eu.emi.dsr.security
Class SecurityManager

java.lang.Object
  eu.emi.dsr.security.SecurityManager

public final class SecurityManager
extends Object

access to security components

Author:

schuller, golbi

Nested Class Summary

static class

SecurityManager.NullAuthoriser

Field Summary

static String	DISABLE_SECURITY_AND_ACCESS_CONTROL for unit testing, set this property to "true" to disable security
static Pattern	pattern
protected static String	proxyRE

Method Summary

static void	addCallback(AttributeHandlingCallback aac) add a callback class for dealing with additional security attributes
static void	addSOAPActionsRequiringSignatures(String... actions) add SOAP actions to the special list requiring signed messages
static void	checkAuthentication(SecurityTokens tokens, String action, ResourceDescriptor d) check whether authentication is OK and conforms to this server's policies
static void	checkAuthorisation(Client c, String action, ResourceDescriptor d) Check access by evaluating the XACML policies.
static void	clearLocalCall() for the current thread, clear the "local call" flag
static Client	createAndAuthoriseClient(SecurityTokens tokens) Create an authorised Client object.
static void	createAttributeSource() Creates AttributeSource used for establishing clients' attributes.
static SubjectAttributesHolder	establishAttributes(SecurityTokens tokens) Returns an attribute map for a set of security tokens from the configured Attribute Source
static IAttributeSource	getAtributeSource() get the attribute source
static String	getAuthoriserConnectionStatus() get a human-readable description of the current status of the configured authorisers.
static RegistryPDP	getPDP() get the XACML policy decision point
static X509Certificate	getPeerCertificate(String url, ISecurityProperties security)
static X509Certificate	getPeerCertificate(String url, ISecurityProperties security, int timeout) helper to get the certificate on the other side of a SSL connection to "url"
static X509Certificate	getServerCert() get the certificate of the server
static String	getServerDistinguishedName() get the X500 name of the server in human-friendly form, i.e.
static X500Principal	getServerIdentity() get the server's identity, or null if no server keystore has been configured makeAnonymousClient
protected static Role	getServerRole() server role
static String[]	getTrustedCertificateDNs()
static boolean	isAccessControlEnabled()
static boolean	isAccessible(Client client, String serviceName, String wsResourceID, String owner) Can the given client access the given (server-local!) endpoint? This will not give the correct result if the action plays a role
static boolean	isAdmin(Client c) checks whether the given client has the "admin" role
static boolean	isLocalCall() check whether the current request is local (i.e.
static boolean	isProxyDN(String dn)
static boolean	isServer(CertPath path) checks whether the given CertPath is the server identity
static boolean	isServer(Client c) checks whether the given client has the server identity
static boolean	isServer(X509Certificate cert) checks whether the given certificate is the server identity
protected static Client	makeAnonymousClient(String dn) a special client useful for anonymous requests
static boolean	needSignature(String soapAction)
static void	registerAuthNCheckingStrategies(AuthNCheckingStrategy... strategies) register checking strategies
static void	setAccessControlEnabled(boolean isAccessControlEnabled)
static void	setLocalCall() for the current thread, set the "local call" flag.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DISABLE_SECURITY_AND_ACCESS_CONTROL

public static final String DISABLE_SECURITY_AND_ACCESS_CONTROL

for unit testing, set this property to "true" to disable security

See Also:

Constant Field Values

proxyRE

protected static final String proxyRE

See Also:

Constant Field Values

pattern

public static final Pattern pattern

Method Detail

addCallback

public static void addCallback(AttributeHandlingCallback aac)

add a callback class for dealing with additional security attributes

Parameters:

aac - - an AttributeHandlingCallback

getServerCert

public static X509Certificate getServerCert()

get the certificate of the server

Returns:

getServerIdentity

public static X500Principal getServerIdentity()

get the server's identity, or null if no server keystore has been configured makeAnonymousClient

Returns:

an X500Principal or null

See Also:

getServerCert()

getServerDistinguishedName

public static String getServerDistinguishedName()

get the X500 name of the server in human-friendly form, i.e. using X500Principal.toString()

Returns:

the human-friendly form of the server DN

See Also:

getServerIdentity()

getTrustedCertificateDNs

public static String[] getTrustedCertificateDNs()

getPDP

public static RegistryPDP getPDP()

get the XACML policy decision point

Returns:

XacmlPDP

establishAttributes

public static SubjectAttributesHolder establishAttributes(SecurityTokens tokens)
                                                   throws Exception

Returns an attribute map for a set of security tokens from the configured Attribute Source

Parameters:

tokens -

Returns:

attributes

Throws:

Exception

createAttributeSource

public static void createAttributeSource()
                                  throws Exception

Creates AttributeSource used for establishing clients' attributes.

