X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FKernel.java;h=08697503916bfca8c38f154d76d65915c3970e0a;hb=50911fdcc6df5cd35e71a0a4ecddf03f98f742a2;hp=c63184a2435d189f314ebc57319dfabb4469b11b;hpb=35904a4a72fe8a4908c345f73856711c7b4c472c;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java
index c63184a24..086975039 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Kernel.java
@@ -1,20 +1,38 @@
 package org.argeo.cms.internal.kernel;
+import java.io.File;
+import java.io.IOException;
 import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.security.KeyStore;
+import java.security.PrivilegedAction;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 import javax.jcr.Repository;
 import javax.jcr.RepositoryFactory;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.jackrabbit.util.TransientFileFactory;
 import org.argeo.ArgeoException;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.KernelHeader;
 import org.argeo.jackrabbit.OsgiJackrabbitRepositoryFactory;
 import org.argeo.jcr.ArgeoJcrConstants;
 import org.argeo.security.core.InternalAuthentication;
+import org.argeo.security.crypto.PkiUtils;
 import org.eclipse.equinox.http.servlet.ExtendedHttpService;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceEvent;
@@ -35,16 +53,65 @@ import org.springframework.security.core.context.SecurityContextHolder;
 * */
 final class Kernel implements ServiceListener {
+ private final static Log log = LogFactory.getLog(Kernel.class);
 private final BundleContext bundleContext = Activator.getBundleContext();
- private JackrabbitNode node;
- private OsgiJackrabbitRepositoryFactory repositoryFactory;
- private NodeSecurity nodeSecurity;
- private NodeHttp nodeHttp;
+ ThreadGroup threadGroup = new ThreadGroup(Kernel.class.getSimpleName());
+ JackrabbitNode node;
+ OsgiJackrabbitRepositoryFactory repositoryFactory;
+ NodeSecurity nodeSecurity;
+ NodeHttp nodeHttp;
+ private KernelThread kernelThread;
+
+ private final Subject kernelSubject = new Subject();
+
+ public Kernel() {
+ URL url = getClass().getClassLoader().getResource( KernelConstants.JAAS_CONFIG);
+ System.setProperty("java.security.auth.login.config", url.toExternalForm());
+ createKeyStoreIfNeeded();
+
+ CallbackHandler cbHandler = new CallbackHandler() {
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ // alias
+ ((NameCallback) callbacks[1]).setName(KernelHeader.ROLE_KERNEL);
+ // store pwd
+ ((PasswordCallback) callbacks[2]).setPassword("changeit" .toCharArray());
+ // key pwd
+ ((PasswordCallback) callbacks[3]).setPassword("changeit" .toCharArray());
+ }
+ };
+ try {
+ LoginContext kernelLc = new LoginContext( KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject, cbHandler);
+ kernelLc.login();
+ } catch (LoginException e) {
+ throw new CmsException("Cannot log in kernel", e);
+ }
+ }
+
+ final void init() {
+ Subject.doAs(kernelSubject, new PrivilegedAction() {
+
+ @Override
+ public Void run() {
+ doInit();
+ return null;
+ }
+
+ });
+ }
- void init() {
+ private void doInit() {
 ClassLoader currentContextCl = Thread.currentThread() .getContextClassLoader();
 Thread.currentThread().setContextClassLoader(
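Review bot: The kernel's JAAS login hard-codes both the key store and the key password as `"changeit"` inside the CallbackHandler (the same literal createKeyStoreIfNeeded uses), so the node's private key in node.p12 is protected by a well-known default wherever this ships; the literal should at least be shared through one constant and preferably sourced from a per-node secret rather than embedded in the class. The handler also assumes the login module asks for exactly the callbacks at indices 1–3 in that order, with no instanceof check, so a different module configuration fails with an unhelpful ClassCastException or ArrayIndexOutOfBoundsException rather than an UnsupportedCallbackException. `getResource(KernelConstants.JAAS_CONFIG)` may return null and the next line would then throw a bare NullPointerException; guard it with `if (url == null) throw new CmsException("Cannot find JAAS configuration " + KernelConstants.JAAS_CONFIG);`. Setting `java.security.auth.login.config` as a system property replaces whatever JAAS configuration the JVM was started with, which deserves a comment if intentional.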
@@ -68,6 +135,11 @@ final class Kernel implements ServiceListener {
 ExtendedHttpService httpService = waitForHttpService();
 nodeHttp = new NodeHttp(httpService, node, nodeSecurity);
+ // Kernel thread
+ kernelThread = new KernelThread(this);
+ kernelThread.setContextClassLoader(Kernel.class.getClassLoader());
+ kernelThread.start();
+
 // Publish services to OSGi
 nodeSecurity.publish();
 node.publish(repositoryFactory);
@@ -94,6 +166,8 @@ final class Kernel implements ServiceListener {
 void destroy() {
 long begin = System.currentTimeMillis();
+ kernelThread.destroyAndJoin();
+
 if (nodeHttp != null)
 nodeHttp.destroy();
 if (nodeSecurity != null)
@@ -106,6 +180,14 @@ final class Kernel implements ServiceListener {
 // Clean hanging threads from Jackrabbit
 TransientFileFactory.shutdown();
+ try {
+ LoginContext kernelLc = new LoginContext( KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
+ kernelLc.logout();
+ } catch (LoginException e) {
+ throw new CmsException("Cannot log in kernel", e);
+ }
+
 long duration = System.currentTimeMillis() - begin;
 log.info("## ARGEO CMS DOWN in " + (duration / 1000) + "." + (duration % 1000) + "s ##");
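Review bot: `kernelThread.destroyAndJoin()` is called without a null guard, unlike the `nodeHttp` and `nodeSecurity` cleanup that follows it; `kernelThread` is only assigned late in doInit(), so an initialisation failure before that point (for example while waiting for the HTTP service) leaves it null and destroy() would then throw a NullPointerException before the rest of the shutdown runs. Guard it the same way as the other fields: `if (kernelThread != null) kernelThread.destroyAndJoin();`. The body of destroy() continues outside the hunk.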
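Review bot: The exception thrown from the logout path carries the message `"Cannot log in kernel"`, apparently copied from the constructor; it should read `throw new CmsException("Cannot log out kernel", e);` so a shutdown failure is not misattributed to login. Throwing here also aborts destroy() before the final timing log line, so a logout failure during shutdown is arguably better logged than rethrown, though that depends on how the caller treats exceptions from destroy(). Logout is performed through a fresh LoginContext over kernelSubject rather than the instance that performed login(), which JAAS permits but which relies on the configured modules being able to log out from the Subject's state alone; a short comment stating that intent would help. destroy() starts outside the hunk.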
@@ -155,6 +237,25 @@ final class Kernel implements ServiceListener {
 return httpService;
 }
+ private void createKeyStoreIfNeeded() {
+ char[] ksPwd = "changeit".toCharArray();
+ char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
+ File keyStoreFile = KernelUtils.getOsgiConfigurationFile("node.p12");
+ if (!keyStoreFile.exists()) {
+ try {
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
+ X509Certificate cert = PkiUtils.generateSelfSignedCertificate( keyStore, new X500Principal(KernelHeader.ROLE_KERNEL), keyPwd);
+ PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
+
+ } catch (Exception e) {
+ throw new CmsException("Cannot create key store " + keyStoreFile, e);
+ }
+ }
+ }
+
 final private static void directorsCut(long initDuration) {
 // final long ms = 128l + (long) (Math.random() * 128d);
 long ms = initDuration / 100;
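Review bot: createKeyStoreIfNeeded protects the newly generated node key store and its private key with the hard-coded password `"changeit"`, a well-known default, so anyone who can read node.p12 can extract the kernel's self-signed key; the method should generate a per-node secret (for example from SecureRandom) and persist it with the node configuration, or at minimum share the literal with the constructor's CallbackHandler through a single constant so it can be changed in one place. The password arrays `ksPwd` and `keyPwd` are never cleared; add `Arrays.fill(ksPwd, '\0'); Arrays.fill(keyPwd, '\0');` in a finally block once the store is saved. The file is written with default permissions, so consider restricting it to the owner after saveKeyStore with `keyStoreFile.setReadable(false, false); keyStoreFile.setReadable(true, true);`. `cert` is assigned but never used, and `catch (Exception e)` only reveals which step failed through the cause; narrower catches or a per-step message would make a failed first start easier to diagnose.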