You are viewing a plain text version of this content. The canonical link for it is here.
Posted to scm@geronimo.apache.org by dj...@apache.org on 2007/09/18 03:50:04 UTC
svn commit: r576651 - in /geronimo/server/trunk:
applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/
modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/
modules/geronimo-securit...
Author: djencks
Date: Mon Sep 17 18:50:03 2007
New Revision: 576651
URL: http://svn.apache.org/viewvc?rev=576651&view=rev
Log:
GERONIMO-2925 implement pluggable obscuring of passwords in plans etc
Added:
geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java (with props)
geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java (with props)
geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java (with props)
Modified:
geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java
Modified: geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java (original)
+++ geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java Mon Sep 17 18:50:03 2007
@@ -47,6 +47,7 @@
import org.apache.geronimo.util.encoders.Base64;
import org.apache.geronimo.util.encoders.HexTranslator;
import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
/**
* @version $Rev$ $Date$
@@ -149,10 +150,7 @@
if(digest != null && !digest.equals("")) {
realPassword = digestPassword(realPassword, digest, getEncoding());
}
- if (!(realPassword.startsWith("{Standard}"))) {
- // update the password
- realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
- }
+ realPassword = EncryptionManager.encrypt(realPassword);
}
users.setProperty(name, realPassword);
store(users, serverInfo.resolveServer(getUsersURI()).toURL());
@@ -189,10 +187,7 @@
if(digest != null && !digest.equals("")) {
realPassword = digestPassword(realPassword, digest, getEncoding());
}
- if (!(realPassword.startsWith("{Standard}"))) {
- // update the password
- realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
- }
+ realPassword = EncryptionManager.encrypt(realPassword);
}
users.setProperty(name, realPassword);
store(users, serverInfo.resolveServer(getUsersURI()).toURL());
@@ -270,10 +265,7 @@
}
String realPassword = users.getProperty(userPrincipal);
if (realPassword != null) {
- if (realPassword.startsWith("{Standard}")) {
- // decrypt the password
- realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
- }
+ realPassword = (String) EncryptionManager.decrypt(realPassword);
}
return realPassword;
}
@@ -328,10 +320,9 @@
String realPassword = users.getProperty(name);
// Encrypt the password if needed, so we can compare it with the supplied one
if (realPassword != null) {
- if (!(realPassword.startsWith("{Standard}"))) {
- // update the password in Properties to be encrypted
- users.setProperty(name, "{Standard}"+SimpleEncryption.encrypt(realPassword));
- // we have an updated password to save back to the file
+ String pw = EncryptionManager.encrypt(realPassword);
+ if (!realPassword.equals(pw)) {
+ users.setProperty(name, pw);
bUpdates = true;
}
}
Modified: geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java (original)
+++ geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/CommandLogin.java Mon Sep 17 18:50:03 2007
@@ -31,6 +31,7 @@
import org.apache.geronimo.cli.deployer.CommandArgs;
import org.apache.geronimo.common.DeploymentException;
import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
/**
* The CLI deployer logic to start.
@@ -54,7 +55,7 @@
InputStream in = new BufferedInputStream(new FileInputStream(authFile));
props.load(in);
in.close();
- props.setProperty("login."+connection.getServerURI(), "{Standard}"+SimpleEncryption.encrypt(connection.getAuthentication()));
+ props.setProperty("login."+connection.getServerURI(), EncryptionManager.encrypt(connection.getAuthentication()));
OutputStream save = new BufferedOutputStream(new FileOutputStream(authFile));
props.store(save, "Saved authentication information to connect to Geronimo servers");
save.flush();
Modified: geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java (original)
+++ geronimo/server/trunk/modules/geronimo-deploy-tool/src/main/java/org/apache/geronimo/deployment/cli/ServerConnection.java Mon Sep 17 18:50:03 2007
@@ -39,7 +39,7 @@
import org.apache.geronimo.deployment.plugin.jmx.JMXDeploymentManager;
import org.apache.geronimo.deployment.plugin.jmx.LocalDeploymentManager;
import org.apache.geronimo.kernel.Kernel;
-import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
/**
* Supports online connections to the server, via JSR-88, valid only
@@ -52,7 +52,7 @@
private final static String DEFAULT_URI = "deployer:geronimo:jmx";
private final DeploymentFactory geronimoDeploymentFactory;
-
+
private DeploymentManager manager;
private PrintWriter out;
private InputStream in;
@@ -69,7 +69,7 @@
this.out = out;
this.in = in;
boolean offline = false;
-
+
String uri = parser.getURI();
String driver = parser.getDriver();
String user = parser.getUser();
@@ -144,20 +144,24 @@
try {
Properties props = new Properties();
props.load(in);
- String encryped = props.getProperty("login." + useURI);
- if (encryped != null) {
- if (encryped.startsWith("{Standard}")) {
- SavedAuthentication auth = (SavedAuthentication) SimpleEncryption.decrypt(encryped.substring(10));
- if (auth.uri.equals(useURI)) {
- user = auth.user;
- password = new String(auth.password);
- }
- } else if (encryped.startsWith("{Plain}")) {
- int pos = encryped.indexOf("/");
- user = encryped.substring(7, pos);
- password = encryped.substring(pos + 1);
+ String encrypted = props.getProperty("login." + useURI);
+ if (encrypted != null) {
+
+ if (encrypted.startsWith("{Plain}")) {
+ int pos = encrypted.indexOf("/");
+ user = encrypted.substring(7, pos);
+ password = encrypted.substring(pos + 1);
} else {
- System.out.print(DeployUtils.reformat("Unknown encryption used in saved login file", 4, 72));
+ Object o = EncryptionManager.decrypt(encrypted);
+ if (o == encrypted) {
+ System.out.print(DeployUtils.reformat("Unknown encryption used in saved login file", 4, 72));
+ } else {
+ SavedAuthentication auth = (SavedAuthentication) o;
+ if (auth.uri.equals(useURI)) {
+ user = auth.user;
+ password = new String(auth.password);
+ }
+ }
}
}
} catch (IOException e) {
Modified: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java (original)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java Mon Sep 17 18:50:03 2007
@@ -46,6 +46,7 @@
import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
import org.apache.geronimo.system.serverinfo.ServerInfo;
import org.apache.geronimo.util.SimpleEncryption;
+import org.apache.geronimo.util.EncryptionManager;
import org.apache.geronimo.util.encoders.Base64;
import org.apache.geronimo.util.encoders.HexTranslator;
@@ -171,9 +172,7 @@
String realPassword = users.getProperty(username);
// Decrypt the password if needed, so we can compare it with the supplied one
if (realPassword != null) {
- if (realPassword.startsWith("{Standard}")) {
- realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
- }
+ realPassword = (String) EncryptionManager.decrypt(realPassword);
}
char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
password = entered == null ? null : new String(entered);
Added: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java (added)
+++ geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java Mon Sep 17 18:50:03 2007
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.system.util;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.security.SecureRandom;
+
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.system.serverinfo.ServerInfo;
+import org.apache.geronimo.util.AbstractEncryption;
+import org.apache.geronimo.util.EncryptionManager;
+
+/**
+ * Like SimpleEncryption except it uses a stored secret key. If the key file is missing, it makes up a new one.
+ *
+ * WARNING: NOT RECOMMENDED. If you lose the secret key file your encrypted passwords will be unavailable. Instead, secure
+ * your operationg environment and use something like ldap or a database to store passwords in.
