]> git.argeo.org Git - lgpl/argeo-commons.git/blob - NodeSecurity.java
projects / lgpl / argeo-commons.git / blob


6d216c651f8de9602e0a7239e6a5fea2fb8775d3
[lgpl/argeo-commons.git] / NodeSecurity.java
1 package org.argeo.cms.internal.kernel;
2
3 import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir;
4
5 import java.io.File;
6 import java.net.URL;
7 import java.security.KeyStore;
8 import java.util.Arrays;
9
10 import javax.security.auth.Subject;
11
12 import org.apache.commons.logging.Log;
13 import org.apache.commons.logging.LogFactory;
14 import org.argeo.cms.CmsException;
15
16 /** Low-level kernel security */
17 @Deprecated
18 class NodeSecurity implements KernelConstants {
19 private final static Log log = LogFactory.getLog(NodeSecurity.class);
20
21 public final static int HARDENED = 3;
22 public final static int STAGING = 2;
23 public final static int DEV = 1;
24
25 private final boolean firstInit;
26
27 private Subject kernelSubject;
28 private int securityLevel = STAGING;
29
30 private final File keyStoreFile;
31
32 public NodeSecurity() {
33 // Configure JAAS first
34 URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG);
35 System.setProperty("java.security.auth.login.config", url.toExternalForm());
36 // log.debug("JASS config: " + url.toExternalForm());
37 // disable Jetty autostart
38 // System.setProperty("org.eclipse.equinox.http.jetty.autostart",
39 // "false");
40
41 firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists();
42
43 this.keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(), "node.p12");
44 createKeyStoreIfNeeded();
45 // if (keyStoreFile.exists())
46 // this.kernelSubject = logInHardenedKernel();
47 // else
48 // this.kernelSubject = logInKernel();
49 }
50
51 // private Subject logInKernel() {
52 // final Subject kernelSubject = new Subject();
53 // try {
54 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
55 // kernelLc.login();
56 // } catch (LoginException e) {
57 // throw new CmsException("Cannot log in kernel", e);
58 // }
59 // return kernelSubject;
60 // }
61 //
62 // private Subject logInHardenedKernel() {
63 // final Subject kernelSubject = new Subject();
64 // createKeyStoreIfNeeded();
65 //
66 // CallbackHandler cbHandler = new CallbackHandler() {
67 //
68 // @Override
69 // public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
70 // // alias
71 //// ((NameCallback) callbacks[1]).setName(AuthConstants.ROLE_KERNEL);
72 // // store pwd
73 // ((PasswordCallback) callbacks[2]).setPassword("changeit".toCharArray());
74 // // key pwd
75 // ((PasswordCallback) callbacks[3]).setPassword("changeit".toCharArray());
76 // }
77 // };
78 // try {
79 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_HARDENED_KERNEL, kernelSubject,
80 // cbHandler);
81 // kernelLc.login();
82 // } catch (LoginException e) {
83 // throw new CmsException("Cannot log in kernel", e);
84 // }
85 // return kernelSubject;
86 // }
87
88 // void destroy() {
89 // // Logout kernel
90 // try {
91 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
92 // kernelLc.logout();
93 // } catch (LoginException e) {
94 // throw new CmsException("Cannot log out kernel", e);
95 // }
96 //
97 // // Security.removeProvider(SECURITY_PROVIDER);
98 // }
99
100 public Subject getKernelSubject() {
101 return kernelSubject;
102 }
103
104 public synchronized int getSecurityLevel() {
105 return securityLevel;
106 }
107
108 public boolean isFirstInit() {
109 return firstInit;
110 }
111
112 public void setSecurityLevel(int newValue) {
113 if (newValue != STAGING || newValue != DEV)
114 throw new CmsException("Invalid value for security level " + newValue);
115 if (newValue >= securityLevel)
116 throw new CmsException(
117 "Impossible to increase security level (from " + securityLevel + " to " + newValue + ")");
118 securityLevel = newValue;
119 }
120
121 private void createKeyStoreIfNeeded() {
122 // for (Provider provider : Security.getProviders())
123 // System.out.println(provider.getName());
124
125 char[] ksPwd = "changeit".toCharArray();
126 char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
127 if (!keyStoreFile.exists()) {
128 try {
129 keyStoreFile.getParentFile().mkdirs();
130 KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
131 // PkiUtils.generateSelfSignedCertificate(keyStore, new X500Principal(AuthConstants.ROLE_KERNEL), 1024,
132 // keyPwd);
133 PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
134 if (log.isDebugEnabled())
135 log.debug("Created keystore " + keyStoreFile);
136 } catch (Exception e) {
137 if (keyStoreFile.length() == 0)
138 keyStoreFile.delete();
139 log.error("Cannot create keystore " + keyStoreFile, e);
140 }
141 }
142 }
143
144 File getHttpServerKeyStore() {
145 return keyStoreFile;
146 }
147
148 // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
149 // private final static Log log;
150 // static {
151 // log = LogFactory.getLog(NodeSecurity.class);
152 // // Make Bouncy Castle the default provider
153 // Provider provider = new BouncyCastleProvider();
154 // int position = Security.insertProviderAt(provider, 1);
155 // if (position == -1)
156 // log.error("Provider " + provider.getName()
157 // + " already installed and could not be set as default");
158 // Provider defaultProvider = Security.getProviders()[0];
159 // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
160 // log.error("Provider name is " + defaultProvider.getName()
161 // + " but it should be " + SECURITY_PROVIDER);
162 // }
163 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi