import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
+import org.apache.commons.httpclient.auth.AuthPolicy;
+import org.apache.commons.httpclient.auth.CredentialsProvider;
+import org.apache.commons.httpclient.cookie.CookiePolicy;
+import org.apache.commons.httpclient.params.DefaultHttpParams;
+import org.apache.commons.httpclient.params.HttpMethodParams;
+import org.apache.commons.httpclient.params.HttpParams;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.http.NodeHttp;
+import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
+import org.argeo.cms.internal.http.client.HttpCredentialProvider;
import org.argeo.naming.DnsBrowser;
import org.argeo.node.NodeConstants;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.Oid;
/** Low-level kernel security */
-class CmsSecurity implements KernelConstants {
+@Deprecated
+public class CmsSecurity implements KernelConstants {
private final static Log log = LogFactory.getLog(CmsSecurity.class);
// http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
private final static Oid KERBEROS_OID;
private String service = null;
private GSSCredential acceptorCredentials;
- private Path nodeKeyTab = KernelUtils.getOsgiInstancePath("node/krb5.keytab");
+ private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
+
+ CmsSecurity() {
- public CmsSecurity() {
if (!DeployConfig.isInitialized()) // first init
FirstInit.prepareInstanceArea();
securityLevel = evaluateSecurityLevel();
+
+ if (securityLevel == DEPLOYED) {
+ // Register client-side SPNEGO auth scheme
+ AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
+ HttpParams params = DefaultHttpParams.getDefaultParams();
+ ArrayList<String> schemes = new ArrayList<>();
+ schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred
+ // schemes.add(AuthPolicy.BASIC);// incompatible with Basic
+ params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
+ params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
+ params.setParameter(HttpMethodParams.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
+ // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
+ }
+
// Configure JAAS first
if (System.getProperty(JAAS_CONFIG_PROP) == null) {
String jaasConfig = securityLevel < DEPLOYED ? JAAS_CONFIG : JAAS_CONFIG_IPA;
CallbackHandler callbackHandler;
if (Files.exists(nodeKeyTab)) {
- service = NodeConstants.NODE_SERVICE;
+ service = NodeHttp.DEFAULT_SERVICE;
+ // service = NodeConstants.NODE_SERVICE;
callbackHandler = new CallbackHandler() {
@Override
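Review bot: `DefaultHttpParams.getDefaultParams()` (L46) is the process-wide default parameter set of commons-httpclient 3.x, so the SPNEGO-only scheme priority, the `HttpCredentialProvider` and the lenient `BROWSER_COMPATIBILITY` cookie policy now apply to every HttpClient created anywhere in this JVM/OSGi framework, not only to the node's own Kerberos calls: any server that answers with `WWW-Authenticate: Negotiate` will be offered a token obtained with the node credentials, and no client in the process can fall back to Basic or Digest. The constructor also has no guard, so a second `CmsSecurity` instance re-registers the scheme and re-applies the defaults. If the global effect is intended, say so above the block, e.g. `// NOTE: mutates the JVM-wide HttpClient defaults; every client in this framework will try SPNEGO first and never Basic/Digest`; otherwise set these on the `HttpClientParams` of the specific client(s) that talk to the Kerberos/IPA services. Worth adding to the same comment that commons-httpclient 3.x is end-of-life and, unless a custom protocol socket factory is installed elsewhere in the framework, does not verify the TLS server hostname (CVE-2012-5783), so peer identity in these exchanges rests on Kerberos mutual authentication rather than on TLS.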
// throw new CmsException("Cannot create text callback handler", e);
// }
try {
- LoginContext kernelLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_SINGLE_USER, nodeSubject);
+ LoginContext kernelLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_NODE, nodeSubject);
kernelLc.login();
} catch (LoginException e) {
throw new CmsException("Cannot log in kernel", e);
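Review bot: Switching the kernel login to `NodeConstants.LOGIN_CONTEXT_NODE` (L70) means that entry must exist in whichever JAAS file the constructor selected earlier (`JAAS_CONFIG` below the DEPLOYED level, `JAAS_CONFIG_IPA` at it), otherwise `kernelLc.login()` fails at boot with the wrapped "Cannot log in kernel" `CmsException`; presumably only the IPA configuration can satisfy a keytab-based Kerberos login, so the `LOGIN_CONTEXT_NODE` entry in the non-IPA file needs a non-Kerberos module or the STANDALONE/DEV path will break. A one-line comment above the `new LoginContext` call would save the next reader the hunt: `// LOGIN_CONTEXT_NODE must be defined in both JAAS_CONFIG and JAAS_CONFIG_IPA (selected in the JAAS_CONFIG_PROP branch above); failure here aborts kernel startup`. The method enclosing this try block starts and ends outside the hunk.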
return securityLevel;
}
- public String getKerberosDomain() {
- return kerberosDomain;
- }
+// public String getKerberosDomain() {
+// return kerberosDomain;
+// }
- public Subject getNodeSubject() {
- return nodeSubject;
- }
+// public Subject getNodeSubject() {
+// return nodeSubject;
+// }
- public GSSCredential getServerCredentials() {
- return acceptorCredentials;
- }
+// public GSSCredential getServerCredentials() {
+// return acceptorCredentials;
+// }
// public void setSecurityLevel(int newValue) {
// if (newValue != STANDALONE || newValue != DEV)