+ *
+ * To use, include something like this in the rmi-naming module of var/config/config.xml:
+ *
+ * <gbean name="org.apache.geronimo.configs/rmi-naming/2.1-SNAPSHOT/car?name=ConfiguredEncryption,j2eeType=GBean" gbeanInfo="org.apache.geronimo.system.util.ConfiguredEncryption">
+ * <attribute name="path">var/security/ConfiguredSecretKey.ser</attribute>
+ * <reference name="ServerInfo"><pattern><name>ServerInfo</name></pattern></reference>
+ * </gbean>
+ *
+ * @version $Rev:$ $Date:$
+ */
+public class ConfiguredEncryption extends AbstractEncryption implements GBeanLifecycle {
+
+ private final SecretKeySpec spec;
+
+
+ public ConfiguredEncryption(String path, ServerInfo serverInfo) throws IOException, ClassNotFoundException {
+ File location = serverInfo.resolve(path);
+ if (location.exists()) {
+ FileInputStream in = new FileInputStream(location);
+ try {
+ ObjectInputStream oin = new ObjectInputStream(in);
+ try {
+ spec = (SecretKeySpec) oin.readObject();
+ } finally {
+ oin.close();
+ }
+ } finally {
+ in.close();
+ }
+ } else {
+ SecureRandom random = new SecureRandom();
+ random.setSeed(System.currentTimeMillis());
+ byte[] bytes = new byte[16];
+ random.nextBytes(bytes);
+ spec = new SecretKeySpec(bytes, "AES");
+ File dir = location.getParentFile();
+ if (!dir.exists()) {
+ dir.mkdirs();
+ }
+ if (!dir.exists() || !dir.isDirectory()) {
+ throw new IllegalStateException("Could not create directory for secret key spec: " + dir);
+ }
+ FileOutputStream out = new FileOutputStream(location);
+ try {
+ ObjectOutputStream oout = new ObjectOutputStream(out);
+ try {
+ oout.writeObject(spec);
+ oout.flush();
+ } finally {
+ oout.close();
+ }
+ } finally {
+ out.close();
+ }
+ }
+ }
+
+ public void doStart() throws Exception {
+ EncryptionManager.setEncryptionPrefix("{Configured}", this);
+ }
+
+ public void doStop() throws Exception {
+ }
+
+ public void doFail() {
+ }
+
+ protected SecretKeySpec getSecretKeySpec() {
+ return spec;
+ }
+
+ public static final GBeanInfo GBEAN_INFO;
+
+ static {
+ GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(ConfiguredEncryption.class, "GBean");
+ infoBuilder.addAttribute("path", String.class, true, true);
+ infoBuilder.addReference("ServerInfo", ServerInfo.class, "GBean");
+ infoBuilder.setConstructor(new String[]{"path", "ServerInfo"});
+ GBEAN_INFO = infoBuilder.getBeanInfo();
+ }
+
+ public static GBeanInfo getGBeanInfo() {
+ return GBEAN_INFO;
+ }
+
+}
Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/modules/geronimo-system/src/main/java/org/apache/geronimo/system/util/ConfiguredEncryption.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java (added)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java Mon Sep 17 18:50:03 2007
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.util;
+
+import java.io.Serializable;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ByteArrayInputStream;
+
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.Cipher;
+import javax.crypto.SealedObject;
+
+import org.apache.geronimo.util.encoders.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public abstract class AbstractEncryption implements Encryption {
+ private final static Log log = LogFactory.getLog(SimpleEncryption.class);
+
+ /**
+ * Gets a String which contains the Base64-encoded form of the source,
+ * encrypted with the key from getSecretKeySpec().
+ */
+ public String encrypt(Serializable source) {
+ SecretKeySpec spec = getSecretKeySpec();
+ try {
+ Cipher c = Cipher.getInstance(spec.getAlgorithm());
+ c.init(Cipher.ENCRYPT_MODE, spec);
+ SealedObject so = new SealedObject(source, c);
+ ByteArrayOutputStream store = new ByteArrayOutputStream();
+ ObjectOutputStream out = new ObjectOutputStream(store);
+ out.writeObject(so);
+ out.close();
+ byte[] data = store.toByteArray();
+ byte[] textData = Base64.encode(data);
+ return new String(textData, "US-ASCII");
+ } catch (Exception e) {
+ log.error("Unable to encrypt", e);
+ return null;
+ }
+ }
+
+ /**
+ * Given a String which is the Base64-encoded encrypted data, retrieve
+ * the original Object.
+ */
+ public Serializable decrypt(String source) {
+ SecretKeySpec spec = getSecretKeySpec();
+ try {
+ byte[] data = Base64.decode(source);
+ Cipher c = Cipher.getInstance(spec.getAlgorithm());
+ c.init(Cipher.DECRYPT_MODE, spec);
+ ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data));
+ SealedObject so = (SealedObject) in.readObject();
+ return (Serializable) so.getObject(c);
+ } catch (Exception e) {
+ log.error("Unable to decrypt", e);
+ return null;
+ }
+ }
+
+ protected abstract SecretKeySpec getSecretKeySpec();
+}
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/AbstractEncryption.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java?rev=576651&view=auto
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java (added)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java Mon Sep 17 18:50:03 2007
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.util;
+
+import java.io.Serializable;
+
+/**
+ * Interface for objects to register with EncryptionManager.
