Package jadex.ipc.impl.security
Class Security
java.lang.Object
jadex.ipc.impl.security.Security
- All Implemented Interfaces:
ISecurity
Security functionality for active component communication.
Performs authentication and
-
Nested Class Summary
Nested classes/interfaces inherited from interface jadex.ipc.ISecurity
ISecurity.DecodedMessage -
Field Summary
FieldsModifier and TypeFieldDescriptionAvailable crypto suites.protected booleanFlag if connection with platforms without authenticated names are allowed.protected booleanFlag if connection with platforms without authenticated networks are allowed.protected booleanFlag if the security should create a random default network if no network is set.protected jadex.future.IFuture<Void>Crypto-Suite reset in progress.protected jadex.collection.RwMapWrapper<jadex.core.impl.GlobalProcessIdentifier,ICryptoSuite> CryptoSuites currently in use.protected Set<org.bouncycastle.cert.X509CertificateHolder>Custom (non-Java default) trusted authorities for certifying platform names.protected booleanFlag whether to grant default authorization (allow basic service calls if host name or group is authenticated).protected Map<jadex.core.impl.GlobalProcessIdentifier,List<jadex.ipc.impl.security.Security.ExpiringCryptoSuite>> CryptoSuites that are expiring with expiration time.The list of group names (used by all service identifiers).protected Map<String,List<AbstractAuthenticationSecret>> Available groups.protected longHandshake timeout.protected Map<jadex.core.impl.GlobalProcessIdentifier,HandshakeState> CryptoSuites currently initializing, value=Handshake state.protected longLast time cleanup duties were performed.protected booleanFlag whether to use the default Java trust store.protected Set<org.bouncycastle.cert.X509CertificateHolder>Trusted authorities for certifying platform names.protected AbstractX509PemSecretThe platform name certificate if available.protected booleanFlag whether to refuse unauthenticated connections.Map of entities and associated roles.static SecurityThe singleton instance.protected longLifetime of session keys, after which the handshake is repeated and a new session key is generated.The host names that are trusted and identified by name. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoidaddNameAuthority(String pemcertificate) Adds an authority for authenticating platform names.voidAdds a role for an entity (platform or network name).voidaddTrustedHost(String host) Adds a name of an authenticated host to allow access.protected voidjadex.future.IFuture<Boolean>checkPlatformPassword(String secret) Check the platform password.protected byte[]checkReceiverAndEncrypt(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] content, ICryptoSuite cs) Checks receiver authorization and, if so, encrypts the message.protected ICryptoSuitecreateCryptoSuite(String name, String convid, boolean initializer) Creates a crypto suite of a particular name.decryptAndAuth(jadex.core.impl.GlobalProcessIdentifier sender, byte[] message) Decrypt and authenticates the message from a sender.protected voidCleans expired objects.byte[]encryptAndSign(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] message) Encrypts and signs the message for a receiver.protected voidexpireCryptosuite(jadex.core.impl.GlobalProcessIdentifier gpid) Expires a cryptosuite.flattenRoleMap(Map<String, Set<String>> rolemap) Helper for flattening the role map.static final Securityget()Get the security instance.Gets all authorities not defined in the Java trust store for authenticating platform names.Gets the current group names.Get access to the stored virtual network configurations.booleanChecks whether to allow connections without name authentication.booleanChecks whether to allow connections without network authentication.booleanChecks whether to allow the default authorization.Set<org.bouncycastle.cert.X509CertificateHolder>Gets the name authorities.Get the platform name certificate.booleanChecks whether to allow untrusted connections.Gets the trusted platform names.Adds an authority for authenticating platform names.Gets a copy of the current role map.Gets the trusted platforms that are specified by names.voidhandleMessage(byte[] message) Handle security handshake message.protected voidinitializeHandshake(jadex.core.impl.GlobalProcessIdentifier gpid) Init handshake with other platform.jadex.future.IFuture<Object>invokeMethod(String methodname, jadex.common.ClassInfo[] argtypes, Object[] args, jadex.common.ClassInfo rettype) Invoke a method reflectively.protected voidRefreshed crypto suite roles.voidremoveGroup(String groupname, String secret) Remove a group or group secret.voidremoveNameAuthority(String pemcertificate) Remvoes an authority for authenticating platform names.voidremoveRole(String entity, String role) Adds a role of an entity (platform or network name).voidremoveTrustedHost(String host) Removes the name of an authenticated host to deny access.protected voidResets the crypto suite in case of security state change (network secret changes etc.).voidsendSecurityHandshakeMessage(jadex.core.impl.GlobalProcessIdentifier receiver, BasicSecurityMessage message) Sends a security handshake message.protected voidsendSecurityMessage(jadex.core.impl.GlobalProcessIdentifier receiver, Object message) Sends a security message.voidSets a new group.voidsetSecInfoMappedRoles(SecurityInfo secinf) Sets the roles of a security info object.voidstart()
