View Javadoc

1   /**
2    * Copyright 2005-2014 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.ksb.messaging;
17  
18  import java.io.ByteArrayInputStream;
19  import java.io.ByteArrayOutputStream;
20  import java.io.IOException;
21  import java.io.InputStream;
22  import java.security.GeneralSecurityException;
23  import java.security.Signature;
24  import java.security.cert.CertificateFactory;
25  
26  import org.apache.commons.codec.binary.Base64;
27  import org.apache.commons.httpclient.Header;
28  import org.apache.commons.httpclient.HttpClient;
29  import org.apache.commons.httpclient.methods.PostMethod;
30  import org.apache.commons.lang.StringUtils;
31  import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
32  import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
33  import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
34  import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
35  import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
36  import org.kuali.rice.ksb.security.service.DigitalSignatureService;
37  import org.kuali.rice.ksb.util.KSBConstants;
38  import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
39  import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
40  
41  
42  /**
43   * At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages.  It's capabilities
44   * to execute the signing and verification can be turned on or off via an application constant.
45   * 
46   * @author Kuali Rice Team (rice.collab@kuali.org)
47   */
48  public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
49  	
50  	private Boolean secure = Boolean.TRUE;
51  	
52  	public KSBHttpInvokerRequestExecutor() {
53  		super();
54  	}
55  	
56  	public KSBHttpInvokerRequestExecutor(Boolean secure) {
57  		super();
58  		this.secure = secure;
59  	}
60  
61  	public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
62  		super(httpClient);
63  	}
64  	
65  	/**
66  	 * Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
67  	 * signature and our alias to the headers of the PostMethod.
68  	 */
69  	@Override
70  	protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
71  		if (isSecure()) {
72  			try {
73  				signRequest(postMethod, baos);	
74  			} catch (Exception e) {
75  				throw new RuntimeException("Failed to sign the outgoing message.", e);
76  			}
77  		}
78  		super.setRequestBody(config, postMethod, baos);
79  	}
80  	
81  	/**
82  	 * Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
83  	 * data has been read.
84  	 */
85  	@Override
86  	protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
87  		if (isSecure()) {
88  			// extract and validate the headers
89  			Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
90  			Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
91  			Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
92  			if (digitalSignatureHeader == null || StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
93  				throw new RuntimeException("A digital signature header was required on the response but none was found.");
94  			}
95  			boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
96  			boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
97  			if (!foundValidCertificate && !foundValidKeystoreAlias) {
98                  throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
99  			}
100 			// decode the digital signature from the header into binary
101 			byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
102 			String errorQualifier = "General Security Error";
103 			try {
104 			    Signature signature = null;
105 			    if (foundValidCertificate) {
106                     errorQualifier = "Error with given certificate";
107 	                // get the Signature for verification based on the alias that was sent to us
108 			        byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
109 		            CertificateFactory cf = CertificateFactory.getInstance("X.509");
110 	                signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
111 			    } else if (foundValidKeystoreAlias) {
112 	                // get the Signature for verification based on the alias that was sent to us
113 			        String keystoreAlias = keyStoreAliasHeader.getValue();
114 			        errorQualifier = "Error with given alias " + keystoreAlias;
115 	                signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
116 			    }
117 			    
118 				// wrap the InputStream in an input stream that will verify the signature
119 				return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
120 			} catch (GeneralSecurityException e) {
121 				throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
122 			}
123 		}
124 		return super.getResponseBody(config, postMethod);
125 	}
126 
127 	
128 	
129 	@Override
130 	protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
131 		if (postMethod.getStatusCode() >= 300) {
132 			throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
133 					", status message = [" + postMethod.getStatusText() + "]");
134 		}
135 	}
136 
137 	/**
138 	 * Signs the request by adding headers to the PostMethod.
139 	 */
140 	protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
141 		Signature signature = getDigitalSignatureService().getSignatureForSigning();
142 		HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
143 		signer.getSignature().update(baos.toByteArray());
144 		signer.sign();
145 	}
146 	
147 	protected boolean isSecure() {
148 		return getSecure();// && Utilities.getBooleanConstant(KewApiConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
149 	}
150 
151 	public Boolean getSecure() {
152 		return this.secure;
153 	}
154 
155 	public void setSecure(Boolean secure) {
156 		this.secure = secure;
157 	}
158 	
159 	protected DigitalSignatureService getDigitalSignatureService() {
160 		return (DigitalSignatureService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
161 	}
162 	
163 	protected JavaSecurityManagementService getJavaSecurityManagementService() {
164 		return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
165 	}
166 	
167 }