1 package org.argeo.cms.internal.auth;
2
3 import java.security.Principal;
4 import java.security.cert.CertPath;
5 import java.util.Map;
6 import java.util.Set;
7
8 import javax.security.auth.Subject;
9 import javax.security.auth.callback.CallbackHandler;
10 import javax.security.auth.login.LoginException;
11 import javax.security.auth.spi.LoginModule;
12 import javax.security.auth.x500.X500Principal;
13 import javax.security.auth.x500.X500PrivateCredential;
14
15 import org.apache.jackrabbit.core.security.SecurityConstants;
16 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
17 import org.argeo.cms.auth.AuthConstants;
18
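/**
 * JAAS {@link LoginModule} for the CMS kernel itself.
 * <p>
 * {@link #login()} always succeeds: the actual checks are done in
 * {@link #commit()}, which verifies that the {@link Subject} is named after
 * the kernel role and holds a matching private credential and certificate
 * path, and then grants the Jackrabbit admin principal.
 */
public class KernelLoginModule implements LoginModule {
    private Subject subject;

    /**
     * Keeps a reference to the subject. The callback handler, shared state and
     * options are not used by this module.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    /**
     * Always succeeds; nothing is verified at this stage.
     *
     * @return {@code true}
     */
    @Override
    public boolean login() throws LoginException {
        // TODO check permission at code level ?
        return true;
    }

    /**
     * Checks that the kernel has been logged in with a certificate and adds the
     * admin principal.
     * <p>
     * If the subject carries exactly one {@link X500Principal}, it must be
     * named {@link AuthConstants#ROLE_KERNEL}, and the subject must hold an
     * {@link X500PrivateCredential} issued to that name together with a
     * {@link CertPath} whose first certificate is that credential's. Otherwise
     * (no name, or several names) the kernel role is simply added to the
     * subject without any further verification.
     *
     * @return {@code true}
     * @throws LoginException
     *             if the single X.500 name is not the kernel role, or if no
     *             matching private credential or certificate path is found
     */
    @Override
    public boolean commit() throws LoginException {
        Set<X500Principal> names = subject.getPrincipals(X500Principal.class);
        if (names.size() != 1) {
            // TODO set not hardened: a subject with no or several X.500 names
            // is granted the kernel role here without any check.
            subject.getPrincipals().add(new X500Principal(AuthConstants.ROLE_KERNEL));
        } else {
            X500Principal name = names.iterator().next();
            if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
                throw new LoginException("Kernel must be named " + AuthConstants.ROLE_KERNEL);
            // Private certificate
            X500PrivateCredential privateCert = findPrivateCredential(name);
            if (privateCert == null)
                throw new LoginException("Kernel must have a private certificate");
            // Certificate path
            if (findCertPath(privateCert) == null)
                throw new LoginException("Kernel must have a certificate path");
        }
        Set<Principal> principals = subject.getPrincipals();
        // Add admin roles

        // Add data access roles
        principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));

        return true;
    }

    /**
     * Returns the private credential whose certificate is issued to
     * {@code name}, or {@code null} if there is none. When several match, the
     * last one iterated wins.
     */
    private X500PrivateCredential findPrivateCredential(X500Principal name) {
        X500PrivateCredential found = null;
        Set<X500PrivateCredential> privateCerts = subject
                .getPrivateCredentials(X500PrivateCredential.class);
        for (X500PrivateCredential pCert : privateCerts) {
            if (pCert.getCertificate().getSubjectX500Principal().equals(name))
                found = pCert;
        }
        return found;
    }

    /**
     * Returns a public {@link CertPath} credential whose first certificate
     * equals the certificate of {@code privateCert}, or {@code null} if there
     * is none. When several match, the last one iterated wins.
     */
    private CertPath findCertPath(X500PrivateCredential privateCert) {
        CertPath found = null;
        Set<CertPath> certPaths = subject.getPublicCredentials(CertPath.class);
        for (CertPath cPath : certPaths) {
            // An empty chain would otherwise fail with an
            // IndexOutOfBoundsException rather than a LoginException.
            if (cPath.getCertificates().isEmpty())
                continue;
            if (cPath.getCertificates().get(0).equals(privateCert.getCertificate()))
                found = cPath;
        }
        return found;
    }

    /**
     * Always succeeds. Principals added by {@link #commit()} are not removed
     * here; the subject is only cleaned in {@link #logout()}.
     *
     * @return {@code true}
     */
    @Override
    public boolean abort() throws LoginException {
        return true;
    }

    /**
     * Clears every principal and every public and private credential of the
     * subject, not only those added by this module.
     *
     * @return {@code true}
     */
    @Override
    public boolean logout() throws LoginException {
        // clear everything
        subject.getPrincipals().clear();
        subject.getPublicCredentials().clear();
        subject.getPrivateCredentials().clear();
        return true;
    }

}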