NationalSecurityAgency · lbschanno · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/commons/pom.xml b/commons/pom.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>gov.nsa.datawave</groupId>
+        <artifactId>datawave-parent</artifactId>
+        <version>7.40.0-SNAPSHOT</version>
+    </parent>
+
+    <groupId>gov.nsa.datawave.commons</groupId>
+    <artifactId>datawave-commons-parent</artifactId>
+    <packaging>pom</packaging>
+    <name>${project.artifactId}</name>
+
+    <modules>
+        <module>security</module>
+    </modules>
+</project>
diff --git a/commons/security/README.md b/commons/security/README.md
@@ -0,0 +1,6 @@
+# Overview
+
+This project contains security-related classes that are commonly used between the main Datawave project and the microservices. It is expected that this project will be configured and deployed as a JBOSS module via the [Wildfly assembly](../../web-services/deploy/application) project to make it available to the Datawave EAR deployment.
+
+## Note:
+Any compile dependencies here are expected to be imported into the Datawave webservices projects with scope `provided`, and provided via JBOSS modules. This is required to avoid classloader conflicts between the JBOSS modules and the Datawave EAR deployment. See the [Wildfly assembly README](../../web-services/deploy/application/README.md) for more details.
diff --git a/commons/security/pom.xml b/commons/security/pom.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>gov.nsa.datawave.commons</groupId>
+        <artifactId>datawave-commons-parent</artifactId>
+        <version>7.40.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>datawave-commons-security</artifactId>
+    <name>${project.artifactId}</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>${version.jackson}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${version.jackson}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>${version.jjwt}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>${version.jjwt}</version>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.xml.bind</groupId>
+            <artifactId>jakarta.xml.bind-api</artifactId>
+            <version>${version.jakarta}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.junit-pioneer</groupId>
+            <artifactId>junit-pioneer</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/...authorization/AuthorizationException.java → ...authorization/AuthorizationException.java b/...authorization/AuthorizationException.java → ...authorization/AuthorizationException.java
diff --git a/...horization/CachedDatawaveUserService.java → ...horization/CachedDatawaveUserService.java b/...horization/CachedDatawaveUserService.java → ...horization/CachedDatawaveUserService.java
diff --git a/...rity/authorization/DatawavePrincipal.java → ...rity/authorization/DatawavePrincipal.java b/...rity/authorization/DatawavePrincipal.java → ...rity/authorization/DatawavePrincipal.java
@@ -17,7 +17,7 @@
 import javax.xml.bind.annotation.XmlType;
 
 import datawave.security.authorization.DatawaveUser.UserType;
-import datawave.security.util.ProxiedEntityUtils;
+import datawave.security.util.DnUtils;
 
 /**
  * A {@link Principal} that represents a set of proxied {@link DatawaveUser}s. For example, this proxied user could represent a GUI server acting on behalf of a
@@ -103,8 +103,8 @@ static protected List<DatawaveUser> orderProxiedUsers(List<DatawaveUser> datawav
         if (position >= 0) {
             users.add(datawaveUsers.get(position));
             if (datawaveUsers.size() > 1) {
-                datawaveUsers.stream().limit(position).forEach(u -> users.add(u));
-                datawaveUsers.stream().skip(position + 1).forEach(u -> users.add(u));
+                datawaveUsers.stream().limit(position).forEach(users::add);
+                datawaveUsers.stream().skip(position + 1).forEach(users::add);
             }
         }
         return users;
@@ -152,7 +152,7 @@ public String getName() {
 
     @Override
     public String getShortName() {
-        return ProxiedEntityUtils.getShortName(getPrimaryUser().getName());
+        return DnUtils.getShortName(getPrimaryUser().getName());
     }
 
     public SubjectIssuerDNPair getUserDN() {

diff --git a/.../security/authorization/DatawaveUser.java → .../security/authorization/DatawaveUser.java b/.../security/authorization/DatawaveUser.java → .../security/authorization/DatawaveUser.java
@@ -12,20 +12,22 @@
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Multimaps;
 
-import datawave.security.util.ProxiedEntityUtils;
+import datawave.security.util.DnUtils;
 
