|
Oracle® Coherence Java API Reference Release 12.1.2.0.3 E26043-02 |
|||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object
com.tangosol.util.Base
com.tangosol.net.security.DefaultController
public final class DefaultController
The default implementation of the AccessController interface.
Note: The DefaultController requires only a read access to the keystore file, and does not check the integrity of the keystore. The modifications to the keystore at a file system level as well as by the keystore tool (which requires a keystore password) must be controlled by external means (OS user management, ACL, etc.)
Field Summary | |
---|---|
static java.lang.String |
KEYSTORE_TYPE KeyStore type used by this implementation. |
static java.lang.String |
PROPERTY_CONFIG The name of the system property that can be used to override the location of the DefaultController configuration file. |
static java.lang.String |
SIGNATURE_ALGORITHM Digital signature algorithm used by this implementation. |
static java.security.Signature |
SIGNATURE_ENGINE The Signature object used by this implementation. |
Constructor Summary | |
---|---|
DefaultController(java.io.File fileKeyStore, java.io.File filePermits) Construct DefaultController for the specified key store file and permissions description (XML) file. |
Method Summary | |
---|---|
void |
checkPermission(ClusterPermission permission, javax.security.auth.Subject subject) Determine whether the cluster access request indicated by the specified permission should be allowed or denied for a given Subject (requestor). |
protected java.lang.Object |
decrypt(java.security.SignedObject so, java.security.PublicKey keyPublic) Decrypt the specified SignedObject using the specified public key. |
java.lang.Object |
decrypt(java.security.SignedObject so, javax.security.auth.Subject subjEncryptor, javax.security.auth.Subject subjDecryptor) Decrypt the specified SignedObject using the public credentials for a given encryptor Subject in a context represented by the decryptor Subject which is usually associated with the current thread. |
java.security.SignedObject |
encrypt(java.lang.Object o, javax.security.auth.Subject subjEncryptor) Encrypt the specified object using the private credentials for the given Subject (encryptor), which is usually associated with the current thread. |
protected java.security.SignedObject |
encrypt(java.io.Serializable o, java.security.PrivateKey keyPrivate) Encrypt the specified object using the specified private key. |
protected boolean |
equalsMostly(javax.security.auth.Subject subject1, javax.security.auth.Subject subject2) Check whether the specified Subject objects have the same set of principals and public credentials. |
protected java.util.Set |
extractCertificates(java.util.Set setPubCreds) Extract a set of Certificate objects from the set of public credentials. |
protected java.util.Set |
extractPublicKeys(java.util.Set setPubCreds) Extract a set of PublicKeys from the set of public credentials. |
protected java.util.Set |
findPublicKeys(javax.security.auth.Subject subject) Find a set of public keys for the specified Subject. |
protected java.security.Permissions |
getClusterPermissions(java.security.Principal principal) Obtain the permissions for the specified principal. |
XmlElement |
getPermissionsConfig() Obtain the permission configuration descriptor. |
static void |
main(java.lang.String[] asArg) Standalone permission check utility. |
Field Detail |
---|
public static final java.lang.String PROPERTY_CONFIG
The value of this property must be the name of a resource that contains an XML document with the structure defined in the /com/tangosol/net/security/DefaultController.xml configuration descriptor.
public static final java.lang.String KEYSTORE_TYPE
public static final java.lang.String SIGNATURE_ALGORITHM
public static final java.security.Signature SIGNATURE_ENGINE
Constructor Detail |
---|
public DefaultController(java.io.File fileKeyStore, java.io.File filePermits) throws java.io.IOException, java.security.AccessControlException
java.io.IOException
java.security.AccessControlException
Method Detail |
---|
public void checkPermission(ClusterPermission permission, javax.security.auth.Subject subject)
This method quietly returns if the access request is permitted, or throws a suitable AccessControlException if the specified authentication is invalid or insufficient.
checkPermission
in interface AccessController
permission
- the permission object that represents access to a clustered resourcesubject
- the Subject object representing the requestorjava.security.AccessControlException
- if the specified permission is not permitted, based on the current security policypublic java.security.SignedObject encrypt(java.lang.Object o, javax.security.auth.Subject subjEncryptor) throws java.io.IOException, java.security.GeneralSecurityException
encrypt
in interface AccessController
o
- the Object to encryptsubjEncryptor
- the Subject object whose credentials are being used to do the encryptionjava.io.IOException
- if an error occurs during serializationjava.security.GeneralSecurityException
- if the signing failspublic java.lang.Object decrypt(java.security.SignedObject so, javax.security.auth.Subject subjEncryptor, javax.security.auth.Subject subjDecryptor) throws java.lang.ClassNotFoundException, java.io.IOException, java.security.GeneralSecurityException
decrypt
in interface AccessController
so
- the SignedObject to decryptsubjEncryptor
- the Subject object whose credentials were used to do the encryptionsubjDecryptor
- the Subject object whose credentials might be used to do the decryption (optional)java.lang.ClassNotFoundException
- if a necessary class cannot be found during deserializationjava.io.IOException
- if an error occurs during deserializationjava.security.GeneralSecurityException
- if the verification failspublic XmlElement getPermissionsConfig()
protected java.security.Permissions getClusterPermissions(java.security.Principal principal)
principal
- the Principal objectprotected java.security.SignedObject encrypt(java.io.Serializable o, java.security.PrivateKey keyPrivate) throws java.io.IOException, java.security.GeneralSecurityException
o
- the Serializable object to encryptkeyPrivate
- the PrivateKey object to use for encryptionjava.io.IOException
java.security.GeneralSecurityException
protected java.lang.Object decrypt(java.security.SignedObject so, java.security.PublicKey keyPublic) throws java.lang.ClassNotFoundException, java.io.IOException, java.security.GeneralSecurityException
so
- the SignedObject to decryptkeyPublic
- the PublicKey object to use for decryptionjava.lang.ClassNotFoundException
java.io.IOException
java.security.GeneralSecurityException
protected boolean equalsMostly(javax.security.auth.Subject subject1, javax.security.auth.Subject subject2)
protected java.util.Set extractPublicKeys(java.util.Set setPubCreds)
setPubCreds
- set of public credentialsprotected java.util.Set extractCertificates(java.util.Set setPubCreds)
setPubCreds
- set of public credentialsprotected java.util.Set findPublicKeys(javax.security.auth.Subject subject) throws java.security.GeneralSecurityException
Note: We need to prevent a security hole when a caller would construct and send the responder a Subject object with a Principal object that have a high security clearance, but provide a valid certificate representing a low security clearance Principal. To deal with this after we find the caller's certificate in the key store, the principal match must be verified.
subject
- the Subject objectjava.security.GeneralSecurityException
- if a keystore exception occurspublic static void main(java.lang.String[] asArg) throws java.lang.Exception
java com.tangosol.net.security DefaultController [-<option>]* <target> <action> where options include: -keystore:<keystore path> the path to the keystore -module:<name> the login module name -permits:<permits path> the path to permissions file -requestor:<name!password> the requestor's name/password pair -responder:<name!password> the responder's name/password pair
java.lang.Exception
|
Oracle® Coherence Java API Reference Release 12.1.2.0.3 E26043-02 |
|||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |