geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From djen...@apache.org
Subject svn commit: r576651 - in /geronimo/server/trunk: applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/ modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ modules/geronimo-securit...
Date Tue, 18 Sep 2007 01:50:04 GMT
Author: djencks
Date: Mon Sep 17 18:50:03 2007
New Revision: 576651

URL: http://svn.apache.org/viewvc?rev=576651&view=rev
Log:
GERONIMO-2925 implement pluggable obscuring of passwords in plans etc

Added:
    geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
  (with props)
    geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
  (with props)
    geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
  (with props)
Modified:
    geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
    geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
    geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
    geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
    geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
    geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
    geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java

Modified: geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
(original)
+++ geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
Mon Sep 17 18:50:03 2007
@@ -47,6 +47,7 @@
 import org.apache.geronimo.util.encoders.Base64;
 import org.apache.geronimo.util.encoders.HexTranslator;
 import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
 
 /**
  * @version $Rev$ $Date$
@@ -149,10 +150,7 @@
                 if(digest != null && !digest.equals("")) {
                     realPassword = digestPassword(realPassword, digest, getEncoding());
                 }
-                if (!(realPassword.startsWith("{Standard}"))) {
-                    // update the password
-                    realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
-                }
+                realPassword = EncryptionManager.encrypt(realPassword);
             }
             users.setProperty(name, realPassword);
             store(users, serverInfo.resolveServer(getUsersURI()).toURL());
@@ -189,10 +187,7 @@
                 if(digest != null && !digest.equals("")) {
                     realPassword = digestPassword(realPassword, digest, getEncoding());
                 }
-                if (!(realPassword.startsWith("{Standard}"))) {
-                    // update the password
-                    realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
-                }
+                realPassword = EncryptionManager.encrypt(realPassword);
             }
             users.setProperty(name, realPassword);
             store(users, serverInfo.resolveServer(getUsersURI()).toURL());
@@ -270,10 +265,7 @@
         }
         String realPassword = users.getProperty(userPrincipal);
         if (realPassword != null) {
-            if (realPassword.startsWith("{Standard}")) {
-                // decrypt the password
-                realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
-            }
+            realPassword = (String) EncryptionManager.decrypt(realPassword);
         }
         return realPassword;
     }
@@ -328,10 +320,9 @@
                 String realPassword = users.getProperty(name);
                 // Encrypt the password if needed, so we can compare it with the supplied
one
                 if (realPassword != null) {
-                    if (!(realPassword.startsWith("{Standard}"))) {
-                        // update the password in Properties to be encrypted
-                        users.setProperty(name, "{Standard}"+SimpleEncryption.encrypt(realPassword));
-                        // we have an updated password to save back to the file
+                    String pw = EncryptionManager.encrypt(realPassword);
+                    if (!realPassword.equals(pw)) {
+                        users.setProperty(name, pw);
                         bUpdates = true;
                     }
                 }

Modified: geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
(original)
+++ geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
Mon Sep 17 18:50:03 2007
@@ -31,6 +31,7 @@
 import org.apache.geronimo.cli.deployer.CommandArgs;
 import org.apache.geronimo.common.DeploymentException;
 import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
 
 /**
  * The CLI deployer logic to start.
@@ -54,7 +55,7 @@
             InputStream in = new BufferedInputStream(new FileInputStream(authFile));
             props.load(in);
             in.close();
-            props.setProperty("login."+connection.getServerURI(), "{Standard}"+SimpleEncryption.encrypt(connection.getAuthentication()));
+            props.setProperty("login."+connection.getServerURI(), EncryptionManager.encrypt(connection.getAuthentication()));
             OutputStream save = new BufferedOutputStream(new FileOutputStream(authFile));
             props.store(save, "Saved authentication information to connect to Geronimo servers");
             save.flush();

Modified: geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
(original)
+++ geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
Mon Sep 17 18:50:03 2007
@@ -39,7 +39,7 @@
 import org.apache.geronimo.deployment.plugin.jmx.JMXDeploymentManager;
 import org.apache.geronimo.deployment.plugin.jmx.LocalDeploymentManager;
 import org.apache.geronimo.kernel.Kernel;
-import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
 
 /**
  * Supports online connections to the server, via JSR-88, valid only
@@ -52,7 +52,7 @@
     private final static String DEFAULT_URI = "deployer:geronimo:jmx";
 
     private final DeploymentFactory geronimoDeploymentFactory;
-    
+
     private DeploymentManager manager;
     private PrintWriter out;
     private InputStream in;
@@ -69,7 +69,7 @@
         this.out = out;
         this.in = in;
         boolean offline = false;
-        
+
         String uri = parser.getURI();
         String driver = parser.getDriver();
         String user = parser.getUser();
@@ -144,20 +144,24 @@
                 try {
                     Properties props = new Properties();
                     props.load(in);
-                    String encryped = props.getProperty("login." + useURI);
-                    if (encryped != null) {
-                        if (encryped.startsWith("{Standard}")) {
-                            SavedAuthentication auth = (SavedAuthentication) SimpleEncryption.decrypt(encryped.substring(10));
-                            if (auth.uri.equals(useURI)) {
-                                user = auth.user;
-                                password = new String(auth.password);
-                            }
-                        } else if (encryped.startsWith("{Plain}")) {
-                            int pos = encryped.indexOf("/");
-                            user = encryped.substring(7, pos);
-                            password = encryped.substring(pos + 1);
+                    String encrypted = props.getProperty("login." + useURI);
+                    if (encrypted != null) {
+
+                        if (encrypted.startsWith("{Plain}")) {
+                            int pos = encrypted.indexOf("/");
+                            user = encrypted.substring(7, pos);
+                            password = encrypted.substring(pos + 1);
                         } else {
-                            System.out.print(DeployUtils.reformat("Unknown encryption used
in saved login file", 4, 72));
+                            Object o = EncryptionManager.decrypt(encrypted);
+                            if (o == encrypted) {
+                                System.out.print(DeployUtils.reformat("Unknown encryption
used in saved login file", 4, 72));
+                            } else {
+                                SavedAuthentication auth = (SavedAuthentication) o;
+                                if (auth.uri.equals(useURI)) {
+                                    user = auth.user;
+                                    password = new String(auth.password);
+                                }
+                            }
                         }
                     }
                 } catch (IOException e) {

Modified: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
(original)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Mon Sep 17 18:50:03 2007
@@ -46,6 +46,7 @@
 import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
 import org.apache.geronimo.system.serverinfo.ServerInfo;
 import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
 import org.apache.geronimo.util.encoders.Base64;
 import org.apache.geronimo.util.encoders.HexTranslator;
 
@@ -171,9 +172,7 @@
         String realPassword = users.getProperty(username);
         // Decrypt the password if needed, so we can compare it with the supplied one
         if (realPassword != null) {
-            if (realPassword.startsWith("{Standard}")) {
-                realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
-            }
+            realPassword = (String) EncryptionManager.decrypt(realPassword);
         }
         char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
         password = entered == null ? null : new String(entered);

