1 package org
.argeo
.cms
.internal
.auth
;
3 import java
.security
.Principal
;
4 import java
.security
.cert
.CertPath
;
8 import javax
.security
.auth
.Subject
;
9 import javax
.security
.auth
.callback
.CallbackHandler
;
10 import javax
.security
.auth
.login
.LoginException
;
11 import javax
.security
.auth
.spi
.LoginModule
;
12 import javax
.security
.auth
.x500
.X500Principal
;
13 import javax
.security
.auth
.x500
.X500PrivateCredential
;
15 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
16 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
17 import org
.argeo
.cms
.auth
.AuthConstants
;
/**
 * JAAS {@link LoginModule} for the kernel identity.
 *
 * <p>In the lines visible here, {@code commit()} requires the {@link Subject} to already
 * carry exactly one {@link X500Principal} whose name equals
 * {@code AuthConstants.ROLE_KERNEL}, plus an {@link X500PrivateCredential} whose
 * certificate has that subject name, and then adds a Jackrabbit {@link AdminPrincipal}
 * to the subject. {@code logout()} empties the subject's principal and credential sets.
 *
 * <p>NOTE(review): this listing omits some source lines (the gutter numbers skip), so
 * return values and a few statements are not visible.
 */
19 public class KernelLoginModule
implements LoginModule
{
// Subject received in initialize(); commit() and logout() read and modify it.
20 private Subject subject
;
/**
 * Keeps a reference to the subject being authenticated so the later phases can use it.
 *
 * <p>In the lines visible here {@code callbackHandler}, {@code sharedState} and
 * {@code options} are not used: this module gathers no credentials itself and reads
 * no configuration.
 *
 * @param subject the subject to be checked in commit(); stored as is
 * @param callbackHandler not used in the visible lines
 * @param sharedState not used in the visible lines
 * @param options not used in the visible lines
 */
23 public void initialize(Subject subject
, CallbackHandler callbackHandler
,
24 Map
<String
, ?
> sharedState
, Map
<String
, ?
> options
) {
25 this.subject
= subject
;
/**
 * First JAAS phase. The only body line visible here is a TODO; no credential or
 * permission check is visible in this method, and its return value is on lines this
 * listing omits.
 *
 * @throws LoginException declared by the LoginModule contract; no throw is visible here
 */
29 public boolean login() throws LoginException
{
// NOTE(review): the open TODO below means the calling code's permission is not verified
// in this phase; the checks in commit() are the only gate visible in this class.
// Resolve the TODO before treating this module as a trust boundary.
30 // TODO check permission at code level ?
/**
 * Verifies that the subject already holds the kernel identity and, if so, adds the
 * Jackrabbit admin principal to it.
 *
 * <p>The checks visible here match the principal name, the private credential and the
 * certificate path by equality only. No signature, validity-period or chain validation
 * is visible in this method.
 * NOTE(review): presumably the module that put these credentials on the subject
 * validated them; confirm that before relying on this method as proof of key possession.
 *
 * <p>Some statements (loop bodies, one guard, the return) are on lines this listing omits.
 *
 * @throws LoginException if the subject does not hold exactly one X500Principal, if that
 *         principal's name differs from {@code AuthConstants.ROLE_KERNEL}, or if the
 *         private certificate or certificate path check fails
 */
35 public boolean commit() throws LoginException
{
36 // Check that kernel has been logged in w/ certificate
// Exactly one X500Principal is accepted: zero or more than one both raise the same
// "Kernel must have been named" error.
38 Set
<X500Principal
> names
= subject
.getPrincipals(X500Principal
.class);
39 if (names
.isEmpty() || names
.size() > 1)
40 throw new LoginException("Kernel must have been named");
41 X500Principal name
= names
.iterator().next();
// Exact string comparison on X500Principal.getName(), which returns the RFC 2253 form
// of the DN. Presumably ROLE_KERNEL is stored in that same form; confirm, since any
// formatting difference makes this check fail.
// NOTE(review): the message below repeats the word "named".
42 if (!AuthConstants
.ROLE_KERNEL
.equals(name
.getName()))
43 throw new LoginException("Kernel must be named named "
44 + AuthConstants
.ROLE_KERNEL
);
45 // Private certificate
46 Set
<X500PrivateCredential
> privateCerts
= subject
47 .getPrivateCredentials(X500PrivateCredential
.class);
48 X500PrivateCredential privateCert
= null;
// Looks for the private credential whose certificate subject equals the kernel name.
// The statement inside the if is on lines this listing omits; presumably it assigns
// privateCert (confirm).
49 for (X500PrivateCredential pCert
: privateCerts
) {
50 if (pCert
.getCertificate().getSubjectX500Principal().equals(name
)) {
// Fails the login when privateCert is still null at this point.
54 if (privateCert
== null)
55 throw new LoginException("Kernel must have a private certificate");
57 Set
<CertPath
> certPaths
= subject
.getPublicCredentials(CertPath
.class);
58 CertPath certPath
= null;
// Compares the first certificate of each path with the private credential's
// certificate.
// NOTE(review): CertPath.getCertificates() may return an empty list, in which case
// get(0) throws IndexOutOfBoundsException instead of a LoginException; consider
// checking for an empty list first.
59 for (CertPath cPath
: certPaths
) {
60 if (cPath
.getCertificates().get(0)
61 .equals(privateCert
.getCertificate())) {
// The guard for this throw is on lines this listing omits; presumably it tests
// certPath == null, mirroring the private-certificate check above (confirm).
66 throw new LoginException("Kernel must have a certificate path");
// Live principal set of the subject: additions below change the subject itself.
68 Set
<Principal
> principals
= subject
.getPrincipals();
71 // Add data access roles
// Adds the Jackrabbit admin principal, so every check above gates repository admin
// identity for this subject.
72 principals
.add(new AdminPrincipal(SecurityConstants
.ADMIN_ID
));
/**
 * JAAS abort phase. The body is on lines this listing omits.
 * NOTE(review): verify that it removes what commit() adds to the subject (the
 * AdminPrincipal), so an aborted login does not leave the admin identity behind.
 */
78 public boolean abort() throws LoginException
{
/**
 * Empties the subject's principal, public-credential and private-credential sets.
 *
 * <p>This removes every entry on the subject, not only the principal added by commit(),
 * so entries contributed by other login modules on the same subject are dropped too.
 * The return statement is on lines this listing omits.
 *
 * <p>NOTE(review): X500PrivateCredential implements Destroyable; clearing the set drops
 * the reference without calling destroy(). Confirm whether the key material should be
 * destroyed here.
 */
83 public boolean logout() throws LoginException
{
85 subject
.getPrincipals().clear();
86 subject
.getPublicCredentials().clear();
87 subject
.getPrivateCredentials().clear();