Posted to commits@juddi.apache.org by al...@apache.org on 2015/01/19 23:14:30 UTC

juddi git commit: JUDDI-862 added and documented

Repository: juddi
Updated Branches:
  refs/heads/master 75f1a2b7d -> 6e03b8244


JUDDI-862 added and documented


Project: http://git-wip-us.apache.org/repos/asf/juddi/repo
Commit: http://git-wip-us.apache.org/repos/asf/juddi/commit/6e03b824
Tree: http://git-wip-us.apache.org/repos/asf/juddi/tree/6e03b824
Diff: http://git-wip-us.apache.org/repos/asf/juddi/diff/6e03b824

Branch: refs/heads/master
Commit: 6e03b82446f162a3cb3b6ac4c27acdf847afefd9
Parents: 75f1a2b
Author: Alex <al...@apache.org>
Authored: Mon Jan 19 17:14:02 2015 -0500
Committer: Alex <al...@apache.org>
Committed: Mon Jan 19 17:14:02 2015 -0500

----------------------------------------------------------------------
 .../en-US/GuideConfigurationServer.asciidoc     |   9 +
 .../juddi/v3/client/cryptor/DigSigUtil.java     | 147 +++++--
 .../java/org/apache/juddi/config/Property.java  | 401 ++++++++++---------
 .../juddi/validation/ValidatePublish.java       | 127 +++++-
 .../src/main/resources/messages.properties      |   3 +-
 .../src/test/resources/juddiv3-enc-3des.xml     |  13 +
 .../src/test/resources/juddiv3-enc-aes128.xml   |  13 +
 .../src/test/resources/juddiv3-enc-aes256.xml   |  13 +
 .../src/test/resources/juddiv3-enc-default.xml  |  13 +
 juddi-core/src/test/resources/juddiv3.xml       |  13 +
 .../resources/juddiv3DisabledTModelKeybag.xml   |  13 +
 .../org/apache/juddi/samples/EntryPoint.java    |   6 +
 .../juddi/samples/UddiDigitalSignatureFile.java | 160 ++++++++
 juddi-tomcat/juddiv3Node2.xml                   |  13 +
 .../src/main/webapp/WEB-INF/classes/juddiv3.xml |  13 +
 .../org/apache/juddi/v3/tck/TckBusiness.java    |   8 +-
 16 files changed, 732 insertions(+), 233 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc
----------------------------------------------------------------------
diff --git a/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc b/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc
index cb746ed..598e5f5 100644
--- a/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc
+++ b/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc
@@ -143,6 +143,15 @@ RMI Proxy properties that can be referenced in the _juddiv3.xml_ file and is onl
 |===========================================================================================
 |Property Name                   |Description         |Required     |Default Value or [Example Value]
 |_juddi/validation/enforceReferentialIntegrity_|As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelInstanceParms and anything else that references a KeyName default value is true. Set to false for backwards compatibility or for a more lax registry.|N|[_true_]
+|_juddi/validation/rejectInvalidSignatures/enable | Enables or Disables the validation of signatures when a publisher attempts to save an entity | N | false
+|_juddi/validation/rejectInvalidSignatures/enable/trustStorePath | Path to the trust store. Can be overridden via system properties. If not specified, the Windows trust store will be used, else the default JRE trust store will be used. | N | [truststore.jks]
+|_juddi/validation/rejectInvalidSignatures/trustStoreType | The type of store to use | N | JKS
+|_juddi/validation/rejectInvalidSignatures/trustStorePassword | The clear text or encrypted password to the trust store | N | 
+|_juddi/validation/rejectInvalidSignatures/trustStorePassword@isPasswordEncrypted | True/False | N | false
+|_juddi/validation/rejectInvalidSignatures/trustStorePassword@cryptoProvider | A cryptographic provider, representing the one that was used to encrypt | 
+|_juddi/validation/rejectInvalidSignatures/checkTimestamps | If true, certificates are checked against the time validity | N | false
+|_juddi/validation/rejectInvalidSignatures/checkTrust | If true, the certificates trust chain is validated against the trust store | N | false
+|_juddi/validation/rejectInvalidSignatures/checkRevocationCRL | If true, the certificate will attempted to be validated using online certificate revocation protocols | N | false
 |===========================================================================================
 
 

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
----------------------------------------------------------------------
diff --git a/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java b/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
index 80f317b..fd8628d 100644
--- a/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
+++ b/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
@@ -17,6 +17,7 @@ package org.apache.juddi.v3.client.cryptor;
 
 import java.io.ByteArrayInputStream;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringWriter;
@@ -149,8 +150,38 @@ public class DigSigUtil {
         public final static String SIGNATURE_KEYSTORE_FILE_PASSWORD = "filePassword";
         public final static String SIGNATURE_KEYSTORE_KEY_PASSWORD = "keyPassword";
         public final static String SIGNATURE_KEYSTORE_KEY_ALIAS = "keyAlias";
+        /**
+         *
+         * trust loaded as follows
+         * system property via file
+         * programmatically specified map via file
+         * programmatically specified map thread classloader lookup
+         * programmatically specified map this class's classloader lookup
+         * windows trust store
+         * JDK provided trust store
+         */
         public final static String TRUSTSTORE_FILE = "trustStorePath";
+        /**
+         *
+         * trust loaded as follows
+         * system property via file
+         * programmatically specified map via file
+         * programmatically specified map thread classloader lookup
+         * programmatically specified map this class's classloader lookup
+         * windows trust store
+         * JDK provided trust store
+         */
         public final static String TRUSTSTORE_FILETYPE = "trustStoreType";
+        /**
+         *
+         * trust loaded as follows
+         * system property via file
+         * programmatically specified map via file
+         * programmatically specified map thread classloader lookup
+         * programmatically specified map this class's classloader lookup
+         * windows trust store
+         * JDK provided trust store
+         */
         public final static String TRUSTSTORE_FILE_PASSWORD = "trustStorePassword";
         /**
          * default is CanonicalizationMethod.EXCLUSIVE
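Review bot: The same six-line lookup-order list is pasted as the Javadoc of `TRUSTSTORE_FILE`, `TRUSTSTORE_FILETYPE` and `TRUSTSTORE_FILE_PASSWORD` (and again on `GetTrustStore()` in the next hunk), and none of the three says what its own key holds. Javadoc collapses line breaks, so the list will also render as one run-on sentence. I would keep the order in one place and give each constant its own line, e.g. `/** Property key for the trust store file path; see GetTrustStore() for the lookup order. */`, with matching one-liners for the store type and the store password.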
@@ -618,6 +649,17 @@ public class DigSigUtil {
                 }
         }
 
+        /**
+         * trust loaded as follows
+         * system property via file
+         * programmatically specified map via file
+         * programmatically specified map thread classloader lookup
+         * programmatically specified map this class's classloader lookup
+         * windows trust store
+         * JDK provided trust store
+         * @return
+         * @throws Exception 
+         */
         private KeyStore GetTrustStore() throws Exception {
                 String type = map.getProperty(TRUSTSTORE_FILETYPE);
                 if (type == null) {
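Review bot: The lookup order in this new Javadoc does not match the order the method now uses: the list puts the Windows trust store before the JDK one, but in the later hunk (`@@ -695,9 +757,23 @@`) the Windows block runs after the first JRE cacerts attempt. The first entry should also name the property that is read, which in the code is `javax.net.ssl.keyStore`. The `@return` and `@throws Exception` tags are left empty; fill them with what is returned when no source loads and which failures propagate (neither is visible in this hunk, since the method body continues past it). Because people configuring signature validation will rely on this list to know which trust anchors win, it is worth writing it as an `<ol>` in the real order.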
@@ -626,17 +668,61 @@ public class DigSigUtil {
                 KeyStore ks = KeyStore.getInstance(type);
                 boolean ksLoaded = false;
 
-                //try windows trust store first
-                try {
-                        if (map.getProperty(TRUSTSTORE_FILETYPE).equalsIgnoreCase("WINDOWS-ROOT")) {
-                                ks.load(null, null);
+                if (!ksLoaded) {
+                        String truststore = System.getProperty("javax.net.ssl.keyStore");
+                        try {
+                                
+                                String pwd = System.getProperty("javax.net.ssl.keyStorePassword");
+                                if (truststore != null && pwd != null) {
+                                        ks.load(new File(truststore).toURI().toURL().openStream(), pwd.toCharArray());
+                                        ksLoaded = true;
+                                        logger.info("trust store loaded from sysprop " + truststore);
+                                }
+                        } catch (Exception ex) {
+                                logger.warn("unable to load truststore from sysprop " + truststore + " "  + ex.getMessage());
+                                logger.debug("unable to load truststore from sysprop " + ex.getMessage(),ex);
+                        }
+                }
+                
+                File f=new File(map.getProperty(TRUSTSTORE_FILE));
+                 //load as a file
+                if (!ksLoaded) {
+                        try {
+                                if (f.exists()){
+                                URL url = f.toURI().toURL();
+                                ks.load(url.openStream(), (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray());
                                 ksLoaded = true;
-                                logger.info("trust store loaded from windows");
+                                logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE));
+                                }
+                        } catch (Exception x) {
+                                logger.warn("unable to load truststore from file "+map.getProperty(TRUSTSTORE_FILE)+" "+ x.getMessage());
+                                logger.debug("unable to load truststore from file "+ x.getMessage(), x);
+                                
+                        }
+                }
+                
+                if (!ksLoaded) {
+                        try {
+                                //File f = new File(map.getProperty(TRUSTSTORE_FILE));
+                                if (f.exists())
+                                {
+                                        FileInputStream fis = new FileInputStream(f);
+                                        ks.load(fis, (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray());
+                                        fis.close();
+                                        ksLoaded = true;
+                                logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE));
+                                }
+                        } catch (Exception x) {
+                                logger.warn("unable to load truststore from file "+map.getProperty(TRUSTSTORE_FILE)+" "+ x.getMessage());
+                                logger.debug("unable to load truststore from file "+ x.getMessage(), x);
+                                
                         }
-                } catch (Exception ex) {
-                        logger.debug("unable to load truststore from windows", ex);
                 }
 
+                
+                
+                
+
                 //load from thread classloader
                 if (!ksLoaded) {
                         try {
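Review bot: `File f=new File(map.getProperty(TRUSTSTORE_FILE));` sits outside any try block, so when no trust store path is configured `new File(null)` throws NullPointerException and the method never reaches the classpath, Windows or JRE fallbacks listed in its Javadoc. The two "load as a file" blocks that follow do the same job twice, and neither closes its stream if `ks.load` throws; the fence folds them into one null-guarded block that closes in `finally`. Separately, the first block reads `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword`, which name the JVM's identity key store, and this commit moves that lookup ahead of the configured path; if trust anchors are intended, the properties are `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword`. GetTrustStore starts before this hunk and continues past it.

```java
// … unchanged: system-property lookup …

//load as a file
String path = map.getProperty(TRUSTSTORE_FILE);
if (!ksLoaded && path != null) {
        File f = new File(path);
        if (f.exists()) {
                FileInputStream fis = null;
                try {
                        fis = new FileInputStream(f);
                        ks.load(fis, (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray());
                        ksLoaded = true;
                        logger.info("trust store loaded from file " + path);
                } catch (Exception x) {
                        logger.warn("unable to load truststore from file " + path + " " + x.getMessage());
                        logger.debug("unable to load truststore from file " + x.getMessage(), x);
                } finally {
                        if (fis != null) {
                                try {
                                        fis.close();
                                } catch (IOException ignored) {
                                        // close failure does not change whether the store loaded
                                }
                        }
                }
        }
}

// … unchanged: thread classloader lookup …
```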
@@ -645,6 +731,7 @@ public class DigSigUtil {
                                 ksLoaded = true;
                                 logger.info("trust store loaded from classpath(1) " + map.getProperty(TRUSTSTORE_FILE));
                         } catch (Exception x) {
+                                logger.warn("unable to load truststore from classpath" + map.getProperty(TRUSTSTORE_FILE) + " " +x.getMessage());
                                 logger.debug("unable to load truststore from classpath", x);
                         }
                 }
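Review bot: The added warning concatenates `"unable to load truststore from classpath"` directly with the path, so the two run together in the log; the sibling message in the next hunk has the space, `"unable to load truststore from classpath "`. More generally, this commit raises every failed step of the fallback chain to WARN (here and in the hunks at `-657`, `-695` and `-705`), so an ordinary fall-through to a later source logs several warnings. Consider keeping the per-step messages at DEBUG and warning once if no source loads, so a real trust store failure stands out. The try block this line belongs to starts outside the hunk.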
@@ -657,36 +744,11 @@ public class DigSigUtil {
                                 ksLoaded = true;
                                 logger.info("trust store loaded from classpath(2) " + map.getProperty(TRUSTSTORE_FILE));
                         } catch (Exception x) {
+                                logger.warn("unable to load truststore from classpath "+ map.getProperty(TRUSTSTORE_FILE) + " " +x.getMessage());
                                 logger.debug("unable to load truststore from classpath", x);
                         }
                 }
-                //load as a file
-                if (!ksLoaded) {
-                        try {
-                                URL url = new File(map.getProperty(TRUSTSTORE_FILE)).toURI().toURL();
-                                ks.load(url.openStream(), (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray());
-                                ksLoaded = true;
-                                logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE));
-                        } catch (Exception x) {
-                                logger.debug("unable to load truststore from file", x);
-                        }
-                }
-
-        //    logger.error("Unable to load user specified trust store! attempting to load the default", ex);
-                //load from system property
-                if (!ksLoaded) {
-                        try {
-                                String truststore = System.getProperty("javax.net.ssl.keyStore");
-                                String pwd = System.getProperty("javax.net.ssl.keyStorePassword");
-                                if (truststore != null && pwd != null) {
-                                        ks.load(new File(truststore).toURI().toURL().openStream(), pwd.toCharArray());
-                                        ksLoaded = true;
-                                        logger.info("trust store loaded from sysprop " + truststore);
-                                }
-                        } catch (Exception ex) {
-                                logger.debug("unable to load truststore from sysprop", ex);
-                        }
-                }
+               
 
                 if (!ksLoaded) {
                         try {
@@ -695,9 +757,23 @@ public class DigSigUtil {
                                 logger.info("trust store loaded from JRE " + cacerts.toExternalForm());
                                 ksLoaded = true;
                         } catch (Exception c) {
-                                logger.debug("unable to load default JDK truststore", c);
+                                logger.warn("unable to load default JDK truststore "+ c.getMessage());
+                                logger.debug("unable to load default JDK truststore",c);
+                        }
+                }
+                
+                //try windows trust store first
+                try {
+                        if (map.getProperty(TRUSTSTORE_FILETYPE).equalsIgnoreCase("WINDOWS-ROOT")) {
+                                ks.load(null, null);
+                                ksLoaded = true;
+                                logger.info("trust store loaded from windows");
                         }
+                } catch (Exception ex) {
+                        logger.warn("unable to load truststore from windows " +ex.getMessage());
+                        logger.debug("unable to load truststore from windows", ex);
                 }
+                
                 if (!ksLoaded) {
                         try {
                                 URL cacerts = new File(System.getenv("JAVA_HOME") + File.separator + "jre" + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts").toURI().toURL();
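Review bot: The relocated Windows block has no `if (!ksLoaded)` guard and calls `map.getProperty(TRUSTSTORE_FILETYPE).equalsIgnoreCase(...)` instead of using the local `type` read at the top of the method. When the type is not configured, the resulting NullPointerException is caught and now logged at WARN on every call; when it is WINDOWS-ROOT, `ks.load(null, null)` runs even after an earlier source has loaded. Its comment still says "try windows trust store first" although it now runs after the first JRE cacerts attempt. Suggest `if (!ksLoaded && "WINDOWS-ROOT".equalsIgnoreCase(type)) {` and a comment that matches the new position. The enclosing method starts and ends outside this hunk.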
@@ -705,6 +781,7 @@ public class DigSigUtil {
                                 logger.info("trust store loaded from JRE " + cacerts.toExternalForm());
                                 ksLoaded = true;
                         } catch (Exception c) {
+                                logger.warn("unable to load default jdk/jre truststore " +c.getMessage());
                                 logger.debug("unable to load default jdk/jre truststore", c);
                         }
                 }

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/java/org/apache/juddi/config/Property.java
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/java/org/apache/juddi/config/Property.java b/juddi-core/src/main/java/org/apache/juddi/config/Property.java
index e855a46..e2c1641 100644
--- a/juddi-core/src/main/java/org/apache/juddi/config/Property.java
+++ b/juddi-core/src/main/java/org/apache/juddi/config/Property.java
@@ -23,198 +23,223 @@ import org.apache.juddi.v3.auth.LdapSimpleAuthenticator;
 import org.apache.juddi.v3.auth.MD5XMLDocAuthenticator;
 
 /**
- * This defines constants used for accessing information from jUDDI's juddiv3.properties file
+ * This defines constants used for accessing information from jUDDI's
+ * juddiv3.xml file
+ *
  * @author various
  */
 public interface Property {
-    
-        public final static String JUDDI_BASE_URL="juddi.server.baseurl";
-        public final static String JUDDI_BASE_URL_SECURE="juddi.server.baseurlsecure";
-        
-    public final static String JUDDI_ROOT_PUBLISHER = "juddi.root.publisher";
-    public final static String JUDDI_LOAD_INSTALL_DATA = "juddi.load.install.data";
-    public final static String JUDDI_PERSISTENCEUNIT_NAME = "juddi.persistenceunit.name";
-    public final static String JUDDI_CONFIGURATION_RELOAD_DELAY = "juddi.configuration.reload.delay";
-    
-    /**
-     * This is not used in the code base
-     */
+
+        public final static String JUDDI_BASE_URL = "juddi.server.baseurl";
+        public final static String JUDDI_BASE_URL_SECURE = "juddi.server.baseurlsecure";
+
+        public final static String JUDDI_ROOT_PUBLISHER = "juddi.root.publisher";
+        public final static String JUDDI_LOAD_INSTALL_DATA = "juddi.load.install.data";
+        public final static String JUDDI_PERSISTENCEUNIT_NAME = "juddi.persistenceunit.name";
+        public final static String JUDDI_CONFIGURATION_RELOAD_DELAY = "juddi.configuration.reload.delay";
+
+        /**
+         * This is not used in the code base
+         */
     //public final static String JUDDI_LOCALE = "juddi.locale";
-    
     //public final static String JUDDI_OPERATOR_EMAIL_ADDRESS = "juddi.operatorEmailAddress";
-    
     //public final static String JUDDI_MAX_LENGTH = "juddi.maxNameLength";
-    //public final static String JUDDI_MAX_NAME_ELEMENTS = "juddi.maxNameElementsAllowed";
-    public final static String JUDDI_MAX_BUSINESSES_PER_PUBLISHER = "juddi.maxBusinessesPerPublisher";
-    public final static String JUDDI_MAX_SERVICES_PER_BUSINESS = "juddi.maxServicesPerBusiness";
-    public final static String JUDDI_MAX_BINDINGS_PER_SERVICE = "juddi.maxBindingsPerService";
-    public final static String JUDDI_MAX_TMODELS_PER_PUBLISHER = "juddi.maxTModelsPerPublisher";
-    public final static String JUDDI_CRYPTOR = "juddi.cryptor";
-    public final static String JUDDI_KEYGENERATOR = "juddi.keygenerator";
-    /**
-     * used by the Jboss authenticator
-     */
-    public final static String JUDDI_SECURITY_DOMAIN = "juddi.auth.securityDomain";
-    public final static String JUDDI_USERSFILE = "juddi.auth.usersfile";
-    public final static String JUDDI_MAX_ROWS = "juddi.maxRows";
-    public final static String JUDDI_MAX_IN_CLAUSE = "juddi.maxInClause";
-    public final static String JUDDI_ROOT_PARTITION = "juddi.root.partition";
-    /**
-     * This is the business id that all of the UDDI services on this node will be attached too
-     * (generally as defined in the install_data)
-     * JUDDI-645
-     */
-    public final static String JUDDI_NODE_ROOT_BUSINESS = "juddi.root.businessId";
-    /**
-     * this is the unique identifier of this uddi service provider, primarily used for clustered setups with the replication api
-     * JUDDI-645
-     */
-    public final static String JUDDI_NODE_ID = "juddi.nodeId";
-    public final static String JUDDI_TRANSFER_EXPIRATION_DAYS = "juddi.transfer.expiration.days";
-    /**
-     * identifies whether or not authentication is required for the Inquiry endpoint
-     */
-    public final static String JUDDI_AUTHENTICATE_INQUIRY = "juddi.auth.Inquiry";
-    public final static String JUDDI_AUTH_TOKEN_EXPIRATION = "juddi.auth.token.Expiration";
-    public final static String JUDDI_AUTH_TOKEN_TIMEOUT = "juddi.auth.token.Timeout";
-    
-    /**
-     * when set, auth tokens can only be used from the IP address they were issued to.
-     * 
-     */
-    public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule";
-    
-    /**
-     * Whether not the token is used with each transition, default should be true
-     */
-    public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]";
-    
-    /**
-     * This points to the class of the authenticator
-     */
-    public final static String JUDDI_AUTHENTICATOR = "juddi.auth.authenticator.class";
-    /**
-     * @see LdapSimpleAuthenticator
-     */
-    public final static String JUDDI_AUTHENTICATOR_URL = "juddi.auth.authenticator.url";
-    /**
-     * @see LdapSimpleAuthenticator
-     */
-    public final static String JUDDI_AUTHENTICATOR_INITIAL_CONTEXT = "juddi.auth.authenticator.initialcontext";
-    /**
-     * @see LdapSimpleAuthenticator
-     */
-    public final static String JUDDI_AUTHENTICATOR_STYLE = "juddi.auth.authenticator.style";
-    /**
-     * @see LdapExpandedAuthenticator
-     */
-    public final static String JUDDI_AUTHENTICATOR_LDAP_EXPANDED_STR= "juddi.auth.authenticator.ldapexp";
-    
-    
-    /**
-     * if enabled, tmodels must exist before using them
-     * binding templates must exist before a subscription can be made
-     * access point hosting redirector/binding template must exist before it can be made
-     * @since 3.1.5
-     */
-    public final static String JUDDI_ENFORCE_REFERENTIAL_INTEGRITY = "juddi.validation.enforceReferentialIntegrity";
-    public final static String JUDDI_SUBSCRIPTION_EXPIRATION_DAYS = "juddi.subscription.expiration.days";
-    public final static String JUDDI_SUBSCRIPTION_NOTIFICATION = "juddi.subscription.notification";
-    public final static String JUDDI_SUBSCRIPTION_CHUNKEXPIRATION_MINUTES = "juddi.subscription.chunkexpiration.minutes";
-    public final static String JUDDI_SUBSCRIPTION_MAXENTITIES="juddi.subscription.maxentities";
-    
-    /*
-     * These are not yet used
-    public final static Strin   g JUDDI_SUBSCRIPTION_TRUSTSTORE_TYPE="juddi.subscription.truststore.type";
-    public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_FILE="juddi.subscription.truststore.filename";
-    public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_PASSWORD="juddi.subscription.truststore.password";
-    public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_ENCRYPTED="juddi.subscription.truststore.password[@isPasswordEncrypted]";
-    public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_CRYPTOPROVIDER="juddi.subscription.truststore.password[@cryptoProvider]";
-    
-    
-    public final static String JUDDI_SUBSCRIPTION_KEYSTORE_TYPE="juddi.subscription.keystore.type";
-    public final static String JUDDI_SUBSCRIPTION_KEYSTORE_FILE="juddi.subscription.keystore.filename";
-    public final static String JUDDI_SUBSCRIPTION_KEYSTORE_PASSWORD="juddi.subscription.keystore.password";
-    public final static String JUDDI_SUBSCRIPTION_KEYALIAS="juddi.subscription.keystore.alias";
-    public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD="juddi.subscription.keystore.keypassword";
-    public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_ENCRYPTED="juddi.subscription.keystore.keypassword[@isPasswordEncrypted]";
-    public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_CRYPTOPROVIDER="juddi.subscription.keypassword.password[@cryptoProvider]";
-    public final static String JUDDI_SUBSCRIPTION_KEYSTORE_ENCRYPTED="juddi.subscription.keystore.password[@isPasswordEncrypted]";
-    public final static String JUDDI_SUBSCRIPTION_KEYSTORE_CRYPTOPROVIDER="juddi.subscription.keystore.password[@cryptoProvider]";
-    */
-    
-    public final static String JUDDI_NOTIFICATION_START_BUFFER = "juddi.notification.start.buffer";
-    public final static String JUDDI_NOTIFICATION_INTERVAL = "juddi.notification.interval";
-    /**
-     * default value = 1000
-     * @see SubscriptionNotifier
-     */
-    public final static String JUDDI_NOTIFICATION_ACCEPTABLE_LAGTIME = "juddi.notification.acceptableLagtime";
-    /**
-     * maximum delivery count
-     * @see SubscriptionNotifier
-     */
-    public final static String JUDDI_NOTIFICATION_MAX_TRIES = "juddi.notification.maxTries";
-    public final static String JUDDI_NOTIFICATION_LIST_RESET_INTERVAL = "juddi.notification.maxTriesResetInterval";
-    /**
-     * send an auth token with the result set? default is false
-     * @see SubscriptionNotifier
-     * @since 3.2
-     */
-    public final static String JUDDI_NOTIFICATION_SENDAUTHTOKEN="juddi.notification.sendAuthTokenWithResultList";
-    public final static String JUDDI_JNDI_REGISTRATION = "juddi.jndi.registration";
-    public final static String JUDDI_RMI_PORT = "juddi.rmi.port";
-    public final static String JUDDI_RMI_REGISTRATION = "juddi.rmi.registration";
-    public final static String JUDDI_RMI_REGISTRY_PORT = "juddi.rmi.registry.port";
-    
-    public final static String JUDDI_EMAIL_PREFIX = "juddi.mail.smtp.prefix";
-    public final static String JUDDI_EMAIL_FROM   = "juddi.mail.smtp.from";
-    public final static String DEFAULT_JUDDI_EMAIL_PREFIX = "juddi.";
-    public final static String DEFAULT_CRYPTOR = "org.apache.juddi.v3.client.cryptor.DefaultCryptor";
-    public final static String DEFAULT_USERSFILE = "juddi-users.properties";
-    public final static String DEFAULT_XML_USERSFILE = "juddi-users.xml";
-    /**
-     * @see CryptedXMLDocAuthenticator
-     */
-    public final static String DEFAULT_ENCRYPTED_XML_USERSFILE = "juddi-users-encrypted.xml";
-    /**
-     * @see MD5XMLDocAuthenticator
-     */
-    public final static String DEFAULT_HASHED_XML_USERSFILE = "juddi-users-hashed.xml";
-    public final static String DEFAULT_SECURITY_DOMAIN = "java:/jaas/other";
-    public final static boolean DEFAULT_LOAD_INSTALL_DATA = true;
-    public final static String DEFAULT_BASE_URL = "http://localhost:8080/juddiv3";
-    public final static String DEFAULT_BASE_URL_SECURE = "https://localhost:8443/juddiv3";
-    /* Allowing the the user to override jpa persistence properties in the juddi.properties file */
-    public final static String PERSISTENCE_PROVIDER = "persistenceProvider";
-    public final static String DATASOURCE = "hibernate.connection.datasource";
-    public final static String HBM_DDL_AUTO = "hibernate.hbm2ddl.auto";
-    public final static String DEFAULT_SCHEMA = "hibernate.default_schema";
-    public final static String HIBERNATE_DIALECT = "hibernate.dialect";
-    /**
-     * @since 3.3 FUTURE USE
-     */
-    public final static String JUDDI_ACCESS_CONTROL_PROVIDER = "juddi.accessControlProvider";
-    /**
-     * @since 3.2, used for Apache Commons Configuration XML config file
-     */
-    public static final String ENCRYPTED_ATTRIBUTE="[@encrypted]";
-    
-    /**
-     * Used for HTTP Header based authentication for web proxies
-     * @since 3.2.1
-     */
-    public static final String JUDDI_AUTHENTICATOR_HTTP_HEADER_NAME="juddi.auth.authenticator.header";
-    
-    /**
-     * Records inquiry find* requests to disk, sans auth token
-     * @since 3.2.1
-     */
-    public final static String JUDDI_LOGGING_FindApiCalls = "juddi.logging.logInquirySearchPayloads";
-    /**
-     * The UDDI v3 spec specifically calls for supporting this, however it creates significant performance problems in jUDDI when there
-     * are a large number of business and services. Defaults to true if not defined
-     * @since 3.3
-     */
-        public static String JUDDI_ENABLE_FIND_BUSINESS_TMODEL_BAG_FILTERING="juddi.preformance.enableFindBusinessTModelBagFiltering";
+        //public final static String JUDDI_MAX_NAME_ELEMENTS = "juddi.maxNameElementsAllowed";
+        public final static String JUDDI_MAX_BUSINESSES_PER_PUBLISHER = "juddi.maxBusinessesPerPublisher";
+        public final static String JUDDI_MAX_SERVICES_PER_BUSINESS = "juddi.maxServicesPerBusiness";
+        public final static String JUDDI_MAX_BINDINGS_PER_SERVICE = "juddi.maxBindingsPerService";
+        public final static String JUDDI_MAX_TMODELS_PER_PUBLISHER = "juddi.maxTModelsPerPublisher";
+        public final static String JUDDI_CRYPTOR = "juddi.cryptor";
+        public final static String JUDDI_KEYGENERATOR = "juddi.keygenerator";
+        /**
+         * used by the Jboss authenticator
+         */
+        public final static String JUDDI_SECURITY_DOMAIN = "juddi.auth.securityDomain";
+        public final static String JUDDI_USERSFILE = "juddi.auth.usersfile";
+        public final static String JUDDI_MAX_ROWS = "juddi.maxRows";
+        public final static String JUDDI_MAX_IN_CLAUSE = "juddi.maxInClause";
+        public final static String JUDDI_ROOT_PARTITION = "juddi.root.partition";
+        /**
+         * This is the business id that all of the UDDI services on this node
+         * will be attached too (generally as defined in the install_data)
+         * JUDDI-645
+         */
+        public final static String JUDDI_NODE_ROOT_BUSINESS = "juddi.root.businessId";
+        /**
+         * this is the unique identifier of this uddi service provider,
+         * primarily used for clustered setups with the replication api
+         * JUDDI-645
+         */
+        public final static String JUDDI_NODE_ID = "juddi.nodeId";
+        public final static String JUDDI_TRANSFER_EXPIRATION_DAYS = "juddi.transfer.expiration.days";
+        /**
+         * identifies whether or not authentication is required for the Inquiry
+         * endpoint
+         */
+        public final static String JUDDI_AUTHENTICATE_INQUIRY = "juddi.auth.Inquiry";
+        public final static String JUDDI_AUTH_TOKEN_EXPIRATION = "juddi.auth.token.Expiration";
+        public final static String JUDDI_AUTH_TOKEN_TIMEOUT = "juddi.auth.token.Timeout";
+
+        /**
+         * when set, auth tokens can only be used from the IP address they were
+         * issued to.
+         *
+         */
+        public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule";
+
+        /**
+         * Whether not the token is used with each transition, default should be
+         * true
+         */
+        public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]";
+
+        /**
+         * This points to the class of the authenticator
+         */
+        public final static String JUDDI_AUTHENTICATOR = "juddi.auth.authenticator.class";
+        /**
+         * @see LdapSimpleAuthenticator
+         */
+        public final static String JUDDI_AUTHENTICATOR_URL = "juddi.auth.authenticator.url";
+        /**
+         * @see LdapSimpleAuthenticator
+         */
+        public final static String JUDDI_AUTHENTICATOR_INITIAL_CONTEXT = "juddi.auth.authenticator.initialcontext";
+        /**
+         * @see LdapSimpleAuthenticator
+         */
+        public final static String JUDDI_AUTHENTICATOR_STYLE = "juddi.auth.authenticator.style";
+        /**
+         * @see LdapExpandedAuthenticator
+         */
+        public final static String JUDDI_AUTHENTICATOR_LDAP_EXPANDED_STR = "juddi.auth.authenticator.ldapexp";
+
+        /**
+         * if enabled, tmodels must exist before using them binding templates
+         * must exist before a subscription can be made access point hosting
+         * redirector/binding template must exist before it can be made
+         *
+         * @since 3.1.5
+         */
+        public final static String JUDDI_ENFORCE_REFERENTIAL_INTEGRITY = "juddi.validation.enforceReferentialIntegrity";
+        public final static String JUDDI_SUBSCRIPTION_EXPIRATION_DAYS = "juddi.subscription.expiration.days";
+        public final static String JUDDI_SUBSCRIPTION_NOTIFICATION = "juddi.subscription.notification";
+        public final static String JUDDI_SUBSCRIPTION_CHUNKEXPIRATION_MINUTES = "juddi.subscription.chunkexpiration.minutes";
+        public final static String JUDDI_SUBSCRIPTION_MAXENTITIES = "juddi.subscription.maxentities";
+
+        /*
+         * These are not yet used
+         public final static Strin   g JUDDI_SUBSCRIPTION_TRUSTSTORE_TYPE="juddi.subscription.truststore.type";
+         public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_FILE="juddi.subscription.truststore.filename";
+         public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_PASSWORD="juddi.subscription.truststore.password";
+         public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_ENCRYPTED="juddi.subscription.truststore.password[@isPasswordEncrypted]";
+         public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_CRYPTOPROVIDER="juddi.subscription.truststore.password[@cryptoProvider]";
+    
+    
+         public final static String JUDDI_SUBSCRIPTION_KEYSTORE_TYPE="juddi.subscription.keystore.type";
+         public final static String JUDDI_SUBSCRIPTION_KEYSTORE_FILE="juddi.subscription.keystore.filename";
+         public final static String JUDDI_SUBSCRIPTION_KEYSTORE_PASSWORD="juddi.subscription.keystore.password";
+         public final static String JUDDI_SUBSCRIPTION_KEYALIAS="juddi.subscription.keystore.alias";
+         public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD="juddi.subscription.keystore.keypassword";
+         public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_ENCRYPTED="juddi.subscription.keystore.keypassword[@isPasswordEncrypted]";
+         public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_CRYPTOPROVIDER="juddi.subscription.keypassword.password[@cryptoProvider]";
+         public final static String JUDDI_SUBSCRIPTION_KEYSTORE_ENCRYPTED="juddi.subscription.keystore.password[@isPasswordEncrypted]";
+         public final static String JUDDI_SUBSCRIPTION_KEYSTORE_CRYPTOPROVIDER="juddi.subscription.keystore.password[@cryptoProvider]";
+         */
+        public final static String JUDDI_NOTIFICATION_START_BUFFER = "juddi.notification.start.buffer";
+        public final static String JUDDI_NOTIFICATION_INTERVAL = "juddi.notification.interval";
+        /**
+         * default value = 1000
+         *
+         * @see SubscriptionNotifier
+         */
+        public final static String JUDDI_NOTIFICATION_ACCEPTABLE_LAGTIME = "juddi.notification.acceptableLagtime";
+        /**
+         * maximum delivery count
+         *
+         * @see SubscriptionNotifier
+         */
+        public final static String JUDDI_NOTIFICATION_MAX_TRIES = "juddi.notification.maxTries";
+        public final static String JUDDI_NOTIFICATION_LIST_RESET_INTERVAL = "juddi.notification.maxTriesResetInterval";
+        /**
+         * send an auth token with the result set? default is false
+         *
+         * @see SubscriptionNotifier
+         * @since 3.2
+         */
+        public final static String JUDDI_NOTIFICATION_SENDAUTHTOKEN = "juddi.notification.sendAuthTokenWithResultList";
+        public final static String JUDDI_JNDI_REGISTRATION = "juddi.jndi.registration";
+        public final static String JUDDI_RMI_PORT = "juddi.rmi.port";
+        public final static String JUDDI_RMI_REGISTRATION = "juddi.rmi.registration";
+        public final static String JUDDI_RMI_REGISTRY_PORT = "juddi.rmi.registry.port";
+
+        public final static String JUDDI_EMAIL_PREFIX = "juddi.mail.smtp.prefix";
+        public final static String JUDDI_EMAIL_FROM = "juddi.mail.smtp.from";
+        public final static String DEFAULT_JUDDI_EMAIL_PREFIX = "juddi.";
+        public final static String DEFAULT_CRYPTOR = "org.apache.juddi.v3.client.cryptor.DefaultCryptor";
+        public final static String DEFAULT_USERSFILE = "juddi-users.properties";
+        public final static String DEFAULT_XML_USERSFILE = "juddi-users.xml";
+        /**
+         * @see CryptedXMLDocAuthenticator
+         */
+        public final static String DEFAULT_ENCRYPTED_XML_USERSFILE = "juddi-users-encrypted.xml";
+        /**
+         * @see MD5XMLDocAuthenticator
+         */
+        public final static String DEFAULT_HASHED_XML_USERSFILE = "juddi-users-hashed.xml";
+        public final static String DEFAULT_SECURITY_DOMAIN = "java:/jaas/other";
+        public final static boolean DEFAULT_LOAD_INSTALL_DATA = true;
+        public final static String DEFAULT_BASE_URL = "http://localhost:8080/juddiv3";
+        public final static String DEFAULT_BASE_URL_SECURE = "https://localhost:8443/juddiv3";
+        /* Allowing the the user to override jpa persistence properties in the juddi.properties file */
+        public final static String PERSISTENCE_PROVIDER = "persistenceProvider";
+        public final static String DATASOURCE = "hibernate.connection.datasource";
+        public final static String HBM_DDL_AUTO = "hibernate.hbm2ddl.auto";
+        public final static String DEFAULT_SCHEMA = "hibernate.default_schema";
+        public final static String HIBERNATE_DIALECT = "hibernate.dialect";
+        /**
+         * @since 3.3 FUTURE USE
+         */
+        public final static String JUDDI_ACCESS_CONTROL_PROVIDER = "juddi.accessControlProvider";
+        /**
+         * @since 3.2, used for Apache Commons Configuration XML config file
+         */
+        public static final String ENCRYPTED_ATTRIBUTE = "[@encrypted]";
+
+        /**
+         * Used for HTTP Header based authentication for web proxies
+         *
+         * @since 3.2.1
+         */
+        public static final String JUDDI_AUTHENTICATOR_HTTP_HEADER_NAME = "juddi.auth.authenticator.header";
+
+        /**
+         * Records inquiry find* requests to disk, sans auth token
+         *
+         * @since 3.2.1
+         */
+        public final static String JUDDI_LOGGING_FindApiCalls = "juddi.logging.logInquirySearchPayloads";
+        /**
+         * The UDDI v3 spec specifically calls for supporting this, however it
+         * creates significant performance problems in jUDDI when there are a
+         * large number of business and services. Defaults to true if not
+         * defined
+         *
+         * @since 3.3
+         */
+        public static String JUDDI_ENABLE_FIND_BUSINESS_TMODEL_BAG_FILTERING = "juddi.preformance.enableFindBusinessTModelBagFiltering";
+        /**
+         * When set to true, juddi with reject publish requests when at least
+         * one digitally signed entity cannot be cryptographically validated
+         * JUDDI-862
+         * 
+         * Note: this is a prefix
+         *
+         * @since 3.3
+         */
+        public static String JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX = "juddi.validation.rejectInvalidSignatures.";
+        /**
+         * @since 3.3.
+         */
+        public static String JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE = "juddi.validation.rejectInvalidSignatures.enable";
 }

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java b/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java
index 8b3eafa..3bf5b54 100644
--- a/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java
+++ b/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java
@@ -18,12 +18,16 @@ package org.apache.juddi.validation;
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.persistence.EntityManager;
 import javax.persistence.EntityTransaction;
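Review bot: `java.util.logging.Level` and `java.util.logging.Logger` are added here, but the new code in this commit logs through `log.info`, `log.warn` and `log.debug`, and `warn` is not a method of `java.util.logging.Logger`. These two imports therefore look like unused IDE leftovers. Unless they are used in a part of the file the diff does not show, drop them so the class has one obvious logging API.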
@@ -55,6 +59,8 @@ import org.apache.juddi.query.FindTModelByPublisherQuery;
 import org.apache.juddi.v3.client.UDDIConstants;
 import org.apache.juddi.v3.client.UDDIConstantsV2;
 import org.apache.juddi.v3.client.config.TokenResolver;
+import org.apache.juddi.v3.client.cryptor.CryptorFactory;
+import org.apache.juddi.v3.client.cryptor.DigSigUtil;
 import org.apache.juddi.v3.error.AssertionNotFoundException;
 import org.apache.juddi.v3.error.ErrorMessage;
 import org.apache.juddi.v3.error.FatalErrorException;
@@ -288,8 +294,8 @@ public class ValidatePublish extends ValidateUDDIApi {
                 if (!((UddiEntity) obj).getNodeId().equals(nodeID)) {
                         //prevent changes to data owned by another node in a replicated environment
                         //even if you're the boss
-                        throw new UserMismatchException(new ErrorMessage("errors.usermismatch.InvalidNode", entityKey + " Owning Node: " +((UddiEntity) obj).getNodeId()
-                        + ", this node: " + nodeID));
+                        throw new UserMismatchException(new ErrorMessage("errors.usermismatch.InvalidNode", entityKey + " Owning Node: " + ((UddiEntity) obj).getNodeId()
+                                + ", this node: " + nodeID));
                 }
 
                 if (publisher.isOwner((UddiEntity) obj) && nodeID.equals(((UddiEntity) obj).getNodeId())) {
@@ -343,12 +349,10 @@ public class ValidatePublish extends ValidateUDDIApi {
                                         throw new AssertionNotFoundException(new ErrorMessage("errors.pubassertion.AssertionNotFound", entity.getFromKey() + ", " + entity.getToKey()));
                                 }
                                 //JUDDI-908
-                                if (!publisher.isOwner(pubAssertion.getBusinessEntityByToKey()) &&
-                                        !publisher.isOwner(pubAssertion.getBusinessEntityByFromKey()))
-                                {
-                                         throw new UserMismatchException(new ErrorMessage("errors.usermismatch.assertion"));
+                                if (!publisher.isOwner(pubAssertion.getBusinessEntityByToKey())
+                                        && !publisher.isOwner(pubAssertion.getBusinessEntityByFromKey())) {
+                                        throw new UserMismatchException(new ErrorMessage("errors.usermismatch.assertion"));
                                 }
-                                
 
                         }
 
@@ -734,6 +738,7 @@ public class ValidatePublish extends ValidateUDDIApi {
                 validateIdentifierBag(businessEntity.getIdentifierBag(), config, false);
                 validateDescriptions(businessEntity.getDescription());
                 validateBusinessServices(em, businessEntity.getBusinessServices(), businessEntity, config, publisher);
+                validateSignaturesBusiness(businessEntity, config);
 
         }
 
@@ -903,6 +908,7 @@ public class ValidatePublish extends ValidateUDDIApi {
                         validateCategoryBag(businessService.getCategoryBag(), config, false);
                         validateDescriptions(businessService.getDescription());
                         validateBindingTemplates(em, businessService.getBindingTemplates(), businessService, config, publisher);
+                        validateSignaturesService(businessService, config);
                 }
 
         }
@@ -1061,6 +1067,7 @@ public class ValidatePublish extends ValidateUDDIApi {
                 validateDescriptions(bindingTemplate.getDescription());
                 validateHostingRedirector(em, bindingTemplate.getHostingRedirector(), config);
 
+                validateSignaturesBinding(bindingTemplate, config);
                 //validateCheckedTModels(bindingTemplate, config);
         }
 
@@ -1153,6 +1160,7 @@ public class ValidatePublish extends ValidateUDDIApi {
                                 validateOverviewDoc(overviewDoc);
                         }
                 }
+                validateSignaturesTModel(tModel, config);
 
         }
 
@@ -1671,7 +1679,7 @@ public class ValidatePublish extends ValidateUDDIApi {
                         if (!inserted) {
                                 throw new InvalidKeyPassedException(new ErrorMessage("errors.invalidkey.DuplicateKey", entityKey));
                         }
- 
+
                         //removed a check for checking if the entity exists which was moved to the juddi api class
                         //why? because we were looking up the same object twice in the database and its just not efficient
                 }
@@ -2433,4 +2441,107 @@ public class ValidatePublish extends ValidateUDDIApi {
                 }
         }
 
+       private org.apache.juddi.v3.client.cryptor.DigSigUtil ds = null;
+
+        private synchronized void initDigSig(Configuration config) {
+                if (ds == null) {
+                        
+                        Properties p = new Properties();
+                        /**
+                         * <trustStorePath>truststore.jks</trustStorePath>
+                         * <trustStoreType>JKS</trustStoreType>
+                         * <trustStorePassword
+                         * isPasswordEncrypted="false"
+                         * cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword>
+                         *
+                         * <checkTimestamps>true</checkTimestamps>
+                         * <checkTrust>true</checkTrust>
+                         * <checkRevocationCRL>true</checkRevocationCRL>
+                         */
+                        p.put(DigSigUtil.TRUSTSTORE_FILE, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePath", ""));
+                        p.put(DigSigUtil.TRUSTSTORE_FILETYPE, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStoreType", ""));
+
+                        String enc = config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword", "");
+                        if (config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword[@isPasswordEncrypted]", false)) {
+                                log.info("trust password is encrypted, decrypting...");
+                                
+                                String prov = config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword[@cryptoProvider]", "");
+                                try {
+                                        p.setProperty(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, CryptorFactory.getCryptor(prov).decrypt(enc));
+                                } catch (Exception ex) {
+                                        log.warn("unable to decrypt trust store password " + ex.getMessage());
+                                        log.debug("unable to decrypt trust store password " + ex.getMessage(), ex);
+                                }
+
+                        } else if (!"".equals(enc)){
+                                log.warn("Hey, you should consider encrypting your trust store password!");
+                                p.setProperty(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, enc);
+                        }
+
+                        p.put(DigSigUtil.CHECK_REVOCATION_STATUS_CRL, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkRevocationCRL", "true"));
+                        p.put(DigSigUtil.CHECK_TRUST_CHAIN, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkTrust", "true"));
+                        p.put(DigSigUtil.CHECK_TIMESTAMPS, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkTimestamps", "true"));
+
+                        try {
+                                ds = new DigSigUtil(p);
+                        } catch (CertificateException ex) {
+                                log.error("", ex);
+                        }
+                        //System.out.println("loaded from " + AppConfig.getConfigFileURL());
+                        //p.list(System.out);
+                }
+        }
+
+        private void validateSignaturesBinding(BindingTemplate bindingTemplate, Configuration config) throws FatalErrorException {
+                boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false);
+                initDigSig(config);
+                if (shouldcheck && !bindingTemplate.getSignature().isEmpty() && ds != null) {
+                        AtomicReference<String> outmsg = new AtomicReference<String>();
+                        boolean ok = ds.verifySignedUddiEntity(bindingTemplate, outmsg);
+                        if (!ok) {
+                                throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", bindingTemplate.getBindingKey() + " " + outmsg.get()));
+                        }
+
+                }
+        }
+
+        private void validateSignaturesService(BusinessService businessService, Configuration config) throws FatalErrorException {
+                boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false);
+                initDigSig(config);
+                if (shouldcheck && !businessService.getSignature().isEmpty() && ds != null) {
+                        AtomicReference<String> outmsg = new AtomicReference<String>();
+                        boolean ok = ds.verifySignedUddiEntity(businessService, outmsg);
+                        if (!ok) {
+                                throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", businessService.getServiceKey() + " " + outmsg.get()));
+                        }
+
+                }
+        }
+
+        private void validateSignaturesTModel(TModel tModel, Configuration config) throws FatalErrorException {
+                boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false);
+                initDigSig(config);
+                if (shouldcheck && !tModel.getSignature().isEmpty() && ds != null) {
+                        AtomicReference<String> outmsg = new AtomicReference<String>();
+                        boolean ok = ds.verifySignedUddiEntity(tModel, outmsg);
+                        if (!ok) {
+                                throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", tModel.getTModelKey() + " " + outmsg.get()));
+                        }
+
+                }
+        }
+
+        private void validateSignaturesBusiness(BusinessEntity businessEntity, Configuration config) throws FatalErrorException {
+                boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false);
+                initDigSig(config);
+                if (shouldcheck && !businessEntity.getSignature().isEmpty() && ds != null) {
+                        AtomicReference<String> outmsg = new AtomicReference<String>();
+                        boolean ok = ds.verifySignedUddiEntity(businessEntity, outmsg);
+                        if (!ok) {
+                                throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", businessEntity.getBusinessKey() + " " + outmsg.get()));
+                        }
+
+                }
+        }
+
 }
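Review bot: The four validateSignatures* methods fail open: when `rejectInvalidSignatures.enable` is true but `ds` is still null, the `&& ds != null` condition skips verification and the signed entity is accepted. `ds` stays null because initDigSig only logs the CertificateException from `new DigSigUtil(p)`. The trust store password path behaves the same way, since a failed decrypt is logged and initialisation continues without the password. With enforcement switched on, an unavailable verifier should reject the publish, and initDigSig only needs to run when the check is enabled and a signature is present; `log.error("", ex)` should also carry a message. The fence shows validateSignaturesBinding, and the service, tModel and business variants would take the same shape.

```java
private void validateSignaturesBinding(BindingTemplate bindingTemplate, Configuration config) throws FatalErrorException {
        if (!config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false)
                || bindingTemplate.getSignature().isEmpty()) {
                return;
        }
        initDigSig(config);
        if (ds == null) {
                // enforcement is on but the verifier could not be built: reject rather than skip the check
                throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure",
                        bindingTemplate.getBindingKey() + " signature verifier is not initialized"));
        }
        // … unchanged: verifySignedUddiEntity call and failure handling …
}
```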

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/resources/messages.properties
----------------------------------------------------------------------
diff --git a/juddi-core/src/main/resources/messages.properties b/juddi-core/src/main/resources/messages.properties
index 04b94cd..5b52e16 100644
--- a/juddi-core/src/main/resources/messages.properties
+++ b/juddi-core/src/main/resources/messages.properties
@@ -302,4 +302,5 @@ errors.deleteNode.InReplicationConfig=The node to be deleted is currently refere
 errors.usermismatch.InvalidNode=The user is not authorized to alter the given entity. It is not owned by this jUDDI node. Try your request again on the authoritative node.
 
 errors.usermismatch.assertion=You have to be either the owner of the 'from' or 'to' business in order to delete a publisher assertion.
-errors.assertionNotFound=The referenced publisher assertion isn't in the database!
\ No newline at end of file
+errors.assertionNotFound=The referenced publisher assertion isn't in the database!
+errors.digitalsignature.validationfailure=The digital signature the following element failed to validate. Because of this, the request was rejected. Key and validation error as follows. 
\ No newline at end of file
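Review bot: The new `errors.digitalsignature.validationfailure` text is missing a word ("The digital signature the following element"), and clients see it on every rejected publish. Suggested wording: `errors.digitalsignature.validationfailure=The digital signature of the following element failed to validate. Because of this, the request was rejected. Key and validation error as follows:`. The callers in ValidatePublish append the entity key and the verifier's message, so a closing colon reads more naturally than a full stop.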

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-3des.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3-enc-3des.xml b/juddi-core/src/test/resources/juddiv3-enc-3des.xml
index b4bf2be..163dbc4 100644
--- a/juddi-core/src/test/resources/juddiv3-enc-3des.xml
+++ b/juddi-core/src/test/resources/juddiv3-enc-3des.xml
@@ -167,6 +167,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->
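Review bot: The `cryptoProvider` attribute names `org.apache.juddi.v3.client.crypto.AES128Cryptor`, while the Java side of this commit uses the package `org.apache.juddi.v3.client.cryptor` (the CryptorFactory import and `DEFAULT_CRYPTOR`), so the class name looks misspelled. It is inert while `isPasswordEncrypted="false"`, but once that is set to true the value goes to `CryptorFactory.getCryptor`, where the lookup would presumably fail and leave the trust store password unset. If AES128Cryptor sits next to DefaultCryptor, the attribute should read `cryptoProvider="org.apache.juddi.v3.client.cryptor.AES128Cryptor"`. The same value is repeated in the juddiv3-enc-aes128.xml, juddiv3-enc-aes256.xml, juddiv3-enc-default.xml, juddiv3.xml and juddiv3DisabledTModelKeybag.xml hunks, and in the sample block comment inside initDigSig.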

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-aes128.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3-enc-aes128.xml b/juddi-core/src/test/resources/juddiv3-enc-aes128.xml
index 1b3fadb..6f89433 100644
--- a/juddi-core/src/test/resources/juddiv3-enc-aes128.xml
+++ b/juddi-core/src/test/resources/juddiv3-enc-aes128.xml
@@ -163,6 +163,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-aes256.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3-enc-aes256.xml b/juddi-core/src/test/resources/juddiv3-enc-aes256.xml
index 582c4bd..1b6999a 100644
--- a/juddi-core/src/test/resources/juddiv3-enc-aes256.xml
+++ b/juddi-core/src/test/resources/juddiv3-enc-aes256.xml
@@ -170,6 +170,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-default.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3-enc-default.xml b/juddi-core/src/test/resources/juddiv3-enc-default.xml
index b44358b..2519e9d 100644
--- a/juddi-core/src/test/resources/juddiv3-enc-default.xml
+++ b/juddi-core/src/test/resources/juddiv3-enc-default.xml
@@ -167,6 +167,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3.xml b/juddi-core/src/test/resources/juddiv3.xml
index e0b23dd..72e21f1 100644
--- a/juddi-core/src/test/resources/juddiv3.xml
+++ b/juddi-core/src/test/resources/juddiv3.xml
@@ -170,6 +170,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml b/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml
index 88dddd9..66e3914 100644
--- a/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml
+++ b/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml
@@ -170,6 +170,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+                        <!-- as of 3.3, reject digitally signed items that are invalid-->
+                        <rejectInvalidSignatures>
+                            <enable>false</enable>
+                            <trustStorePath>./src/test/resources/truststore.jks</trustStorePath>
+                            <trustStoreType>JKS</trustStoreType>
+                            <trustStorePassword
+                                    isPasswordEncrypted="false" 
+                                    cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword>
+
+                            <checkTimestamps>true</checkTimestamps>
+                            <checkTrust>true</checkTrust>
+                            <checkRevocationCRL>false</checkRevocationCRL>
+                        </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java
----------------------------------------------------------------------
diff --git a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java
index 20d0579..fb7700b 100644
--- a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java
+++ b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java
@@ -76,6 +76,9 @@ public class EntryPoint {
                         System.out.println("36) UnRegister a node on a jUDDI server");
                         System.out.println("37) Fetch the replication config from a jUDDI server");
                         System.out.println("38) Set the replication config on a remote jUDDI server");
+                        System.out.println("magic) Sets the replication between two instances of jUDDI on 8080 and 8090");
+                        System.out.println("rep) Prints the current replication status of a given node");
+                        System.out.println("39) Digitally sign a UDDI entity from a file.");
 
                         System.out.println("q) quit");
                         System.out.print("Selection: ");
@@ -466,6 +469,9 @@ public class EntryPoint {
                 if (input.equals("rep")) {
                         new JuddiAdminService().printStatus();
                 }
+                if (input.equals("39")) {
+                        new UddiDigitalSignatureFile().Fire(null, null, null);
+                }
 
         }
 }

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java
----------------------------------------------------------------------
diff --git a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java
new file mode 100644
index 0000000..ac1a06f
--- /dev/null
+++ b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java
@@ -0,0 +1,160 @@
+/*
+ * Copyright 2001-2013 The Apache Software Foundation.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.juddi.samples;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.util.Scanner;
+import java.util.concurrent.atomic.AtomicReference;
+import javax.xml.bind.JAXB;
+
+import org.apache.juddi.v3.client.config.UDDIClient;
+import org.apache.juddi.v3.client.cryptor.DigSigUtil;
+import org.apache.juddi.v3.client.transport.Transport;
+import org.uddi.api_v3.*;
+import org.uddi.v3_service.UDDIInquiryPortType;
+import org.uddi.v3_service.UDDIPublicationPortType;
+import org.uddi.v3_service.UDDISecurityPortType;
+
+/**
+ * This class shows you how to digital sign a business and save to file
+ *
+ * @author <a href="mailto:alexoree@apache.org">Alex O'Ree</a>
+ */
+public class UddiDigitalSignatureFile {
+
+        private static UDDIClient clerkManager = null;
+
+        /**
+         * This sets up the ws proxies using uddi.xml in META-INF
+         */
+        public UddiDigitalSignatureFile() {
+                try {
+                        // create a manager and read the config in the archive; 
+                        // you can use your config file name
+                        clerkManager = new UDDIClient("META-INF/simple-publish-uddi.xml");
+
+                } catch (Exception e) {
+                        e.printStackTrace();
+                }
+        }
+
+        public enum UddiType {
+
+                Business, Service, Binding, TModel, PublisherAssertion
+        }
+
+        public void Fire(String fileIn, String fileOut, UddiType type) {
+                try {
+                        System.out.println("WARN - All previous signatures will be removed!");
+                        if (fileIn == null || fileOut == null || type == null) {
+                                System.out.print("Input file: ");
+                                fileIn = System.console().readLine();
+                                System.out.print("Out file: ");
+                                fileOut = System.console().readLine();
+                                System.out.println();
+                                for (int i = 0; i < UddiType.values().length; i++) {
+                                        System.out.println("[" + i + "] " + UddiType.values()[i].toString());
+                                }
+                                System.out.print("UDDI Type: ");
+                                String t = System.console().readLine();
+                                type = UddiType.values()[Integer.parseInt(t)];
+                        }
+
+                        DigSigUtil ds = null;
+
+                        //option 1), set everything manually
+                        ds = new DigSigUtil();
+                        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE, "keystore.jks");
+                        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILETYPE, "JKS");
+                        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE_PASSWORD, "Test");
+                        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_KEY_ALIAS, "Test");
+                        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_BASE64, "true");
+
+                        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SERIAL, "true");
+                        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN, "true");
+                        ds.put(DigSigUtil.TRUSTSTORE_FILE, "truststore.jks");
+                        ds.put(DigSigUtil.TRUSTSTORE_FILETYPE, "JKS");
+                        ds.put(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, "Test");
+
+                        FileInputStream fis = new FileInputStream(fileIn);
+                        Class expectedType = null;
+                        switch (type) {
+                                case Binding:
+                                        expectedType = BindingTemplate.class;
+                                        break;
+                                case Business:
+                                        expectedType = BusinessEntity.class;
+                                        break;
+                                case PublisherAssertion:
+                                        expectedType = PublisherAssertion.class;
+                                        break;
+                                case Service:
+                                        expectedType = BusinessService.class;
+                                        break;
+                                case TModel:
+                                        expectedType = TModel.class;
+                                        break;
+                        }
+                        Object be = JAXB.unmarshal(fis, expectedType);
+                        fis.close();
+                        fis = null;
+                        
+                        switch (type) {
+                                case Binding:
+                                        ((BindingTemplate)be).getSignature().clear();
+                                        break;
+                                case Business:
+                                        ((BusinessEntity)be).getSignature().clear();
+                                        break;
+                                case PublisherAssertion:
+                                        ((PublisherAssertion)be).getSignature().clear();
+                                        break;
+                                case Service:
+                                        ((BusinessService)be).getSignature().clear();
+                                        break;
+                                case TModel:
+                                        ((TModel)be).getSignature().clear();
+                                        break;
+                        }
+
+                        System.out.println("signing");
+                        Object signUDDI_JAXBObject = ds.signUddiEntity(be);
+                        System.out.println("signed");
+                        DigSigUtil.JAXB_ToStdOut(signUDDI_JAXBObject);
+                        
+
+                        System.out.println("verifing");
+                        AtomicReference<String> msg = new AtomicReference<String>();
+                        boolean verifySigned_UDDI_JAXB_Object = ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+                        if (verifySigned_UDDI_JAXB_Object) {
+                                System.out.println("signature validation passed (expected)");
+                                FileOutputStream fos = new FileOutputStream(fileOut);
+                                JAXB.marshal(signUDDI_JAXBObject, fos);
+                                fos.close();
+                        } else {
+                                System.out.println("signature validation failed (not expected)");
+                        }
+                        System.out.println(msg.get());
+
+                } catch (Exception e) {
+                        e.printStackTrace();
+                }
+        }
+
+       
+}
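Review bot: `Fire` dereferences `System.console()` without a null check, so when the sample is started without an interactive console (from an IDE or with piped input) the first `readLine()` throws a NullPointerException that the blanket `catch (Exception e)` only prints. The index from `Integer.parseInt(t)` is also used against `UddiType.values()` without a range check, and both the `FileInputStream` and the `FileOutputStream` are closed only on the success path, so a failed unmarshal or marshal leaks the handle. The sketch below guards the console, validates the index and closes both streams in `finally`; it opens the input after `expectedType` is chosen instead of before. Separately, the class Javadoc says it signs "a business" although all five `UddiType` values are handled, and the imports of `Scanner`, `Transport` and the three port types are unused in this file.

```java
// … unchanged: warning banner …
if (fileIn == null || fileOut == null || type == null) {
        java.io.Console console = System.console();
        if (console == null) {
                System.out.println("No interactive console available; pass fileIn, fileOut and type explicitly.");
                return;
        }
        fileIn = console.readLine("Input file: ");
        fileOut = console.readLine("Out file: ");
        // … unchanged: print the UddiType menu …
        String t = console.readLine("UDDI Type: ");
        int idx = Integer.parseInt(t);
        if (idx < 0 || idx >= UddiType.values().length) {
                System.out.println("Unknown UDDI type index " + idx);
                return;
        }
        type = UddiType.values()[idx];
}
// … unchanged: DigSigUtil setup and expectedType switch …
Object be;
FileInputStream fis = new FileInputStream(fileIn);
try {
        be = JAXB.unmarshal(fis, expectedType);
} finally {
        fis.close();
}
// … unchanged: clear old signatures, sign, verify …
FileOutputStream fos = new FileOutputStream(fileOut);
try {
        JAXB.marshal(signUDDI_JAXBObject, fos);
} finally {
        fos.close();
}
```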

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-tomcat/juddiv3Node2.xml
----------------------------------------------------------------------
diff --git a/juddi-tomcat/juddiv3Node2.xml b/juddi-tomcat/juddiv3Node2.xml
index 1efb830..0b193a4 100644
--- a/juddi-tomcat/juddiv3Node2.xml
+++ b/juddi-tomcat/juddiv3Node2.xml
@@ -171,6 +171,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+			<!-- as of 3.3, reject digitally signed items that are invalid-->
+            <rejectInvalidSignatures>
+                <enable>false</enable>
+                <trustStorePath>truststore.jks</trustStorePath>
+                <trustStoreType>JKS</trustStoreType>
+                <trustStorePassword
+                        isPasswordEncrypted="false" 
+                        cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword>
+
+                <checkTimestamps>true</checkTimestamps>
+                <checkTrust>true</checkTrust>
+                <checkRevocationCRL>true</checkRevocationCRL>
+            </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->
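Review bot: The shipped server configuration stores the truststore password in clear text (`isPasswordEncrypted="false"`, value `password`) and leaves `<enable>false</enable>`, so a deployer who only flips `enable` ends up validating signatures against a truststore protected by a well-known default. A comment above `trustStorePassword` would help, for example `<!-- change this password and set isPasswordEncrypted="true" before enabling signature validation -->`. `checkRevocationCRL` is `true` here but `false` in the test resources; if that is intentional, a short comment on what CRL checking presumably requires (reachable CRL distribution points) would help operators. The same applies to the identical block in juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml.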

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
----------------------------------------------------------------------
diff --git a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
index c27f730..39279b0 100644
--- a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
+++ b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
@@ -171,6 +171,19 @@
 		<validation>
 			<!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true.  set to false for backwards compatibility or for a more lax registry-->
 			<enforceReferentialIntegrity>true</enforceReferentialIntegrity>
+			<!-- as of 3.3, reject digitally signed items that are invalid-->
+            <rejectInvalidSignatures>
+                <enable>false</enable>
+                <trustStorePath>truststore.jks</trustStorePath>
+                <trustStoreType>JKS</trustStoreType>
+                <trustStorePassword
+                        isPasswordEncrypted="false" 
+                        cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword>
+
+                <checkTimestamps>true</checkTimestamps>
+                <checkTrust>true</checkTrust>
+                <checkRevocationCRL>true</checkRevocationCRL>
+            </rejectInvalidSignatures>
 		</validation>
 
 		<!--As of 3.1.5 Email delivery options for subscription API functions-->

http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java
----------------------------------------------------------------------
diff --git a/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java b/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java
index 8710558..4fc25e1 100644
--- a/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java
+++ b/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java
@@ -15,6 +15,7 @@
 package org.apache.juddi.v3.tck;
 
 import java.io.File;
+import java.io.FileInputStream;
 import java.net.URL;
 import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertNotNull;
@@ -297,15 +298,20 @@ public class TckBusiness {
                 try {
                         SaveBusiness sb = new SaveBusiness();
                         sb.setAuthInfo(authInfo);
-
+                        
                         BusinessEntity beIn = (BusinessEntity) EntityCreator.buildFromDoc(businessXML, "org.uddi.api_v3");
                         if (beIn == null) {
                                 throw new Exception("Unload to load source xml document from " + businessXML);
                         }
+                        if (serialize) {
+                                System.out.println("before saving");
+                                JAXB.marshal(beIn, System.out);
+                        }
                         sb.getBusinessEntity().add(beIn);
                         BusinessDetail saveBusiness = publication.saveBusiness(sb);
                         logger.info("Business saved with key " + saveBusiness.getBusinessEntity().get(0).getBusinessKey());
                         if (serialize) {
+                                System.out.println("after saving");
                                 JAXB.marshal(saveBusiness, System.out);
                         }
 
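Review bot: The added `System.out.println("before saving")` and `System.out.println("after saving")` bypass the `logger` that the same block already uses for "Business saved with key", so the markers will not follow the TCK's log configuration or appear next to the logged key. I would write them as `logger.info("before saving");` and `logger.info("after saving");`, keeping `JAXB.marshal(..., System.out)` only if raw XML on stdout is really wanted. The `import java.io.FileInputStream;` added in the first hunk of this file is not used by anything visible in this hunk and may be left over. The enclosing method starts and ends outside the hunk.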

