X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;ds=inline;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FKernel.java;h=08697503916bfca8c38f154d76d65915c3970e0a;hb=50911fdcc6df5cd35e71a0a4ecddf03f98f742a2;hp=af4f0ff2a75cd868d7597f42f35b63d0d9a8c9ae;hpb=51be851d1253d4858f9b63c533df6bcfe76a393f;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java index af4f0ff2a..086975039 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java @@ -1,20 +1,38 @@ package org.argeo.cms.internal.kernel; +import java.io.File; +import java.io.IOException; import java.lang.management.ManagementFactory; +import java.net.URL; +import java.security.KeyStore; +import java.security.PrivilegedAction; +import java.security.cert.X509Certificate; +import java.util.Arrays; import java.util.HashMap; import java.util.Map; import javax.jcr.Repository; import javax.jcr.RepositoryFactory; +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.security.auth.x500.X500Principal; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.jackrabbit.util.TransientFileFactory; import org.argeo.ArgeoException; import org.argeo.cms.CmsException; +import org.argeo.cms.KernelHeader; import org.argeo.jackrabbit.OsgiJackrabbitRepositoryFactory; import org.argeo.jcr.ArgeoJcrConstants; import org.argeo.security.core.InternalAuthentication; +import org.argeo.security.crypto.PkiUtils; import org.eclipse.equinox.http.servlet.ExtendedHttpService; import org.osgi.framework.BundleContext; import org.osgi.framework.ServiceEvent; @@ -35,6 +53,7 @@ import org.springframework.security.core.context.SecurityContextHolder; * */ final class Kernel implements ServiceListener { + private final static Log log = LogFactory.getLog(Kernel.class); private final BundleContext bundleContext = Activator.getBundleContext(); @@ -46,7 +65,53 @@ final class Kernel implements ServiceListener { NodeHttp nodeHttp; private KernelThread kernelThread; - void init() { + private final Subject kernelSubject = new Subject(); + + public Kernel() { + URL url = getClass().getClassLoader().getResource( + KernelConstants.JAAS_CONFIG); + System.setProperty("java.security.auth.login.config", + url.toExternalForm()); + createKeyStoreIfNeeded(); + + CallbackHandler cbHandler = new CallbackHandler() { + + @Override + public void handle(Callback[] callbacks) throws IOException, + UnsupportedCallbackException { + // alias + ((NameCallback) callbacks[1]).setName(KernelHeader.ROLE_KERNEL); + // store pwd + ((PasswordCallback) callbacks[2]).setPassword("changeit" + .toCharArray()); + // key pwd + ((PasswordCallback) callbacks[3]).setPassword("changeit" + .toCharArray()); + } + }; + try { + LoginContext kernelLc = new LoginContext( + KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject, + cbHandler); + kernelLc.login(); + } catch (LoginException e) { + throw new CmsException("Cannot log in kernel", e); + } + } + + final void init() { + Subject.doAs(kernelSubject, new PrivilegedAction() { + + @Override + public Void run() { + doInit(); + return null; + } + + }); + } + + private void doInit() { ClassLoader currentContextCl = Thread.currentThread() .getContextClassLoader(); Thread.currentThread().setContextClassLoader( @@ -115,6 +180,14 @@ final class Kernel implements ServiceListener { // Clean hanging threads from Jackrabbit TransientFileFactory.shutdown(); + try { + LoginContext kernelLc = new LoginContext( + KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject); + kernelLc.logout(); + } catch (LoginException e) { + throw new CmsException("Cannot log in kernel", e); + } + long duration = System.currentTimeMillis() - begin; log.info("## ARGEO CMS DOWN in " + (duration / 1000) + "." + (duration % 1000) + "s ##"); @@ -164,6 +237,25 @@ final class Kernel implements ServiceListener { return httpService; } + private void createKeyStoreIfNeeded() { + char[] ksPwd = "changeit".toCharArray(); + char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length); + File keyStoreFile = KernelUtils.getOsgiConfigurationFile("node.p12"); + if (!keyStoreFile.exists()) { + try { + KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd); + X509Certificate cert = PkiUtils.generateSelfSignedCertificate( + keyStore, new X500Principal(KernelHeader.ROLE_KERNEL), + keyPwd); + PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore); + + } catch (Exception e) { + throw new CmsException("Cannot create key store " + + keyStoreFile, e); + } + } + } + final private static void directorsCut(long initDuration) { // final long ms = 128l + (long) (Math.random() * 128d); long ms = initDuration / 100;