Class Security

java.lang.Object
jadex.ipc.impl.security.Security
All Implemented Interfaces:
ISecurity

public class Security extends Object implements ISecurity
Security functionality for active component communication. Performs authentication and
  • Field Details

    • security

      public static volatile Security security
      The singleton instance.
    • defaultauthorization

      protected boolean defaultauthorization
      Flag whether to grant default authorization (allow basic service calls if host name or group is authenticated).
    • refuseuntrusted

      protected boolean refuseuntrusted
      Flag whether to refuse unauthenticated connections.
    • allownoauthname

      protected boolean allownoauthname
      Flag whether connections with platforms without authenticated names are allowed.
    • allownonetwork

      protected boolean allownonetwork
      Flag whether connections with platforms without authenticated networks are allowed.
    • loadjavatruststore

      protected boolean loadjavatruststore
      Flag whether to use the default Java trust store.
    • createdefaultnetwork

      protected boolean createdefaultnetwork
      Flag if the security should create a random default network if no network is set.
    • handshaketimeout

      protected long handshaketimeout
      Handshake timeout.
    • sessionkeylifetime

      protected long sessionkeylifetime
      Lifetime of session keys, after which the handshake is repeated and a new session key is generated.
    • groups

      Available groups.
    • platformnamecertificate

      protected AbstractX509PemSecret platformnamecertificate
      The platform name certificate if available.
    • trustedhosts

      protected Set<String> trustedhosts
      The host names that are trusted and identified by name.
    • nameauthorities

      protected Set<org.bouncycastle.cert.X509CertificateHolder> nameauthorities
      Trusted authorities for certifying platform names.
    • customnameauthorities

      protected Set<org.bouncycastle.cert.X509CertificateHolder> customnameauthorities
      Custom (non-Java default) trusted authorities for certifying platform names.
    • allowedcryptosuites

      protected Map<String,Class<?>> allowedcryptosuites
      Available crypto suites.
    • initializingcryptosuites

      protected Map<jadex.core.impl.GlobalProcessIdentifier,HandshakeState> initializingcryptosuites
      CryptoSuites currently initializing, value=Handshake state.
    • currentcryptosuites

      protected jadex.collection.RwMapWrapper<jadex.core.impl.GlobalProcessIdentifier,ICryptoSuite> currentcryptosuites
      CryptoSuites currently in use.
    • expiringcryptosuites

      protected Map<jadex.core.impl.GlobalProcessIdentifier,List<jadex.ipc.impl.security.Security.ExpiringCryptoSuite>> expiringcryptosuites
      CryptoSuites that are expiring with expiration time.
    • roles

      protected Map<String,Set<String>> roles
      Map of entities and associated roles.
    • cryptoreset

      protected jadex.future.IFuture<Void> cryptoreset
      Crypto-Suite reset in progress.
    • lastcleanup

      protected volatile long lastcleanup
      Last time cleanup duties were performed.
    • groupnames

      protected Set<String> groupnames
      The list of group names (used by all service identifiers).
  • Constructor Details

    • Security

      public Security()
  • Method Details

    • get

      public static final Security get()
      Get the security instance.
    • start

      public void start()
    • encryptAndSign

      public byte[] encryptAndSign(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] message)
      Encrypts and signs the message for a receiver.
      Parameters:
      receiver - The receiver.
      message - The content.
      Returns:
      Encrypted/signed message.
    • decryptAndAuth

      public ISecurity.DecodedMessage decryptAndAuth(jadex.core.impl.GlobalProcessIdentifier sender, byte[] message)
      Decrypt and authenticates the message from a sender.
      Specified by:
      decryptAndAuth in interface ISecurity
      Parameters:
      sender - The sender.
      message - The content.
      Returns:
      Decrypted/authenticated message or null on invalid message.
    • setGroup

      public void setGroup(String groupname, String secret)
      Sets a new group.
      Parameters:
      groupname - The group name.
      secret - The secret.
    • getGroups

      Get access to the stored virtual network configurations.
      Returns:
      The stored virtual network configurations.
    • removeGroup

      public void removeGroup(String groupname, String secret)
      Remove a group or group secret.
      Parameters:
      groupname - The network name.
      secret - The secret, null to remove the group completely.
    • addNameAuthority

      public void addNameAuthority(String pemcertificate)
      Adds an authority for authenticating platform names.
      Parameters:
      pemcertificate - The PEM-encoded certificate.
    • removeNameAuthority

      public void removeNameAuthority(String pemcertificate)
      Removes an authority for authenticating platform names.
      Parameters:
      pemcertificate - The PEM-encoded certificate, only X.509 allowed.
    • getNameAuthorities

      public Set<String> getNameAuthorities()
      Gets the authorities for authenticating platform names.
      Returns:
      The name authorities.
    • getCustomNameAuthorities

      public Set<String> getCustomNameAuthorities()
      Gets all authorities not defined in the Java trust store for authenticating platform names.
      Returns:
      List of name authorities.
    • getGroupNames

      public Set<String> getGroupNames()
      Gets the current group names.
      Returns:
      The current group names.
    • addTrustedHost

      public void addTrustedHost(String host)
      Adds a name of an authenticated host to allow access.
      Parameters:
      host - The host name; it must be authenticated with a certificate.
    • removeTrustedHost

      public void removeTrustedHost(String host)
      Removes the name of an authenticated host to deny access.
      Parameters:
      host - The host name to remove.
    • getTrustedHosts

      public Set<String> getTrustedHosts()
      Gets the trusted platforms that are specified by names.
      Returns:
      The names of the trusted platforms.
    • addRole

      public void addRole(String entity, String role)
      Adds a role for an entity (platform or network name).
      Parameters:
      entity - The entity name.
      role - The role name.
    • removeRole

      public void removeRole(String entity, String role)
      Removes a role of an entity (platform or network name).
      Parameters:
      entity - The entity name.
      role - The role name.
    • getRoleMap

      public Map<String,Set<String>> getRoleMap()
      Gets a copy of the current role map.
      Returns:
      Copy of the role map.
    • getInternalNameAuthorities

      public Set<org.bouncycastle.cert.X509CertificateHolder> getInternalNameAuthorities()
      Gets the name authorities.
    • getInternalTrustedHosts

      public Set<String> getInternalTrustedHosts()
      Gets the trusted platform names.
    • getInternalPlatformNameCertificate

      public AbstractX509PemSecret getInternalPlatformNameCertificate()
      Get the platform name certificate.
    • getInternalRefuseUntrusted

      public boolean getInternalRefuseUntrusted()
      Checks whether to refuse untrusted connections.
      Returns:
      True, if used.
    • getInternalAllowNoAuthName

      public boolean getInternalAllowNoAuthName()
      Checks whether to allow connections without name authentication.
      Returns:
      True, if used.
    • getInternalAllowNoNetwork

      public boolean getInternalAllowNoNetwork()
      Checks whether to allow connections without network authentication.
      Returns:
      True, if used.
    • getInternalDefaultAuthorization

      public boolean getInternalDefaultAuthorization()
      Checks whether to allow the default authorization.
      Returns:
      True, if used.
    • setSecInfoMappedRoles

      public void setSecInfoMappedRoles(SecurityInfo secinf)
      Sets the roles of a security info object.
      Parameters:
      secinf - Security info.
    • checkReceiverAndEncrypt

      protected byte[] checkReceiverAndEncrypt(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] content, ICryptoSuite cs)
      Checks receiver authorization and, if authorized, encrypts the message. Otherwise, an exception is thrown.
      Parameters:
      receiver - Receiver ID.
      content - Message content.
      cs - The cryptosuite negotiated with receiver.
      Returns:
      The encrypted message.
    • checkCleanup

      protected void checkCleanup()
    • doCleanup

      protected void doCleanup()
      Cleans expired objects.
    • resetCryptoSuites

      protected void resetCryptoSuites()
      Resets the crypto suite in case of security state change (network secret changes etc.).
    • createCryptoSuite

      protected ICryptoSuite createCryptoSuite(String name, String convid, boolean initializer)
      Creates a crypto suite of a particular name.
      Parameters:
      name - Name of the suite.
      convid - Conversation ID of handshake.
      initializer - True, if suite should represent the initializer.
      Returns:
      The suite, null if not found.
    • expireCryptosuite

      protected void expireCryptosuite(jadex.core.impl.GlobalProcessIdentifier gpid)
      Expires a cryptosuite.
      Parameters:
      gpid - Global process identifier of communication partner.
    • refreshCryptosuiteRoles

      protected void refreshCryptosuiteRoles()
      Refreshes crypto suite roles.
    • sendSecurityHandshakeMessage

      public void sendSecurityHandshakeMessage(jadex.core.impl.GlobalProcessIdentifier receiver, BasicSecurityMessage message)
      Sends a security handshake message.
      Parameters:
      receiver - Receiver of the message.
      message - The message.
    • initializeHandshake

      protected void initializeHandshake(jadex.core.impl.GlobalProcessIdentifier gpid)
      Initializes the handshake with another platform.
      Parameters:
      gpid - The global process id.
    • sendSecurityMessage

      protected void sendSecurityMessage(jadex.core.impl.GlobalProcessIdentifier receiver, Object message)
      Sends a security message.
      Parameters:
      receiver - Receiver of the message.
      message - The message.
    • handleMessage

      public void handleMessage(byte[] message)
      Handle security handshake message.
      Parameters:
      message - The message.
    • flattenRoleMap

      public static final List<jadex.common.Tuple2<String,String>> flattenRoleMap(Map<String,Set<String>> rolemap)
      Helper for flattening the role map.
    • invokeMethod

      public jadex.future.IFuture<Object> invokeMethod(String methodname, jadex.common.ClassInfo[] argtypes, Object[] args, jadex.common.ClassInfo rettype)
      Invoke a method reflectively.
      Parameters:
      methodname - The method name.
      argtypes - The argument types (can be null if method exists only once).
      args - The arguments.
      Returns:
      The result.
    • checkPlatformPassword

      public jadex.future.IFuture<Boolean> checkPlatformPassword(String secret)
      Check the platform password.
      Parameters:
      secret - The platform secret.
      Returns:
      True, if platform password is correct.
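
An added example, not part of the Jadex documentation or code base: a read-only audit that uses only the public getters listed on this page to flag permissive settings of the Security singleton. It assumes each getInternal* getter returns the like-named field and that the Jadex classes are on the classpath; the class name SecurityConfigAudit is hypothetical.

```java
import jadex.ipc.impl.security.Security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example (not Jadex code): reports permissive settings of a Security instance. */
public class SecurityConfigAudit
{
    /** Returns one finding per setting that weakens authentication or authorization. */
    public static List<String> audit(Security sec)
    {
        List<String> findings = new ArrayList<>();

        // Assumption: each getInternal* getter returns the like-named field documented above.
        if(!sec.getInternalRefuseUntrusted())
            findings.add("refuseuntrusted=false: unauthenticated connections are not refused");
        if(sec.getInternalAllowNoAuthName())
            findings.add("allownoauthname=true: platforms without an authenticated name may connect");
        if(sec.getInternalAllowNoNetwork())
            findings.add("allownonetwork=true: platforms without an authenticated network may connect");
        if(sec.getInternalDefaultAuthorization())
            findings.add("defaultauthorization=true: authenticated hosts/groups get basic service calls");

        // Name authorities outside the Java trust store deserve individual review.
        Set<String> custom = sec.getCustomNameAuthorities();
        if(!custom.isEmpty())
            findings.add(custom.size() + " custom name authorities configured, review each certificate");

        // Flag role holders that are neither a trusted host nor a configured group (informational).
        Set<String> hosts = sec.getTrustedHosts();
        Set<String> groups = sec.getGroupNames();
        for(Map.Entry<String, Set<String>> e : sec.getRoleMap().entrySet())
        {
            if(!hosts.contains(e.getKey()) && !groups.contains(e.getKey()))
                findings.add("roles " + e.getValue() + " held by '" + e.getKey()
                    + "', which is not a trusted host or group name");
        }
        return findings;
    }

    public static void main(String[] args)
    {
        // Security.get() is the singleton accessor documented above.
        audit(Security.get()).forEach(System.out::println);
    }
}
```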