Added: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
(added)
+++ geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
Mon Sep 17 18:50:03 2007
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.system.util;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.security.SecureRandom;
+
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.system.serverinfo.ServerInfo;
+import org.apache.geronimo.util.AbstractEncryption;
+import org.apache.geronimo.util.EncryptionManager;
+
+/**
+ * Like SimpleEncryption except it uses a stored secret key.  If the key file is missing,
it makes up a new one.
+ *
+ * WARNING: NOT RECOMMENDED. If you lose the secret key file your encrypted passwords will
be unavailable.  Instead, secure
+ * your operationg environment and use something like ldap or a database to store passwords
in.
+ *
+ * To use, include something like this in the rmi-naming module of var/config/config.xml:
+ *
+ * <gbean name="org.apache.geronimo.configs/rmi-naming/2.1-SNAPSHOT/car?name=ConfiguredEncryption,j2eeType=GBean"
gbeanInfo="org.apache.geronimo.system.util.ConfiguredEncryption">
+ * <attribute name="path">var/security/ConfiguredSecretKey.ser</attribute>
+ * <reference name="ServerInfo"><pattern><name>ServerInfo</name></pattern></reference>
+ * </gbean>
+ *
+ * @version $Rev:$ $Date:$
+ */
+public class ConfiguredEncryption extends AbstractEncryption implements GBeanLifecycle {
+
+    private final SecretKeySpec spec;
+
+
+    public ConfiguredEncryption(String path, ServerInfo serverInfo) throws IOException, ClassNotFoundException
{
+        File location = serverInfo.resolve(path);
+        if (location.exists()) {
+            FileInputStream in = new FileInputStream(location);
+            try {
+                ObjectInputStream oin = new ObjectInputStream(in);
+                try {
+                    spec = (SecretKeySpec) oin.readObject();
+                } finally {
+                    oin.close();
+                }
+            } finally {
+                in.close();
+            }
+        } else {
+            SecureRandom random = new SecureRandom();
+            random.setSeed(System.currentTimeMillis());
+            byte[] bytes = new byte[16];
+            random.nextBytes(bytes);
+            spec = new SecretKeySpec(bytes, "AES");
+            File dir = location.getParentFile();
+            if (!dir.exists()) {
+                dir.mkdirs();
+            }
+            if (!dir.exists() || !dir.isDirectory()) {
+                throw new IllegalStateException("Could not create directory for secret key
spec: " + dir);
+            }
+            FileOutputStream out = new FileOutputStream(location);
+            try {
+                ObjectOutputStream oout = new ObjectOutputStream(out);
+                try {
+                    oout.writeObject(spec);
+                    oout.flush();
+                } finally {
+                    oout.close();
+                }
+            } finally {
+                out.close();
+            }
+        }
+    }
+
+    public void doStart() throws Exception {
+        EncryptionManager.setEncryptionPrefix("{Configured}", this);
+    }
+
+    public void doStop() throws Exception {
+    }
+
+    public void doFail() {
+    }
+
+    protected SecretKeySpec getSecretKeySpec() {
+        return spec;
+    }
+
+    public static final GBeanInfo GBEAN_INFO;
+
+    static {
+        GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(ConfiguredEncryption.class,
"GBean");
+        infoBuilder.addAttribute("path", String.class, true, true);
+        infoBuilder.addReference("ServerInfo", ServerInfo.class, "GBean");
+        infoBuilder.setConstructor(new String[]{"path", "ServerInfo"});
+        GBEAN_INFO = infoBuilder.getBeanInfo();
+    }
+
+    public static GBeanInfo getGBeanInfo() {
+        return GBEAN_INFO;
+    }
+
+}

Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
(added)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
Mon Sep 17 18:50:03 2007
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.util;
+
+import java.io.Serializable;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ByteArrayInputStream;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.Cipher;
+import javax.crypto.SealedObject;
+
+import org.apache.geronimo.util.encoders.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public abstract class AbstractEncryption implements Encryption {
+    private final static Log log = LogFactory.getLog(SimpleEncryption.class);
+
+    /**
+     * Gets a String which contains the Base64-encoded form of the source,
+     * encrypted with the key from getSecretKeySpec().
+     */
+    public String encrypt(Serializable source) {
+        SecretKeySpec spec = getSecretKeySpec();
+        try {
+            Cipher c = Cipher.getInstance(spec.getAlgorithm());
+            c.init(Cipher.ENCRYPT_MODE, spec);
+            SealedObject so = new SealedObject(source, c);
+            ByteArrayOutputStream store = new ByteArrayOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(store);
+            out.writeObject(so);
+            out.close();
+            byte[] data = store.toByteArray();
+            byte[] textData = Base64.encode(data);
+            return new String(textData, "US-ASCII");
+        } catch (Exception e) {
+            log.error("Unable to encrypt", e);
+            return null;
+        }
+    }
+
+    /**
+     * Given a String which is the Base64-encoded encrypted data, retrieve
+     * the original Object.
+     */
+    public Serializable decrypt(String source) {
+        SecretKeySpec spec = getSecretKeySpec();
+        try {
+            byte[] data = Base64.decode(source);
+            Cipher c = Cipher.getInstance(spec.getAlgorithm());
+            c.init(Cipher.DECRYPT_MODE, spec);
+            ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data));
+            SealedObject so = (SealedObject) in.readObject();
+            return (Serializable) so.getObject(c);
+        } catch (Exception e) {
+            log.error("Unable to decrypt", e);
+            return null;
+        }
+    }
+
+    protected abstract SecretKeySpec getSecretKeySpec();
+}

