1 package org
.argeo
.cms
.internal
.kernel
;
3 import static org
.argeo
.cms
.internal
.kernel
.KernelUtils
.getOsgiInstanceDir
;
6 import java
.io
.IOException
;
8 import java
.security
.KeyStore
;
9 import java
.util
.Arrays
;
11 import javax
.security
.auth
.Subject
;
12 import javax
.security
.auth
.callback
.Callback
;
13 import javax
.security
.auth
.callback
.CallbackHandler
;
14 import javax
.security
.auth
.callback
.NameCallback
;
15 import javax
.security
.auth
.callback
.PasswordCallback
;
16 import javax
.security
.auth
.callback
.UnsupportedCallbackException
;
17 import javax
.security
.auth
.login
.LoginContext
;
18 import javax
.security
.auth
.login
.LoginException
;
19 import javax
.security
.auth
.x500
.X500Principal
;
21 import org
.argeo
.cms
.CmsException
;
22 import org
.argeo
.cms
.auth
.AuthConstants
;
24 /** Low-level kernel security */
25 class NodeSecurity
implements KernelConstants
{
26 public final static int HARDENED
= 3;
27 public final static int STAGING
= 2;
28 public final static int DEV
= 1;
30 private final boolean firstInit
;
32 private final Subject kernelSubject
;
33 private int securityLevel
= STAGING
;
35 private final File keyStoreFile
;
37 public NodeSecurity() {
38 // Configure JAAS first
39 URL url
= getClass().getClassLoader().getResource(
40 KernelConstants
.JAAS_CONFIG
);
41 System
.setProperty("java.security.auth.login.config",
42 url
.toExternalForm());
43 // log.debug("JASS config: " + url.toExternalForm());
44 // disable Jetty autostart
45 // System.setProperty("org.eclipse.equinox.http.jetty.autostart",
48 firstInit
= !new File(getOsgiInstanceDir(), DIR_NODE
).exists();
50 this.keyStoreFile
= new File(KernelUtils
.getOsgiInstanceDir(),
52 this.kernelSubject
= logInKernel();
55 private Subject
logInKernel() {
56 final Subject kernelSubject
= new Subject();
57 // createKeyStoreIfNeeded();
59 CallbackHandler cbHandler
= new CallbackHandler() {
62 public void handle(Callback
[] callbacks
) throws IOException
,
63 UnsupportedCallbackException
{
65 ((NameCallback
) callbacks
[1])
66 .setName(AuthConstants
.ROLE_KERNEL
);
68 ((PasswordCallback
) callbacks
[2]).setPassword("changeit"
71 ((PasswordCallback
) callbacks
[3]).setPassword("changeit"
76 LoginContext kernelLc
= new LoginContext(
77 KernelConstants
.LOGIN_CONTEXT_KERNEL
, kernelSubject
,
80 } catch (LoginException e
) {
81 throw new CmsException("Cannot log in kernel", e
);
89 LoginContext kernelLc
= new LoginContext(
90 KernelConstants
.LOGIN_CONTEXT_KERNEL
, kernelSubject
);
92 } catch (LoginException e
) {
93 throw new CmsException("Cannot log out kernel", e
);
96 // Security.removeProvider(SECURITY_PROVIDER);
99 public Subject
getKernelSubject() {
100 return kernelSubject
;
103 public synchronized int getSecurityLevel() {
104 return securityLevel
;
107 public boolean isFirstInit() {
111 public void setSecurityLevel(int newValue
) {
112 if (newValue
!= STAGING
|| newValue
!= DEV
)
113 throw new CmsException("Invalid value for security level "
115 if (newValue
>= securityLevel
)
116 throw new CmsException(
117 "Impossible to increase security level (from "
118 + securityLevel
+ " to " + newValue
+ ")");
119 securityLevel
= newValue
;
122 private void createKeyStoreIfNeeded() {
123 char[] ksPwd
= "changeit".toCharArray();
124 char[] keyPwd
= Arrays
.copyOf(ksPwd
, ksPwd
.length
);
125 if (!keyStoreFile
.exists()) {
127 keyStoreFile
.getParentFile().mkdirs();
128 KeyStore keyStore
= PkiUtils
.getKeyStore(keyStoreFile
, ksPwd
);
129 PkiUtils
.generateSelfSignedCertificate(keyStore
,
130 new X500Principal(AuthConstants
.ROLE_KERNEL
), keyPwd
);
131 PkiUtils
.saveKeyStore(keyStoreFile
, ksPwd
, keyStore
);
132 } catch (Exception e
) {
133 throw new CmsException("Cannot create key store "
139 File
getHttpServerKeyStore() {
143 // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
144 // private final static Log log;
146 // log = LogFactory.getLog(NodeSecurity.class);
147 // // Make Bouncy Castle the default provider
148 // Provider provider = new BouncyCastleProvider();
149 // int position = Security.insertProviderAt(provider, 1);
150 // if (position == -1)
151 // log.error("Provider " + provider.getName()
152 // + " already installed and could not be set as default");
153 // Provider defaultProvider = Security.getProviders()[0];
154 // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
155 // log.error("Provider name is " + defaultProvider.getName()
156 // + " but it should be " + SECURITY_PROVIDER);