.util.List list)`: Reads the P2J directory and loads ACLs from the specified binding directory object into a list. |
| `(package private) Rights` | `createRights(DirectoryService ds, int ord, java.lang.String path)`: Creates an instance of `Rights` based on information in the P2J directory. |
| `void` | `dData(java.lang.String message)`: Logs detailed data, possibly including sensitive information. |
| `void` | `dErr(java.lang.String message)`: Logs error messages. |
| `void` | `dList(java.lang.String message)`: Logs detailed lists. |
| `void` | `dStat(java.lang.String message)`: Logs statistics. |
| `void` | `dTrace(java.lang.String message)`: Logs detailed traces. |
| `void` | `dWarn(java.lang.String message)`: Logs warnings. |
| `(package private) Account` | `getAccountById(java.lang.String id)`: Gets an account by its ID. |
| `(package private) Account` | `getAccountByOrd(int ordinal)`: Gets an account by its ordinal number. |
| `(package private) Account[]` | `getAccountsByAlias(java.lang.String alias, int type)`: Gets an array of user or process accounts by a trust store alias. |
| `(package private) java.lang.String[]` | `getAccountsForAppserver(java.lang.String appServer)`: Get the process accounts configured to start the given appserver. |
| `java.lang.String[]` | `getAllAccountIds(int type)`: Gets IDs of all defined accounts of the specified type. |
| `(package private) java.lang.String` | `getAnonymId()`: Gets anonymous account ID. |
| `(package private) Audit` | `getAudit()`: Gets the `Audit` object from this cache. |
| `(package private) int` | `getAuthMode()`: Gets authorization mode. |
| `(package private) int` | `getAuthNumRetries()`: Gets the maximum number of authorization retries. |
| `(package private) AuthPlugin` | `getAuthPlugin(java.lang.String pluginClass)`: Get auth plugin description object by its class. |
| `(package private) AuthPlugin[]` | `getAuthPlugins()`: Get the list of available auth plugins. |
| `(package private) java.lang.String[]` | `getCaAliases()`: Gets the array of CA certificate aliases. |
| `(package private) int` | `getCountByAlias(java.lang.String alias, int type)`: Gets the number of user or process accounts by a trust store alias. |
| `(package private) java.lang.String` | `getCustomClientExt()`: Gets custom client extension plugin name. |
| `(package private) java.lang.String` | `getCustomServerExt()`: Gets custom server extension plugin name. |
| `(package private) java.util.Set` | `getHolidays()`: Gets the defined set of holidays. |
| `(package private) java.lang.String` | `getHookName()`: Gets authentication hook name. |
| `(package private) SecurityContext` | `getInitialSecurityContext()`: Gets the initial security context. |
| `(package private) java.lang.String` | `getKeyEntryPassword(java.lang.String alias)`: Get the encryption password for the SSL private key associated with the given alias. |
| `(package private) int` | `getMaxAge()`: Gets the maximum password age in days. |
| `(package private) int` | `getNumResources()`: Gets the number of registered resource plugins. |
| `(package private) int` | `getOrdinalById(java.lang.String id)`: Gets account's ordinal number by its ID. |
| `(package private) java.lang.String` | `getPasswordInput()`: Gets the password input hook class name. |
| `(package private) java.lang.String[]` | `getPeerAliases()`: Gets the array of peer certificate aliases. |
| `(package private) byte[]` | `getPrivateKey(java.lang.String alias)`: Get the encrypted SSL private key associated with the given alias. |
| `(package private) ResourceRegistry` | `getRegistryByOrd(int ordinal)`: Gets a registry entry by its ordinal number. |
| `(package private) int` | `getRegistryOrdByTypeName(java.lang.String typeName)`: Gets a registry ordinal by the resource type name. |
| `(package private) Resolver` | `getResolver()`: Gets the symbol resolver. |
| `(package private) int` | `getSerial()`: Gets this security cache's serial number. |
| `(package private) ProcessAccount` | `getServerAccount()`: Gets this server's account. |
| `(package private) SSLCertFactory` | `getSSLCertFactory()`: Get the factory used to create SSL private keys and certificates. |
| `(package private) int` | `getSystem()`: Gets the system resource ordinal number. |
| `(package private) java.security.KeyStore` | `getTrustStore()`: Returns the trust store. |
| `(package private) SecurityContext` | `getUniqueInitialSecurityContext()`: Gets a new and unique instance of an initial security context. |
| `(package private) boolean` | `migrateACLs(DirectoryService ds, java.lang.String path, java.lang.String[] nodes, int ord)`: Checks migration status of the given ACL branch and migrates it from the old tree to the new flat representation when necessary. |
| `private void` | `printACLs(java.util.List list)`: Prints all ACLs from a list. |
| `private void` | `readACLs(DirectoryService ds)`: Reads the P2J directory and loads the defined ACLs. |
| `private void` | `readAudit(DirectoryService ds)`: Reads the P2J directory and loads audit related definitions. |
| `private void` | `readAuthMode(DirectoryService ds)`: Reads the P2J directory and initializes authentication control data. |
| `private void` | `readAuthPlugins(DirectoryService ds)`: Read the list of available auth plugins from the directory. |
| `private void` | `readCAs(java.security.KeyStore trustStore, DirectoryService ds)`: Reads the P2J directory and loads CA certificates into truststore. |
| `private java.lang.String` | `readCustomExtension(DirectoryService ds, java.lang.String nodeId)`: Reads the P2J directory and returns the custom extension plugin name. |
| `private void` | `readGroups(DirectoryService ds, java.util.List list)`: Reads the P2J directory and loads defined group accounts. |
| `private void` | `readHolidays(DirectoryService ds)`: Reads the P2J directory and initializes the list of known holidays. |
| `private void` | `readPasswordAging(DirectoryService ds)`: Reads the password aging control parameters. |
| `private void` | `readPeers(java.security.KeyStore trustStore, DirectoryService ds)`: Reads the P2J directory and loads peer certificates into truststore. |
| `(package private) void` | `readPlugins(DirectoryService ds, java.lang.String[] preload)`: Reads the P2J directory and loads defined resource plugins. |
| `private void` | `readPrivateKeys(BootstrapConfig cfg, DirectoryService ds)`: Read the SSL private keys and their encryption keys. |
| `private void` | `readProcesses(DirectoryService ds, java.util.List list, boolean secure)`: Reads the P2J directory and loads defined process accounts. |
| `private void` | `readRSAConfig(BootstrapConfig cfg, DirectoryService ds)`: Read the RSA configuration. |
| `private void` | `readUsers(DirectoryService ds, java.util.List list, boolean secure)`: Reads the P2J directory and loads defined user accounts. |
| `(package private) void` | `refreshAll(AdminAccountExtension ae)`: Refresh all plugins. |
| `boolean` | `updateCachedUserAccount(UserDef user)`: Find and update user account stored in cache. |
| `private void` | `verifyAnonymousId()`: Verifies that the anonymous process account ID is valid. |
| `(package private) void` | `verifyCAs(java.security.KeyStore trustStore)`: Verifies the validity of certification authority certificates loaded into the trust store. |
| `private void` | `verifyServerId(boolean secure)`: Verifies that the server ID is valid. |
Field detail:

- `public static final int LM_ADMIN`
- `public static final int LM_CONSOLE`
- `public static final int LM_DUAL`
- `private final int logMode`
- `private int serialNo`
- `private java.security.KeyStore trustStore`
- `private java.lang.String[] caAliases`
- `private java.lang.String[] peerAliases`
- `private Account[] accs`
- `private java.lang.String serverId`
- `private ProcessAccount serverAcc`
- `private java.lang.String serverAlias`
- `private SecurityContext initContext`
- `private int authMode`
- `private int authRetries`
- `private java.util.Map<java.lang.String,AuthPlugin> authPlugins`
- `private java.lang.String hookName`
- `private java.lang.String anonymId`: Account ID for anonymous processes, or `null` to disallow.
- `private ResourceRegistry[] registry`
- `private int systemOrdinal`
- `private java.util.Set holidays`
- `private Audit audit`
- `private Resolver resolver`
- `private int maxAge`
- `private java.lang.String pwInputHook`
- `private SecurityManager sm`
- `java.util.List<java.lang.String[]> msgBuf`
- `private java.lang.String customServerExt`
- `private java.lang.String customClientExt`
- `private java.util.Map<java.lang.String,java.lang.String> privateKeyPasswords`
- `private java.util.Map<java.lang.String,byte[]> privateKeys`
- `private SSLCertFactory sslFactory`
Constructor detail:

`SecurityCache(BootstrapConfig bc, int newSerial) throws ConfigurationException, java.lang.NoSuchMethodException`

Parameters:
- `bc` - An instance of `BootstrapConfig` class used to get the security related configuration information.
- `newSerial` - Serial number for the generation of the security cache being created.

Throws:
- `ConfigurationException`
- `java.lang.NoSuchMethodException`

`SecurityCache(BootstrapConfig bc, int newSerial, int logMode, java.util.List<java.lang.String[]> msgBuf) throws ConfigurationException, java.lang.NoSuchMethodException`

Parameters:
- `bc` - An instance of `BootstrapConfig` class used to get the security related configuration information.
- `newSerial` - Serial number for the generation of the security cache being created.
- `logMode` - Specifies logging for the admin client, or server console, or both.
- `msgBuf` - List to receive messages if `logMode` enables admin messages.

Throws:
- `ConfigurationException`
- `java.lang.NoSuchMethodException`

`SecurityCache(int logMode, java.util.List<java.lang.String[]> msgBuf, java.lang.String[] plugins) throws ConfigurationException, java.lang.NoSuchMethodException`

Parameters:
- `logMode` - Specifies logging for the admin client, or server console, or both.
- `msgBuf` - List to receive messages if `logMode` enables admin messages.
- `plugins` - Array of resource plugins to be loaded, or `null`.

Throws:
- `ConfigurationException`
- `java.lang.NoSuchMethodException`
Method detail:

`private static boolean checkSubjectId(java.lang.String id, java.util.List list)`

Parameters:
- `id` - Account ID to check.
- `list` - List of defined accounts.

Returns:
- `true` if subject ID is unique.

`int getSerial()`

`void refreshAll(AdminAccountExtension ae)`

Parameters:
- `ae`

`void verifyCAs(java.security.KeyStore trustStore) throws ConfigurationException`

CA certificates have to:

Parameters:
- `trustStore` - Truststore loaded with CA certificates to verify.

Throws:
- `ConfigurationException` - If the trust store is or becomes empty.

`java.security.KeyStore getTrustStore()`
`int getAuthMode()`

`int getAuthNumRetries()`

`java.lang.String getAnonymId()`

`java.lang.String getCustomServerExt()`

`java.lang.String getCustomClientExt()`

`java.lang.String getHookName()`

`SecurityContext getInitialSecurityContext()`

Returns:
- `SecurityContext`.

`SecurityContext getUniqueInitialSecurityContext()`

Returns:
- `SecurityContext` which is not associated with any account.

`Account getAccountById(java.lang.String id)`

Comparison is case-insensitive.

Parameters:
- `id` - Account ID.

Returns:
- `Account` object, or `null` if not found.

`java.lang.String[] getAccountsForAppserver(java.lang.String appServer)`

If `appServer` is `null`, this will return an array of length 0.

Parameters:
- `appServer` - The appserver for which the accounts are needed.

`public java.lang.String[] getAllAccountIds(int type)`

Parameters:
- `type` - Account type.

`int getCountByAlias(java.lang.String alias, int type)`

Comparison is case-insensitive.

Parameters:
- `alias` - Trust store alias.
- `type` - Account type.

Returns:
- `Account` object, or `null` if not found.

`Account[] getAccountsByAlias(java.lang.String alias, int type)`

Comparison is case-insensitive.

Parameters:
- `alias` - Trust store alias.
- `type` - Account type.

`int getOrdinalById(java.lang.String id)`

Parameters:
- `id` - Account ID.

`Account getAccountByOrd(int ordinal)`

Parameters:
- `ordinal` - Account ordinal.

Returns:
- `Account` object or `null`.

`int getNumResources()`
`int getRegistryOrdByTypeName(java.lang.String typeName)`

Comparison is case-sensitive.

Parameters:
- `typeName` - Abstract resource type name.

`ResourceRegistry getRegistryByOrd(int ordinal)`

Parameters:
- `ordinal` - Index (ordinal number) of the abstract resource.

Returns:
- `ResourceRegistry` registered under this index, or `null`.

`java.util.Set getHolidays()`

Returns:
- `Set` containing dates of all defined holidays as `String`s formatted to "yyyy-mm-dd".

`Audit getAudit()`

Returns:
- `Audit` defined in this cache.

`int getSystem()`

`ProcessAccount getServerAccount()`

`Resolver getResolver()`

Returns:
- `Resolver` object.

`int getMaxAge()`

`java.lang.String getPasswordInput()`

`java.lang.String[] getCaAliases()`

`java.lang.String[] getPeerAliases()`

`java.lang.String getKeyEntryPassword(java.lang.String alias)`

Only the server can access this.

Parameters:
- `alias` - The alias.

`SSLCertFactory getSSLCertFactory()`

Returns:
- Bouncy Castle factory.

`byte[] getPrivateKey(java.lang.String alias)`

Parameters:
- `alias` - The alias.

`AuthPlugin getAuthPlugin(java.lang.String pluginClass)`

Parameters:
- `pluginClass` - Class of the required plugin.

`AuthPlugin[] getAuthPlugins()`
`private void readCAs(java.security.KeyStore trustStore, DirectoryService ds)`

Parameters:
- `trustStore` - The target trust store.
- `ds` - Instance of `DirectoryService` from which to read.

`private void checkCertificate(java.lang.String alias, java.security.cert.X509Certificate cert) throws java.security.cert.CertificateParsingException`

An error is logged if the RSA key length is below `SSLCertFactory.MIN_RSA_KEY_STRENGTH` bits. Also, an error is logged if the encryption algorithm is SHA-1.

Throws:
- `java.security.cert.CertificateParsingException` - If the certificate's common-name can not be determined.

`private void readPeers(java.security.KeyStore trustStore, DirectoryService ds)`

Peer certificates are verified before they are put into the trust store. They have to:

Parameters:
- `trustStore` - The target trust store.
- `ds` - Instance of `DirectoryService` from which to read.

`private void readRSAConfig(BootstrapConfig cfg, DirectoryService ds)`

Parameters:
- `cfg` - An instance of `BootstrapConfig` class used to get the security related configuration information.
- `ds` - Instance of `DirectoryService` from which to read.

`private void readPrivateKeys(BootstrapConfig cfg, DirectoryService ds)`

Parameters:
- `cfg` - An instance of `BootstrapConfig` class used to get the security related configuration information.
- `ds` - Instance of `DirectoryService` from which to read.

`private void readGroups(DirectoryService ds, java.util.List list)`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `list` - List to which to add new accounts.

`private void readProcesses(DirectoryService ds, java.util.List list, boolean secure)`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `list` - List to which to add new accounts.
- `secure` - Specifies whether secure environment is enabled.

`private void readUsers(DirectoryService ds, java.util.List list, boolean secure)`

Group accounts must be created by the time of this call, as user accounts have to be converted to contain ordinal references to groups instead of IDs.

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `list` - List to which to add new accounts.
- `secure` - Specifies whether secure environment is enabled.

`private void readAuthMode(DirectoryService ds) throws ConfigurationException`
Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

Throws:
- `ConfigurationException` - If the authentication mode is invalid.

`private void readAuthPlugins(DirectoryService ds)`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

`private void readHolidays(DirectoryService ds) throws ConfigurationException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

Throws:
- `ConfigurationException`

`private void readPasswordAging(DirectoryService ds) throws ConfigurationException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

Throws:
- `ConfigurationException` - If the `maxAge` parameter is out of bounds.

`void readPlugins(DirectoryService ds, java.lang.String[] preload) throws java.lang.NoSuchMethodException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `preload` - Array of plugin names to bypass reading the directory.

Throws:
- `java.lang.NoSuchMethodException` - Thrown by use of `ResourceRegistry`.

`private java.lang.String readCustomExtension(DirectoryService ds, java.lang.String nodeId)`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `nodeId` - Where to look for the extension.

Returns:
- The custom extension plugin name, or `null`.
`private void readACLs(DirectoryService ds) throws ConfigurationException`

ACLs may be defined under the shared branch of the directory, namely `/security/acl`, and/or under the server's private branch `/security/acls/server-name`. If both branches contain definitions, they will be logically combined.

The basis for this combination is the ACL sequence numbers, which are node names. All definitions are read from both branches and then processed in ascending order of their sequence numbers. If a sequence number is used in both the shared and the private branch, the ACL definition from the private branch is used. This way the private branch can simply add definitions to the combined set or replace some shared definitions.

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

Throws:
- `ConfigurationException`
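The combination rule for `readACLs` (read both branches, order by sequence number, private definition wins on a shared sequence number) is simple enough to show end to end. The following is an added example, not P2J code: `AclDef` is a constructed stand-in for an `AccessControlList`, and the two `Map<String,String>` arguments are constructed stand-ins for the node names and contents found under `/security/acl` and `/security/acls/server-name`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example (not P2J code): combines ACL definitions read from the shared
 * branch and the server's private branch by their sequence numbers.
 */
public final class AclBranchMerge
{
   /** Constructed stand-in for one ACL definition; the real class is P2J's AccessControlList. */
   public record AclDef(int seq, String branch, String text) { }

   /**
    * Node names under a branch are the sequence numbers. They are parsed as
    * integers so that "9" sorts before "10"; a plain string sort would not do that.
    * A non-numeric node name fails fast with NumberFormatException.
    */
   public static Map<Integer, AclDef> readBranch(String branch, Map<String, String> nodes)
   {
      Map<Integer, AclDef> defs = new TreeMap<>();
      for (Map.Entry<String, String> node : nodes.entrySet())
      {
         int seq = Integer.parseInt(node.getKey());
         defs.put(seq, new AclDef(seq, branch, node.getValue()));
      }
      return defs;
   }

   /**
    * Shared definitions are taken first; private definitions are then added,
    * replacing any shared one with the same sequence number. The TreeMap keeps
    * the result in ascending sequence order.
    */
   public static List<AclDef> combine(Map<Integer, AclDef> shared, Map<Integer, AclDef> priv)
   {
      TreeMap<Integer, AclDef> combined = new TreeMap<>(shared);
      combined.putAll(priv);
      return new ArrayList<>(combined.values());
   }

   public static void main(String[] args)
   {
      // Constructed sample nodes standing in for the two directory branches.
      Map<Integer, AclDef> shared = readBranch("shared", Map.of(
         "9",  "system: deny anonymous",
         "10", "system: allow group admins",
         "20", "database: allow all users read"));
      Map<Integer, AclDef> priv = readBranch("private", Map.of(
         "20", "database: allow group dba read/write", // replaces the shared definition 20
         "30", "appserver: allow process batch"));      // added only by the private branch

      for (AclDef def : combine(shared, priv))
      {
         System.out.println(def.seq() + " [" + def.branch() + "] " + def.text());
      }
   }
}
```

Running `main` lists the definitions in the order 9, 10, 20, 30, with sequence number 20 coming from the private branch. When reviewing a server's effective ACLs, the point to check is exactly this replacement: a private definition with a reused sequence number hides the shared one entirely rather than merging with it.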
`private void addAclNodes(DirectoryService ds, java.lang.String fullId, java.util.Map map, int ord) throws ConfigurationException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `fullId` - Directory branch.
- `map` - Storage for ACL paths.
- `ord` - Resource plugin ordinal number.

Throws:
- `ConfigurationException`

`boolean migrateACLs(DirectoryService ds, java.lang.String path, java.lang.String[] nodes, int ord) throws ConfigurationException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `path` - Directory branch.
- `nodes` - Array of existing nodes in the branch.
- `ord` - Resource plugin ordinal number.

Throws:
- `ConfigurationException`

`private void readAudit(DirectoryService ds) throws ConfigurationException`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.

Throws:
- `ConfigurationException`

`private void verifyServerId(boolean secure) throws ConfigurationException`

Server ID is valid if:

Parameters:
- `secure` - Specifies whether secure environment is enabled.

Throws:
- `ConfigurationException` - If the server ID is invalid.

`private void verifyAnonymousId() throws ConfigurationException`

Anonymous process account ID is valid if:

Throws:
- `ConfigurationException` - If the anonymous ID is invalid.

`Rights createRights(DirectoryService ds, int ord, java.lang.String path)`

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `ord` - Ordinal number of the resource type.
- `path` - P2J directory path to the instance of `Rights`.

Returns:
- `Rights` or `null`.

`private void createOldACLs(DirectoryService ds, java.lang.String roid, Rights rights, java.lang.String boid, java.util.List list) throws ConfigurationException`

A binding object is made of:

`true` meaning exact name and `false` meaning regexp match

The result of this method is a number of `AccessControlList` entries added to the list `list`, one entry per instance name. These `AccessControlList`s will have exactly one `Binding` object put into the embedded list of bindings: {parameter rights, list of subjects from oid}.

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `roid` - Rights directory object ID.
- `rights` - Object to be kept in triplets.
- `boid` - Binding directory object ID to read.
- `list` - Place to put the instances of ACLs.

Throws:
- `ConfigurationException`

`private void createACL(DirectoryService ds, java.lang.String path, int ord, Rights rights, java.util.List list) throws ConfigurationException`
The result of this method is a number of `AccessControlList` entries added to the list `list`, one entry per instance name. These `AccessControlList`s will have exactly one `Binding` object put into the embedded list of bindings: {parameter rights, list of subjects from oid}.

Parameters:
- `ds` - Instance of `DirectoryService` from which to read.
- `path` - Directory object ID of the container of this ACL.
- `rights` - Object to be kept in triplets.
- `list` - Place to put the instances of ACLs.

Throws:
- `ConfigurationException`

`private void printACLs(java.util.List list)`

Parameters:
- `list` - List of ACLs.

`public void dErr(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public void dWarn(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public void dStat(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public void dList(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public void dTrace(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public void dData(java.lang.String message)`

Parameters:
- `message` - Text to be displayed.

`public boolean updateCachedUserAccount(UserDef user)`

Parameters:
- `user` - User account parameters.

Returns:
- `true` if account is found and updated, `false` if account not found.