 /**
  * A user of a DATAWAVE service. Typically, one or more of these users (a chain where a user called an intermediate service which in turn called us) is
  * represented with a DatawavePrincipal.
  */
 public class DatawaveUser implements Serializable {
+
     private static final long serialVersionUID = -6676807246749142999L;
 
     public enum UserType {
         USER, SERVER
     }
 
     public static final DatawaveUser ANONYMOUS_USER = new DatawaveUser(SubjectIssuerDNPair.of("ANONYMOUS"), UserType.USER, null, null, null, null, -1L);
+
     private final String name;
     private final String commonName;
     private final String email;
@@ -58,8 +60,8 @@ public DatawaveUser(@JsonProperty(value = "dn", required = true) SubjectIssuerDN
                     @JsonProperty(value = "creationTime", defaultValue = "-1L") long creationTime,
                     @JsonProperty(value = "expirationTime", defaultValue = "-1L") long expirationTime) {
         this.name = dn.toString();
-        this.commonName = ProxiedEntityUtils.getCommonName(dn.subjectDN());
-        this.login = ProxiedEntityUtils.getShortName(dn.subjectDN());
+        this.commonName = DnUtils.getCommonName(dn.subjectDN());
+        this.login = DnUtils.getShortName(dn.subjectDN());
         this.email = email;
         this.dn = dn;
         this.userType = userType;

diff --git a/...urity/authorization/DatawaveUserInfo.java → ...urity/authorization/DatawaveUserInfo.java b/...urity/authorization/DatawaveUserInfo.java → ...urity/authorization/DatawaveUserInfo.java
diff --git a/...ty/authorization/DatawaveUserService.java → ...ty/authorization/DatawaveUserService.java b/...ty/authorization/DatawaveUserService.java → ...ty/authorization/DatawaveUserService.java
diff --git a/...ecurity/authorization/DatawaveUserV1.java → ...ecurity/authorization/DatawaveUserV1.java b/...ecurity/authorization/DatawaveUserV1.java → ...ecurity/authorization/DatawaveUserV1.java
diff --git a/...curity/authorization/JWTTokenHandler.java → ...curity/authorization/JWTTokenHandler.java b/...curity/authorization/JWTTokenHandler.java → ...curity/authorization/JWTTokenHandler.java
@@ -137,7 +137,7 @@ public Collection<DatawaveUser> createUsersFromToken(String token, String claimN
         return principalsClaim.stream().map(obj -> objectMapper.convertValue(obj, DatawaveUser.class)).collect(Collectors.toList());
     }
 
-    private class CustomJWTBuilder extends DefaultJwtBuilder {
+    private static class CustomJWTBuilder extends DefaultJwtBuilder {
         private final ObjectMapper objectMapper;
 
         private CustomJWTBuilder(ObjectMapper objectMapper) {

diff --git a/...ity/authorization/ProxiedUserDetails.java → ...ity/authorization/ProxiedUserDetails.java b/...ity/authorization/ProxiedUserDetails.java → ...ity/authorization/ProxiedUserDetails.java
diff --git a/...ty/authorization/SubjectIssuerDNPair.java → ...ty/authorization/SubjectIssuerDNPair.java b/...ty/authorization/SubjectIssuerDNPair.java → ...ty/authorization/SubjectIssuerDNPair.java
@@ -8,12 +8,12 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.Preconditions;
 
-import datawave.security.util.ProxiedEntityUtils;
+import datawave.security.util.DnUtils;
 
 /**
  * A simple pair containing a subject and (optional) issuer DN. The supplied DN values are normalized into a lower-case form with the CN portion first.
  *
- * @see ProxiedEntityUtils#normalizeDN(String)
+ * @see DnUtils#normalizeDN(String)
  */
 public class SubjectIssuerDNPair implements Serializable {
 
@@ -61,7 +61,7 @@ public static SubjectIssuerDNPair of(@JsonProperty("subjectDN") String subjectDN
      *             if DNs cannot be parsed from the argument, or if exactly two DNs are not parsed
      */
     public static SubjectIssuerDNPair parse(String value) {
-        String[] dns = ProxiedEntityUtils.splitProxiedSubjectIssuerDNs(value);
+        String[] dns = DnUtils.splitProxiedSubjectIssuerDNs(value);
         if (dns.length != 2) {
             throw new IllegalArgumentException("'" + value + "' must contain a single subject and issuer DN");
         }
@@ -70,9 +70,9 @@ public static SubjectIssuerDNPair parse(String value) {
 
     protected SubjectIssuerDNPair(String subjectDN, String issuerDN) {
         Preconditions.checkNotNull(subjectDN, "Parameter subjectDN must not be null");
-        this.subjectDN = ProxiedEntityUtils.normalizeDN(subjectDN);
+        this.subjectDN = DnUtils.normalizeDN(subjectDN);
         if (issuerDN != null) {
-            this.issuerDN = ProxiedEntityUtils.normalizeDN(issuerDN);
+            this.issuerDN = DnUtils.normalizeDN(issuerDN);
         } else {
             this.issuerDN = null;
         }
@@ -90,7 +90,7 @@ public String issuerDN() {
 
