- @Override
- protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
- if (rawAuthorization.getName() == null) {
- sysRoles.add(CmsConstants.ROLE_ANONYMOUS);
- } else {
- sysRoles.add(CmsConstants.ROLE_USER);
- }
- }
-
- protected void postAdd(AbstractUserDirectory userDirectory) {
- // JTA
-// WorkControl tm = tmTracker != null ? tmTracker.getService() : null;
-// if (tm == null)
-// throw new IllegalStateException("A JTA transaction manager must be available.");
- userDirectory.setTransactionControl(transactionManager);
-// if (tmTracker.getService() instanceof BitronixTransactionManager)
-// EhCacheXAResourceProducer.registerXAResource(cacheName, userDirectory.getXaResource());
-
- Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
- if (realm != null) {
- if (Files.exists(nodeKeyTab)) {
- String servicePrincipal = getKerberosServicePrincipal(realm.toString());
- if (servicePrincipal != null) {
- CallbackHandler callbackHandler = new CallbackHandler() {
- @Override
- public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
- for (Callback callback : callbacks)
- if (callback instanceof NameCallback)
- ((NameCallback) callback).setName(servicePrincipal);
-
- }
- };
- try {
- LoginContext nodeLc = new LoginContext(CmsAuth.LOGIN_CONTEXT_NODE, callbackHandler);
- nodeLc.login();
- acceptorCredentials = logInAsAcceptor(nodeLc.getSubject(), servicePrincipal);
- } catch (LoginException e) {
- throw new IllegalStateException("Cannot log in kernel", e);
- }
- }
- }
-
- // Register client-side SPNEGO auth scheme
- AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
- HttpParams params = DefaultHttpParams.getDefaultParams();
- ArrayList<String> schemes = new ArrayList<>();
- schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred
- // schemes.add(AuthPolicy.BASIC);// incompatible with Basic
- params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
- params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
- params.setParameter(HttpMethodParams.COOKIE_POLICY, KernelConstants.COOKIE_POLICY_BROWSER_COMPATIBILITY);
- // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
- }
- }
-
- protected void preDestroy(AbstractUserDirectory userDirectory) {
-// if (tmTracker.getService() instanceof BitronixTransactionManager)
-// EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource());
-
- Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
- if (realm != null) {
- if (acceptorCredentials != null) {
- try {
- acceptorCredentials.dispose();
- } catch (GSSException e) {
- // silent
- }
- acceptorCredentials = null;
- }
- }
- }
-
- private String getKerberosServicePrincipal(String realm) {
- String hostname;
- try (DnsBrowser dnsBrowser = new DnsBrowser()) {
- InetAddress localhost = InetAddress.getLocalHost();
- hostname = localhost.getHostName();
- String dnsZone = hostname.substring(hostname.indexOf('.') + 1);
- String ipfromDns = dnsBrowser.getRecord(hostname, localhost instanceof Inet6Address ? "AAAA" : "A");
- boolean consistentIp = localhost.getHostAddress().equals(ipfromDns);
- String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT");
- if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) {
- return KernelConstants.DEFAULT_KERBEROS_SERVICE + "/" + hostname + "@" + kerberosDomain;
- } else
- return null;
- } catch (Exception e) {
- log.warn("Exception when determining kerberos principal", e);
- return null;
- }
- }
-
- private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) {
- // GSS
- Iterator<KerberosPrincipal> krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator();
- if (!krb5It.hasNext())
- return null;
- KerberosPrincipal krb5Principal = null;
- while (krb5It.hasNext()) {
- KerberosPrincipal principal = krb5It.next();
- if (principal.getName().equals(servicePrincipal))
- krb5Principal = principal;
- }
-
- if (krb5Principal == null)
- return null;
-
- GSSManager manager = GSSManager.getInstance();
- try {
- GSSName gssName = manager.createName(krb5Principal.getName(), null);
- GSSCredential serverCredentials = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
-
- @Override
- public GSSCredential run() throws GSSException {
- return manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_OID,
- GSSCredential.ACCEPT_ONLY);
-
- }
-
- });
- if (log.isDebugEnabled())
- log.debug("GSS acceptor configured for " + krb5Principal);
- return serverCredentials;
- } catch (Exception gsse) {
- throw new IllegalStateException("Cannot create acceptor credentials for " + krb5Principal, gsse);
- }
- }
-
- public GSSCredential getAcceptorCredentials() {
- return acceptorCredentials;
- }
-
- public boolean hasAcceptorCredentials() {
- return acceptorCredentials != null;
- }
-
- public boolean isSingleUser() {
- return singleUser;
- }
-
- public void setTransactionManager(WorkControl transactionManager) {
- this.transactionManager = transactionManager;
- }
-
- public void setUserTransaction(WorkTransaction userTransaction) {
- this.userTransaction = userTransaction;
- }
-
- /*
- * STATIC
- */
-
- public final static Oid KERBEROS_OID;
- static {
- try {
- KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
- } catch (GSSException e) {
- throw new IllegalStateException("Cannot create Kerberos OID", e);
- }
- }