From 73b16e3ffff11633572a036f1dd426b57eba712a Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Fri, 15 Jan 2016 19:13:24 +0000
Subject: [PATCH] Adapt for Raspberry Pi

git-svn-id: https://svn.argeo.org/commons/trunk@8782 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 demo/argeo_node_rap.properties | 4 +-
 .../cms/internal/auth/KernelLoginModule.java | 59 +++++++++++--------
 .../cms/internal/kernel/NodeSecurity.java | 34 +++++------
 .../org/argeo/cms/internal/kernel/jaas.cfg | 6 +-
 4 files changed, 58 insertions(+), 45 deletions(-)

diff --git a/demo/argeo_node_rap.properties b/demo/argeo_node_rap.properties
index 322aee34f..b370cae08 100644
--- a/demo/argeo_node_rap.properties
+++ b/demo/argeo_node_rap.properties
@@ -15,6 +15,8 @@ org.eclipse.equinox.http.registry,\
 org.osgi.framework.security=osgi
 java.security.policy=file:../../all.policy
+argeo.node.repo.type=localfs
+
 #argeo.node.useradmin.uris=ldap://uid=admin,ou=system:secret@localhost:10389/dc=example,dc=com
 #argeo.node.useradmin.uris=ldap://uid=admin,ou=system:secret@localhost:10389\
 #/dc=example,dc=com?userBase=ou=users&groupBase=ou=groups
@@ -34,7 +36,7 @@ org.osgi.service.http.port=7070
 #org.eclipse.equinox.http.jetty.log.stderr.threshold=info
 # HTTPS
-org.osgi.service.http.port.secure=7073
+#org.osgi.service.http.port.secure=7073
 #org.eclipse.equinox.http.jetty.https.enabled=true
 #org.eclipse.equinox.http.jetty.ssl.keystore=../../ssl/server.jks
 #org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
index 8983d65dc..00d0085d1 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
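Review bot: The secure listener on 7073 is commented out in the second hunk with no explanation, so this demo profile now presumably serves everything, including the JAAS logins reconfigured elsewhere in this patch, over the plain HTTP port 7070 that appears in the hunk context. If that is a deliberate concession to the Raspberry Pi target, record it next to the line, e.g. `# HTTPS disabled on this demo profile (no node keystore on the Pi); re-enable port.secure before exposing the node`. The new `argeo.node.repo.type=localfs` in the first hunk would also benefit from a one-line comment pointing to where the property is read, since nothing in the file explains it.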
@@ -36,35 +36,42 @@ public class KernelLoginModule implements LoginModule {
 // Check that kernel has been logged in w/ certificate
 // Name
 Set names = subject.getPrincipals(X500Principal.class);
- if (names.isEmpty() || names.size() > 1)
- throw new LoginException("Kernel must have been named");
- X500Principal name = names.iterator().next();
- if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
- throw new LoginException("Kernel must be named named " + AuthConstants.ROLE_KERNEL);
- // Private certificate
- Set privateCerts = subject
- .getPrivateCredentials(X500PrivateCredential.class);
- X500PrivateCredential privateCert = null;
- for (X500PrivateCredential pCert : privateCerts) {
- if (pCert.getCertificate().getSubjectX500Principal().equals(name)) {
- privateCert = pCert;
+ if (names.isEmpty() || names.size() > 1) {
+ // throw new LoginException("Kernel must have been named");
+ // TODO set not hardened
+ subject.getPrincipals().add(
+ new X500Principal(AuthConstants.ROLE_KERNEL));
+ } else {
+ X500Principal name = names.iterator().next();
+ if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
+ throw new LoginException("Kernel must be named " + AuthConstants.ROLE_KERNEL);
+ // Private certificate
+ Set privateCerts = subject
+ .getPrivateCredentials(X500PrivateCredential.class);
+ X500PrivateCredential privateCert = null;
+ for (X500PrivateCredential pCert : privateCerts) {
+ if (pCert.getCertificate().getSubjectX500Principal()
+ .equals(name)) {
+ privateCert = pCert;
+ }
 }
- }
- if (privateCert == null)
- throw new LoginException("Kernel must have a private certificate");
- // Certificate path
- Set certPaths = subject.getPublicCredentials(CertPath.class);
- CertPath certPath = null;
- for (CertPath cPath : certPaths) {
- if (cPath.getCertificates().get(0)
- .equals(privateCert.getCertificate())) {
- certPath = cPath;
+ if (privateCert == null)
+ throw new LoginException(
+ "Kernel must have a private certificate");
+ // Certificate path
+ Set certPaths = subject
+ .getPublicCredentials(CertPath.class);
+ CertPath certPath = null;
+ for (CertPath cPath : certPaths) {
+ if (cPath.getCertificates().get(0)
+ .equals(privateCert.getCertificate())) {
+ certPath = cPath;
+ }
 }
+ if (certPath == null)
+ throw new LoginException("Kernel must have a certificate path");
 }
- if (certPath == null)
- throw new LoginException("Kernel must have a certificate path");
- Set principals = subject.getPrincipals();
 // Add admin roles
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
index eeb2b18b4..977d17b26 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
@@ -59,7 +59,7 @@ class NodeSecurity implements KernelConstants {
 private Subject logInKernel() {
 final Subject kernelSubject = new Subject();
- createKeyStoreIfNeeded();
+ // createKeyStoreIfNeeded();
 CallbackHandler cbHandler = new CallbackHandler() {
@@ -98,7 +98,7 @@ class NodeSecurity implements KernelConstants {
 throw new CmsException("Cannot log out kernel", e);
 }
- Security.removeProvider(SECURITY_PROVIDER);
+ // Security.removeProvider(SECURITY_PROVIDER);
 }
 public Subject getKernelSubject() {
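Review bot: The new fallback branch grants ROLE_KERNEL whenever the subject carries no X500Principal or more than one, where both cases were previously a hard LoginException; a subject with several names is a malformed subject, not an un-hardened platform, and that case should keep failing, e.g. `if (names.size() > 1) throw new LoginException("Kernel must have exactly one name");` placed before an `if (names.isEmpty())` fallback. Because the jaas.cfg hunk in this same patch reduces the `KERNEL` context to this module alone, every login through that context now yields a kernel subject with no check at all, so the fallback should be gated on an explicit module option or property rather than on the mere absence of a name, and the `// TODO set not hardened` comment should name the configuration that is expected to flip it. The certificate and certificate-path checks now live only in the else branch, which is correct for the hardened case but should be said in a comment above the `if`. The enclosing method begins before the hunk and the principal additions after `// Add admin roles` continue past it; the generic type arguments (`Set<X500Principal>`) also appear stripped in this rendering.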
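Review bot: `createKeyStoreIfNeeded()` in the -59 hunk and `Security.removeProvider(SECURITY_PROVIDER)` in the -98 hunk are disabled by commenting them out, and the -145 hunk does the same to the whole Bouncy Castle static initialiser, which leaves the hardened path unreachable and the class carrying dead text; the same switch that would choose `HARDENED_KERNEL` over `KERNEL` in jaas.cfg should guard keystore creation and provider registration at runtime, e.g. `if (hardened) createKeyStoreIfNeeded();`, with the commented copies deleted since version control keeps them. Commenting out the static block also removes the `log` field and the `SECURITY_PROVIDER` constant, so any other reference to them in NodeSecurity would no longer compile; only these hunks are visible, so that is worth checking. Both `logInKernel` and the logout method it follows start or end outside their hunks.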
@@ -145,19 +145,19 @@ class NodeSecurity implements KernelConstants {
 return keyStoreFile;
 }
- private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
- private final static Log log;
- static {
- log = LogFactory.getLog(NodeSecurity.class);
- // Make Bouncy Castle the default provider
- Provider provider = new BouncyCastleProvider();
- int position = Security.insertProviderAt(provider, 1);
- if (position == -1)
- log.error("Provider " + provider.getName()
- + " already installed and could not be set as default");
- Provider defaultProvider = Security.getProviders()[0];
- if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
- log.error("Provider name is " + defaultProvider.getName()
- + " but it should be " + SECURITY_PROVIDER);
- }
+ // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
+ // private final static Log log;
+ // static {
+ // log = LogFactory.getLog(NodeSecurity.class);
+ // // Make Bouncy Castle the default provider
+ // Provider provider = new BouncyCastleProvider();
+ // int position = Security.insertProviderAt(provider, 1);
+ // if (position == -1)
+ // log.error("Provider " + provider.getName()
+ // + " already installed and could not be set as default");
+ // Provider defaultProvider = Security.getProviders()[0];
+ // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
+ // log.error("Provider name is " + defaultProvider.getName()
+ // + " but it should be " + SECURITY_PROVIDER);
+ // }
 }
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
index 61fc28ad0..539aeb9e6 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
@@ -13,8 +13,12 @@ SYSTEM {
 };
 KERNEL {
+ org.argeo.cms.internal.auth.KernelLoginModule requisite;
+};
+
+HARDENED_KERNEL {
 com.sun.security.auth.module.UnixLoginModule requisite;
- com.sun.security.auth.module.KeyStoreLoginModule requisite keyStoreURL="${osgi.instance.area}/node.p12" keyStoreType=PKCS12 keyStoreProvider=BC;
+ com.sun.security.auth.module.KeyStoreLoginModule requisite keyStoreURL="${osgi.instance.area}/node.p12" keyStoreType=PKCS12;
 org.argeo.cms.internal.auth.KernelLoginModule requisite;
 };
-- 
2.30.2
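Review bot: `KERNEL` now consists of `KernelLoginModule` alone, so together with that module's new no-name fallback a kernel subject is obtained without the OS login or keystore check the context used to require, and nothing in this patch selects `HARDENED_KERNEL` instead; since `createKeyStoreIfNeeded()` is commented out in NodeSecurity, the `${osgi.instance.area}/node.p12` the hardened context points to is no longer created either, so it can only work with an externally provisioned keystore. Each context should carry a comment stating its intent and how it is chosen, e.g. `// KERNEL: no OS or certificate check, for platforms without a node keystore (see KernelLoginModule)` and `// HARDENED_KERNEL: requires a Unix login and ${osgi.instance.area}/node.p12, which must be provisioned`. Dropping `keyStoreProvider=BC` means KeyStoreLoginModule falls back to the JDK's default PKCS12 provider, which is consistent with removing the Bouncy Castle registration but deserves a note if existing keystores were written with that provider.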