     @Override
     public String toString() {
-        return issuerDN == null ? subjectDN + "<>" : ProxiedEntityUtils.buildProxiedDN(subjectDN, issuerDN);
+        return issuerDN == null ? subjectDN + "<>" : DnUtils.buildProxiedDN(subjectDN, issuerDN);
     }
 
     @Override

diff --git a/commons/security/src/main/java/datawave/security/cert/DatawaveCertVerifier.java b/commons/security/src/main/java/datawave/security/cert/DatawaveCertVerifier.java
@@ -0,0 +1,122 @@
+package datawave.security.cert;
+
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+
+import org.slf4j.Logger;
+
+/**
+ * A Datawave-specific {@link X509CertificateVerifier} implementation.
+ */
+public class DatawaveCertVerifier implements X509CertificateVerifier {
+
+    public enum OcspLevel {
+        OFF, OPTIONAL, REQUIRED
+    }
+
+    protected Logger log;
+    protected boolean trace;
+    protected OcspLevel ocspLevel = OcspLevel.OFF;
+
+    /**
+     * Verify the given certificate
+     *
+     * @param cert
+     *            the X509Certificate to verify
+     * @param alias
+     *            the certificate alias
+     * @param keystore
+     *            the keystore for the cert
+     * @param truststore
+     *            the truststore for the cert
+     * @return whether the certificate is considered valid
+     */
+    @Override
+    public boolean verify(X509Certificate cert, String alias, KeyStore keystore, KeyStore truststore) {
+        boolean validity = false;
+        try {
+            cert.checkValidity();
+            validity = checkOCSP(cert, alias, truststore);
+        } catch (Exception e) {
+            if (trace)
+                log.trace("Validity exception", e);
+        }
+        return validity;
+
+    }
+
+    /**
+     * Handle OSCP initialization.
+     */
+    protected void initOcsp() {}
+
+    /**
+     * Return the OSCP level set for this verifier is supported for the given certificate.
+     *
+     * @param cert
+     *            the certificate
+     * @param alias
+     *            the certificate alias
+     * @param truststore
+     *            the truststore
+     * @return true if the OSCP level is supported, or false otherwise
+     */
+    protected boolean checkOCSP(X509Certificate cert, String alias, KeyStore truststore) {
+        if (Objects.requireNonNull(ocspLevel) == OcspLevel.OFF) {
+            return true;
+        } else {
+            log.error("OCSP level {} is not supported!", ocspLevel);
+            throw new IllegalArgumentException("OCSP level " + ocspLevel + " is not supported!");
+        }
+    }
+
+    /**
+     * Return whether the given issuer is supported.
+     *
+     * @param issuerSubjectDn
+     *            the issuer DN
+     * @param trustStore
+     *            the truststore
+     * @return true if the issuer is supported, or false otherwise
+     */
+    public boolean isIssuerSupported(String issuerSubjectDn, KeyStore trustStore) {
+        return true;
+    }
+
+    /**
+     * Set the delegate logger for this {@link DatawaveCertVerifier}.
+     *
+     * @param log
+     *            the logger
+     */
+    public void setLogger(Logger log) {
+        this.log = log;
+        this.trace = log.isTraceEnabled();
+    }
+
+    /**
+     * Return the OSCP level.
+     *
+     * @return the OSCP level
+     */
+    public OcspLevel getOcspLevel() {
+        return ocspLevel;
+    }
+
+    /**
+     * Set the OSCP level.
+     *
+     * @param level
+     *            the OSCP level
+     */
+    public void setOcspLevel(String level) {
+        ocspLevel = OcspLevel.valueOf(level.toUpperCase());
+        switch (ocspLevel) {
+            case REQUIRED:
+            case OPTIONAL:
+                initOcsp();
+                break;
+        }
+    }
+}
diff --git a/commons/security/src/main/java/datawave/security/cert/SSLStores.java b/commons/security/src/main/java/datawave/security/cert/SSLStores.java
@@ -0,0 +1,49 @@
+package datawave.security.cert;
+
+import java.security.KeyStore;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.TrustManager;
+
+/**
+ * Represents a key store/trust store pair.
+ */
+public interface SSLStores {
+
+    /**
+     * Return the key store
+     *
+     * @return the keystore
+     */
+    default KeyStore getKeyStore() {
+        return null;
+    }
+
+    /**
+     * Return the key managers
+     *
+     * @return the key managers
+     */
+    default KeyManager[] getKeyManagers() {
+        return new KeyManager[0];
+    }
+
+    /**
+     * Return the trust store
+     *
+     * @return the truststore
+     */
+    default KeyStore getTrustStore() {
+        return null;
+    }
+
+    /**
+     * Return the trust managers
+     *
+     * @return the trust managers
+     */
+    default TrustManager[] getTrustManagers() {
+        return new TrustManager[0];
+    }
+
+}