OF-892: Adding Admin panel support for mutual authentication.

d94b2521 · Guus der Kinderen · 0d75703d · d94b2521 · d94b2521 · d94b2521
Commit d94b2521 authored May 29, 2015 by Guus der Kinderen
16 changed files
--- a/src/i18n/openfire_i18n_cs_CZ.properties
+++ b/src/i18n/openfire_i18n_cs_CZ.properties
@@ -1550,6 +1550,8 @@ ssl.settings.client.label_custom=Vlastn\u00ed
 ssl.settings.client.label_custom_info=Pokro\u010dil\u00e1 nastaven\u00ed
 ssl.settings.client.customSSL=P\u016fvodn\u00ed SSL metoda:
 ssl.settings.client.customTLS=TLS metoda:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Dostupn\u00e9
 ssl.settings.notavailable=Nedostupn\u00e9
 ssl.settings.required=Vy\u017eadov\u00e1no

--- a/src/i18n/openfire_i18n_de.properties
+++ b/src/i18n/openfire_i18n_de.properties
@@ -1488,6 +1488,8 @@ ssl.settings.client.label_custom=Custom
 ssl.settings.client.label_custom_info=Advanced configuration
 ssl.settings.client.customSSL=Old SSL method:
 ssl.settings.client.customTLS=TLS method:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Available
 ssl.settings.notavailable=Not Available
 ssl.settings.required=Required

--- a/src/i18n/openfire_i18n_en.properties
+++ b/src/i18n/openfire_i18n_en.properties
@@ -2270,6 +2270,8 @@ ssl.settings.client.label_custom_info=Advanced configuration
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 ssl.settings.client.customSSL=Old SSL method:
 ssl.settings.client.customTLS=TLS method:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Available
 ssl.settings.notavailable=Not Available
 ssl.settings.required=Required

--- a/src/i18n/openfire_i18n_es.properties
+++ b/src/i18n/openfire_i18n_es.properties
@@ -1541,6 +1541,8 @@ ssl.settings.client.label_custom=A medida
 ssl.settings.client.label_custom_info=Configuraci\u00f3n avanzada
 ssl.settings.client.customSSL=Antiguo m\u00e9todo SSL:
 ssl.settings.client.customTLS=M\u00e9todo TLS:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Disponible
 ssl.settings.notavailable=No Disponible
 ssl.settings.required=Requerido

--- a/src/i18n/openfire_i18n_fr.properties
+++ b/src/i18n/openfire_i18n_fr.properties
@@ -1242,6 +1242,8 @@ ssl.settings.client.label_custom = Personnalis\u00E9
 ssl.settings.client.label_custom_info = Configuration avanc\u00E9e
 ssl.settings.client.customSSL = Ancienne m\u00E9thode SSL \:
 ssl.settings.client.customTLS = m\u00E9thode TLS \:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available = Disponible
 ssl.settings.notavailable = Non Disponible
 ssl.settings.required = Requis

--- a/src/i18n/openfire_i18n_ja_JP.properties
+++ b/src/i18n/openfire_i18n_ja_JP.properties
@@ -1564,6 +1564,8 @@ ssl.settings.client.label_custom=\u30ab\u30b9\u30bf\u30e0
 ssl.settings.client.label_custom_info=\u9ad8\u5ea6\u306a\u8a2d\u5b9a
 ssl.settings.client.customSSL=\u65e7\u5f0fSSL\u63a5\u7d9a\u65b9\u6cd5:
 ssl.settings.client.customTLS=TLS\u65b9\u6cd5:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=\u6709\u52b9
 ssl.settings.notavailable=\u7121\u52b9
 ssl.settings.required=\u5fc5\u9808

--- a/src/i18n/openfire_i18n_nl.properties
+++ b/src/i18n/openfire_i18n_nl.properties
@@ -1484,6 +1484,8 @@ ssl.settings.client.label_custom=Custom
 ssl.settings.client.label_custom_info=Advanced configuration
 ssl.settings.client.customSSL=Old SSL method:
 ssl.settings.client.customTLS=TLS method:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Available
 ssl.settings.notavailable=Not Available
 ssl.settings.required=Required

--- a/src/i18n/openfire_i18n_pl_PL.properties
+++ b/src/i18n/openfire_i18n_pl_PL.properties
@@ -1471,6 +1471,8 @@ ssl.settings.client.label_custom=Dostosuj
 ssl.settings.client.label_custom_info=Ustawienia zaawansowane
 ssl.settings.client.customSSL=Stara metoda SSL:
 ssl.settings.client.customTLS=Metoda TLS:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Dostepny
 ssl.settings.notavailable=Nie dost\u0119pny
 ssl.settings.required=Wymagane

