From jmsn...@apache.org
Subject svn commit: r482003 - in /incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security: ./ util/servlet/ xmlsec/
Date Mon, 04 Dec 2006 01:18:15 GMT
Author: jmsnell
Date: Sun Dec  3 17:18:11 2006
New Revision: 482003

URL: http://svn.apache.org/viewvc?view=rev&rev=482003
Log:
Adding an Encryption Filter.  Will encrypt an Atom document when a client cert with an 
RSA key is provided (e.g. SSL Mutual Auth).  

Fix the DSig impl so that the signing algorithm is configurable

Added:
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/EncryptedResponseFilter.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SecurityFilter.java
Modified:
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/SignatureOptions.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SignedResponseFilter.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignatureOptions.java

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/SignatureOptions.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/SignatureOptions.java?view=diff&rev=482003&r1=482002&r2=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/SignatureOptions.java
(original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/SignatureOptions.java
Sun Dec  3 17:18:11 2006
@@ -26,6 +26,10 @@
 public interface SignatureOptions 
   extends SecurityOptions {
 
+  String getSigningAlgorithm();
+  
+  void setSigningAlgorithm(String algorithm);
+  
   /**
    * Return the private key with which to sign the element
    */
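Review bot: The two new interface methods are the only members of SignatureOptions without Javadoc, while the neighbouring getSigningKey accessor documents its contract; callers cannot tell from the interface what string is expected or whether null is allowed. I would add `/** Returns the XML Signature algorithm URI used to sign the element. */` above getSigningAlgorithm and `/** Sets the XML Signature algorithm URI, e.g. {@code http://www.w3.org/2000/09/xmldsig#rsa-sha1}; behaviour for null is implementation-defined. */` above setSigningAlgorithm, and state which value is used when the setter is never called.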

Added: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/EncryptedResponseFilter.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/EncryptedResponseFilter.java?view=auto&rev=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/EncryptedResponseFilter.java
(added)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/EncryptedResponseFilter.java
Sun Dec  3 17:18:11 2006
@@ -0,0 +1,101 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  The ASF licenses this file to You
+* under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.  For additional information regarding
+* copyright in this work, please see the NOTICE file in the top level
+* directory of this distribution.
+*/
+package org.apache.abdera.security.util.servlet;
+
+import java.io.IOException;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+
+import javax.crypto.KeyGenerator;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.abdera.model.Document;
+import org.apache.abdera.model.Element;
+import org.apache.abdera.security.Encryption;
+import org.apache.abdera.security.EncryptionOptions;
+import org.apache.xml.security.encryption.XMLCipher;
+
+/**
+ * <pre>
+ * &lt;filter>
+ *   &lt;filter-name>enc filter&lt;/filter-name>
+ *   &lt;filter-class>com.test.EncryptedResponseFilter&lt;/filter-class>
+ * &lt;/filter>
+ * &lt;filter-mapping>
+ *   &lt;filter-name>enc filter&lt;/filter-name>
+ *   &lt;servlet-name>TestServlet&lt;/servlet-name>
+ * &lt;/filter-mapping>
+ * </pre>
+ */
+public class EncryptedResponseFilter 
+  extends SecurityFilter {
+
+  public void init(
+    FilterConfig config) 
+      throws ServletException {
+    try {
+      Class.forName("org.bouncycastle.LICENSE");
+      Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
+    } catch (Exception e) {}
+  }
+  
+  @SuppressWarnings("unchecked")
+  public void doFilter(
+    ServletRequest request, 
+    ServletResponse response,
+    FilterChain chain) 
+      throws IOException, 
+             ServletException {
+    try {
+      X509Certificate[] cert = (X509Certificate[]) request.getAttribute(
+        "javax.servlet.request.X509Certificate");
+      PublicKey pkey = (cert != null) ? cert[0].getPublicKey() : null;
+      if (pkey != null && pkey instanceof RSAPublicKey) {
+        BufferingResponseWrapper wrapper = 
+          new BufferingResponseWrapper(
+            (HttpServletResponse)response);
+        chain.doFilter(request, wrapper);
+        Document<Element> doc = getDocument(wrapper);
+        if (doc != null) {  
+          KeyGenerator keygen = KeyGenerator.getInstance("AES");
+          keygen.init(new SecureRandom());
+          Key key = keygen.generateKey();
+          Encryption enc = security.getEncryption(); 
+          EncryptionOptions options = enc.getDefaultEncryptionOptions();
+          options.setDataEncryptionKey(key);
+          options.setKeyEncryptionKey(pkey);
+          options.setKeyCipherAlgorithm(XMLCipher.RSA_v1dot5);
+          options.setIncludeKeyInfo(true);
+          Document<Element> enc_doc = enc.encrypt(doc, options);
+          enc_doc.writeTo(response.getOutputStream());
+        }
+      } else {
+        chain.doFilter(request, response);
+      }
+    } catch (Exception e) {}
+  } 
+}
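Review bot: The `catch (Exception e) {}` closing doFilter discards every failure, including an encrypt() that fails after the wrapped chain has already produced the body, so a client presenting an RSA certificate receives an empty response with no log entry and no error status; rethrow instead, e.g. `} catch (Exception e) { throw new ServletException(e); }`. The same silent drop happens when getDocument(wrapper) returns null: the buffered body is neither forwarded nor rejected, which should be an explicit decision in code (forward the original bytes, or fail the request). `cert[0]` is dereferenced without checking `cert.length > 0`, so an empty attribute array becomes an ArrayIndexOutOfBoundsException hidden by the same catch. The key-transport algorithm is fixed to `XMLCipher.RSA_v1dot5`; PKCS#1 v1.5 key wrapping is discouraged because of padding-oracle weaknesses, so `XMLCipher.RSA_OAEP` is the safer default, and the content-encryption key length from `KeyGenerator.getInstance("AES")` is provider-dependent unless pinned with `keygen.init(128, new SecureRandom())` (or a longer size the deployment requires).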

Added: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SecurityFilter.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SecurityFilter.java?view=auto&rev=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SecurityFilter.java
(added)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SecurityFilter.java
Sun Dec  3 17:18:11 2006
@@ -0,0 +1,139 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  The ASF licenses this file to You
+* under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.  For additional information regarding
+* copyright in this work, please see the NOTICE file in the top level
+* directory of this distribution.
+*/
+package org.apache.abdera.security.util.servlet;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.CharArrayReader;
+import java.io.CharArrayWriter;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.io.Reader;
+
+import javax.servlet.Filter;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.abdera.Abdera;
+import org.apache.abdera.model.Document;
+import org.apache.abdera.model.Element;
+import org.apache.abdera.parser.Parser;
+import org.apache.abdera.security.AbderaSecurity;
+
+public abstract class SecurityFilter 
+  implements Filter {
+
+  protected final Abdera abdera;
+  protected final AbderaSecurity security;
+  
+  protected SecurityFilter() {
+    this.abdera = new Abdera();
+    this.security = new AbderaSecurity(abdera);
+  }
+  
+  public void destroy() {
+  }
+
+  protected Document<Element> getDocument(BufferingResponseWrapper wrapper) {
+    Reader rdr = wrapper.getReader();
+    InputStream in = wrapper.getInputStream();
+    Parser parser = abdera.getParser();
+    try {
+      if (rdr != null) {
+        return parser.parse(rdr);
+      }
+      if (in != null) {
+        return parser.parse(in);
+      }
+    } catch (Exception e) {}
+    return null;
+  }
+ 
+  public static class BufferingResponseWrapper 
+    extends HttpServletResponseWrapper {
+    
+    CharArrayWriter output = null;
+    ByteArrayOutputStream outStream = null;
+    
+    BufferingResponseWrapper(HttpServletResponse response) {
+      super(response);
+    }
+    
+    @Override
+    public PrintWriter getWriter() throws IOException {
+      if (outStream != null) throw new IllegalStateException();
+      if (output == null) output = new CharArrayWriter();
+      return new PrintWriter(output);
+    }
+    
+    @Override
+    public ServletOutputStream getOutputStream() throws IOException {
+      if (output != null) throw new IllegalStateException();
+      if (outStream == null) outStream = new ByteArrayOutputStream();
+      return new BufferingServletOutputStream(outStream);
+    }
+    
+    public Reader getReader() {
+      if (output == null) return null;
+      return new CharArrayReader(output.toCharArray());
+    }
+    
+    public InputStream getInputStream() {
+      if (outStream == null) return null;
+      return new ByteArrayInputStream(outStream.toByteArray());
+    }
+  }
+  
+  public static class BufferingServletOutputStream 
+    extends ServletOutputStream {
+  
+    ByteArrayOutputStream out = null;
+    
+    BufferingServletOutputStream(ByteArrayOutputStream out) {
+      this.out = out;
+    }
+    
+    public void write(int b) throws IOException {
+      out.write(b);
+    }
+    
+    public void write(byte[] b) throws IOException {
+      out.write(b);
+    }
+    
+    public void write(byte[] b, int off, int len) throws IOException {
+      out.write(b, off, len);
+    }
+  
+    @Override
+    public void close() throws IOException {
+      out.close();
+      super.close();
+    }
+  
+    @Override
+    public void flush() throws IOException {
+      out.flush();
+      super.flush();
+    }
+    
+  }
+
+}
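Review bot: getDocument returns null both when the wrapper holds no body and when the parser rejects the body, because the catch after the parse calls discards the exception; every subclass then treats an unparseable response the same as an empty one and silently drops it. I would let the failure propagate, e.g. declare `throws ServletException` and replace the empty catch with `catch (Exception e) { throw new ServletException("could not parse buffered response", e); }`, and have the `if (rdr != null)` / `if (in != null)` checks alone decide the null case. The abstract class and its two nested helpers carry no Javadoc at all; at minimum the class comment should say that subclasses obtain the buffered response body via getDocument and that getWriter and getOutputStream are mutually exclusive (the IllegalStateException in each is the only hint). The mutable package-private fields `output` and `outStream` in BufferingResponseWrapper can be `private`, since only the wrapper itself reads them.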

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SignedResponseFilter.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SignedResponseFilter.java?view=diff&rev=482003&r1=482002&r2=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SignedResponseFilter.java
(original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/servlet/SignedResponseFilter.java
Sun Dec  3 17:18:11 2006
@@ -17,33 +17,20 @@
 */
 package org.apache.abdera.security.util.servlet;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.CharArrayReader;
-import java.io.CharArrayWriter;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.PrintWriter;
-import java.io.Reader;
 import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 
-import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
-import javax.servlet.ServletOutputStream;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
 
-import org.apache.abdera.Abdera;
 import org.apache.abdera.model.Document;
 import org.apache.abdera.model.Element;
-import org.apache.abdera.parser.Parser;
-import org.apache.abdera.security.AbderaSecurity;
 import org.apache.abdera.security.SecurityException;
 import org.apache.abdera.security.Signature;
 import org.apache.abdera.security.SignatureOptions;
@@ -74,6 +61,10 @@
  *     &lt;param-name>org.apache.abdera.security.util.servlet.CertificateAlias&lt;/param-name>
  *     &lt;param-value>James&lt;/param-value>
  *   &lt;/init-param>
+ *   &lt;init-param>
+ *     &lt;param-name>org.apache.abdera.security.util.servlet.SigningAlgorithm&lt;/param-name>
+ *     &lt;param-value>http://www.w3.org/2000/09/xmldsig#rsa-sha1&lt;/param-value>
+ *   &lt;/init-param>
  * &lt;/filter>
  * &lt;filter-mapping id="signing-filter">
  *   &lt;filter-name>signing filter&lt;/filter-name>
@@ -82,31 +73,26 @@
  * </pre>
  */
 public class SignedResponseFilter 
-  implements Filter {
+  extends SecurityFilter {
 
   private static final String KEYSTORE  = "org.apache.abdera.security.util.servlet.Keystore";
   private static final String STOREPASS = "org.apache.abdera.security.util.servlet.KeystorePassword";
   private static final String KEY       = "org.apache.abdera.security.util.servlet.PrivateKeyAlias";
   private static final String KEYPASS   = "org.apache.abdera.security.util.servlet.PrivateKeyPassword";
   private static final String CERT      = "org.apache.abdera.security.util.servlet.CertificateAlias";
+  private static final String ALGO      = "org.apache.abdera.security.util.servlet.SigningAlgorithm";
   
   private static final String keystoreType = "JKS";
   
-  private final Abdera abdera;
-  private final AbderaSecurity security;
   private String keystoreFile = null;
   private String keystorePass = null;
   private String privateKeyAlias = null;
   private String privateKeyPass = null;
   private String certificateAlias = null;
+  private String algorithm = null;
   private PrivateKey signingKey = null;
   private X509Certificate cert = null;
 
-  public SignedResponseFilter() {
-    this.abdera = new Abdera();
-    this.security = new AbderaSecurity(abdera);
-  }
-  
   public void init(
     FilterConfig config) 
       throws ServletException {
@@ -115,11 +101,13 @@
     privateKeyAlias = config.getInitParameter(KEY);
     privateKeyPass = config.getInitParameter(KEYPASS);
     certificateAlias = config.getInitParameter(CERT);
+    algorithm = config.getInitParameter(ALGO);
     
     try {
       KeyStore ks = KeyStore.getInstance(keystoreType);    
-      InputStream in = SignedResponseFilter.class.getResourceAsStream(keystoreFile);
-      ks.load(in, keystorePass.toCharArray());
+      //InputStream in = SignedResponseFilter.class.getResourceAsStream(keystoreFile);
+      java.io.FileInputStream fin = new java.io.FileInputStream(keystoreFile);
+      ks.load(fin, keystorePass.toCharArray());
       signingKey = 
         (PrivateKey) ks.getKey(
           privateKeyAlias,
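Review bot: The new `java.io.FileInputStream fin` is never closed, so every filter init leaks a file handle; wrap the load in try/finally as below (the enclosing try block of init continues into the next hunk, where `catch (Exception e) {}` closes it). That empty catch is the more serious issue: a missing file, a wrong password (or a null `keystorePass`, which NPEs on `toCharArray()`) leaves `signingKey` null, and sign() then passes every response through unsigned without any indication, so a misconfigured deployment fails open. Throwing `new ServletException("could not load signing keystore", e)` from init makes the deployment fail instead. The commented-out `getResourceAsStream` line should be deleted rather than kept, and the switch from a classpath resource to a filesystem path is a behaviour change the Keystore init-param documentation should state.
```java
      KeyStore ks = KeyStore.getInstance(keystoreType);
      java.io.FileInputStream fin = new java.io.FileInputStream(keystoreFile);
      try {
        ks.load(fin, keystorePass.toCharArray());
      } finally {
        fin.close();
      }
      // … unchanged: getKey / getCertificate lookups …
```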
@@ -130,15 +118,13 @@
     } catch (Exception e) {}
   }
   
-  public void destroy() {}
-
   public void doFilter(
     ServletRequest request, 
     ServletResponse response,
     FilterChain chain) 
       throws IOException, 
              ServletException {
-
+    
     BufferingResponseWrapper wrapper = 
       new BufferingResponseWrapper(
         (HttpServletResponse)response);
@@ -159,96 +145,13 @@
   private Document<Element> sign(Document<Element> doc) throws SecurityException
 {
     if (signingKey == null || cert == null) return doc; // pass through
     Signature sig = security.getSignature();
-    SignatureOptions options = sig.getDefaultSignatureOptions();    
+    SignatureOptions options = sig.getDefaultSignatureOptions();
     options.setCertificate(cert);
     options.setSigningKey(signingKey);
+    options.setSigningAlgorithm(algorithm);
     Element element = doc.getRoot();
     element = sig.sign(element, options);
     return element.getDocument();
   }
   
-  private Document<Element> getDocument(BufferingResponseWrapper wrapper) {
-    Reader rdr = wrapper.getReader();
-    InputStream in = wrapper.getInputStream();
-    Parser parser = abdera.getParser();
-    try {
-      if (rdr != null) {
-        return parser.parse(rdr);
-      }
-      if (in != null) {
-        return parser.parse(in);
-      }
-    } catch (Exception e) {}
-    return null;
-  }
-  
-  static class BufferingResponseWrapper 
-    extends HttpServletResponseWrapper {
-    
-    CharArrayWriter output = null;
-    ByteArrayOutputStream outStream = null;
-    
-    BufferingResponseWrapper(HttpServletResponse response) {
-      super(response);
-    }
-    
-    @Override
-    public PrintWriter getWriter() throws IOException {
-      if (outStream != null) throw new IllegalStateException();
-      if (output == null) output = new CharArrayWriter();
-      return new PrintWriter(output);
-    }
-    
-    @Override
-    public ServletOutputStream getOutputStream() throws IOException {
-      if (output != null) throw new IllegalStateException();
-      if (outStream == null) outStream = new ByteArrayOutputStream();
-      return new BufferingServletOutputStream(outStream);
-    }
-    
-    public Reader getReader() {
-      if (output == null) return null;
-      return new CharArrayReader(output.toCharArray());
-    }
-    
-    public InputStream getInputStream() {
-      if (outStream == null) return null;
-      return new ByteArrayInputStream(outStream.toByteArray());
-    }
-  }
-  
-  static class BufferingServletOutputStream 
-    extends ServletOutputStream {
-
-    ByteArrayOutputStream out = null;
-    
-    BufferingServletOutputStream(ByteArrayOutputStream out) {
-      this.out = out;
-    }
-    
-    public void write(int b) throws IOException {
-      out.write(b);
-    }
-    
-    public void write(byte[] b) throws IOException {
-      out.write(b);
-    }
-    
-    public void write(byte[] b, int off, int len) throws IOException {
-      out.write(b, off, len);
-    }
-
-    @Override
-    public void close() throws IOException {
-      out.close();
-      super.close();
-    }
-
-    @Override
-    public void flush() throws IOException {
-      out.flush();
-      super.flush();
-    }
-    
-  }
 }
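Review bot: `options.setSigningAlgorithm(algorithm)` in sign() is called unconditionally, so when the SigningAlgorithm init-param is absent the null read in init overwrites the `dsa-sha1` default that XmlSignatureOptions sets, and that null then reaches the XMLSignature constructor through `options.getSigningAlgorithm()` in the XmlSignature.java hunk (presumably rejected there, but the failure surfaces far from its cause). Guard it with `if (algorithm != null) options.setSigningAlgorithm(algorithm);`, or validate the parameter in init. Note also that the default algorithm is DSA-based while the Javadoc example configures an RSA signature, so the algorithm and the key type in the keystore must agree; a one-line comment on the `ALGO` constant saying which value is used when the param is omitted would save the next reader a trip through XmlSignatureOptions.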

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java?view=diff&rev=482003&r1=482002&r2=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
(original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
Sun Dec  3 17:18:11 2006
@@ -71,7 +71,7 @@
     XMLSignature sig = new XMLSignature(
       domdoc, 
       (baseUri != null) ? baseUri.toString() : "", 
-      XMLSignature.ALGO_ID_SIGNATURE_DSA);
+      options.getSigningAlgorithm());
     dom.appendChild(sig.getElement());
     Transforms transforms = new Transforms(domdoc);
     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignatureOptions.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignatureOptions.java?view=diff&rev=482003&r1=482002&r2=482003
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignatureOptions.java
(original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignatureOptions.java
Sun Dec  3 17:18:11 2006
@@ -32,6 +32,15 @@
   private PrivateKey signingKey = null;
   private X509Certificate cert = null;
   private List<String> references = null;
+  private String algo = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
+  
+  public String getSigningAlgorithm() {
+    return algo;
+  }
+  
+  public void setSigningAlgorithm(String algorithm) {
+    this.algo = algorithm;
+  }
   
   protected XmlSignatureOptions(Abdera abdera) {
     super(abdera);
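Review bot: The new `algo` field and its accessors are undocumented; the field comment should say that the value is the XML Signature algorithm URI handed to XMLSignature and that the default is DSA with SHA-1, since a caller supplying an RSA signing key has to override it. SHA-1 based signature algorithms are no longer recommended for new signatures, so a SHA-256 variant (for RSA keys, `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`) is worth considering as the default, with the DSA-SHA1 URI kept documented for compatibility. Placing the accessors between the field declarations and the constructor also breaks the file's field/constructor/method ordering; moving them below the constructor keeps the class readable.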