+ *
+ * @version $Rev:$ $Date:$
+ */
+public interface Encryption {
+ /**
+ * encrypt the source according to some scheme and return the result as a String.
+ * @param source object to encrypt
+ * @return encrypted object representing the source.
+ */
+ String encrypt(Serializable source);
+
+ /**
+ * decrypt the source according to some scheme and return the original object.
+ * @param source the string representing the encrypted object
+ * @return (a copy of) the original object.
+ */
+ Serializable decrypt(String source);
+}
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/Encryption.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java (original)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/EncryptionManager.java Mon Sep 17 18:50:03 2007
@@ -16,33 +16,97 @@
*/
package org.apache.geronimo.util;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
import java.io.Serializable;
/**
- * A static class that handles storing and reading values, potentially using
- * encryption. This can be used as the interface to any back-end encryption
- * services.
+ * A static class that uses registered Encryption instances to encypt and decrypt objects, typically strings.
+ * The encrypted strings are preceded by the name of the Encryption object, such as {Simple}, followed by the base64
+ * encoded encrypted bytes.
+ *
+ * Any number of Encryption instances can be registered but only the first to be explicitly registered will be used.
+ * However, when decrypting the Encryption instance is looked up from the name prefix so may be any registered Encryption instance.
+ * Furthermore, encrypt and decrypt are idempotent. Calling encrypt on a string encrypted with a registered Encryption that is not
+ * the one in use will decrypt the string and re-encrypt it with the one in use. This can be useful when changing Encryption.
+ *
+ * The default Encryption instance (that does not need to be registered) is SimpleEncryption which uses a fixed key hardcoded into
+ * the Encryption class itself. Thus it is useful only to hide information from those who don't read code. On the other hand
+ * you can't lose the key and make your server permanently unusable.
+ *
+ * n.b. calling these methods idempotent is a slight exageration as this would apply only if all arguments and return values are Strings.
*
* @version $Rev$ $Date$
*/
public class EncryptionManager {
+
+ private static final Map<String, Encryption> ENCRYPTORS = Collections.synchronizedMap(new HashMap<String, Encryption>());
private final static String SIMPLE_ENCRYPTION_PREFIX = "{Simple}";
+ static {
+ ENCRYPTORS.put(SIMPLE_ENCRYPTION_PREFIX, SimpleEncryption.INSTANCE);
+ //login properties files used to have this
+ ENCRYPTORS.put("{Standard}", SimpleEncryption.INSTANCE);
+ }
+
+ private static String encryptionPrefix = SIMPLE_ENCRYPTION_PREFIX;
+
+ /**
+ * Encryption instances should call this to register themselves.
+ *
+ * @param prefix id in form {name} for the Encryption instance
+ * @param encryption Encryption instance to do the work.
+ */
+ public synchronized static void setEncryptionPrefix(String prefix, Encryption encryption) {
+ if (SIMPLE_ENCRYPTION_PREFIX.equals(encryptionPrefix)) {
+ encryptionPrefix = prefix;
+ }
+ ENCRYPTORS.put(prefix, encryption);
+ }
+
/**
- * Gets a String which contains the Base64-encoded form of the
- * encrypted form of the source.
+ * Idempotent method that outputs string starting with the active registered encryption prefix followed by
+ * the output of the registered Encryption instance. If called with a string encrypted by another
+ * registered Encryption it will re-encrypt with the active Encryption instance.
+ * @param source Serializable object to encrypt, usually a password string or an already encrypted string.
+ * @return the name of the registered Encryption followed by its output.
*/
public static String encrypt(Serializable source) {
- return SIMPLE_ENCRYPTION_PREFIX +SimpleEncryption.encrypt(source);
+ if (source instanceof String) {
+ String sourceString = (String) source;
+ if (sourceString.startsWith(encryptionPrefix)) {
+ return (String) source;
+ } else if (sourceString.startsWith("{")) {
+ source = decrypt(sourceString);
+ }
+ }
+ Encryption encryption = ENCRYPTORS.get(encryptionPrefix);
+ return encryptionPrefix + encryption.encrypt(source);
}
/**
- * Given a String which is the Base64-encoded encrypted data, retrieve
- * the original Object.
+ * Idempotent method that given a String starting with a registered Encryption name will remove the
+ * name prefix and return the result of applying the Encryption to the suffix. If no registered Encryption
+ * name matches the start of the string the input will be returned.
