org.jboss.iiop.csiv2.SASClientInterceptor (Java2HTML)

/*
* JBoss, the OpenSource J2EE webOS
*
* Distributable under LGPL license.
* See terms of license at gnu.org.
*/
package org.jboss.iiop.csiv2;

/***************************************
 *                                     *
 *  JBoss: The OpenSource J2EE WebOS   *
 *                                     *
 *  Distributable under LGPL license.  *
 *  See terms of license at gnu.org.   *
 *                                     *
 ***************************************/

import java.security.Principal;

import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.MARSHAL;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.ORB;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.TCKind;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.MTContextError;
import org.omg.CSI.SASContextBody;
import org.omg.CSI.SASContextBodyHelper;

import org.omg.CSIIOP.CompoundSecMech;
import org.omg.CSIIOP.TAG_CSI_SEC_MECH_LIST;
import org.omg.CSIIOP.CompoundSecMechListHelper;
import org.omg.CSIIOP.CompoundSecMechList;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.CSIIOP.SAS_ContextSec;
import org.omg.CSIIOP.EstablishTrustInClient;

import org.omg.GSSUP.InitialContextToken;
import org.omg.IOP.Codec;
import org.omg.IOP.CodecPackage.FormatMismatch;
import org.omg.IOP.CodecPackage.TypeMismatch;
import org.omg.IOP.ServiceContext;
import org.omg.IOP.TaggedComponent;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ClientRequestInterceptor;
import org.jacorb.orb.MinorCodes;

import org.jboss.logging.Logger;
import org.jboss.security.SecurityAssociation;

/**
 * This implementation of 
 * <code>org.omg.PortableInterceptor.ClientRequestInterceptor</code> inserts 
 * the security attribute service (SAS) context into outgoing IIOP requests 
 * and handles the SAS messages received from the target security service 
 * in the SAS context of incoming IIOP replies.
 * 
 * @author  <a href="mailto:reverbel@ime.usp.br">Francisco Reverbel</a>
 * @version $Revision: 1.3.4.3 $
 */
public class SASClientInterceptor
   extends LocalObject
   implements ClientRequestInterceptor
{
   // Constants ------------------------------------------------------
   /** @since 4.0.2 */
   private static final long serialVersionUID = 5744355993699264087L;

   private static final int sasContextId =
      org.omg.IOP.SecurityAttributeService.value;

   private static final IdentityToken absentIdentityToken;
   static {
      absentIdentityToken = new IdentityToken();
      absentIdentityToken.absent(true);
   }
   private static final AuthorizationElement[] noAuthorizationToken = {};

   private static final Logger log = 
      Logger.getLogger(SASTargetInterceptor.class);
   private static final boolean traceEnabled = log.isTraceEnabled();


   // Fields ---------------------------------------------------------
    
   private Codec codec;

   // Constructor ---------------------------------------------------
    
   public SASClientInterceptor(Codec codec)
   {
      this.codec = codec;
   }
    
   // Methods  -------------------------------------------------------

    
   // org.omg.PortableInterceptor.Interceptor operations ------------
    
   public String name()
   {
      return "SASClientInterceptor";
   }

   public void destroy()
   {
      // do nothing
   }    
    
   // ClientRequestInterceptor operations ---------------------------
    
   public void send_request(ClientRequestInfo ri)
   {
      try
      {
         CompoundSecMech secMech = 
            CSIv2Util.getMatchingSecurityMech(
               ri,
               codec,
               EstablishTrustInClient.value,  /* client supports */
               (short)0                       /* client requires */);
         if (secMech == null)
            return;

         if ((secMech.as_context_mech.target_supports 
              & EstablishTrustInClient.value) != 0)
         {
            Principal p = SecurityAssociation.getPrincipal();
            if (p != null)
            {
               byte[] encodedTargetName = secMech.as_context_mech.target_name;

               // The name scope needs to be externalized
               String name = p.getName();
               if (name.indexOf('@') < 0)
               {
                  byte[] decodedTargetName = 
                     CSIv2Util.decodeGssExportedName(encodedTargetName);
                  String targetName = new String(decodedTargetName, "UTF-8");
                  name += "@" + targetName; // "@default"
               }
               byte[] username = name.getBytes("UTF-8");
               // I don't know why there is not a better way 
               // to go from char[] -> byte[]
               Object credential = SecurityAssociation.getCredential();
               byte[] password = {};
               if (credential instanceof char[])
               {
                  String tmp = new String((char[]) credential);
                  password = tmp.getBytes("UTF-8");
               }
               else if (credential instanceof byte[])
                  password = (byte[])credential;
               else if (credential != null)
               {
                  String tmp = credential.toString();
                  password = tmp.getBytes("UTF-8");
               }

