Package jadex.ipc.impl.security
Class Security
java.lang.Object
jadex.ipc.impl.security.Security
- All Implemented Interfaces:
ISecurity
Security functionality for active component communication.
Performs authentication and
-
Nested Class Summary
Nested classes/interfaces inherited from interface jadex.ipc.ISecurity
ISecurity.DecodedMessage
-
Field Summary
Fields
| Modifier and Type | Field | Description |
| | allowedcryptosuites | Available crypto suites. |
| protected boolean | allownoauthname | Flag if connections with platforms without authenticated names are allowed. |
| protected boolean | allownonetwork | Flag if connections with platforms without authenticated networks are allowed. |
| protected boolean | createdefaultnetwork | Flag if the security should create a random default network if no network is set. |
| protected jadex.future.IFuture<Void> | cryptoreset | Crypto-Suite reset in progress. |
| protected jadex.collection.RwMapWrapper<jadex.core.impl.GlobalProcessIdentifier, ICryptoSuite> | currentcryptosuites | CryptoSuites currently in use. |
| protected Set<org.bouncycastle.cert.X509CertificateHolder> | customnameauthorities | Custom (non-Java default) trusted authorities for certifying platform names. |
| protected boolean | defaultauthorization | Flag whether to grant default authorization (allow basic service calls if host name or group is authenticated). |
| protected Map<jadex.core.impl.GlobalProcessIdentifier, List<jadex.ipc.impl.security.Security.ExpiringCryptoSuite>> | expiringcryptosuites | CryptoSuites that are expiring with expiration time. |
| | groupnames | The list of group names (used by all service identifiers). |
| protected Map<String, List<AbstractAuthenticationSecret>> | groups | Available groups. |
| protected long | handshaketimeout | Handshake timeout. |
| protected Map<jadex.core.impl.GlobalProcessIdentifier, HandshakeState> | initializingcryptosuites | CryptoSuites currently initializing, value=Handshake state. |
| protected long | lastcleanup | Last time cleanup duties were performed. |
| protected boolean | loadjavatruststore | Flag whether to use the default Java trust store. |
| protected Set<org.bouncycastle.cert.X509CertificateHolder> | nameauthorities | Trusted authorities for certifying platform names. |
| protected AbstractX509PemSecret | platformnamecertificate | The platform name certificate if available. |
| protected boolean | refuseuntrusted | Flag whether to refuse unauthenticated connections. |
| | roles | Map of entities and associated roles. |
| static Security | security | The singleton instance. |
| protected long | sessionkeylifetime | Lifetime of session keys, after which the handshake is repeated and a new session key is generated. |
| | trustedhosts | The host names that are trusted and identified by name. |
-
Constructor Summary
Constructors -
Method Summary
| Modifier and Type | Method | Description |
| void | addNameAuthority(String pemcertificate) | Adds an authority for authenticating platform names. |
| void | addRole | Adds a role for an entity (platform or network name). |
| void | addTrustedHost(String host) | Adds a name of an authenticated host to allow access. |
| protected void | checkCleanup() | |
| jadex.future.IFuture<Boolean> | checkPlatformPassword(String secret) | Check the platform password. |
| protected byte[] | checkReceiverAndEncrypt(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] content, ICryptoSuite cs) | Checks receiver authorization and, if so, encrypts the message. |
| protected ICryptoSuite | createCryptoSuite(String name, String convid, boolean initializer) | Creates a crypto suite of a particular name. |
| ISecurity.DecodedMessage | decryptAndAuth(jadex.core.impl.GlobalProcessIdentifier sender, byte[] message) | Decrypts and authenticates the message from a sender. |
| protected void | doCleanup() | Cleans expired objects. |
| byte[] | encryptAndSign(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] message) | Encrypts and signs the message for a receiver. |
| protected void | expireCryptosuite(jadex.core.impl.GlobalProcessIdentifier gpid) | Expires a cryptosuite. |
| static final List<jadex.common.Tuple2<String,String>> | flattenRoleMap(Map<String, Set<String>> rolemap) | Helper for flattening the role map. |
| static final Security | get() | Get the security instance. |
| | getCustomNameAuthorities | Gets all authorities not defined in the Java trust store for authenticating platform names. |
| | getGroupNames | Gets the current group names. |
| | getGroups | Get access to the stored virtual network configurations. |
| boolean | getInternalAllowNoAuthName() | Checks whether to allow connections without name authentication. |
| boolean | getInternalAllowNoNetwork() | Checks whether to allow connections without network authentication. |
| boolean | getInternalDefaultAuthorization() | Checks whether to allow the default authorization. |
| Set<org.bouncycastle.cert.X509CertificateHolder> | getInternalNameAuthorities | Gets the name authorities. |
| | getInternalPlatformNameCertificate | Get the platform name certificate. |
| boolean | getInternalRefuseUntrusted() | Checks whether to allow untrusted connections. |
