org.jboss.security.plugins: public class: JaasSecurityDomain

org.jboss.security.plugins
public class: JaasSecurityDomain [javadoc | source]

java.lang.Object
   org.jboss.mx.util.JBossNotificationBroadcasterSupport
      org.jboss.system.ServiceMBeanSupport
         org.jboss.security.plugins.JaasSecurityManager
            org.jboss.security.plugins.JaasSecurityDomain

All Implemented Interfaces:
JaasSecurityDomainMBean, SecurityDomain, RealmMapping, SubjectSecurityManager, org.jboss.kernel.spi.dependency.KernelControllerContextAware, ServiceMBean, MBeanRegistration, NotificationEmitter

The JaasSecurityDomain is an extension of JaasSecurityManager that addes the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory for supporting SSL and other cryptographic use cases. Attributes:

KeyStoreType: The implementation type name being used, defaults to 'JKS'.
KeyStoreURL: Set the KeyStore database URL string. This is used to obtain an InputStream to initialize the KeyStore. If the string is not a value URL, its treated as a file.
KeyStorePass: the password used to load the KeyStore. Its format is one of:
- The plaintext password for the KeyStore(or whatever format is used by the KeyStore). The toCharArray() value of the string is used without any manipulation.
- A command to execute to obtain the plaintext password. The format is '{EXT}...' where the '...' is the exact command line that will be passed to the Runtime.exec(String) method to execute a platform command. The first line of the command output is used as the password.
- A class to create to obtain the plaintext password. The format is '{CLASS}classname[:ctorarg]' where the '[:ctorarg]' is an optional string delimited by the ':' from the classname that will be passed to the classname ctor. The password is obtained from classname by invoking a 'char[] toCharArray()' method if found, otherwise, the 'String toString()' method is used.
The KeyStorePass is also used in combination with the Salt and IterationCount attributes to create a PBE secret key used with the encode/decode operations.
ManagerServiceName: The JMX object name string of the security manager service that the domain registers with to function as a security manager for the security domain name passed to the ctor. The makes the JaasSecurityDomain available under the standard JNDI java:/jaas/(domain) binding.
LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider security provider should be loaded on startup. This is needed when using the Sun JSSE jars without them installed as an extension with JDK 1.3. This should be set to false with JDK 1.4 or when using an alternate JSSE provider
Salt:
IterationCount:

todo: add - support for encode/decode based on a SecretKey in the keystore.

author: Scott.Stark - @jboss.org

author: < - a href="mailto:jasone@greenrivercomputing.com">Jason Essington

version: $ - Revision: 37459 $

Fields inherited from org.jboss.system.ServiceMBeanSupport:
SERVICE_CONTROLLER_SIG, log, server, serviceName

Constructor:

Constructor:
public JaasSecurityDomain() { super(); } Creates a default JaasSecurityDomain for with a securityDomain name of 'other'.
public JaasSecurityDomain(String securityDomain) { this(securityDomain, new SecurityAssociationHandler()); } Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument. Parameters: `securityDomain` - , the name of the security domain
public JaasSecurityDomain(String securityDomain, CallbackHandler handler) { super(securityDomain, handler); } Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument. Parameters: `securityDomain` - , the name of the security domain `handler` - , the CallbackHandler to use to obtain login module info

 public JaasSecurityDomain() {
                  
      super();
}

Creates a default JaasSecurityDomain for with a securityDomain name of 'other'.

 public JaasSecurityDomain(String securityDomain) {
      this(securityDomain, new SecurityAssociationHandler());
}

Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument.

Parameters:

securityDomain - , the name of the security domain

 public JaasSecurityDomain(String securityDomain,
    CallbackHandler handler) {
      super(securityDomain, handler);
}

Creates a JaasSecurityDomain for with a securityDomain name of that given by the 'securityDomain' argument.

Parameters:

securityDomain - , the name of the security domain

handler - , the CallbackHandler to use to obtain login module info

Method from org.jboss.security.plugins.JaasSecurityDomain Summary:
decode, decode64, encode, encode64, getCipherAlgorithm, getKeyManagerFactory, getKeyStore, getKeyStoreType, getKeyStoreURL, getManagerServiceName, getName, getSecurityManagement, getTrustManagerFactory, getTrustStore, getTrustStoreType, getTrustStoreURL, reloadKeyAndTrustStore, setCipherAlgorithm, setIterationCount, setKeyStorePass, setKeyStoreType, setKeyStoreURL, setManagerServiceName, setSalt, setSecurityManagement, setTrustStorePass, setTrustStoreType, setTrustStoreURL, startService, stopService

Method from org.jboss.security.plugins.JaasSecurityDomain Summary:

decode, decode64, encode, encode64, getCipherAlgorithm, getKeyManagerFactory, getKeyStore, getKeyStoreType, getKeyStoreURL, getManagerServiceName, getName, getSecurityManagement, getTrustManagerFactory, getTrustStore, getTrustStoreType, getTrustStoreURL, reloadKeyAndTrustStore, setCipherAlgorithm, setIterationCount, setKeyStorePass, setKeyStoreType, setKeyStoreURL, setManagerServiceName, setSalt, setSecurityManagement, setTrustStorePass, setTrustStoreType, setTrustStoreURL, startService, stopService

Methods from org.jboss.security.plugins.JaasSecurityManager:
doesUserHaveRole, flushCache, getActiveSubject, getPrincipal, getSecurityDomain, getTargetPrincipal, getUserRoles, isValid, isValid, setCachePolicy, setDeepCopySubjectOption

Methods from org.jboss.system.ServiceMBeanSupport:
create, createService, destroy, destroyService, getDeploymentInfo, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, pojoChange, pojoCreate, pojoDestroy, pojoStart, pojoStop, postDeregister, postRegister, preDeregister, preRegister, setKernelControllerContext, start, startService, stop, stopService, unsetKernelControllerContext

Methods from org.jboss.system.ServiceMBeanSupport:

create, createService, destroy, destroyService, getDeploymentInfo, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, pojoChange, pojoCreate, pojoDestroy, pojoStart, pojoStop, postDeregister, postRegister, preDeregister, preRegister, setKernelControllerContext, start, startService, stop, stopService, unsetKernelControllerContext

Methods from org.jboss.mx.util.JBossNotificationBroadcasterSupport:
addNotificationListener, getNotificationInfo, handleNotification, nextNotificationSequenceNumber, removeNotificationListener, removeNotificationListener, sendNotification

