]> git.argeo.org Git - lgpl/argeo-commons.git/blob - NodeSecurity.java
projects / lgpl / argeo-commons.git / blob


bb33daecf0602339a95596dbc8fba7e297b70a41
[lgpl/argeo-commons.git] / NodeSecurity.java
1 package org.argeo.cms.internal.kernel;
2
3 import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir;
4
5 import java.io.File;
6 import java.io.IOException;
7 import java.net.URL;
8 import java.security.KeyStore;
9 import java.util.Arrays;
10
11 import javax.security.auth.Subject;
12 import javax.security.auth.callback.Callback;
13 import javax.security.auth.callback.CallbackHandler;
14 import javax.security.auth.callback.NameCallback;
15 import javax.security.auth.callback.PasswordCallback;
16 import javax.security.auth.callback.UnsupportedCallbackException;
17 import javax.security.auth.login.LoginContext;
18 import javax.security.auth.login.LoginException;
19 import javax.security.auth.x500.X500Principal;
20
21 import org.argeo.cms.CmsException;
22 import org.argeo.cms.auth.AuthConstants;
23
24 /** Low-level kernel security */
25 class NodeSecurity implements KernelConstants {
26 public final static int HARDENED = 3;
27 public final static int STAGING = 2;
28 public final static int DEV = 1;
29
30 private final boolean firstInit;
31
32 private final Subject kernelSubject;
33 private int securityLevel = STAGING;
34
35 private final File keyStoreFile;
36
37 public NodeSecurity() {
38 // Configure JAAS first
39 URL url = getClass().getClassLoader().getResource(
40 KernelConstants.JAAS_CONFIG);
41 System.setProperty("java.security.auth.login.config",
42 url.toExternalForm());
43 // log.debug("JASS config: " + url.toExternalForm());
44 // disable Jetty autostart
45 // System.setProperty("org.eclipse.equinox.http.jetty.autostart",
46 // "false");
47
48 firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists();
49
50 this.keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(),
51 "node.p12");
52 this.kernelSubject = logInKernel();
53 }
54
55 private Subject logInKernel() {
56 final Subject kernelSubject = new Subject();
57 // createKeyStoreIfNeeded();
58
59 CallbackHandler cbHandler = new CallbackHandler() {
60
61 @Override
62 public void handle(Callback[] callbacks) throws IOException,
63 UnsupportedCallbackException {
64 // alias
65 ((NameCallback) callbacks[1])
66 .setName(AuthConstants.ROLE_KERNEL);
67 // store pwd
68 ((PasswordCallback) callbacks[2]).setPassword("changeit"
69 .toCharArray());
70 // key pwd
71 ((PasswordCallback) callbacks[3]).setPassword("changeit"
72 .toCharArray());
73 }
74 };
75 try {
76 LoginContext kernelLc = new LoginContext(
77 KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject,
78 cbHandler);
79 kernelLc.login();
80 } catch (LoginException e) {
81 throw new CmsException("Cannot log in kernel", e);
82 }
83 return kernelSubject;
84 }
85
86 void destroy() {
87 // Logout kernel
88 try {
89 LoginContext kernelLc = new LoginContext(
90 KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
91 kernelLc.logout();
92 } catch (LoginException e) {
93 throw new CmsException("Cannot log out kernel", e);
94 }
95
96 // Security.removeProvider(SECURITY_PROVIDER);
97 }
98
99 public Subject getKernelSubject() {
100 return kernelSubject;
101 }
102
103 public synchronized int getSecurityLevel() {
104 return securityLevel;
105 }
106
107 public boolean isFirstInit() {
108 return firstInit;
109 }
110
111 public void setSecurityLevel(int newValue) {
112 if (newValue != STAGING || newValue != DEV)
113 throw new CmsException("Invalid value for security level "
114 + newValue);
115 if (newValue >= securityLevel)
116 throw new CmsException(
117 "Impossible to increase security level (from "
118 + securityLevel + " to " + newValue + ")");
119 securityLevel = newValue;
120 }
121
122 private void createKeyStoreIfNeeded() {
123 char[] ksPwd = "changeit".toCharArray();
124 char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
125 if (!keyStoreFile.exists()) {
126 try {
127 keyStoreFile.getParentFile().mkdirs();
128 KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
129 PkiUtils.generateSelfSignedCertificate(keyStore,
130 new X500Principal(AuthConstants.ROLE_KERNEL), keyPwd);
131 PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
132 } catch (Exception e) {
133 throw new CmsException("Cannot create key store "
134 + keyStoreFile, e);
135 }
136 }
137 }
138
139 File getHttpServerKeyStore() {
140 return keyStoreFile;
141 }
142
143 // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
144 // private final static Log log;
145 // static {
146 // log = LogFactory.getLog(NodeSecurity.class);
147 // // Make Bouncy Castle the default provider
148 // Provider provider = new BouncyCastleProvider();
149 // int position = Security.insertProviderAt(provider, 1);
150 // if (position == -1)
151 // log.error("Provider " + provider.getName()
152 // + " already installed and could not be set as default");
153 // Provider defaultProvider = Security.getProviders()[0];
154 // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
155 // log.error("Provider name is " + defaultProvider.getName()
156 // + " but it should be " + SECURITY_PROVIDER);
157 // }
158 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi