From Edward Flick <directr...@yahoo.com>
Subject [AltRMI] RFC on Authentication interfaces
Date Tue, 01 Jul 2003 23:10:37 GMT
Hello, I am Edward Flick.  I have been watching the progress of AltRMI for a while now and
have finally decided to try and further support for this wonderful library.  This is a request
for comments on the supplied experimental pluggable authentication interfaces for AltRMI.
Any and all feedback is welcome.  I thought it would be a good idea to get approval on the
interfaces before I even take one baby step towards integrating it with the existing codebase.
 
Let me start with proposed usage:
 
Client Side:
 
class SomeMainable {
  public static void main(String[] args) throws Exception {

    Factory classfactory = new ServerSideClassFactory(false);
    classfactory.setHostContext(new SocketCustomStreamHostContext("somemachine.com", 7124));

    /*
     * Start new auth stuff, three possible auth paths given, but not all are required
     */

    // Note UserPassAuthGen not implemented yet, waiting for finalization on interfaces.  In final
    // form it will probably take in a Subject to extract authentication principals and credentials
    // from.
    NamedAuthenticatorGenerator userpass = new NamedAuthenticatorGenerator("somemachine.com/userpass",
        new UserPassAuthGen("edward", "quijibobble"));

    // Note KerberosAuthGen not implemented yet, waiting for finalization on interfaces.  In final
    // form it will probably take in a Subject to extract authentication principals and credentials
    // from.
    NamedAuthenticatorGenerator kerberos = new NamedAuthenticatorGenerator("somemachine.com/kerberos",
        new KerberosAuthGen());

    // Note XMLConfiguredNamedAuthGen not implemented yet, waiting for finalization on interfaces.
    // In final form it will optionally take in a Subject to extract authentication principals and
    // credentials from.
    NamedAuthenticatorGenerator xmlconf = new XMLConfiguredNamedAuthGen(args[1],
        "authentication/NodeForBobsAuthenticationInformation");

    AuthenticatorFactory authfac = new GeneratedAuthenticatorFactory(new NamedAuthenticatorGenerator[] {
        userpass, kerberos, xmlconf
    });

    // 2nd parameter specifies classfactory should only use authenticators with name matching
    // the regex: somemachine.com/*
    classfactory.setAuthenticatorFactory(authfac, "somemachine.com/*");

    /*
     * End authentication portion, everything else is exactly the same
     */

    StockQuoteService sqs = (StockQuoteService) classfactory.lookup("MyStockQuoteService");
    System.out.println("Sun's last sale price was " + sqs.getLastSalePrice("SUNW"));
    System.out.println("Microsoft's last sale price was " + sqs.getLastSalePrice("MSFT"));
  }
}

 
 
Server Side (using Phoenix/Avalon as an example):
 
Should set up an AuthenticatorFactoryBlock as a service
 
Then in code...
 
...
AuthenticatorFactory authfac = (AuthenticatorFactory) ServiceManager.lookup("MyServicesAuthFac");
AbstractServer as = new CompleteSocketCustomStreamServer(1235);
TestInterfaceImpl ti = new TestInterfaceImpl();
// Added the last two parameters; the last one tells the publisher to only use Authenticators
// matching the regex: TestInterface*
as.publish(ti, "Hello", new PublicationDescription(TestInterface.class, TestInterface2.class, authfac, "TestInterface*"));
as.start();
...
 
 
For Authenticator plugin developers:
Just write implementations of Authenticator for client and server sides, and extend AuthenticatorGenerator
to configure it (not really necessary if a generic AuthGen like XMLConfiguredAuthGen is used,
because that will be able to configure any Authenticator).
 
 
That's it?  What do you guys think?  I will post the interfaces (and basic classes) below.
And I will start work on integrating the Authenticator interfaces in with the main codebase
once/if we get all the kinks worked out.
 
All code is under the Apache Software License (see License section for details or consult
www.apache.org)
 
Classes and Interfaces:
=============================================================================
package org.apache.altrmi.security.authentication;
import org.apache.altrmi.common.ConnectionException;
/**
 * Class AuthenticationException
 *
 *
 * @author Paul Hammant
 * @version $Revision: 1.3 $
 */
public class AuthenticationException extends ConnectionException
{
    static final long serialVersionUID = 355399012496642358L;
    /**
     * Constructor AuthenticationException
     *
     *
     * @param msg message that is the cause root of the exception
     *
     */
    public AuthenticationException( String msg )
    {
        super( msg );
    }
}

=============================================================================
package org.apache.altrmi.security.authentication;
/**
 * Class AuthenticationFailedException
 *
 *
 * @author Edward Flick
 * @version $Revision: 1.3 $
 */
public class AuthenticationFailedException extends AuthenticationException
{
    static final long serialVersionUID = 39047539845987399L;
    /**
     * Constructor AuthenticationFailedException
     *
     *
     * @param msg message that is the cause root of the exception
     *
     */
    public AuthenticationFailedException( String msg )
    {
        super( msg );
    }
}

=============================================================================
package org.apache.altrmi.security.authentication;
import java.io.Externalizable;
/**
 * Class AuthenticationToken
 * 
 * AuthenticationToken is the superclass of every message an Authenticator exchanges with its
 * peer; failures are not carried as tokens but signalled with AuthenticationException.
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $ 
 */
public abstract class AuthenticationToken implements Externalizable {
 
 static final long serialVersionUID = -347927938562692936L;
 
}

=============================================================================
package org.apache.altrmi.security.authentication;
import javax.security.auth.Subject;
import org.apache.altrmi.security.payload.PayloadWrapper;
/**
 * Interface Authenticator
 * 
 * An authenticating agent that negotiates remote authenticity.
 * All implemented Authenticators should be configured through their single constructor
 *
 *
 * @author Edward Flick
 * @version $Revision: 1.3 $
 */
public interface Authenticator
{
 
    /**
     * Method getAuthenticationMechanism
     *
     *  
     * @return String the authentication mechanism supported by this class
     */
    public String getAuthenticationMechansim();
    
    /**
     * Method processAuthentication
     * 
     * Process AuthenticationToken received from peer. 
     * 
     * @param received null to initiate the authentication process
     * @return AuthenticationToken token to send to peer to advance authentication process
     * @throws AuthenticationException
     */
    public AuthenticationToken processAuthentication(AuthenticationToken received)
     throws AuthenticationException;
     
    /**
     * Method isFinished
     * 
     * 
     * @return boolean true when authentication process is complete
     * @throws AuthenticationException if Authentication process has not been started
     */
    public boolean isFinished() throws AuthenticationException;
    
 /**
  * Method setLocalSubject
  * 
  * 
  * @param localSubject the identity of this end.
  */
 public void setLocalSubject(Subject localSubject);
 
 
 /**
  * Method getLocalSubject
  * 
  * 
  * @return Subject the identity of this end.
  */
 public Subject getLocalSubject();
    /**
     * Method getRemoteSubject
     * 
     * After authentication isFinished this will return the remote subject.
     * 
     * @return Subject the remote Subject
     * @throws AuthenticationException if Authentication process has not finished.
     */
    public Subject getRemoteSubject() throws AuthenticationException;
    
    /**
     * Method getPayloadWrapper
     * 
     * 
     * @return PayloadWrapper wrapper negotiated by authentication process for data authentication,
     *         integrity, and security.  null if mechanism doesn't support it
     */
    public PayloadWrapper getPayloadWrapper();
    
}

=============================================================================
package org.apache.altrmi.security.authentication;
/**
 * Interface AuthenticatorFactory
 * 
 * Lists supported mechanisms and names of Authenticators capable of producing them.
 * Also generates Authenticators from a supplied list of registered authenticators.
 * All implemented AuthenticatorFactorys should be configured through their single constructor
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $
 */
public interface AuthenticatorFactory
{
    /**
     * Method getSupportedAuthenticationMechanisms
     *
     * 
     * @return String[] authentication mechanisms supported by the associated Authenticators
     */
    public String[] getSupportedAuthenticationMechansims();
    
    /**
     * Method getAuthenticatorNames()
     * 
     * 
     * @return String[] names of all registered Authenticators
     */
    public String[] getAuthenticatorNames();
    /**
     * Method getAuthenticatorNames
     *
     *
     * @param authenticationMechanisms mechanism names to filter by
     * @return String[] names of all available Authenticators which implement any of the supplied
     *         authentication mechanisms
     */
    public String[] getAuthenticatorNames(String[] authenticationMechanisms);

    /**
     * Method getAuthenticator
     *
     *
     * @param name name of the configured authenticator to return
     * @return Authenticator the configured Authenticator registered under that name
     */
    public Authenticator getAuthenticator(String name);
    
}

=============================================================================
package org.apache.altrmi.security.authentication;
import javax.security.auth.Subject;
/**
 * Interface AuthenticatorGenerator 
 * 
 * Generates a configured authenticator
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $ 
 */
public interface AuthenticatorGenerator {
 
 /**
  * Method setLocalSubject
  * 
  * Sets the localSubject of all generated Authenticators to this value.
  * 
  * @param localSubject 
  */
 public void setLocalSubject(Subject localSubject);
 
 
 /**
  * Method getLocalSubject
  * 
  * 
  * @return Subject the localSubject that this AuthenticatorGenerator sets on each Authenticator
  *         it generates.
  */
 public Subject getLocalSubject();

 /**
  * Method generateAuthenticator
  * 
  * 
  * @return Authenticator a configured Authenticator object
  */
 public Authenticator generateAuthenticator();
 
 /**
  * Method getAuthenticationMechanism
  * 
  * 
  * @return String name of supported authentication mechanism
  */
 public String getAuthenticationMechanism();
}

=============================================================================
package org.apache.altrmi.security.authentication.impl;
import org.apache.altrmi.security.authentication.*;
import org.apache.altrmi.security.authentication.Authenticator;
import org.apache.altrmi.security.authentication.AuthenticatorFactory;
/**
 * Class GeneratedAuthenticatorFactory
 *  
 * An AuthenticatorFactory which uses NamedAuthenticatorGenerators
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $ 
 */
public class GeneratedAuthenticatorFactory implements AuthenticatorFactory {

 protected java.util.HashSet namedAuths = new java.util.HashSet();

 /**
  * Constructor GeneratedAuthenticatorFactory
  * 
  * Constructs an AuthenticatorFactory out of NamedAuthenticatorGenerators
  * 
  * @param nags
  */
 public GeneratedAuthenticatorFactory(NamedAuthenticatorGenerator nags[]) {
  for (int i=0; i<nags.length; i++)
   addNamedAuthenticatorGenerator(nags[i]);
 }
    /**
     * Method addNamedAuthenticatorGenerator
     * 
     * Adds a NamedAuthenticatorGenerator to this registry
     * 
     * @param nag
     */
    public void addNamedAuthenticatorGenerator(NamedAuthenticatorGenerator nag) {
  namedAuths.add(nag);
    }
    
    /**
     * Method addAuthenticatorGenerator
     * 
     * Adds a NamedAuthenticatorGenerator to this registry
     * 
     * @param name
     * @param authgen
     */
    public void addAuthenticatorGenerator(String name, AuthenticatorGenerator authgen) {
  addNamedAuthenticatorGenerator(new NamedAuthenticatorGenerator(name,authgen));
    }
    
    /**
     * Method removeAuthenticatorGenerator
     * 
     * Removes this AuthenticatorGenerator from registry
     * 
     * @param name
     */
    public void removeAuthenticatorGenerator(String name) {
     namedAuths.remove(getNamedAuthenticatorGenerator(name));
 }
    
 /**
  * Method getNamedAuthenticatorGenerator
  * 
  * Gets the NamedAuthenticatorGenerator associated with this name
  * 
  * @param name
  * @return NamedAuthenticatorGenerator
  */
 private NamedAuthenticatorGenerator getNamedAuthenticatorGenerator(String name) {
  java.util.Iterator i = namedAuths.iterator();
  while (i.hasNext()) {
   NamedAuthenticatorGenerator nag = (NamedAuthenticatorGenerator)i.next();
   if (nag.getName().equals(name))
    return nag;
  }
  return null;
 }
 
 /**
  * Method getAuthenticatorGenerator
  * 
  * Gets the AuthenticatorGenerator associated with this name
  * 
  * @param name
  * @return AuthenticatorGenerator
  */
 public AuthenticatorGenerator getAuthenticatorGenerator(String name) {
  NamedAuthenticatorGenerator nag = getNamedAuthenticatorGenerator(name);
  return (nag == null) ? null : nag.getAuthenticatorGenerator();
 }
 
 /**
  * Method getAuthenticator
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorFactory#getAuthenticator(String)
  */
 public Authenticator getAuthenticator(String name) {
  AuthenticatorGenerator authgen = getAuthenticatorGenerator(name);
  return (authgen == null) ? null : authgen.generateAuthenticator();
 }

 /**
  * Method getSupportedAuthenticationMechanisms
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorFactory#getSupportedAuthenticationMechansims()
  */
 public String[] getSupportedAuthenticationMechansims() {
  java.util.HashSet authMechs = new java.util.HashSet();
  java.util.Iterator i = namedAuths.iterator();
  while (i.hasNext()) {
   authMechs.add( ((NamedAuthenticatorGenerator)i.next()).getAuthenticationMechanism() );
  }
  // toArray() with no argument returns an Object[], which cannot be cast to String[];
  // pass a typed array so the collection allocates the right element type.
  return (String[])authMechs.toArray(new String[authMechs.size()]);
 }
 /**
  * Method getAuthenticatorNames
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorFactory#getAuthenticatorNames()
  */
 public String[] getAuthenticatorNames() {
  java.util.HashSet names = new java.util.HashSet();
  java.util.Iterator i = namedAuths.iterator();
  while (i.hasNext()) {
   names.add( ((NamedAuthenticatorGenerator)i.next()).getName() );
  }
  // typed toArray: a plain toArray() would give an Object[] and fail the cast at runtime
  return (String[])names.toArray(new String[names.size()]);
 }
 /**
  * Method getAuthenticatorNames
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorFactory#getAuthenticatorNames(String[])
  */
 public String[] getAuthenticatorNames(String[] authenticationMechanisms) {
  java.util.HashSet names = new java.util.HashSet();
  java.util.Iterator i = namedAuths.iterator();
  while (i.hasNext()) {
   NamedAuthenticatorGenerator nag = (NamedAuthenticatorGenerator)i.next();
   for (int j=0; j<authenticationMechanisms.length; j++)
    if (nag.getAuthenticationMechanism().equals(authenticationMechanisms[j]))
     names.add( nag.getName() );
  }
  // typed toArray: a plain toArray() would give an Object[] and fail the cast at runtime
  return (String[])names.toArray(new String[names.size()]);
 }

}

=============================================================================
package org.apache.altrmi.security.authentication.impl;
import javax.security.auth.Subject;
import org.apache.altrmi.security.authentication.Authenticator;
import org.apache.altrmi.security.authentication.AuthenticatorGenerator;
/**
 * Class NamedAuthenticatorGenerator
 * 
 * Associates a Name with an AuthenticatorGenerator
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $ 
 */
public class NamedAuthenticatorGenerator implements AuthenticatorGenerator {
 private String name = null;
 private String authmech = null;
 private AuthenticatorGenerator authgen = null;
  
 /**
  * Constructor NamedAuthenticatorGenerator
  * 
  * Associate Name with AuthenticatorGenerator, 
  * 
  * @param _name cannot be null
  * @param _authgen cannot be null
  */
 public NamedAuthenticatorGenerator(String _name, AuthenticatorGenerator _authgen) {
  // Explicit checks rather than assert: Java assertions are disabled unless the VM is
  // started with -ea, so an assert would silently let a null through in production.
  if (_name == null || _authgen == null)
   throw new IllegalArgumentException("name and authgen cannot be null");
  name = _name;
  authgen = _authgen;
  // The generator already reports its mechanism; no need to build a throwaway
  // Authenticator (which may carry credentials) just to ask it.
  authmech = authgen.getAuthenticationMechanism();
 }
  
 /**
  * Method setLocalSubject
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorGenerator#setLocalSubject(Subject)
  */
 public void setLocalSubject(Subject localSubject) {
  authgen.setLocalSubject(localSubject);
 }
 
 
 /**
  * Method getLocalSubject
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorGenerator#getLocalSubject()
  */
 public Subject getLocalSubject() {
  return authgen.getLocalSubject();
 }
 
 /**
  * Method getName
  * 
  * 
  * @return String the name associated with this Authenticator
  */
 public String getName() {
  return name;
 }
 
 /**
  * Method getAuthenticationMechanism
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorGenerator#getAuthenticationMechanism()
  */
 public String getAuthenticationMechanism() {
  return authmech;
 }
  
 /**
  * Method getAuthenticatorGenerator
  * 
  * 
  * @return AuthenticatorGenerator the AuthenticatorGenerator associated with this object
  */
 public AuthenticatorGenerator getAuthenticatorGenerator() {
  return authgen;
 }
 /**
  * Method generateAuthenticator
  * 
  * 
  * @see org.apache.altrmi.security.authentication.AuthenticatorGenerator#generateAuthenticator()
  */
 public Authenticator generateAuthenticator() {
  return authgen.generateAuthenticator(); 
 }
}

=============================================================================
package org.apache.altrmi.security.payload;
/**
 * Interface PayloadWrapper
 * 
 * Wraps and unwraps data usually for data privacy, integrity, and authenticity purposes.
 * 
 * @author Edward Flick
 * @version $Revision: 1.3 $ 
 */
public interface PayloadWrapper {
 
 /**
  * Method wrap
  * 
  * 
  * @param payload data to wrap
  * @return byte[] wrapped data
  * @throws Exception
  */
 public byte[] wrap(byte[] payload) throws Exception;
 
 /**
  * Method unwrap
  * 
  * 
  * @param wrappedPayload wrapped data
  * @return byte[] unwrapped data
  * @throws Exception
  */
 public byte[] unwrap(byte[] wrappedPayload) throws Exception;
 
}

=============================================================================

License:

/* ====================================================================
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 1997-2003 The Apache Software Foundation. All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *    "This product includes software developed by the
 *    Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowledgment may appear in the software
 *    itself, if and wherever such third-party acknowledgments
 *    normally appear.
 *
 * 4. The names "Incubator", "AltRMI", and "Apache Software Foundation"
 *    must not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache",
 *    nor may "Apache" appear in their name, without prior written
 *    permission of the Apache Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation. For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 */




Edward Flick
Enterprise Applications Designer / Database Administrator / Web Administrator
CDF, Inc.
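Worked example (added here; not code from the post or from AltRMI): an Authenticator that implements the contract above for both ends of a mutual HMAC-SHA256 challenge-response over a shared secret, together with its Externalizable token type and a PayloadWrapper that appends an integrity tag. The class name, the mechanism string, the four-step token layout, the `impl` package placement and the sample credentials are all assumptions of this example; it compiles against the interfaces as posted, including the getAuthenticationMechansim spelling the interface declares, and needs Java 9 or later for Map.of.

```java
package org.apache.altrmi.security.authentication.impl;   // assumed placement, not in the posted tree

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import org.apache.altrmi.security.authentication.*;
import org.apache.altrmi.security.payload.PayloadWrapper;

/** Mutual HMAC-SHA256 challenge-response over a shared secret; one class serves both ends (server flag). */
public final class HmacChallengeAuthenticator implements Authenticator {
    /** One token type for all four steps: step number, a name, an opaque body. */
    public static final class Token extends AuthenticationToken {
        public int step; public String name = ""; public byte[] body = new byte[0];
        public Token() {}                                    // Externalizable needs a public no-arg constructor
        Token(int step, String name, byte[] body) { this.step = step; this.name = name; this.body = body; }
        public void writeExternal(ObjectOutput o) throws IOException { o.writeInt(step); o.writeUTF(name); o.writeInt(body.length); o.write(body); }
        public void readExternal(ObjectInput in) throws IOException {
            step = in.readInt(); name = in.readUTF(); int n = in.readInt();
            if (n < 0 || n > 64) throw new IOException("token body too large: " + n); // peer is unauthenticated: bound before allocating
            body = new byte[n]; in.readFully(body);
        }
    }
    private final boolean server;
    private final Map<String, byte[]> secrets;               // server: user -> shared secret; client: its own entry only
    private final SecureRandom rng = new SecureRandom();
    private Subject local, remote;
    private String user; private byte[] secret, cNonce, sNonce;
    private boolean started, finished;

    public HmacChallengeAuthenticator(boolean server, Map<String, byte[]> secrets) { this.server = server; this.secrets = secrets; }
    public String getAuthenticationMechansim() { return "HMAC-SHA256-CHALLENGE"; } // spelled as the posted interface declares it
    public void setLocalSubject(Subject s) { local = s; }
    public Subject getLocalSubject() { return local; }
    public boolean isFinished() throws AuthenticationException { if (!started) throw new AuthenticationException("not started"); return finished; }
    public Subject getRemoteSubject() throws AuthenticationException { if (!finished) throw new AuthenticationException("not finished"); return remote; }

    public AuthenticationToken processAuthentication(AuthenticationToken received) throws AuthenticationException {
        if (finished) throw new AuthenticationException("authentication already finished");
        if (received != null && !(received instanceof Token)) throw new AuthenticationException("foreign token type");
        return server ? serverStep((Token) received) : clientStep((Token) received);
    }
    private AuthenticationToken clientStep(Token t) throws AuthenticationException {
        if (t == null && !started) {                         // step 1: send our name and a fresh nonce
            started = true; user = principalName(local); secret = secrets.get(user);
            if (secret == null) throw new AuthenticationException("no secret configured for " + user);
            cNonce = nonce(); return new Token(1, user, cNonce);
        }
        if (t != null && started && sNonce == null && t.step == 2) { sNonce = t.body; return new Token(3, user, mac("client")); } // step 3: our proof
        if (t != null && sNonce != null && t.step == 4) {    // verify the server's proof; the client side is then done
            if (!MessageDigest.isEqual(mac("server"), t.body)) throw new AuthenticationFailedException("server proof invalid");
            remote = subjectFor("server"); finished = true; return null;
        }
        throw new AuthenticationException("token out of sequence on client");
    }
    private AuthenticationToken serverStep(Token t) throws AuthenticationException {
        if (t != null && !started && t.step == 1) {          // step 2: challenge. An unknown name gets a random secret, so the
            started = true; user = t.name; cNonce = t.body;  // failure surfaces at step 3 without revealing whether the name exists
            secret = secrets.containsKey(user) ? secrets.get(user) : nonce();
            sNonce = nonce(); return new Token(2, "", sNonce);
        }
        if (t != null && sNonce != null && t.step == 3) {    // step 4: verify the client's proof, answer with ours
            if (!MessageDigest.isEqual(mac("client"), t.body)) throw new AuthenticationFailedException("bad credentials for " + user);
            remote = subjectFor(user); finished = true; return new Token(4, "", mac("server"));
        }
        throw new AuthenticationException("token out of sequence on server");
    }
    /** Integrity-only wrapper keyed from the handshake: payload || HMAC(key, payload). No confidentiality. */
    public PayloadWrapper getPayloadWrapper() {
        if (!finished) return null;
        final byte[] key = mac("key");
        return new PayloadWrapper() {
            public byte[] wrap(byte[] p) { return concat(p, hmac(key, p)); }
            public byte[] unwrap(byte[] w) throws AuthenticationFailedException {
                if (w.length < 32) throw new AuthenticationFailedException("wrapped payload truncated");
                byte[] p = Arrays.copyOf(w, w.length - 32), tag = Arrays.copyOfRange(w, w.length - 32, w.length);
                if (!MessageDigest.isEqual(hmac(key, p), tag)) throw new AuthenticationFailedException("payload tag mismatch");
                return p;
            }
        };
    }
    private byte[] mac(String label) { return hmac(secret, concat(label.getBytes(StandardCharsets.UTF_8), cNonce, sNonce)); }
    private static byte[] hmac(byte[] key, byte[] data) {
        try { Mac m = Mac.getInstance("HmacSHA256"); m.init(new SecretKeySpec(key, "HmacSHA256")); return m.doFinal(data); }
        catch (GeneralSecurityException e) { throw new IllegalStateException("HmacSHA256 unavailable", e); } // mandatory in every JRE
    }
    private static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream b = new ByteArrayOutputStream(); for (byte[] p : parts) b.write(p, 0, p.length); return b.toByteArray();
    }
    private byte[] nonce() { byte[] n = new byte[16]; rng.nextBytes(n); return n; }
    static Subject subjectFor(String name) { Subject s = new Subject(); s.getPrincipals().add((Principal) () -> name); return s; }
    static String principalName(Subject s) throws AuthenticationException {
        if (s == null || s.getPrincipals().isEmpty()) throw new AuthenticationException("local Subject carries no Principal");
        return s.getPrincipals().iterator().next().getName();
    }
    /** In-process handshake: hand each returned token to the other side until the client returns null. */
    public static void main(String[] args) throws Exception {
        Map<String, byte[]> users = Map.of("edward", "quijibobble".getBytes(StandardCharsets.UTF_8)); // constructed sample credential
        HmacChallengeAuthenticator client = new HmacChallengeAuthenticator(false, users), server = new HmacChallengeAuthenticator(true, users);
        client.setLocalSubject(subjectFor("edward"));
        for (AuthenticationToken t = client.processAuthentication(null); t != null; ) {
            t = server.processAuthentication(t);
            if (t != null) t = client.processAuthentication(t);
        }
        System.out.println("server authenticated " + principalName(server.getRemoteSubject()) + "; client finished=" + client.isFinished());
        byte[] wire = server.getPayloadWrapper().wrap("SUNW".getBytes(StandardCharsets.UTF_8));
        System.out.println("client unwrapped: " + new String(client.getPayloadWrapper().unwrap(wire), StandardCharsets.UTF_8));
        HmacChallengeAuthenticator bad = new HmacChallengeAuthenticator(false, Map.of("edward", "wrong".getBytes(StandardCharsets.UTF_8)));
        bad.setLocalSubject(subjectFor("edward")); server = new HmacChallengeAuthenticator(true, users);
        try { server.processAuthentication(bad.processAuthentication(server.processAuthentication(bad.processAuthentication(null)))); }
        catch (AuthenticationFailedException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Two points in this example are worth carrying into any real mechanism built on these interfaces. Tokens arrive before the peer is authenticated, so readExternal bounds the body length before allocating, and whatever ObjectInputStream the transport feeds them through should be restricted with an ObjectInputFilter (Java 9 and later) as well. The wrapper only provides integrity; a mechanism that negotiates encryption would return a different wrapper, or null where the interface allows it.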