--- a/src/i18n/openfire_i18n_pt_BR.properties
+++ b/src/i18n/openfire_i18n_pt_BR.properties
@@ -1548,6 +1548,8 @@ ssl.settings.client.label_custom=Customizar
 ssl.settings.client.label_custom_info=Configura\u00e7\u00f5es Avan\u00e7adas
 ssl.settings.client.customSSL=Antigo m\u00e9todo SSL:
 ssl.settings.client.customTLS=M\u00e9todo TLS:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Dispon\u00edvel
 ssl.settings.notavailable=Indispon\u00edvel
 ssl.settings.required=Requerido

--- a/src/i18n/openfire_i18n_pt_PT.properties
+++ b/src/i18n/openfire_i18n_pt_PT.properties
@@ -2206,6 +2206,8 @@ ssl.settings.client.label_custom_info=Configura\u00e7\u00f5es Avan\u00e7adas
 ssl.settings.client.label_self-signed=Aceitar certificados auto-assinados. Dialback do servidor sobre TLS j\u00e1 est\u00e1 dispon\u00edvel.
 ssl.settings.client.customSSL=Antigo m\u00e9todo SSL:
 ssl.settings.client.customTLS=M\u00e9todo TLS:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Dispon\u00edvel
 ssl.settings.notavailable=Indispon\u00edvel
 ssl.settings.required=Requerido

--- a/src/i18n/openfire_i18n_ru_RU.properties
+++ b/src/i18n/openfire_i18n_ru_RU.properties
@@ -1651,6 +1651,8 @@ ssl.certificate.details.intro=Below are the details of the certificate with the
 ssl.settings.available=\u0414\u043E\u0441\u0442\u0443\u043F\u043D\u044B\u0439
 ssl.settings.client.customSSL=\u0421\u0442\u0430\u0440\u044B\u0439 \u043C\u0435\u0442\u043E\u0434 SSL\:
 ssl.settings.client.customTLS=\u041C\u0415\u0422\u041E\u0414 TLS\:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.client.info=\u041A\u043B\u0438\u0435\u043D\u0442\u044B \u043C\u043E\u0433\u0443\u0442 \u043F\u043E\u0434\u043A\u043B\u044E\u0447\u0438\u0442\u044C \u043A \u0441\u0435\u0440\u0432\u0435\u0440\u0443, \u0438\u0441\u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0432\u0448\u0435\u043C\u0443 \u0437\u0430\u0449\u0438\u0449\u0435\u043D\u043D\u044B\u0435 \u0438\u043B\u0438 \u043D\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043D\u043D\u044B\u0435 \u0441\u0432\u044F\u0437\u0438. \u0418\u0441\u043F\u043E\u043B\u044C\u0437\u0443\u0439\u0442\u0435 \u0441\u043B\u0435\u0434\u0443\u044E\u0449\u0435\u0435 \u0444\u043E\u0440\u043C\u044B, \u0447\u0442\u043E\u0431\u044B \u043E\u043F\u0440\u0435\u0434\u0435\u043B\u044F\u0442\u044C\u0441\u044F \u043A\u0430\u043A \u043A\u043B\u0438\u0435\u043D\u0442\u044B \u043C\u043E\u0433\u0443\u0442  \u043F\u043E\u0434\u043A\u043B\u044E\u0447\u0438\u0442\u044C\u0441\u044F  \u043A \u0441\u0435\u0440\u0432\u0435\u0440\u0443, \u0438\u0441\u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0432\u0448\u0435\u043C\u0443 \u0437\u0430\u0449\u0438\u0449\u0435\u043D\u043D\u044B\u0435 \u0441\u0432\u044F\u0437\u0438.
 ssl.settings.client.label_custom=\u041E\u0431\u044B\u0447\u043D\u043E
 ssl.settings.client.label_custom_info=\u0420\u0430\u0441\u0448\u0438\u0440\u0435\u043D\u043D\u044B\u0435 \u043D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0438

--- a/src/i18n/openfire_i18n_sk.properties
+++ b/src/i18n/openfire_i18n_sk.properties
@@ -1490,6 +1490,8 @@ ssl.settings.client.label_custom=Vlastn\u00e9
 ssl.settings.client.label_custom_info=Pokro\u010dil\u00e9 nastavenie
 ssl.settings.client.customSSL=Star\u00fd sp\u00f4sob SSL:
 ssl.settings.client.customTLS=Sp\u00f4sob TLS:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=Dostupn\u00e9
 ssl.settings.notavailable=Nedostupn\u00e9
 ssl.settings.required=Vy\u017eaduje sa