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
(added)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
Mon Sep 17 18:50:03 2007
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.util;
+
+import java.io.Serializable;
+
+/**
+ * Interface for objects to register with EncryptionManager.
+ *
+ * @version $Rev:$ $Date:$
+ */
+public interface Encryption {
+    /**
+     * encrypt the source according to some scheme and return the result as a String.
+     * @param source object to encrypt
+     * @return encrypted object representing the source.
+     */
+    String encrypt(Serializable source);
+
+    /**
+     * decrypt the source according to some scheme and return the original object.
+     * @param source the string representing the encrypted object
+     * @return (a copy of) the original object.                                         
          
+     */
+    Serializable decrypt(String source);
+}

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
(original)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
Mon Sep 17 18:50:03 2007
@@ -16,33 +16,97 @@
  */
 package org.apache.geronimo.util;
 
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 import java.io.Serializable;
 
 /**
- * A static class that handles storing and reading values, potentially using
- * encryption.  This can be used as the interface to any back-end encryption
- * services.
+ * A static class that uses registered Encryption instances to encypt and decrypt objects,
typically strings.
+ * The encrypted strings are preceded by the name of the Encryption object, such as {Simple},
followed by the base64
+ * encoded encrypted bytes.
+ *
+ * Any number of Encryption instances can be registered but only the first to be explicitly
registered will be used.
+ * However, when decrypting the Encryption instance is looked up from the name prefix so
may be any registered Encryption instance.
+ * Furthermore, encrypt and decrypt are idempotent.  Calling encrypt on a string encrypted
with a registered Encryption that is not
+ * the one in use will decrypt the string and re-encrypt it with the one in use.  This can
be useful when changing Encryption.
+ *
+ * The default Encryption instance (that does not need to be registered) is SimpleEncryption
which uses a fixed key hardcoded into
+ * the Encryption class itself.  Thus it is useful only to hide information from those who
don't read code.  On the other hand
+ * you can't lose the key and make your server permanently unusable.
+ *
+ * n.b. calling these methods idempotent is a slight exageration as this would apply only
if all arguments and return values are Strings.
  *
  * @version $Rev$ $Date$
  */
 public class EncryptionManager {
+
+    private static final Map<String, Encryption> ENCRYPTORS = Collections.synchronizedMap(new
HashMap<String, Encryption>());
     private final static String SIMPLE_ENCRYPTION_PREFIX = "{Simple}";
 
+    static {
+        ENCRYPTORS.put(SIMPLE_ENCRYPTION_PREFIX, SimpleEncryption.INSTANCE);
+        //login properties files used to have this
+        ENCRYPTORS.put("{Standard}", SimpleEncryption.INSTANCE);
+    }
+
+    private static String encryptionPrefix = SIMPLE_ENCRYPTION_PREFIX;
+
+    /**
+     * Encryption instances should call this to register themselves.
+     *
+     * @param prefix id in form {name} for the Encryption instance
+     * @param encryption Encryption instance to do the work.
+     */
+    public synchronized static void setEncryptionPrefix(String prefix, Encryption encryption)
{
+        if (SIMPLE_ENCRYPTION_PREFIX.equals(encryptionPrefix)) {
+            encryptionPrefix = prefix;
+        }
+        ENCRYPTORS.put(prefix, encryption);
+    }
+
     /**
-     * Gets a String which contains the Base64-encoded form of the
-     * encrypted form of the source.
+     * Idempotent method that outputs string starting with the active registered encryption
prefix followed by
+     * the output of the registered Encryption instance.  If called with a string encrypted
by another
+     * registered Encryption it will re-encrypt with the active Encryption instance.
+     * @param source Serializable object to encrypt, usually a password string or an already
encrypted string.
+     * @return the name of the registered Encryption followed by its output.
      */
     public static String encrypt(Serializable source) {
-        return SIMPLE_ENCRYPTION_PREFIX +SimpleEncryption.encrypt(source);
+        if (source instanceof String) {
+            String sourceString = (String) source;
+            if (sourceString.startsWith(encryptionPrefix)) {
+                return (String) source;
+            } else if (sourceString.startsWith("{")) {
+                source = decrypt(sourceString);
+            }
+        }
+        Encryption encryption = ENCRYPTORS.get(encryptionPrefix);
+        return encryptionPrefix + encryption.encrypt(source);
     }
 