-
Field Details
-
security
The singleton instance. -
defaultauthorization
protected boolean defaultauthorizationFlag whether to grant default authorization (allow basic service calls if host name or group is authenticated). -
refuseuntrusted
protected boolean refuseuntrustedFlag whether to refuse unauthenticated connections. -
allownoauthname
protected boolean allownoauthnameFlag if connection with platforms without authenticated names are allowed. -
allownonetwork
protected boolean allownonetworkFlag if connection with platforms without authenticated networks are allowed. -
loadjavatruststore
protected boolean loadjavatruststoreFlag whether to use the default Java trust store. -
createdefaultnetwork
protected boolean createdefaultnetworkFlag if the security should create a random default network if no network is set. -
handshaketimeout
protected long handshaketimeoutHandshake timeout. -
sessionkeylifetime
protected long sessionkeylifetimeLifetime of session keys, after which the handshake is repeated and a new session key is generated. -
groups
Available groups. -
platformnamecertificate
The platform name certificate if available. -
trustedhosts
The host names that are trusted and identified by name. -
nameauthorities
Trusted authorities for certifying platform names. -
customnameauthorities
Custom (non-Java default) trusted authorities for certifying platform names. -
allowedcryptosuites
Available crypto suites. -
initializingcryptosuites
CryptoSuites currently initializing, value=Handshake state. -
currentcryptosuites
protected jadex.collection.RwMapWrapper<jadex.core.impl.GlobalProcessIdentifier,ICryptoSuite> currentcryptosuitesCryptoSuites currently in use. -
expiringcryptosuites
protected Map<jadex.core.impl.GlobalProcessIdentifier,List<jadex.ipc.impl.security.Security.ExpiringCryptoSuite>> expiringcryptosuitesCryptoSuites that are expiring with expiration time. -
roles
Map of entities and associated roles. -
cryptoreset
Crypto-Suite reset in progress. -
lastcleanup
protected volatile long lastcleanupLast time cleanup duties were performed. -
groupnames
The list of group names (used by all service identifiers).
-
-
Constructor Details
-
Security
public Security()
-
-
Method Details
-
get
Get the security instance. -
start
public void start() -
encryptAndSign
public byte[] encryptAndSign(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] message) Encrypts and signs the message for a receiver.- Parameters:
receiver- The receiver.content- The content- Returns:
- Encrypted/signed message.
-
decryptAndAuth
public ISecurity.DecodedMessage decryptAndAuth(jadex.core.impl.GlobalProcessIdentifier sender, byte[] message) Decrypt and authenticates the message from a sender.- Specified by:
decryptAndAuthin interfaceISecurity- Parameters:
sender- The sender.content- The content.- Returns:
- Decrypted/authenticated message or null on invalid message.
-
setGroup
Sets a new group.- Parameters:
groupname- The group name.secret- The secret.
-
getGroups
Get access to the stored virtual network configurations.- Returns:
- The stored virtual network configurations.
-
removeGroup
Remove a group or group secret.- Parameters:
groupname- The network name.secret- The secret, null to remove the group completely.
-
addNameAuthority
Adds an authority for authenticating platform names.- Parameters:
pemcertificate- The pem-encoded certificate.
-
removeNameAuthority
Remvoes an authority for authenticating platform names.- Parameters:
secret- The secret, only X.509 secrets allowed.
-
getNameAuthorities
Adds an authority for authenticating platform names.- Parameters:
secret- The secret, only X.509 secrets allowed.- Returns:
- Null, when done.
-
getCustomNameAuthorities
Gets all authorities not defined in the Java trust store for authenticating platform names.- Returns:
- List of name authorities.
-
getGroupNames
Gets the current group names.- Returns:
- The current group names.
-
addTrustedHost
Adds a name of an authenticated host to allow access.- Parameters:
host- The host name, host name must be authenticated with certificate.