--- a/src/i18n/openfire_i18n_zh_CN.properties
+++ b/src/i18n/openfire_i18n_zh_CN.properties
@@ -1437,6 +1437,8 @@ ssl.settings.client.label_custom=\u81ea\u5b9a\u4e49
 ssl.settings.client.label_custom_info=\u9ad8\u7ea7\u914d\u7f6e
 ssl.settings.client.customSSL=\u65e7\u7684SSL\u65b9\u5f0f:
 ssl.settings.client.customTLS=TLS\u65b9\u5f0f:
+ssl.settings.client.custom.mutualauth.socket=Mutual authentication (socket connections)
+ssl.settings.client.custom.mutualauth.bosh=Mutual authentication (BOSH connections)
 ssl.settings.available=\u6709\u6548
 ssl.settings.notavailable=\u65e0\u6548
 ssl.settings.required=\u5fc5\u9700

--- a/src/java/org/jivesoftware/openfire/http/HttpBindManager.java
+++ b/src/java/org/jivesoftware/openfire/http/HttpBindManager.java
@@ -712,6 +712,9 @@ public final class HttpBindManager {
                }
                setSecureHttpBindPort(value);
            }
+            else if (HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY.equalsIgnoreCase( property )) {
+                restartServer();
+            }
        }

        public void propertyDeleted(String property, Map<String, Object> params) {
@@ -724,6 +727,9 @@ public final class HttpBindManager {
            else if (property.equalsIgnoreCase(HTTP_BIND_SECURE_PORT)) {
                setSecureHttpBindPort(HTTP_BIND_SECURE_PORT_DEFAULT);
            }
+            else if (HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY.equalsIgnoreCase( property )) {
+                restartServer();
+            }
        }

        public void xmlPropertySet(String property, Map<String, Object> params) {

--- a/src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java
+++ b/src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
@@ -81,14 +82,11 @@ import org.jivesoftware.openfire.nio.ComponentConnectionHandler;
 import org.jivesoftware.openfire.nio.MultiplexerConnectionHandler;
 import org.jivesoftware.openfire.nio.XMPPCodecFactory;
 import org.jivesoftware.openfire.session.ConnectionSettings;
-import org.jivesoftware.util.CertificateEventListener;
-import org.jivesoftware.util.CertificateManager;
-import org.jivesoftware.util.JiveGlobals;
-import org.jivesoftware.util.LocaleUtils;
+import org.jivesoftware.util.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

-public class ConnectionManagerImpl extends BasicModule implements ConnectionManager, CertificateEventListener {
+public class ConnectionManagerImpl extends BasicModule implements ConnectionManager, CertificateEventListener, PropertyEventListener {

 	private static final int MB = 1024 * 1024;

@@ -825,7 +823,38 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
    public void certificateSigned(KeyStore keyStore, String alias, List<X509Certificate> certificates) {
        restartClientSSLListeners();
    }
-    
+
+    // #####################################################################
+    // Property events
+    // #####################################################################
+    @Override
+    public void propertySet( String property, Map<String, Object> params ) {
+        processPropertyValueChange( property, params );
+    }
+
+    @Override
+    public void propertyDeleted( String property, Map<String, Object> params ) {
+        processPropertyValueChange( property, params );
+    }
+
+    @Override
+    public void xmlPropertySet( String property, Map<String, Object> params ) {
+        processPropertyValueChange( property, params );
+    }
+
+    @Override
+    public void xmlPropertyDeleted( String property, Map<String, Object> params ) {
+        processPropertyValueChange( property, params );
+    }
+
+    private void processPropertyValueChange( String property, Map<String, Object> params ) {
+        Log.debug( "Processing property value change for '"+property +"'." );
+
+        if ("xmpp.client.cert.policy".equalsIgnoreCase( property )) {
+            restartClientSSLListeners();
+        }
+    }
+
    private NioSocketAcceptor buildSocketAcceptor(String name) {
        NioSocketAcceptor socketAcceptor;
        // Create SocketAcceptor with correct number of processors

