1 package org
.argeo
.cms
.internal
.kernel
;
3 import static org
.argeo
.cms
.internal
.kernel
.KernelUtils
.getOsgiInstanceDir
;
7 import java
.security
.KeyStore
;
8 import java
.util
.Arrays
;
10 import javax
.security
.auth
.Subject
;
12 import org
.apache
.commons
.logging
.Log
;
13 import org
.apache
.commons
.logging
.LogFactory
;
14 import org
.argeo
.cms
.CmsException
;
16 /** Low-level kernel security */
18 class NodeSecurity
implements KernelConstants
{
/** Logger of this class. */
private static final Log log = LogFactory.getLog(NodeSecurity.class);

// Security levels. setSecurityLevel() compares them numerically, so a higher
// value means a stricter level.
public static final int HARDENED = 3;
public static final int STAGING = 2;
public static final int DEV = 1;

/** Set by the constructor: true when the DIR_NODE directory did not exist yet. */
private final boolean firstInit;

// NOTE(review): no visible code assigns kernelSubject (the kernel login calls
// are commented out), so it appears to stay null - confirm.
private Subject kernelSubject;
/** Current security level; a new instance starts at STAGING. */
private int securityLevel = STAGING;

/** The node keystore file ("node.p12" in the OSGi instance directory). */
private final File keyStoreFile;
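/**
 * Points JAAS at the bundled login configuration, records whether the node
 * directory already existed and makes sure the node keystore file exists.
 *
 * @throws CmsException
 *             if the JAAS configuration resource cannot be found by the class
 *             loader
 */
public NodeSecurity() {
	// Configure JAAS first
	URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG);
	if (url == null)
		// getResource() returns null for a missing resource: fail with an
		// explicit message instead of a NullPointerException, so that a
		// node without its login configuration is easy to diagnose.
		throw new CmsException("Cannot find JAAS configuration " + KernelConstants.JAAS_CONFIG);
	// This system property is JVM-wide: it replaces any login configuration
	// that was already set through it.
	System.setProperty("java.security.auth.login.config", url.toExternalForm());

	// Must be evaluated before anything creates the node directory.
	firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists();

	this.keyStoreFile = new File(getOsgiInstanceDir(), "node.p12");
	createKeyStoreIfNeeded();
	// The kernel log in (plain or hardened) is disabled, so kernelSubject
	// is not assigned here.
}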
51 // private Subject logInKernel() {
52 // final Subject kernelSubject = new Subject();
54 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
56 // } catch (LoginException e) {
57 // throw new CmsException("Cannot log in kernel", e);
59 // return kernelSubject;
62 // private Subject logInHardenedKernel() {
63 // final Subject kernelSubject = new Subject();
64 // createKeyStoreIfNeeded();
66 // CallbackHandler cbHandler = new CallbackHandler() {
69 // public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
71 //// ((NameCallback) callbacks[1]).setName(AuthConstants.ROLE_KERNEL);
73 // ((PasswordCallback) callbacks[2]).setPassword("changeit".toCharArray());
75 // ((PasswordCallback) callbacks[3]).setPassword("changeit".toCharArray());
79 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_HARDENED_KERNEL, kernelSubject,
82 // } catch (LoginException e) {
83 // throw new CmsException("Cannot log in kernel", e);
85 // return kernelSubject;
91 // LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
93 // } catch (LoginException e) {
94 // throw new CmsException("Cannot log out kernel", e);
97 // // Security.removeProvider(SECURITY_PROVIDER);
/**
 * Returns the kernelSubject field as is.
 *
 * NOTE(review): the assignments of this field in the constructor are
 * commented out, so this looks like it currently returns null - confirm
 * before using the result for an authorisation decision.
 */
public Subject getKernelSubject() {
	return this.kernelSubject;
}
/**
 * Returns the current security level, read while holding the lock of this
 * instance. The level is STAGING until setSecurityLevel() changes it.
 */
public synchronized int getSecurityLevel() {
	return this.securityLevel;
}
108 public boolean isFirstInit() {
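/**
 * Lowers the security level of this node. The level can never be raised
 * through this method, and HARDENED is not an accepted value.
 *
 * @param newValue
 *            the requested level: STAGING or DEV, and strictly lower than
 *            the current level (the current level itself is rejected too)
 * @throws CmsException
 *             if newValue is neither STAGING nor DEV, or if it is not lower
 *             than the current level
 */
public synchronized void setSecurityLevel(int newValue) {
	// The value is invalid only when it matches neither constant. Joined
	// with ||, the two comparisons are true for every int, which made the
	// method reject all values.
	if (newValue != STAGING && newValue != DEV)
		throw new CmsException("Invalid value for security level " + newValue);
	if (newValue >= securityLevel)
		throw new CmsException(
				"Impossible to increase security level (from " + securityLevel + " to " + newValue + ")");
	// Lowering the level weakens the node: leave a trace in the log.
	// synchronized, like getSecurityLevel(), so that readers see the change.
	log.warn("Security level lowered from " + securityLevel + " to " + newValue);
	securityLevel = newValue;
}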
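/**
 * Creates the node keystore file if it does not exist yet.
 *
 * The keystore is obtained from PkiUtils and saved straight away; the
 * generation of a self-signed certificate is disabled. A failure is logged
 * and not propagated, so the node may continue without a keystore file.
 */
private void createKeyStoreIfNeeded() {
	if (keyStoreFile.exists())
		return;

	// NOTE(review): "changeit" is the widely known default keystore
	// password and it is hard-coded, so it gives the file no
	// confidentiality; protection then rests on the file-system
	// permissions of the instance directory. Take the password from the
	// deployment configuration before private keys are stored here.
	char[] ksPwd = "changeit".toCharArray();
	try {
		keyStoreFile.getParentFile().mkdirs();
		KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
		// The disabled generateSelfSignedCertificate call passed 1024,
		// presumably a key size - TODO confirm; use a longer key if it is
		// ever re-enabled.
		PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
		if (log.isDebugEnabled())
			log.debug("Created keystore " + keyStoreFile);
	} catch (Exception e) {
		// Do not leave an empty file behind: it would pass the exists()
		// test on the next start. length() is also 0 when the file was
		// never created; delete() then does nothing.
		if (keyStoreFile.length() == 0)
			keyStoreFile.delete();
		log.error("Cannot create keystore " + keyStoreFile, e);
	}
}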
144 File
getHttpServerKeyStore() {
148 // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
149 // private final static Log log;
151 // log = LogFactory.getLog(NodeSecurity.class);
152 // // Make Bouncy Castle the default provider
153 // Provider provider = new BouncyCastleProvider();
154 // int position = Security.insertProviderAt(provider, 1);
155 // if (position == -1)
156 // log.error("Provider " + provider.getName()
157 // + " already installed and could not be set as default");
158 // Provider defaultProvider = Security.getProviders()[0];
159 // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
160 // log.error("Provider name is " + defaultProvider.getName()
161 // + " but it should be " + SECURITY_PROVIDER);