| | getInternalTrustedHosts | Gets the trusted platform names. |
| | getNameAuthorities | Adds an authority for authenticating platform names. |
| | getRoleMap | Gets a copy of the current role map. |
| | getTrustedHosts | Gets the trusted platforms that are specified by names. |
| void | handleMessage(byte[] message) | Handle security handshake message. |
| protected void | initializeHandshake(jadex.core.impl.GlobalProcessIdentifier gpid) | Init handshake with other platform. |
| jadex.future.IFuture<Object> | invokeMethod(String methodname, jadex.common.ClassInfo[] argtypes, Object[] args, jadex.common.ClassInfo rettype) | Invoke a method reflectively. |
| protected void | refreshCryptosuiteRoles() | Refreshes crypto suite roles. |
| void | removeGroup(String groupname, String secret) | Remove a group or group secret. |
| void | removeNameAuthority(String pemcertificate) | Removes an authority for authenticating platform names. |
| void | removeRole(String entity, String role) | Removes a role of an entity (platform or network name). |
| void | removeTrustedHost(String host) | Removes the name of an authenticated host to deny access. |
| protected void | resetCryptoSuites() | Resets the crypto suite in case of security state change (network secret changes etc.). |
| void | sendSecurityHandshakeMessage(jadex.core.impl.GlobalProcessIdentifier receiver, BasicSecurityMessage message) | Sends a security handshake message. |
| protected void | sendSecurityMessage(jadex.core.impl.GlobalProcessIdentifier receiver, Object message) | Sends a security message. |
| void | setGroup | Sets a new group. |
| void | setSecInfoMappedRoles(SecurityInfo secinf) | Sets the roles of a security info object. |
| void | start() | |
-
Field Details
-
security
The singleton instance.
-
defaultauthorization
protected boolean defaultauthorization
Flag whether to grant default authorization (allow basic service calls if host name or group is authenticated).
-
refuseuntrusted
protected boolean refuseuntrusted
Flag whether to refuse unauthenticated connections.
-
allownoauthname
protected boolean allownoauthname
Flag if connections with platforms without authenticated names are allowed.
-
allownonetwork
protected boolean allownonetwork
Flag if connections with platforms without authenticated networks are allowed.
-
loadjavatruststore
protected boolean loadjavatruststore
Flag whether to use the default Java trust store.
-
createdefaultnetwork
protected boolean createdefaultnetwork
Flag if the security should create a random default network if no network is set.
-
handshaketimeout
protected long handshaketimeout
Handshake timeout.
-
sessionkeylifetime
protected long sessionkeylifetime
Lifetime of session keys, after which the handshake is repeated and a new session key is generated.
-
groups
Available groups.
-
platformnamecertificate
The platform name certificate if available.
-
trustedhosts
The host names that are trusted and identified by name.
-
nameauthorities
Trusted authorities for certifying platform names.
-
customnameauthorities
Custom (non-Java default) trusted authorities for certifying platform names.
-
allowedcryptosuites
Available crypto suites.
-
initializingcryptosuites
CryptoSuites currently initializing, value=Handshake state.
-
currentcryptosuites
protected jadex.collection.RwMapWrapper<jadex.core.impl.GlobalProcessIdentifier,ICryptoSuite> currentcryptosuites
CryptoSuites currently in use.
-
expiringcryptosuites
protected Map<jadex.core.impl.GlobalProcessIdentifier,List<jadex.ipc.impl.security.Security.ExpiringCryptoSuite>> expiringcryptosuites
CryptoSuites that are expiring with expiration time.
-
roles
Map of entities and associated roles.
-
cryptoreset
Crypto-Suite reset in progress.
-
lastcleanup
protected volatile long lastcleanup
Last time cleanup duties were performed.
-
groupnames
The list of group names (used by all service identifiers).
-
-
Constructor Details
-
Security
public Security()
-
-
Method Details
-
get
Get the security instance.
-
start
public void start()
-
encryptAndSign
public byte[] encryptAndSign(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] message)
Encrypts and signs the message for a receiver.
- Parameters:
receiver - The receiver.
content - The content.
- Returns:
Encrypted/signed message.
-
decryptAndAuth
public ISecurity.DecodedMessage decryptAndAuth(jadex.core.impl.GlobalProcessIdentifier sender, byte[] message)
Decrypts and authenticates the message from a sender.
- Specified by:
decryptAndAuth in interface ISecurity
- Parameters:
sender - The sender.
message - The content.
content - The content.
- Returns:
Decrypted/authenticated message or null on invalid message.
-
setGroup
Sets a new group.
- Parameters:
groupname - The group name.
secret - The secret.
-
getGroups
Get access to the stored virtual network configurations.
- Returns:
The stored virtual network configurations.
-
removeGroup
Remove a group or group secret.
- Parameters:
groupname - The network name.
secret - The secret, null to remove the group completely.
-
addNameAuthority
Adds an authority for authenticating platform names.
- Parameters:
pemcertificate - The pem-encoded certificate.
-
removeNameAuthority
Removes an authority for authenticating platform names.