-
removeTrustedHost
Removes the name of an authenticated host to deny access.- Parameters:
host- The host name to remove.
-
getTrustedHosts
Gets the trusted platforms that are specified by names.- Returns:
- The trusted platforms and their roles.
-
addRole
Adds a role for an entity (platform or network name).- Parameters:
entity- The entity name.role- The role name.
-
removeRole
Adds a role of an entity (platform or network name).- Parameters:
entity- The entity name.role- The role name.
-
getRoleMap
Gets a copy of the current role map.- Returns:
- Copy of the role map.
-
getInternalNameAuthorities
Gets the name authorities. -
getInternalTrustedHosts
Gets the trusted platform names. -
getInternalPlatformNameCertificate
Get the platform name certificate. -
getInternalRefuseUntrusted
public boolean getInternalRefuseUntrusted()Checks whether to allow untrusted connections.- Returns:
- True, if used.
-
getInternalAllowNoAuthName
public boolean getInternalAllowNoAuthName()Checks whether to allow connections without name authentication.- Returns:
- True, if used.
-
getInternalAllowNoNetwork
public boolean getInternalAllowNoNetwork()Checks whether to allow connections without network authentication.- Returns:
- True, if used.
-
getInternalDefaultAuthorization
public boolean getInternalDefaultAuthorization()Checks whether to allow the default authorization.- Returns:
- True, if used.
-
setSecInfoMappedRoles
Sets the roles of a security info object.- Parameters:
secinf- Security info.defroles- Default roles that should be added.
-
checkReceiverAndEncrypt
protected byte[] checkReceiverAndEncrypt(jadex.core.impl.GlobalProcessIdentifier receiver, byte[] content, ICryptoSuite cs) Checks receiver authorization and, if so, encrypts the message. Otherwise, an exception is issued.- Parameters:
receiver- Receive ID.content- Message content.cs- The cryptosuite negotiated with receiver.resultfuture- Optional result future if it already exist, if null a future is created.- Returns:
- Result future containing encrypted message or exception.
-
checkCleanup
protected void checkCleanup() -
doCleanup
protected void doCleanup()Cleans expired objects. -
resetCryptoSuites
protected void resetCryptoSuites()Resets the crypto suite in case of security state change (network secret changes etc.). -
createCryptoSuite
Creates a crypto suite of a particular name.- Parameters:
name- Name of the suite.convid- Conversation ID of handshake.remoteversion- The remote Jadex version.initializer- True, if suite should represent the initializer.- Returns:
- The suite, null if not found.
-
expireCryptosuite
protected void expireCryptosuite(jadex.core.impl.GlobalProcessIdentifier gpid) Expires a cryptosuite.- Parameters:
gpid- Global process identifier of communication partner.
-
refreshCryptosuiteRoles
protected void refreshCryptosuiteRoles()Refreshed crypto suite roles. -
sendSecurityHandshakeMessage
public void sendSecurityHandshakeMessage(jadex.core.impl.GlobalProcessIdentifier receiver, BasicSecurityMessage message) Sends a security handshake message.- Parameters:
receiver- Receiver of the message.message- The message.
-
initializeHandshake
protected void initializeHandshake(jadex.core.impl.GlobalProcessIdentifier gpid) Init handshake with other platform.- Parameters:
gpid- The global process id.
-
sendSecurityMessage
protected void sendSecurityMessage(jadex.core.impl.GlobalProcessIdentifier receiver, Object message) Sends a security message.- Parameters:
receiver- Receiver of the message.message- The message.
-
handleMessage
public void handleMessage(byte[] message) Handle security handshake message.- Parameters:
sender- The sender.msg- The message.
-
flattenRoleMap
public static final List<jadex.common.Tuple2<String,String>> flattenRoleMap(Map<String, Set<String>> rolemap) Helper for flattening the role map. -
invokeMethod
public jadex.future.IFuture<Object> invokeMethod(String methodname, jadex.common.ClassInfo[] argtypes, Object[] args, jadex.common.ClassInfo rettype) Invoke a method reflectively.- Parameters:
methodname- The method name.argtypes- The argument types (can be null if method exists only once).args- The arguments.- Returns:
- The result.
-
checkPlatformPassword
Check the platform password.- Parameters:
secret- The platform secret.- Returns:
- True, if platform password is correct.
-