1 package org
.argeo
.cms
.internal
.auth
;
3 import java
.security
.Principal
;
4 import java
.security
.cert
.CertPath
;
8 import javax
.security
.auth
.Subject
;
9 import javax
.security
.auth
.callback
.CallbackHandler
;
10 import javax
.security
.auth
.login
.LoginException
;
11 import javax
.security
.auth
.spi
.LoginModule
;
12 import javax
.security
.auth
.x500
.X500Principal
;
13 import javax
.security
.auth
.x500
.X500PrivateCredential
;
15 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
16 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
17 import org
.argeo
.cms
.auth
.AuthConstants
;
19 public class KernelLoginModule
implements LoginModule
{
20 private Subject subject
;
/**
 * Stores the {@link Subject} that the other lifecycle methods inspect and mutate.
 * <p>
 * Only the {@code subject} assignment is visible in this rendering (the end of the
 * method is missing). None of the visible statements read {@code callbackHandler},
 * {@code sharedState} or {@code options}, so this module does not appear to be
 * configurable through the JAAS options map — confirm against the full source.
 *
 * @param subject         the subject being authenticated; kept for commit()/logout()
 * @param callbackHandler not read by any visible statement
 * @param sharedState     not read by any visible statement
 * @param options         not read by any visible statement
 */
23 public void initialize(Subject subject
, CallbackHandler callbackHandler
,
24 Map
<String
, ?
> sharedState
, Map
<String
, ?
> options
) {
// Keep the reference so commit() can check names/certificates and logout() can clear them.
25 this.subject
= subject
;
/**
 * Login phase.
 * <p>
 * Only the TODO comment of the body survives in this rendering; the return statement
 * is not visible. The authentication logic that can be seen in this module lives in
 * {@link #commit()} (name and certificate checks), so whatever decision this method
 * takes cannot be confirmed from this page.
 *
 * @return the login result (not visible here)
 * @throws LoginException declared; no throw is visible in the rendering
 */
29 public boolean login() throws LoginException
{
30 // TODO check permission at code level ?
/**
 * Commit phase: verifies that the subject is named as the kernel, holds a private
 * certificate for that name and a public certificate path whose leaf is that
 * certificate, then adds the Jackrabbit admin principal to the subject.
 * <p>
 * Several original lines are missing from this rendering (the assignments inside
 * both loops, the closing of the first branch, the null check guarding the
 * certificate-path exception, and the end of the method). Comments on those spots
 * are hedged accordingly.
 *
 * @return the commit result (the return statement is not visible here)
 * @throws LoginException if the subject's X500 name is not the kernel role, if no
 *                        matching private certificate is found, or if no matching
 *                        certificate path is found
 */
35 public boolean commit() throws LoginException
{
36 // Check that kernel has been logged in w/ certificate
// Per the Subject API the class-filtered getPrincipals(Class) returns a new Set,
// so principals added to the subject afterwards do not show up in 'names'.
38 Set
<X500Principal
> names
= subject
.getPrincipals(X500Principal
.class);
39 if (names
.isEmpty() || names
.size() > 1) {
// SECURITY NOTE(review): the hardened behaviour (the commented-out throw) has been
// replaced by granting ROLE_KERNEL to a subject that has no, or an ambiguous, X500
// name. Any subject that reaches this module without a proper kernel principal is
// thereby named as the kernel. Restoring the throw is the fix the TODO points at.
40 // throw new LoginException("Kernel must have been named");
41 // TODO set not hardened
42 subject
.getPrincipals().add(
43 new X500Principal(AuthConstants
.ROLE_KERNEL
));
// The line(s) closing this branch are not in the rendering. Unless they re-read the
// principal set or return early, an empty 'names' reaches iterator().next() below
// and fails with NoSuchElementException instead of a LoginException — verify.
45 X500Principal name
= names
.iterator().next();
46 if (!AuthConstants
.ROLE_KERNEL
.equals(name
.getName()))
47 throw new LoginException("Kernel must be named "
48 + AuthConstants
.ROLE_KERNEL
);
49 // Private certificate
50 Set
<X500PrivateCredential
> privateCerts
= subject
51 .getPrivateCredentials(X500PrivateCredential
.class);
52 X500PrivateCredential privateCert
= null;
// Selects the private credential whose certificate subject matches. The right-hand
// side of the comparison and the assignment to 'privateCert' are not visible in this
// rendering (presumably compared with 'name' — confirm against the full source).
53 for (X500PrivateCredential pCert
: privateCerts
) {
54 if (pCert
.getCertificate().getSubjectX500Principal()
59 if (privateCert
== null)
60 throw new LoginException(
61 "Kernel must have a private certificate");
// Public certificate path whose leaf certificate equals the private one.
63 Set
<CertPath
> certPaths
= subject
64 .getPublicCredentials(CertPath
.class);
65 CertPath certPath
= null;
66 for (CertPath cPath
: certPaths
) {
// get(0) on a CertPath with an empty certificate list throws
// IndexOutOfBoundsException rather than a LoginException; nothing visible guards
// that case. Only the leaf certificate is compared — no visible statement validates
// the remainder of the path.
67 if (cPath
.getCertificates().get(0)
68 .equals(privateCert
.getCertificate())) {
// The assignment to 'certPath', the end of the loop and the condition guarding this
// throw (presumably certPath == null) are missing from the rendering.
73 throw new LoginException("Kernel must have a certificate path");
// Per the Subject API the unfiltered getPrincipals() is backed by the subject, so
// additions below land on the subject itself.
75 Set
<Principal
> principals
= subject
.getPrincipals();
78 // Add data access roles
// Grants the Jackrabbit repository admin identity to the kernel subject; whoever
// obtains this subject therefore acts with full repository rights.
79 principals
.add(new AdminPrincipal(SecurityConstants
.ADMIN_ID
));
/**
 * Abort phase. The body is not present in this rendering, so whether it undoes the
 * principals and credentials that {@link #commit()} adds cannot be confirmed from
 * this page — verify against the full source.
 *
 * @return the abort result (not visible here)
 * @throws LoginException declared
 */
85 public boolean abort() throws LoginException
{
/**
 * Logout phase: empties the subject's principal, public-credential and
 * private-credential sets.
 * <p>
 * These are the unfiltered, subject-backed sets, so everything is removed — the kernel
 * name and the Jackrabbit admin principal added in {@link #commit()}, and anything
 * another login module may have contributed. The lines before the first clear() and
 * after the last one are not in the rendering.
 *
 * @return the logout result (not visible here)
 * @throws LoginException declared; no throw is visible in the rendering
 */
90 public boolean logout() throws LoginException
{
92 subject
.getPrincipals().clear();
93 subject
.getPublicCredentials().clear();
94 subject
.getPrivateCredentials().clear();