- Parameters:
secret - The secret, only X.509 secrets allowed.
-
getNameAuthorities
Adds an authority for authenticating platform names.
- Parameters:
secret - The secret, only X.509 secrets allowed.
- Returns:
Null, when done.
-
getCustomNameAuthorities
Gets all authorities not defined in the Java trust store for authenticating platform names.
- Returns:
List of name authorities.
-
getGroupNames
Gets the current group names.
- Returns:
The current group names.
-
addTrustedHost
Adds a name of an authenticated host to allow access.
- Parameters:
host - The host name, host name must be authenticated with certificate.
-
removeTrustedHost
Removes the name of an authenticated host to deny access.
- Parameters:
host - The host name to remove.
-
getTrustedHosts
Gets the trusted platforms that are specified by names.
- Returns:
The trusted platforms and their roles.
-
addRole
Adds a role for an entity (platform or network name).
- Parameters:
entity - The entity name.
role - The role name.
-
removeRole
Removes a role of an entity (platform or network name).
- Parameters:
entity - The entity name.
role - The role name.
-
getRoleMap
Gets a copy of the current role map.
- Returns:
Copy of the role map.
-
getInternalNameAuthorities
Gets the name authorities.
-
getInternalTrustedHosts
Gets the trusted platform names.
-
getInternalPlatformNameCertificate
Get the platform name certificate.
-
getInternalRefuseUntrusted
public boolean getInternalRefuseUntrusted()
Checks whether to allow untrusted connections.
- Returns:
True, if used.
-
getInternalAllowNoAuthName
public boolean getInternalAllowNoAuthName()
Checks whether to allow connections without name authentication.
- Returns:
True, if used.
-
getInternalAllowNoNetwork
public boolean getInternalAllowNoNetwork()
Checks whether to allow connections without network authentication.
- Returns:
True, if used.
-
getInternalDefaultAuthorization
public boolean getInternalDefaultAuthorization()
Checks whether to allow the default authorization.
- Returns:
True, if used.
-
setSecInfoMappedRoles
Sets the roles of a security info object.
- Parameters:
secinf - Security info.
defroles - Default roles that should be added.
-
checkReceiverAndEncrypt
protected byte[] checkReceiverAndEncrypt(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] content, ICryptoSuite cs)
Checks receiver authorization and, if so, encrypts the message. Otherwise, an exception is issued.
- Parameters:
receiver - Receive ID.
content - Message content.
cs - The cryptosuite negotiated with receiver.
resultfuture - Optional result future if it already exists, if null a future is created.
- Returns:
Result future containing encrypted message or exception.
-
checkCleanup
protected void checkCleanup()
-
doCleanup
protected void doCleanup()
Cleans expired objects.
-
resetCryptoSuites
protected void resetCryptoSuites()
Resets the crypto suite in case of security state change (network secret changes etc.).
-
createCryptoSuite
Creates a crypto suite of a particular name.
- Parameters:
name - Name of the suite.
convid - Conversation ID of handshake.
initializer - True, if suite should represent the initializer.
remoteversion - The remote Jadex version.
- Returns:
The suite, null if not found.
-
expireCryptosuite
protected void expireCryptosuite(jadex.core.impl.GlobalProcessIdentifier gpid)
Expires a cryptosuite.
- Parameters:
gpid - Global process identifier of communication partner.
-
refreshCryptosuiteRoles
protected void refreshCryptosuiteRoles()
Refreshes crypto suite roles.
-
sendSecurityHandshakeMessage
public void sendSecurityHandshakeMessage(jadex.core.impl.GlobalProcessIdentifier receiver, BasicSecurityMessage message)
Sends a security handshake message.
- Parameters:
receiver - Receiver of the message.
message - The message.
-
initializeHandshake
protected void initializeHandshake(jadex.core.impl.GlobalProcessIdentifier gpid)
Init handshake with other platform.
- Parameters:
gpid - The global process id.
-
sendSecurityMessage
protected void sendSecurityMessage(jadex.core.impl.GlobalProcessIdentifier receiver, Object message)
Sends a security message.
- Parameters:
receiver - Receiver of the message.
message - The message.
-
handleMessage
public void handleMessage(byte[] message)
Handle security handshake message.
- Parameters:
sender - The sender.
msg - The message.
-
flattenRoleMap
public static final List<jadex.common.Tuple2<String,String>> flattenRoleMap(Map<String, Set<String>> rolemap)
Helper for flattening the role map.
-
invokeMethod
public jadex.future.IFuture<Object> invokeMethod(String methodname, jadex.common.ClassInfo[] argtypes, Object[] args, jadex.common.ClassInfo rettype)
Invoke a method reflectively.
- Parameters:
methodname - The method name.
argtypes - The argument types (can be null if method exists only once).
args - The arguments.
- Returns:
The result.
-
checkPlatformPassword
Check the platform password.
- Parameters:
secret - The platform secret.
- Returns:
True, if platform password is correct.
-