               // create authentication token
               InitialContextToken authenticationToken = 
                  new InitialContextToken(username,
                                          password,
                                          encodedTargetName);
               // ASN.1-encode it, as defined in RFC 2743
               byte[] encodedAuthenticationToken =
                  CSIv2Util.encodeInitialContextToken(authenticationToken, 
                                                      codec);

               // create EstablishContext message with the encoded token
               EstablishContext message = 
                  new EstablishContext(0, // stateless ctx id
                                       noAuthorizationToken,
                                       absentIdentityToken,
                                       encodedAuthenticationToken); 

               // create SAS context with the EstablishContext message
               SASContextBody contextBody = new SASContextBody();
               contextBody.establish_msg(message);

               // stuff the SAS context into the outgoing request
               Any any = ORB.init().create_any();
               SASContextBodyHelper.insert(any, contextBody);
               ServiceContext sc =
                  new ServiceContext(sasContextId, codec.encode_value(any));
               ri.add_request_service_context(sc,
                                              true /*replace existing context*/);
            }
         }
      }
      catch (java.io.UnsupportedEncodingException e)
      {
         throw new MARSHAL("Unexpected exception: " + e);
      }
      catch (org.omg.IOP.CodecPackage.InvalidTypeForEncoding e)
      {
         throw new MARSHAL("Unexpected exception: " + e);
      }
   }

   public void send_poll(ClientRequestInfo ri)
   {
      // do nothing
   }

   public void receive_reply(ClientRequestInfo ri)
   {
      try
      {
         ServiceContext sc = ri.get_reply_service_context(sasContextId);
         Any msg = codec.decode_value(sc.context_data,
            SASContextBodyHelper.type());
         SASContextBody contextBody = SASContextBodyHelper.extract(msg);

         // At this point contextBody should contain a 
         // CompleteEstablishContext message, which does not require any 
         // treatment. ContextError messages should arrive via 
         // receive_exception().

         if (traceEnabled)
            log.trace("receive_reply: got SAS reply, type " +
                      contextBody.discriminator());

         if (contextBody.discriminator() == MTContextError.value)
         {
            // should not happen
            log.warn("Unexpected ContextError in SAS reply");
            throw new NO_PERMISSION("Unexpected ContextError in SAS reply",
               MinorCodes.SAS_CSS_FAILURE,
               CompletionStatus.COMPLETED_YES);
         }
      }
      catch (BAD_PARAM e)
      {
         // no service context with sasContextId: do nothing
      }
      catch (FormatMismatch e)
      {
         throw new MARSHAL("Could not parse SAS reply: " + e,
            0,
            CompletionStatus.COMPLETED_YES);
      }
      catch (TypeMismatch e)
      {
         throw new MARSHAL("Could not parse SAS reply: " + e,
            0,
            CompletionStatus.COMPLETED_YES);
      }
   }

   public void receive_exception(ClientRequestInfo ri)
   {
      try
      {
         ServiceContext sc = ri.get_reply_service_context(sasContextId);
         Any msg = codec.decode_value(sc.context_data,
            SASContextBodyHelper.type());
         SASContextBody contextBody = SASContextBodyHelper.extract(msg);

         // At this point contextBody may contain a either a 
         // CompleteEstablishContext message or a ContextError message.
         // Neither message requires any treatment. We decoded the context
         // body just to check that it contains a well-formed message.

         if (traceEnabled)
            log.trace("receive_exception: got SAS reply, type " +
                      contextBody.discriminator());
      }
      catch (BAD_PARAM e)
      {
         // no service context with sasContextId: do nothing
      }
      catch (FormatMismatch e)
      {
         throw new MARSHAL("Could not parse SAS reply: " + e,
            MinorCodes.SAS_CSS_FAILURE,
            CompletionStatus.COMPLETED_MAYBE);
      }
      catch (TypeMismatch e)
      {
         throw new MARSHAL("Could not parse SAS reply: " + e,
            MinorCodes.SAS_CSS_FAILURE,
            CompletionStatus.COMPLETED_MAYBE);
      }
   }

   public void receive_other(ClientRequestInfo ri)
   {
      // do nothing
   }

}