From jdil...@apache.org
Subject svn commit: r578519 - in /geronimo/sandbox/gshell/trunk/gshell-remote: gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/security/ gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/ gshell-remote-ser...
Date Sat, 22 Sep 2007 22:46:17 GMT
Author: jdillon
Date: Sat Sep 22 15:46:15 2007
New Revision: 578519

URL: http://svn.apache.org/viewvc?rev=578519&view=rev
Log:
Merged the security filter (which seemed like a good idea, but turned out to be hell), into
the server handler
Move the authentication code I whipped up to test/validate stuff to the server module; clients
won't need this at all

Added:
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/
      - copied from r578517, geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/security/
Removed:
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/security/
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/SecurityFilter.java
Modified:
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/BaseTransportServer.java
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RemoteShellContainer.java
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RshServerHandler.java
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/BogusUserAuthenticator.java
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/UserAuthenticator.java
    geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/package-info.java

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/BaseTransportServer.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/BaseTransportServer.java?rev=578519&r1=578518&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/BaseTransportServer.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-common/src/main/java/org/apache/geronimo/gshell/remote/transport/base/BaseTransportServer.java
Sat Sep 22 15:46:15 2007
@@ -24,10 +24,8 @@
 import java.util.concurrent.atomic.AtomicLong;
 
 import org.apache.geronimo.gshell.remote.message.MessageHandler;
-import org.apache.geronimo.gshell.remote.security.SecurityFilter;
 import org.apache.geronimo.gshell.remote.session.ThreadPoolModel;
 import org.apache.geronimo.gshell.remote.transport.TransportServer;
-import org.apache.mina.common.DefaultIoFilterChainBuilder;
 import org.apache.mina.common.IoAcceptor;
 
 /**
@@ -80,15 +78,6 @@
         configure(acceptor);
     }
 
-    @Override
-    protected void configure(final DefaultIoFilterChainBuilder chain) throws Exception {
-        assert chain != null;
-
-        super.configure(chain);
-
-        chain.addLast(SecurityFilter.class.getSimpleName(), getSecurityFilter());
-    }
-
     public synchronized void bind() throws Exception {
         if (bound) {
             throw new IllegalStateException("Already bound");
@@ -116,28 +105,5 @@
         finally {
             super.close();
         }
-    }
-
-    //
-    // AutoWire Support, Setters exposed to support Plexus autowire()  Getters exposed to
handle state checking.
-    //
-
-    //
-    // TODO: See if we should tack this puppy on in the handler when the session opens er
something? Since this
-    //       is rather application specific...
-    //
-    
-    private SecurityFilter securityFilter;
-
-    public void setSecurityFilter(final SecurityFilter securityFilter) {
-        this.securityFilter = securityFilter;
-    }
-
-    protected SecurityFilter getSecurityFilter() {
-        if (securityFilter == null) {
-            throw new IllegalStateException("Security filter not bound");
-        }
-
-        return securityFilter;
     }
 }

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RemoteShellContainer.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RemoteShellContainer.java?rev=578519&r1=578518&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RemoteShellContainer.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RemoteShellContainer.java
Sat Sep 22 15:46:15 2007
@@ -19,10 +19,10 @@
 
 package org.apache.geronimo.gshell.remote.server;
 
-import org.codehaus.plexus.DefaultPlexusContainer;
+import org.apache.geronimo.gshell.remote.session.SessionAttributeBinder;
 import org.codehaus.plexus.ContainerConfiguration;
+import org.codehaus.plexus.DefaultPlexusContainer;
 import org.codehaus.plexus.PlexusContainerException;
-import org.apache.geronimo.gshell.remote.session.SessionAttributeBinder;
 
 /**
  * ???

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RshServerHandler.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RshServerHandler.java?rev=578519&r1=578518&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RshServerHandler.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/RshServerHandler.java
Sat Sep 22 15:46:15 2007
@@ -20,8 +20,13 @@
 package org.apache.geronimo.gshell.remote.server;
 
 import java.io.PrintWriter;
+import java.security.PublicKey;
 import java.util.Date;
 import java.util.UUID;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.TimeUnit;
 
 import org.apache.geronimo.gshell.DefaultEnvironment;
 import org.apache.geronimo.gshell.command.IO;
@@ -29,15 +34,21 @@
 import org.apache.geronimo.gshell.lookup.EnvironmentLookup;
 import org.apache.geronimo.gshell.lookup.IOLookup;
 import org.apache.geronimo.gshell.remote.RemoteShell;
+import org.apache.geronimo.gshell.remote.crypto.CryptoContext;
+import org.apache.geronimo.gshell.remote.message.Message;
 import org.apache.geronimo.gshell.remote.message.MessageHandler;
 import org.apache.geronimo.gshell.remote.message.MessageVisitorSupport;
 import org.apache.geronimo.gshell.remote.message.rsh.CloseShellMessage;
 import org.apache.geronimo.gshell.remote.message.rsh.EchoMessage;
 import org.apache.geronimo.gshell.remote.message.rsh.ExecuteMessage;
+import org.apache.geronimo.gshell.remote.message.rsh.HandShakeMessage;
+import org.apache.geronimo.gshell.remote.message.rsh.LoginMessage;
 import org.apache.geronimo.gshell.remote.message.rsh.OpenShellMessage;
+import org.apache.geronimo.gshell.remote.server.auth.UserAuthenticator;
 import org.apache.geronimo.gshell.remote.session.SessionAttributeBinder;
 import org.apache.geronimo.gshell.remote.stream.SessionInputStream;
 import org.apache.geronimo.gshell.remote.stream.SessionOutputStream;
+import org.apache.geronimo.gshell.remote.util.NamedThreadFactory;
 import org.apache.geronimo.gshell.shell.Environment;
 import org.apache.mina.common.IoSession;
 import org.codehaus.plexus.ContainerConfiguration;
@@ -59,16 +70,193 @@
     extends MessageHandler
     implements Initializable
 {
+    private static final SessionAttributeBinder<PublicKey> CLIENT_KEY_BINDER = new
SessionAttributeBinder<PublicKey>(RshServerHandler.class, "clientPublicKey");
+
+    private static final SessionAttributeBinder<UUID> AUTH_BINDER = new SessionAttributeBinder<UUID>(RshServerHandler.class,
"authenticated");
+
+    private static final SessionAttributeBinder<ScheduledFuture> TIMEOUT_BINDER = new
SessionAttributeBinder<ScheduledFuture>(RshServerHandler.class);
+
     @Requirement
     private PlexusContainer parentContainer;
 
+    @Requirement
+    private CryptoContext crypto;
+
+    @Requirement
+    private UserAuthenticator userAuthenticator;
+
+    private ScheduledThreadPoolExecutor scheduler;
+
+    private UUID securityToken;
+
     public void initialize() throws InitializationException {
         setVisitor(new Visitor());
+
+        ThreadFactory tf = new NamedThreadFactory(getClass());
+        scheduler = new ScheduledThreadPoolExecutor(Runtime.getRuntime().availableProcessors(),
tf);
+
+        securityToken = UUID.randomUUID();
+    }
+
+    @Override
+    public void sessionOpened(final IoSession session) throws Exception {
+        assert session != null;
+
+        // Schedule a task to timeout the handshake process
+        scheduleTimeout(session);
+    }
+
+    @Override
+    public void messageReceived(final IoSession session, final Object obj) throws Exception
{
+        assert session != null;
+        assert obj != null;
+
+        UUID token = AUTH_BINDER.lookup(session, null);
+
+        if (securityToken.equals(token)) {
+            super.messageReceived(session, obj);
+        }
+        else if (token != null) {
+            log.error("Invalid security token: {}", token);
+
+            session.close();
+        }
+        else if (obj instanceof HandShakeMessage) {
+            doHandShake(session, (HandShakeMessage)obj);
+        }
+        else if (obj instanceof LoginMessage) {
+            doLogin(session, (LoginMessage)obj);
+        }
+        else {
+            // If we get to here, then the message is not valid, so complain, then kill the
session
+            log.error("Unauthenticated message: {}", obj);
+
+            session.close();
+        }
+    }
+
+    private void setSession(final IoSession session, final Message msg) {
+        assert session != null;
+        assert msg != null;
+
+        // Prep the message for reply, this is normally done by the protocol handler, but
that hasn't a chance to fire at this point
+        msg.setSession(session);
+        msg.freeze();
+    }
+
+    private void doHandShake(final IoSession session, final HandShakeMessage msg) throws
Exception {
+        assert session != null;
+        assert msg != null;
+
+        log.debug("Processing handshake");
+
+        setSession(session, msg);
+
+        // Try to cancel the timeout task
+        if (!cancelTimeout(session)) {
+            log.warn("Aborting handshake processing; timeout has triggered");
+        }
+        else {
+            PublicKey key = msg.getClientKey();
+
+            // Stuff the remote public key into the session
+            CLIENT_KEY_BINDER.bind(session, key);
+
+            //
+            // TODO: Do we want to pass the client back some token which it needs to put
onto messages that are sent for more security?
+            //
+
+            // And then send back our public key to the remote client
+            msg.reply(new HandShakeMessage.Result(crypto.getPublicKey()));
+
+            // Don't wait on the write future
+
+            // Schedule a task to timeout the login process
+            scheduleTimeout(session);
+        }
+    }
+
+    private void doLogin(final IoSession session, final LoginMessage msg) throws Exception
{
+        assert session != null;
+        assert msg != null;
+
+        log.debug("Processing login");
+
+        setSession(session, msg);
+
+        // Try to cancel the timeout task
+        if (!cancelTimeout(session)) {
+            log.warn("Aborting login processing; timeout has triggered");
+        }
+        else {
+            String username = msg.getUsername();
+            String password = msg.getPassword();
+
+            if (!userAuthenticator.authenticate(username, password)) {
+                log.error("Authentication failed for user: {}, at location: {}", username,
session.getRemoteAddress());
+
+                String reason = "Failed to authenticate";
+
+                msg.reply(new LoginMessage.Failure(reason));
+            }
+            else {
+                // Mark the session as authenticated
+                AUTH_BINDER.bind(session, securityToken);
+
+                log.info("Successfull authentication for user: {}, at location: {}", username,
session.getRemoteAddress());
+
+                msg.reply(new LoginMessage.Success());
+
+                // Don't wait on the write future
+            }
+        }
     }
 
     //
-    // TODO: Move the security handling (bits from SecurityFilter) into here
+    // Timeout Support
     //
+
+    private ScheduledFuture scheduleTimeout(final IoSession session, final long l, final
TimeUnit unit) {
+        assert session != null;
+
+        ScheduledFuture task = scheduler.schedule(new TimeoutTask(session), l, unit);
+        TIMEOUT_BINDER.rebind(session, task);
+
+        return task;
+    }
+
+    private ScheduledFuture scheduleTimeout(final IoSession session) {
+        return scheduleTimeout(session, 30, TimeUnit.SECONDS);
+    }
+
+    private boolean cancelTimeout(final IoSession session) {
+        assert session != null;
+
+        ScheduledFuture timeoutTask = TIMEOUT_BINDER.lookup(session);
+
+        return timeoutTask.cancel(false);
+    }
+
+    /**
+     * Task to timeout sessions which fail to handshake or authenticate in a timely manner.
+     */
+    private class TimeoutTask
+        implements Runnable
+    {
+        private final IoSession session;
+
+        public TimeoutTask(final IoSession session) {
+            assert session != null;
+
+            this.session = session;
+        }
+
+        public void run() {
+            log.error("Timeout waiting for handshake or authentication from: " + session.getRemoteAddress());
+
+            session.close();
+        }
+    }
 
     //
     // MessageVisitor
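Review bot: The failure branch of doLogin (the `if (!userAuthenticator.authenticate(username, password))` block) replies with LoginMessage.Failure but neither closes the session nor re-arms the timeout that cancelTimeout has just cancelled, so an unauthenticated peer can hold the connection open indefinitely and there is no limit on attempts. A retried LoginMessage then goes back through cancelTimeout, and `cancel(false)` on an already-cancelled future returns false, so the retry is logged as "timeout has triggered" and dropped while the session still stays open. I would add `scheduleTimeout(session);` directly after `msg.reply(new LoginMessage.Failure(reason));`, and consider a bounded per-session attempt counter that closes the session once exceeded. Separately, messageReceived dispatches a LoginMessage even when no HandShakeMessage was ever processed, so CLIENT_KEY_BINDER may be unbound in doLogin; if the login payload is meant to be protected by the exchanged keys (not visible here), guard the start of doLogin with `if (CLIENT_KEY_BINDER.lookup(session, null) == null) { session.close(); return; }`. The Visitor class and the remainder of the handler continue outside this hunk.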

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/BogusUserAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/BogusUserAuthenticator.java?rev=578519&r1=578517&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/BogusUserAuthenticator.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/BogusUserAuthenticator.java
Sat Sep 22 15:46:15 2007
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.geronimo.gshell.remote.security;
+package org.apache.geronimo.gshell.remote.server.auth;
 
 import org.codehaus.plexus.component.annotations.Component;
 import org.codehaus.plexus.util.StringUtils;

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/UserAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/UserAuthenticator.java?rev=578519&r1=578517&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/UserAuthenticator.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/UserAuthenticator.java
Sat Sep 22 15:46:15 2007
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.geronimo.gshell.remote.security;
+package org.apache.geronimo.gshell.remote.server.auth;
 
 /**
  * Provides a simple interface for user authentication.

Modified: geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/package-info.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/package-info.java?rev=578519&r1=578517&r2=578519&view=diff
==============================================================================
--- geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/package-info.java
(original)
+++ geronimo/sandbox/gshell/trunk/gshell-remote/gshell-remote-server/src/main/java/org/apache/geronimo/gshell/remote/server/auth/package-info.java
Sat Sep 22 15:46:15 2007
@@ -18,8 +18,8 @@
  */
 
 /**
- * Support for security and authentication.
+ * Authentication support.
  *
  * @version $Rev$ $Date$
  */
-package org.apache.geronimo.gshell.remote.security;
\ No newline at end of file
+package org.apache.geronimo.gshell.remote.server.auth;
\ No newline at end of file


