Improve logging
index 7983ea771428e740f771ec3b6f9b5cbba00c7e6c..4f25e6106a28ddb95ffead3f3e9d7b0ce44dc071 100644 (file)
@@ -8,6 +8,7 @@ import java.net.UnknownHostException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
 import java.util.Iterator;
 
 import javax.security.auth.Subject;
@@ -20,9 +21,18 @@ import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 
+import org.apache.commons.httpclient.auth.AuthPolicy;
+import org.apache.commons.httpclient.auth.CredentialsProvider;
+import org.apache.commons.httpclient.cookie.CookiePolicy;
+import org.apache.commons.httpclient.params.DefaultHttpParams;
+import org.apache.commons.httpclient.params.HttpMethodParams;
+import org.apache.commons.httpclient.params.HttpParams;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.http.NodeHttp;
+import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
+import org.argeo.cms.internal.http.client.HttpCredentialProvider;
 import org.argeo.naming.DnsBrowser;
 import org.argeo.node.NodeConstants;
 import org.ietf.jgss.GSSCredential;
@@ -32,7 +42,8 @@ import org.ietf.jgss.GSSName;
 import org.ietf.jgss.Oid;
 
 /** Low-level kernel security */
-class CmsSecurity implements KernelConstants {
+@Deprecated
+public class CmsSecurity implements KernelConstants {
        private final static Log log = LogFactory.getLog(CmsSecurity.class);
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        private final static Oid KERBEROS_OID;
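Review bot: The `@Deprecated` added above `public class CmsSecurity` comes with no `@deprecated` Javadoc tag naming what replaces it, so a caller cannot tell what to migrate to; the existing `/** Low-level kernel security */` comment should gain a line such as `@deprecated superseded by the node security setup in the http/node bundles — confirm the replacement type before writing its name`. At the same time the class is widened from package-private to `public` while a later hunk makes its constructor package-private, which is the opposite of the usual direction for a type being retired; if the widening only exists so that other bundles can reference the type, say so in the Javadoc rather than leaving readers to guess whether the wider exposure is intended.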
@@ -61,11 +72,26 @@ class CmsSecurity implements KernelConstants {
 
        private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
 
-       public CmsSecurity() {
+       CmsSecurity() {
+
                if (!DeployConfig.isInitialized()) // first init
                        FirstInit.prepareInstanceArea();
 
                securityLevel = evaluateSecurityLevel();
+
+               if (securityLevel == DEPLOYED) {
+                       // Register client-side SPNEGO auth scheme
+                       AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
+                       HttpParams params = DefaultHttpParams.getDefaultParams();
+                       ArrayList<String> schemes = new ArrayList<>();
+                       schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred
+                       // schemes.add(AuthPolicy.BASIC);// incompatible with Basic
+                       params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
+                       params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
+                       params.setParameter(HttpMethodParams.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
+                       // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
+               }
+
                // Configure JAAS first
                if (System.getProperty(JAAS_CONFIG_PROP) == null) {
                        String jaasConfig = securityLevel < DEPLOYED ? JAAS_CONFIG : JAAS_CONFIG_IPA;
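Review bot: The SPNEGO block in the constructor writes to `DefaultHttpParams.getDefaultParams()`, which is the JVM-wide default for every commons-httpclient `HttpClient`, so once this constructor has run any client in the process will answer a `Negotiate` challenge from any host through the `HttpCredentialProvider` registered here; whether that provider limits which hosts may receive the node's Kerberos credentials is not visible in this file. Unless process-wide behaviour is the intent, the scheme priority, credentials provider and cookie policy belong on the params of the specific client that makes the node's outbound calls (`client.getParams().setParameter(...)`) rather than on the global defaults, and the choice deserves a comment either way. The two commented-out lines `// schemes.add(AuthPolicy.BASIC);// incompatible with Basic` and `// params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);` should be deleted, with the reason Basic is excluded stated in a real comment that says incompatible with what. `ArrayList<String> schemes` should be declared as `List<String>`. The constructor continues past this hunk with the JAAS configuration.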
@@ -118,7 +144,8 @@ class CmsSecurity implements KernelConstants {
 
                CallbackHandler callbackHandler;
                if (Files.exists(nodeKeyTab)) {
-                       service = NodeConstants.NODE_SERVICE;
+                       service = NodeHttp.DEFAULT_SERVICE;
+                       // service = NodeConstants.NODE_SERVICE;
                        callbackHandler = new CallbackHandler() {
 
                                @Override
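Review bot: The commented-out `// service = NodeConstants.NODE_SERVICE;` left under the new `service = NodeHttp.DEFAULT_SERVICE;` should be removed; git keeps the history. Since this is the keytab branch (`Files.exists(nodeKeyTab)`), changing the service name presumably changes the principal the keytab must contain, in which case node keytabs provisioned for the old name would stop logging in — if so, a comment such as `// the node keytab must hold a key for the NodeHttp.DEFAULT_SERVICE principal` and a sentence in the commit message would save the next operator a failed deployment. The enclosing method starts before and ends after this hunk.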
@@ -146,7 +173,7 @@ class CmsSecurity implements KernelConstants {
                        // throw new CmsException("Cannot create text callback handler", e);
                        // }
                        try {
-                               LoginContext kernelLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_SINGLE_USER, nodeSubject);
+                               LoginContext kernelLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_NODE, nodeSubject);
                                kernelLc.login();
                        } catch (LoginException e) {
                                throw new CmsException("Cannot log in kernel", e);
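Review bot: The `CmsException("Cannot log in kernel", e)` thrown when the new `LOGIN_CONTEXT_NODE` login fails does not say which login context or JAAS configuration was in use, which is the first thing needed to diagnose a keytab or krb5 misconfiguration — for a commit titled "Improve logging", consider `throw new CmsException("Cannot log in kernel with login context " + NodeConstants.LOGIN_CONTEXT_NODE, e);`. The `LoginContext` is also a local that is dropped right after `login()`, so nothing can call `logout()` on it later; if the node subject is meant to live for the whole process that is fine, but a one-line comment saying so would stop a reader from treating it as a leak. The enclosing method starts before this hunk.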
@@ -248,17 +275,17 @@ class CmsSecurity implements KernelConstants {
                return securityLevel;
        }
 
-       public String getKerberosDomain() {
-               return kerberosDomain;
-       }
+//     public String getKerberosDomain() {
+//             return kerberosDomain;
+//     }
 
-       public Subject getNodeSubject() {
-               return nodeSubject;
-       }
+//     public Subject getNodeSubject() {
+//             return nodeSubject;
+//     }
 
-       public GSSCredential getServerCredentials() {
-               return acceptorCredentials;
-       }
+//     public GSSCredential getServerCredentials() {
+//             return acceptorCredentials;
+//     }
 
        // public void setSecurityLevel(int newValue) {
        // if (newValue != STANDALONE || newValue != DEV)