Throws:

Exception

createAndAuthoriseClient

public static Client createAndAuthoriseClient(SecurityTokens tokens)

Create an authorised Client object. This will use the supplied security tokens to make a call to an authoriser (such as the XUUDB) and set client attributes such as role, xlogin, etc based on the authoriser's reply.

Parameters:

tokens - - Security tokens

Returns:

authorised Client object

getServerRole

protected static Role getServerRole()

server role

makeAnonymousClient

protected static Client makeAnonymousClient(String dn)

a special client useful for anonymous requests

Returns:

checkAuthentication

public static void checkAuthentication(SecurityTokens tokens,
                                       String action,
                                       ResourceDescriptor d)

check whether authentication is OK and conforms to this server's policies

Parameters:

tokens - - SecurityTokens from the request

action - - the method being invoked

d - - the resource being accessed

registerAuthNCheckingStrategies

public static void registerAuthNCheckingStrategies(AuthNCheckingStrategy... strategies)

register checking strategies

Parameters:

strategies - - AuthNCheckingStrategy objects

checkAuthorisation

public static void checkAuthorisation(Client c,
                                      String action,
                                      ResourceDescriptor d)
                               throws AuthorisationException

Check access by evaluating the XACML policies. I access is DENIED then AuthorisationException is thrown.

Parameters:

c -

action -

d -

Throws:

AuthorisationException

isAccessible

public static boolean isAccessible(Client client,
                                   String serviceName,
                                   String wsResourceID,
                                   String owner)
                            throws Exception

Can the given client access the given (server-local!) endpoint? This will not give the correct result if the action plays a role

Parameters:

client - - the client

serviceName - - can be null

wsResourceID - - can be null

Returns:

true if the

Throws:

Exception

setLocalCall

public static void setLocalCall()

for the current thread, set the "local call" flag. This should be used always in using a try-finally construct, i.e.

  SecurityManager.setLocalCall();
  try{
    //... perform call
  }
  finally{
    SecurityManager.clearLocalCall();
  }
 

clearLocalCall

public static void clearLocalCall()

for the current thread, clear the "local call" flag

isLocalCall

public static boolean isLocalCall()

check whether the current request is local (i.e. made from within the same VM)

isServer

public static boolean isServer(Client c)

checks whether the given client has the server identity

isServer

public static boolean isServer(X509Certificate cert)

checks whether the given certificate is the server identity

isServer

public static boolean isServer(CertPath path)

checks whether the given CertPath is the server identity

isAdmin

public static boolean isAdmin(Client c)

checks whether the given client has the "admin" role

getPeerCertificate

public static X509Certificate getPeerCertificate(String url,
                                                 ISecurityProperties security)

getPeerCertificate

public static X509Certificate getPeerCertificate(String url,
                                                 ISecurityProperties security,
                                                 int timeout)

helper to get the certificate on the other side of a SSL connection to "url"

Parameters:

url - - the URL to connect to

security - - the IUASSecurityProperties to use

timeout - - the time to wait for a connection before giving up

isAccessControlEnabled

public static boolean isAccessControlEnabled()

setAccessControlEnabled

public static void setAccessControlEnabled(boolean isAccessControlEnabled)

getAuthoriserConnectionStatus

public static String getAuthoriserConnectionStatus()
                                            throws Exception

get a human-readable description of the current status of the configured authorisers.

Throws:

Exception

getAtributeSource

public static IAttributeSource getAtributeSource()
                                          throws Exception

get the attribute source

Throws:

Exception

isProxyDN

public static boolean isProxyDN(String dn)

addSOAPActionsRequiringSignatures

public static void addSOAPActionsRequiringSignatures(String... actions)

add SOAP actions to the special list requiring signed messages

Parameters:

actions -

needSignature

public static boolean needSignature(String soapAction)