+ * @param source String that is possibly the output of calling encrypt, consisting of a Encryption name followed by its encrypt output.
+ * @return the result of applying the Encryption.decrypt method to the input suffix after identifying the Encryption from the prefix, or the
+ * input if no Encryption name matches.
*/
- public static Object decrypt(String source) {
- if(source.startsWith(SIMPLE_ENCRYPTION_PREFIX)) {
- return SimpleEncryption.decrypt(source.substring(SIMPLE_ENCRYPTION_PREFIX.length()));
+ public static Serializable decrypt(String source) {
+ String prefix = null;
+ Encryption encryption = null;
+ synchronized (ENCRYPTORS) {
+ for (Map.Entry<String, Encryption> entry : ENCRYPTORS.entrySet()) {
+ prefix = entry.getKey();
+ if (source.startsWith(prefix)) {
+ encryption = entry.getValue();
+ break;
+ }
+ }
+ }
+ if (encryption != null) {
+ return encryption.decrypt(source.substring(prefix.length()));
}
return source;
}
Modified: geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java (original)
+++ geronimo/server/trunk/modules/geronimo-util/src/main/java/org/apache/geronimo/util/SimpleEncryption.java Mon Sep 17 18:50:03 2007
@@ -41,48 +41,16 @@
*
* @version $Rev$ $Date$
*/
-public class SimpleEncryption {
- private final static Log log = LogFactory.getLog(SimpleEncryption.class);
+public final class SimpleEncryption extends AbstractEncryption {
+
+ public final static SimpleEncryption INSTANCE = new SimpleEncryption();
private final static SecretKeySpec SECRET_KEY = new SecretKeySpec(new byte[]{(byte)-45,(byte)-15,(byte)100,(byte)-34,(byte)70,(byte)83,(byte)75,(byte)-100,(byte)-75,(byte)61,(byte)26,(byte)114,(byte)-20,(byte)-58,(byte)114,(byte)77}, "AES");
- /**
- * Gets a String which contains the Base64-encoded form of the source,
- * encrypted with the known key.
- */
- public static String encrypt(Serializable source) {
- try {
- Cipher c = Cipher.getInstance("AES");
- c.init(Cipher.ENCRYPT_MODE, SECRET_KEY);
- SealedObject so = new SealedObject(source, c);
- ByteArrayOutputStream store = new ByteArrayOutputStream();
- ObjectOutputStream out = new ObjectOutputStream(store);
- out.writeObject(so);
- out.close();
- byte[] data = store.toByteArray();
- byte[] textData = Base64.encode(data);
- return new String(textData, "US-ASCII");
- } catch (Exception e) {
- log.error("Unable to encrypt", e);
- return null;
- }
+ private SimpleEncryption() {
}
- /**
- * Given a String which is the Base64-encoded encrypted data, retrieve
- * the original Object.
- */
- public static Object decrypt(String source) {
- try {
- byte[] data = Base64.decode(source);
- Cipher c = Cipher.getInstance("AES");
- c.init(Cipher.DECRYPT_MODE, SECRET_KEY);
- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data));
- SealedObject so = (SealedObject) in.readObject();
- return so.getObject(c);
- } catch (Exception e) {
- log.error("Unable to decrypt", e);
- return null;
- }
+ protected SecretKeySpec getSecretKeySpec() {
+ return SECRET_KEY;
}
}
Modified: geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java?rev=576651&r1=576650&r2=576651&view=diff
==============================================================================
--- geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java (original)
+++ geronimo/server/trunk/modules/geronimo-util/src/test/java/org/apache/geronimo/util/SimpleEncryptionTest.java Mon Sep 17 18:50:03 2007
@@ -24,8 +24,8 @@
public class SimpleEncryptionTest extends TestSupport {
public void testSimpleEncryption() {
Object[] source = new Object[]{"This is a test", new Integer(14)};
- String text = SimpleEncryption.encrypt(source);
- Object[] result = (Object[]) SimpleEncryption.decrypt(text);
+ String text = SimpleEncryption.INSTANCE.encrypt(source);
+ Object[] result = (Object[]) SimpleEncryption.INSTANCE.decrypt(text);
assertEquals(2, result.length);
assertEquals("This is a test", result[0]);
assertEquals(new Integer(14), result[1]);