Diffstat (limited to 'java/src')
-rw-r--r--java/src/IceInternal/PropertyNames.java24
-rw-r--r--java/src/IceSSL/RFC2253.java28
-rw-r--r--java/src/IceSSL/TrustManager.java193
3 files changed, 180 insertions, 65 deletions
diff --git a/java/src/IceInternal/PropertyNames.java b/java/src/IceInternal/PropertyNames.java
index ab58a9d6731..15e20c6b9a5 100644
--- a/java/src/IceInternal/PropertyNames.java
+++ b/java/src/IceInternal/PropertyNames.java
@@ -8,7 +8,7 @@
// **********************************************************************
//
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -33,6 +33,7 @@ public final class PropertyNames
new Property("Ice\\.Admin\\.ThreadPool\\.SizeWarn", false, null),
new Property("Ice\\.Admin\\.ThreadPool\\.StackSize", false, null),
new Property("Ice\\.Admin\\.ThreadPool\\.Serialize", false, null),
+ new Property("Ice\\.Admin\\.ThreadPool\\.ThreadPriority", false, null),
new Property("Ice\\.Admin\\.DelayCreation", false, null),
new Property("Ice\\.Admin\\.Facets", false, null),
new Property("Ice\\.Admin\\.InstanceName", false, null),
@@ -99,11 +100,14 @@ public final class PropertyNames
new Property("Ice\\.ThreadPool\\.Client\\.SizeWarn", false, null),
new Property("Ice\\.ThreadPool\\.Client\\.StackSize", false, null),
new Property("Ice\\.ThreadPool\\.Client\\.Serialize", false, null),
+ new Property("Ice\\.ThreadPool\\.Client\\.ThreadPriority", false, null),
new Property("Ice\\.ThreadPool\\.Server\\.Size", false, null),
new Property("Ice\\.ThreadPool\\.Server\\.SizeMax", false, null),
new Property("Ice\\.ThreadPool\\.Server\\.SizeWarn", false, null),
new Property("Ice\\.ThreadPool\\.Server\\.StackSize", false, null),
new Property("Ice\\.ThreadPool\\.Server\\.Serialize", false, null),
+ new Property("Ice\\.ThreadPool\\.Server\\.ThreadPriority", false, null),
+ new Property("Ice\\.ThreadPriority", false, null),
new Property("Ice\\.Trace\\.GC", false, null),
new Property("Ice\\.Trace\\.Location", true, "Ice.Trace.Locator"),
new Property("Ice\\.Trace\\.Locator", false, null),
@@ -149,6 +153,7 @@ public final class PropertyNames
new Property("IceBox\\.ServiceManager\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceBox\\.ServiceManager\\.ThreadPool\\.StackSize", false, null),
new Property("IceBox\\.ServiceManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceBox\\.ServiceManager\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceBox\\.Trace\\.ServiceObserver", false, null),
new Property("IceBox\\.UseSharedCommunicator\\.[^\\s]+", false, null),
null
@@ -195,6 +200,7 @@ public final class PropertyNames
new Property("IceGrid\\.Node\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Node\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Node\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Node\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Node\\.AllowRunningServersAsRoot", false, null),
new Property("IceGrid\\.Node\\.AllowEndpointsOverride", false, null),
new Property("IceGrid\\.Node\\.CollocateRegistry", false, null),
@@ -245,6 +251,7 @@ public final class PropertyNames
new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.AdminSessionManager\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.EndpointSelection", false, null),
new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.ConnectionCached", false, null),
new Property("IceGrid\\.Registry\\.AdminSSLPermissionsVerifier\\.PreferSecure", false, null),
@@ -267,6 +274,7 @@ public final class PropertyNames
new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Client\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Registry\\.CryptPasswords", false, null),
new Property("IceGrid\\.Registry\\.Data", false, null),
new Property("IceGrid\\.Registry\\.DefaultTemplates", false, null),
@@ -284,6 +292,7 @@ public final class PropertyNames
new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Internal\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Registry\\.NodeSessionTimeout", false, null),
new Property("IceGrid\\.Registry\\.PermissionsVerifier\\.EndpointSelection", false, null),
new Property("IceGrid\\.Registry\\.PermissionsVerifier\\.ConnectionCached", false, null),
@@ -309,6 +318,7 @@ public final class PropertyNames
new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.Server\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Registry\\.SessionFilters", false, null),
new Property("IceGrid\\.Registry\\.SessionManager\\.AdapterId", false, null),
new Property("IceGrid\\.Registry\\.SessionManager\\.Endpoints", false, null),
@@ -323,6 +333,7 @@ public final class PropertyNames
new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.SizeWarn", false, null),
new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.StackSize", false, null),
new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.Serialize", false, null),
+ new Property("IceGrid\\.Registry\\.SessionManager\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IceGrid\\.Registry\\.SessionTimeout", false, null),
new Property("IceGrid\\.Registry\\.SSLPermissionsVerifier\\.EndpointSelection", false, null),
new Property("IceGrid\\.Registry\\.SSLPermissionsVerifier\\.ConnectionCached", false, null),
@@ -364,6 +375,7 @@ public final class PropertyNames
new Property("IcePatch2\\.ThreadPool\\.SizeWarn", false, null),
new Property("IcePatch2\\.ThreadPool\\.StackSize", false, null),
new Property("IcePatch2\\.ThreadPool\\.Serialize", false, null),
+ new Property("IcePatch2\\.ThreadPool\\.ThreadPriority", false, null),
new Property("IcePatch2\\.Admin\\.AdapterId", true, null),
new Property("IcePatch2\\.Admin\\.Endpoints", true, null),
new Property("IcePatch2\\.Admin\\.Locator", true, null),
@@ -408,15 +420,15 @@ public final class PropertyNames
new Property("IceSSL\\.Protocols", false, null),
new Property("IceSSL\\.Random", false, null),
new Property("IceSSL\\.Trace\\.Security", false, null),
+ new Property("IceSSL\\.TrustOnly", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Client", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Server", false, null),
+ new Property("IceSSL\\.TrustOnly\\.Server\\.[^\\s]+", false, null),
new Property("IceSSL\\.Truststore", false, null),
new Property("IceSSL\\.TruststorePassword", false, null),
new Property("IceSSL\\.TruststoreType", false, null),
new Property("IceSSL\\.VerifyDepthMax", false, null),
new Property("IceSSL\\.VerifyPeer", false, null),
- new Property("IceSSL\\.TrustOnly", false, null),
- new Property("IceSSL\\.TrustOnly\\.Client", false, null),
- new Property("IceSSL\\.TrustOnly\\.Server", false, null),
- new Property("IceSSL\\.TrustOnly\\.Server\\.[^\\s]+", false, null),
null
};
@@ -453,6 +465,7 @@ public final class PropertyNames
new Property("Glacier2\\.Client\\.ThreadPool\\.SizeWarn", false, null),
new Property("Glacier2\\.Client\\.ThreadPool\\.StackSize", false, null),
new Property("Glacier2\\.Client\\.ThreadPool\\.Serialize", false, null),
+ new Property("Glacier2\\.Client\\.ThreadPool\\.ThreadPriority", false, null),
new Property("Glacier2\\.Client\\.AlwaysBatch", false, null),
new Property("Glacier2\\.Client\\.Buffered", false, null),
new Property("Glacier2\\.Client\\.ForwardContext", false, null),
@@ -502,6 +515,7 @@ public final class PropertyNames
new Property("Glacier2\\.Server\\.ThreadPool\\.SizeWarn", false, null),
new Property("Glacier2\\.Server\\.ThreadPool\\.StackSize", false, null),
new Property("Glacier2\\.Server\\.ThreadPool\\.Serialize", false, null),
+ new Property("Glacier2\\.Server\\.ThreadPool\\.ThreadPriority", false, null),
new Property("Glacier2\\.Server\\.AlwaysBatch", false, null),
new Property("Glacier2\\.Server\\.Buffered", false, null),
new Property("Glacier2\\.Server\\.ForwardContext", false, null),
diff --git a/java/src/IceSSL/RFC2253.java b/java/src/IceSSL/RFC2253.java
index 13e701ba15d..50d65e17ef8 100644
--- a/java/src/IceSSL/RFC2253.java
+++ b/java/src/IceSSL/RFC2253.java
@@ -40,24 +40,40 @@ class RFC2253
String value;
}
+ static class RDNEntry
+ {
+ java.util.List<RDNPair> rdn = new java.util.LinkedList<RDNPair>();
+ boolean negate = false;
+ }
+
static private class ParseState
{
String data;
int pos;
}
- public static java.util.List<java.util.List<RDNPair> >
+ public static java.util.List<RDNEntry>
parse(String data)
throws ParseException
{
- java.util.List<java.util.List<RDNPair> > results = new java.util.LinkedList<java.util.List<RDNPair> >();
- java.util.List<RDNPair> current = new java.util.LinkedList<RDNPair>();
+ java.util.List<RDNEntry> results = new java.util.LinkedList<RDNEntry>();
+ RDNEntry current = new RDNEntry();
ParseState state = new ParseState();
state.data = data;
state.pos = 0;
while(state.pos < state.data.length())
{
- current.add(parseNameComponent(state));
+ eatWhite(state);
+ if(state.pos < state.data.length() && state.data.charAt(state.pos) == '!')
+ {
+ if(!current.rdn.isEmpty())
+ {
+ throw new ParseException("negation symbol '!' must appear at start of list");
+ }
+ ++state.pos;
+ current.negate = true;
+ }
+ current.rdn.add(parseNameComponent(state));
eatWhite(state);
if(state.pos < state.data.length() && state.data.charAt(state.pos) == ',')
{
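Review bot: The new RDNEntry class leaves its `negate` flag undocumented, yet it is the only thing that distinguishes a reject rule from an accept rule downstream; add above the field `// true when the entry was prefixed with '!' (a reject rule in IceSSL.TrustOnly*); rdn holds the parsed components`. The `!` branch also advances past the symbol without calling eatWhite again, so `! CN=x` hands a leading blank to parseNameComponent; whether that is tolerated depends on parseNameComponent, which is outside this hunk, so consider `++state.pos; eatWhite(state);` to make the syntax explicit. The parse loop continues in the next hunk.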
@@ -67,14 +83,14 @@ class RFC2253
{
++state.pos;
results.add(current);
- current = new java.util.LinkedList<RDNPair>();
+ current = new RDNEntry();
}
else if(state.pos < state.data.length())
{
throw new ParseException("expected ',' or ';' at `" + state.data.substring(state.pos) + "'");
}
}
- if(!current.isEmpty())
+ if(!current.rdn.isEmpty())
{
results.add(current);
}
diff --git a/java/src/IceSSL/TrustManager.java b/java/src/IceSSL/TrustManager.java
index 5dceca0a1e0..b54b18d16e9 100644
--- a/java/src/IceSSL/TrustManager.java
+++ b/java/src/IceSSL/TrustManager.java
@@ -21,17 +21,29 @@ class TrustManager
try
{
key = "IceSSL.TrustOnly";
- _all = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectAll, _acceptAll);
key = "IceSSL.TrustOnly.Client";
- _client = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectClient, _acceptClient);
key = "IceSSL.TrustOnly.Server";
- _allServer = parse(properties.getProperty(key));
+ parse(properties.getProperty(key), _rejectAllServer, _acceptAllServer);
java.util.Map<String, String> dict = properties.getPropertiesForPrefix("IceSSL.TrustOnly.Server.");
for(java.util.Map.Entry<String, String> p : dict.entrySet())
{
key = p.getKey();
String name = key.substring("IceSSL.TrustOnly.Server.".length());
- _server.put(name, parse(p.getValue()));
+ java.util.List<java.util.List<RFC2253.RDNPair> > reject =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ java.util.List<java.util.List<RFC2253.RDNPair> > accept =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ parse(p.getValue(), reject, accept);
+ if(!reject.isEmpty())
+ {
+ _rejectServer.put(name, reject);
+ }
+ if(!accept.isEmpty())
+ {
+ _acceptServer.put(name, accept);
+ }
}
}
catch(RFC2253.ParseException e)
@@ -45,40 +57,68 @@ class TrustManager
boolean
verify(ConnectionInfo info)
{
- java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > > trustset =
- new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >();
- if(!_all.isEmpty())
+ java.util.List<java.util.List<java.util.List<RFC2253.RDNPair> > >
+ reject = new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >(),
+ accept = new java.util.LinkedList<java.util.List<java.util.List<RFC2253.RDNPair> > >();
+
+ if(!_rejectAll.isEmpty())
+ {
+ reject.add(_rejectAll);
+ }
+ if(info.incoming)
+ {
+ if(!_rejectAllServer.isEmpty())
+ {
+ reject.add(_rejectAllServer);
+ }
+ if(info.adapterName.length() > 0)
+ {
+ java.util.List<java.util.List<RFC2253.RDNPair> > p = _rejectServer.get(info.adapterName);
+ if(p != null)
+ {
+ reject.add(p);
+ }
+ }
+ }
+ else
{
- trustset.add(_all);
+ if(!_rejectClient.isEmpty())
+ {
+ reject.add(_rejectClient);
+ }
}
+ if(!_acceptAll.isEmpty())
+ {
+ accept.add(_acceptAll);
+ }
if(info.incoming)
{
- if(!_allServer.isEmpty())
+ if(!_acceptAllServer.isEmpty())
{
- trustset.add(_allServer);
+ accept.add(_acceptAllServer);
}
if(info.adapterName.length() > 0)
{
- java.util.List<java.util.List<RFC2253.RDNPair> > p = _server.get(info.adapterName);
+ java.util.List<java.util.List<RFC2253.RDNPair> > p = _acceptServer.get(info.adapterName);
if(p != null)
{
- trustset.add(p);
+ accept.add(p);
}
}
}
else
{
- if(!_client.isEmpty())
+ if(!_acceptClient.isEmpty())
{
- trustset.add(_client);
+ accept.add(_acceptClient);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
- if(trustset.isEmpty())
+ if(reject.isEmpty() && accept.isEmpty())
{
return true;
}
@@ -118,34 +158,31 @@ class TrustManager
java.util.List<RFC2253.RDNPair> dn = RFC2253.parseStrict(subjectName);
//
- // Try matching against everything in the trust set.
+ // Fail if we match anything in the reject set.
//
- for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : trustset)
+ for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : reject)
{
if(_traceLevel > 1)
{
- StringBuffer s = new StringBuffer("trust manager matching PDNs:\n");
- boolean addSemi = false;
- for(java.util.List<RFC2253.RDNPair> rdnSet : matchSet)
- {
- if(addSemi)
- {
- s.append(';');
- }
- addSemi = true;
- boolean addComma = false;
- for(RFC2253.RDNPair rdn : rdnSet)
- {
- if(addComma)
- {
- s.append(',');
- }
- addComma = true;
- s.append(rdn.key);
- s.append('=');
- s.append(rdn.value);
- }
- }
+ StringBuilder s = new StringBuilder("trust manager rejecting PDNs:\n");
+ stringify(matchSet, s);
+ _communicator.getLogger().trace("Security", s.toString());
+ }
+ if(match(matchSet, dn))
+ {
+ return false;
+ }
+ }
+
+ //
+ // Succeed if we match anything in the accept set.
+ //
+ for(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet : accept)
+ {
+ if(_traceLevel > 1)
+ {
+ StringBuilder s = new StringBuilder("trust manager accepting PDNs:\n");
+ stringify(matchSet, s);
_communicator.getLogger().trace("Security", s.toString());
}
if(match(matchSet, dn))
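Review bot: The trace strings `"trust manager rejecting PDNs:\n"` and `"trust manager accepting PDNs:\n"` are written before `match()` runs, so at trace level 2 every connection logs "rejecting" for each configured reject set even when nothing is rejected, which will mislead anyone reading the Security trace during an incident. Name the rule set rather than the outcome, e.g. `"trust manager matching reject PDNs:\n"` and `"trust manager matching accept PDNs:\n"`, and leave the verdict to the match result. The try block enclosing these loops begins outside this hunk.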
@@ -159,6 +196,11 @@ class TrustManager
_communicator.getLogger().warning(
"IceSSL: unable to parse certificate DN `" + subjectName + "'\nreason: " + e.reason);
}
+
+ //
+ // At this point we accept the connection if there are no explicit accept rules.
+ //
+ return accept.isEmpty();
}
return false;
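Review bot: The added `return accept.isEmpty();` sits after the catch block, so a subject DN that RFC2253.parseStrict rejects skips both match loops and is then accepted whenever only reject rules (`!` entries) are configured — a fail-open path the old code did not have, since it fell through to `return false`. Move the statement to the end of the try body, immediately after the accept loop, so a parse failure still reaches `return false;` below; the result for a well-formed DN is unchanged. The try block and the verify method begin outside this hunk.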
@@ -202,8 +244,9 @@ class TrustManager
return true;
}
- java.util.List<java.util.List<RFC2253.RDNPair> >
- parse(String value)
+ void
+ parse(String value, java.util.List<java.util.List<RFC2253.RDNPair> > reject,
+ java.util.List<java.util.List<RFC2253.RDNPair> > accept)
throws RFC2253.ParseException
{
//
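Review bot: parse now fills two out-parameters but nothing says which entries land where, so a reader has to follow the body to learn that the `!` prefix selects the reject list. Add above the signature `// Parses an IceSSL.TrustOnly* value; entries prefixed with '!' are appended to reject, all others to accept.` The method body continues past this hunk.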
@@ -229,7 +272,7 @@ class TrustManager
// This means that the user input, unless it uses the
// unfriendly OID format, will not directly match the
// principal.
- //
+ //
// Two possible solutions:
//
// Have the RFC2253 parser convert anything that is not CN, L,
@@ -245,14 +288,12 @@ class TrustManager
// DNs on ';' which cannot be blindly split because of quotes,
// \ and such.
//
- java.util.List<java.util.List<RFC2253.RDNPair> > l = RFC2253.parse(value);
- java.util.List<java.util.List<RFC2253.RDNPair> > result =
- new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
- for(java.util.List<RFC2253.RDNPair> dn : l)
+ java.util.List<RFC2253.RDNEntry> l = RFC2253.parse(value);
+ for(RFC2253.RDNEntry e : l)
{
- StringBuffer v = new StringBuffer();
+ StringBuilder v = new StringBuilder();
boolean first = true;
- for(RFC2253.RDNPair pair : dn)
+ for(RFC2253.RDNPair pair : e.rdn)
{
if(!first)
{
@@ -265,17 +306,61 @@ class TrustManager
}
javax.security.auth.x500.X500Principal princ = new javax.security.auth.x500.X500Principal(v.toString());
String subjectName = princ.getName(javax.security.auth.x500.X500Principal.RFC2253);
- result.add(RFC2253.parseStrict(subjectName));
+ if(e.negate)
+ {
+ reject.add(RFC2253.parseStrict(subjectName));
+ }
+ else
+ {
+ accept.add(RFC2253.parseStrict(subjectName));
+ }
+ }
+ }
+
+ private static void
+ stringify(java.util.List<java.util.List<RFC2253.RDNPair>> matchSet, StringBuilder s)
+ {
+ boolean addSemi = false;
+ for(java.util.List<RFC2253.RDNPair> rdnSet : matchSet)
+ {
+ if(addSemi)
+ {
+ s.append(';');
+ }
+ addSemi = true;
+ boolean addComma = false;
+ for(RFC2253.RDNPair rdn : rdnSet)
+ {
+ if(addComma)
+ {
+ s.append(',');
+ }
+ addComma = true;
+ s.append(rdn.key);
+ s.append('=');
+ s.append(rdn.value);
+ }
}
- return result;
}
private Ice.Communicator _communicator;
private int _traceLevel;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _all;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _client;
- private java.util.List<java.util.List<RFC2253.RDNPair> > _allServer;
- private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _server =
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAll =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectClient =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAllServer =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _rejectServer =
+ new java.util.HashMap<String, java.util.List<java.util.List<RFC2253.RDNPair> > >();
+
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptAll =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptClient =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.List<java.util.List<RFC2253.RDNPair> > _acceptAllServer =
+ new java.util.LinkedList<java.util.List<RFC2253.RDNPair> >();
+ private java.util.Map<String, java.util.List<java.util.List<RFC2253.RDNPair> > > _acceptServer =
new java.util.HashMap<String, java.util.List<java.util.List<RFC2253.RDNPair> > >();
}
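Review bot: The eight rule containers are populated only in the constructor and read on every verify() call, yet none is declared `final`, so nothing stops a later edit from reassigning one while connections are being verified; `private final java.util.List<java.util.List<RFC2253.RDNPair> > _rejectAll =` (and likewise for the other seven) states that intent at no cost. stringify is a sensible extraction; a one-line comment above it saying it renders a match set in the `k=v,k=v;k=v` form used by the trace output would help the next reader.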