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.jboss.security.plugins.JaasSecurityDomain Detail:
public byte[] decode(byte[] secret) throws Exception { SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission(decodePermission); Cipher cipher = Cipher.getInstance(cipherAlgorithm); cipher.init(Cipher.DECRYPT_MODE, cipherKey, cipherSpec); byte[] decode = cipher.doFinal(secret); return decode; } Decrypt the secret using the cipherKey.
public byte[] decode64(String secret) throws Exception { byte[] encoding = CryptoUtil.fromb64(secret); byte[] decode = decode(encoding); return decode; } Decrypt the base64 encoded secret using the cipherKey.
public byte[] encode(byte[] secret) throws Exception { SecurityManager sm = System.getSecurityManager(); if (sm != null) { System.out.println("Checking: " + encodePermission); sm.checkPermission(encodePermission); } Cipher cipher = Cipher.getInstance(cipherAlgorithm); cipher.init(Cipher.ENCRYPT_MODE, cipherKey, cipherSpec); byte[] encoding = cipher.doFinal(secret); return encoding; } Encrypt the secret using the cipherKey.
public String encode64(byte[] secret) throws Exception { byte[] encoding = encode(secret); String b64 = CryptoUtil.tob64(encoding); return b64; } Encrypt the secret using the cipherKey and return a base64 encoding.
public String getCipherAlgorithm() { return cipherAlgorithm; }
public KeyManagerFactory getKeyManagerFactory() throws SecurityException { return keyMgr; }
public KeyStore getKeyStore() throws SecurityException { return keyStore; }
public String getKeyStoreType() { return this.keyStoreType; }
public String getKeyStoreURL() { String url = null; if (keyStoreURL != null) url = keyStoreURL.toExternalForm(); return url; }
public ObjectName getManagerServiceName() { return this.managerServiceName; } The JMX object name string of the security manager service.
public String getName() { return "JaasSecurityDomain(" + getSecurityDomain() + ")"; }
public ISecurityManagement getSecurityManagement() { return securityManagement; }
public TrustManagerFactory getTrustManagerFactory() throws SecurityException { return trustMgr; }
public KeyStore getTrustStore() throws SecurityException { return trustStore; }
public String getTrustStoreType() { return this.trustStoreType; }
public String getTrustStoreURL() { String url = null; if (trustStoreURL != null) url = trustStoreURL.toExternalForm(); return url; }
public void reloadKeyAndTrustStore() throws Exception { loadKeyAndTrustStore(); } Reload the key- and truststore
public void setCipherAlgorithm(String cipherAlgorithm) { this.cipherAlgorithm = cipherAlgorithm; }
public void setIterationCount(int iterationCount) { this.iterationCount = iterationCount; }
public void setKeyStorePass(String password) throws Exception { this.keyStorePassword = Util.loadPassword(password); }
public void setKeyStoreType(String type) { this.keyStoreType = type; }
public void setKeyStoreURL(String storeURL) throws IOException { this.keyStoreURL = this.validateStoreURL(storeURL); log.debug("Using KeyStore=" + keyStoreURL.toExternalForm()); }
public void setManagerServiceName(ObjectName managerServiceName) { this.managerServiceName = managerServiceName; } Set the JMX object name string of the security manager service.
public void setSalt(String salt) { this.salt = salt.getBytes(); }
public void setSecurityManagement(ISecurityManagement securityManagement) { this.securityManagement = securityManagement; }
public void setTrustStorePass(String password) throws Exception { this.trustStorePassword = Util.loadPassword(password); }
public void setTrustStoreType(String type) { this.trustStoreType = type; }
public void setTrustStoreURL(String storeURL) throws IOException { this.trustStoreURL = validateStoreURL(storeURL); }
protected void startService() throws Exception { // Load the secret key loadPBESecretKey(); // Load the key and/or truststore into memory loadKeyAndTrustStore(); // Only register with the JaasSecurityManagerService if its defined if (managerServiceName != null) { /* * Register with the JaasSecurityManagerServiceMBean. This allows this JaasSecurityDomain to function as the * security manager for security-domain elements that declare java:/jaas/xxx for our security domain name. */ MBeanServer server = MBeanServerLocator.locateJBoss(); Object[] params = {getSecurityDomain(), this}; String[] signature = new String[]{"java.lang.String", "org.jboss.security.SecurityDomain"}; server.invoke(managerServiceName, "registerSecurityDomain", params, signature); } // Register yourself with the security management if (securityManagement instanceof JNDIBasedSecurityManagement) { JNDIBasedSecurityManagement jbs = (JNDIBasedSecurityManagement) securityManagement; jbs.registerJaasSecurityDomainInstance(getSecurityDomain(), this); } }
protected void stopService() { if (keyStorePassword != null) { Arrays.fill(keyStorePassword, '\0"); keyStorePassword = null; } cipherKey = null; // Deregister yourself with the security management if (securityManagement instanceof JNDIBasedSecurityManagement) { JNDIBasedSecurityManagement jbs = (JNDIBasedSecurityManagement) securityManagement; jbs.deregisterJaasSecurityDomainInstance(getSecurityDomain(), this); } }