--- a/src/web/ssl-settings.jsp
+++ b/src/web/ssl-settings.jsp
@@ -42,6 +42,8 @@
    String clientSecurityRequired = ParamUtils.getParameter(request, "clientSecurityRequired");
    String ssl = ParamUtils.getParameter(request, "ssl");
    String tls = ParamUtils.getParameter(request, "tls");
+	String clientMutualAuthenticationSocket = ParamUtils.getParameter(request, "clientMutualAuthenticationSocket");
+	String clientMutualAuthenticationBOSH   = ParamUtils.getParameter(request, "clientMutualAuthenticationBOSH");
    // Server configuration parameters
    String serverSecurityRequired = ParamUtils.getParameter(request, "serverSecurityRequired");
    String dialback = ParamUtils.getParameter(request, "dialback");
@@ -120,10 +122,18 @@
            }
        }
        ServerDialback.setEnabledForSelfSigned(selfSigned);
-        success = true;
+
+		JiveGlobals.setProperty("xmpp.client.cert.policy", clientMutualAuthenticationSocket);
+		JiveGlobals.setProperty("httpbind.client.cert.policy", clientMutualAuthenticationBOSH);
+
+		success = true;
        // Log the event
-        webManager.logEvent("updated SSL configuration", ConnectionSettings.Server.DIALBACK_ENABLED + " = "+JiveGlobals.getProperty(ConnectionSettings.Server.DIALBACK_ENABLED)+
-                "\n"+ ConnectionSettings.Server.TLS_ENABLED+" = "+JiveGlobals.getProperty(ConnectionSettings.Server.TLS_ENABLED));
+        webManager.logEvent("updated SSL configuration",
+                ConnectionSettings.Server.DIALBACK_ENABLED + " = " + JiveGlobals.getProperty(ConnectionSettings.Server.DIALBACK_ENABLED) + "\n" +
+                ConnectionSettings.Server.TLS_ENABLED      + " = " + JiveGlobals.getProperty(ConnectionSettings.Server.TLS_ENABLED) + "\n" +
+                "xmpp.client.cert.policy = "                       + JiveGlobals.getProperty("xmpp.client.cert.policy") + "\n" +
+                "httpbind.client.cert.policy = "                   + JiveGlobals.getProperty("httpbind.client.cert.policy")
+		);
    }

    // Set page vars
@@ -167,6 +177,13 @@
        server_tls = "notavailable";
    }
    selfSigned = ServerDialback.isEnabledForSelfSigned();
+
+    clientMutualAuthenticationSocket = JiveGlobals.getProperty( "xmpp.client.cert.policy",     "disabled" );
+    clientMutualAuthenticationBOSH   = JiveGlobals.getProperty( "httpbind.client.cert.policy", "disabled" );
+
+    if ( !"disabled".equals( clientMutualAuthenticationSocket ) || !"disabled".equals( clientMutualAuthenticationBOSH ) ) {
+        clientSecurityRequired = "custom";
+    }
 %>

 <html>
@@ -293,6 +310,32 @@
 									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb08"><fmt:message key="ssl.settings.required" /></label>
 							</td>
 						</tr>
+						<tr valign="top">
+							<td width="1%" nowrap>
+								<fmt:message key="ssl.settings.client.custom.mutualauth.socket" />
+							</td>
+							<td width="99%">
+								<input type="radio" name="clientMutualAuthenticationSocket" value="disabled" id="rb16" <%= ("disabled".equals(clientMutualAuthenticationSocket) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb16"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
+								<input type="radio" name="clientMutualAuthenticationSocket" value="wanted" id="rb17" <%= ("wanted".equals(clientMutualAuthenticationSocket) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb17"><fmt:message key="ssl.settings.optional" /></label>&nbsp;&nbsp;
+								<input type="radio" name="clientMutualAuthenticationSocket" value="needed" id="rb18" <%= ("needed".equals(clientMutualAuthenticationSocket) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb18"><fmt:message key="ssl.settings.required" /></label>
+							</td>
+						</tr>
+						<tr valign="top">
+							<td width="1%" nowrap>
+								<fmt:message key="ssl.settings.client.custom.mutualauth.bosh" />
+							</td>
+							<td width="99%">
+								<input type="radio" name="clientMutualAuthenticationBOSH" value="disabled" id="rb19" <%= ("disabled".equals(clientMutualAuthenticationBOSH) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb19"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
+								<input type="radio" name="clientMutualAuthenticationBOSH" value="wanted" id="rb20" <%= ("wanted".equals(clientMutualAuthenticationBOSH) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb20"><fmt:message key="ssl.settings.optional" /></label>&nbsp;&nbsp;
+								<input type="radio" name="clientMutualAuthenticationBOSH" value="needed" id="rb21" <%= ("needed".equals(clientMutualAuthenticationBOSH) ? "checked" : "") %>
+									   onclick="this.form.clientSecurityRequired[2].checked=true;">&nbsp;<label for="rb21"><fmt:message key="ssl.settings.required" /></label>
+							</td>
+						</tr>
 						</table>
 					</td>
 				</tr>