     /**
-     * Given a String which is the Base64-encoded encrypted data, retrieve
-     * the original Object.
+     * Idempotent method that given a String starting with a registered Encryption name will
remove the
+     * name prefix and return the result of applying the Encryption to the suffix.  If no
registered Encryption
+     * name matches the start of the string the input will be returned.
+     * @param source String that is possibly the output of calling encrypt, consisting of
a Encryption name followed by its encrypt output.
+     * @return the result of applying the Encryption.decrypt method to the input suffix after
identifying the Encryption from the prefix, or the
+     * input if no Encryption name matches.
      */
-    public static Object decrypt(String source) {
-        if(source.startsWith(SIMPLE_ENCRYPTION_PREFIX)) {
-            return SimpleEncryption.decrypt(source.substring(SIMPLE_ENCRYPTION_PREFIX.length()));
+    public static Serializable decrypt(String source) {
+        String prefix = null;
+        Encryption encryption = null;
+        synchronized (ENCRYPTORS) {
+            for (Map.Entry<String, Encryption> entry : ENCRYPTORS.entrySet()) {
+                prefix = entry.getKey();
+                if (source.startsWith(prefix)) {
+                    encryption = entry.getValue();
+                    break;
+                }
+            }
+        }
+        if (encryption != null) {
+            return encryption.decrypt(source.substring(prefix.length()));
         }
         return source;
     }

Modified: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
(original)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
Mon Sep 17 18:50:03 2007
@@ -41,48 +41,16 @@
  *
  * @version $Rev$ $Date$
  */
-public class SimpleEncryption {
-    private final static Log log = LogFactory.getLog(SimpleEncryption.class);
+public final class SimpleEncryption extends AbstractEncryption {
+
+    public final static SimpleEncryption INSTANCE = new SimpleEncryption();
     private final static SecretKeySpec SECRET_KEY = new SecretKeySpec(new byte[]{(byte)-45,(byte)-15,(byte)100,(byte)-34,(byte)70,(byte)83,(byte)75,(byte)-100,(byte)-75,(byte)61,(byte)26,(byte)114,(byte)-20,(byte)-58,(byte)114,(byte)77},
"AES");
 
 
-    /**
-     * Gets a String which contains the Base64-encoded form of the source,
-     * encrypted with the known key.
-     */
-    public static String encrypt(Serializable source) {
-        try {
-            Cipher c = Cipher.getInstance("AES");
-            c.init(Cipher.ENCRYPT_MODE, SECRET_KEY);
-            SealedObject so = new SealedObject(source, c);
-            ByteArrayOutputStream store = new ByteArrayOutputStream();
-            ObjectOutputStream out = new ObjectOutputStream(store);
-            out.writeObject(so);
-            out.close();
-            byte[] data = store.toByteArray();
-            byte[] textData = Base64.encode(data);
-            return new String(textData, "US-ASCII");
-        } catch (Exception e) {
-            log.error("Unable to encrypt", e);
-            return null;
-        }
+    private SimpleEncryption() {
     }
 
-    /**
-     * Given a String which is the Base64-encoded encrypted data, retrieve
-     * the original Object.
-     */
-    public static Object decrypt(String source) {
-        try {
-            byte[] data = Base64.decode(source);
-            Cipher c = Cipher.getInstance("AES");
-            c.init(Cipher.DECRYPT_MODE, SECRET_KEY);
-            ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data));
-            SealedObject so = (SealedObject) in.readObject();
-            return so.getObject(c);
-        } catch (Exception e) {
-            log.error("Unable to decrypt", e);
-            return null;
-        }
+    protected SecretKeySpec getSecretKeySpec() {
+        return SECRET_KEY;
     }
 }

Modified: geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java
(original)
+++ geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java
Mon Sep 17 18:50:03 2007
@@ -24,8 +24,8 @@
 public class SimpleEncryptionTest extends TestSupport {
     public void testSimpleEncryption() {
         Object[] source = new Object[]{"This is a test", new Integer(14)};
-        String text = SimpleEncryption.encrypt(source);
-        Object[] result = (Object[]) SimpleEncryption.decrypt(text);
+        String text = SimpleEncryption.INSTANCE.encrypt(source);
+        Object[] result = (Object[]) SimpleEncryption.INSTANCE.decrypt(text);
         assertEquals(2, result.length);
         assertEquals("This is a test", result[0]);
         assertEquals(new Integer(14), result[1]);



Mime
View raw message