]> git.argeo.org Git - lgpl/argeo-commons.git/blobdiff - org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
projects / lgpl / argeo-commons.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix PostgreSQL Jackrabbit configs
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / NodeSecurity.java
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
index b436ac8d11e1e07262736f72d6ef0c78a0b02764..bb33daecf0602339a95596dbc8fba7e297b70a41 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
@@ -1,11 +1,11 @@
 package org.argeo.cms.internal.kernel;
 
+import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir;
+
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
 import java.security.KeyStore;
-import java.security.Provider;
-import java.security.Security;
 import java.util.Arrays;
 
 import javax.security.auth.Subject;
@@ -18,33 +18,21 @@ import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.x500.X500Principal;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.auth.AuthConstants;
-import org.argeo.security.crypto.PkiUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
-/** Authentication and user management. */
-class NodeSecurity {
-       final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
-
-       private final static Log log;
-       static {
-               log = LogFactory.getLog(NodeSecurity.class);
-               // Make Bouncy Castle the default provider
-               Provider provider = new BouncyCastleProvider();
-               int position = Security.insertProviderAt(provider, 1);
-               if (position == -1)
-                       log.error("Provider " + provider.getName()
-                                       + " already installed and could not be set as default");
-               Provider defaultProvider = Security.getProviders()[0];
-               if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
-                       log.error("Provider name is " + defaultProvider.getName()
-                                       + " but it should be " + SECURITY_PROVIDER);
-       }
+
+/** Low-level kernel security */
+class NodeSecurity implements KernelConstants {
+       public final static int HARDENED = 3;
+       public final static int STAGING = 2;
+       public final static int DEV = 1;
+
+       private final boolean firstInit;
 
        private final Subject kernelSubject;
+       private int securityLevel = STAGING;
+
+       private final File keyStoreFile;
 
        public NodeSecurity() {
                // Configure JAAS first
@@ -52,13 +40,21 @@ class NodeSecurity {
                                KernelConstants.JAAS_CONFIG);
                System.setProperty("java.security.auth.login.config",
                                url.toExternalForm());
+               // log.debug("JASS config: " + url.toExternalForm());
+               // disable Jetty autostart
+               // System.setProperty("org.eclipse.equinox.http.jetty.autostart",
+               // "false");
 
-               this.kernelSubject = logKernel();
+               firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists();
+
+               this.keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(),
+                               "node.p12");
+               this.kernelSubject = logInKernel();
        }
 
-       private Subject logKernel() {
+       private Subject logInKernel() {
                final Subject kernelSubject = new Subject();
-               createKeyStoreIfNeeded();
+               // createKeyStoreIfNeeded();
 
                CallbackHandler cbHandler = new CallbackHandler() {
 
@@ -66,7 +62,8 @@ class NodeSecurity {
                        public void handle(Callback[] callbacks) throws IOException,
                                        UnsupportedCallbackException {
                                // alias
-                               ((NameCallback) callbacks[1]).setName(AuthConstants.ROLE_KERNEL);
+                               ((NameCallback) callbacks[1])
+                                               .setName(AuthConstants.ROLE_KERNEL);
                                // store pwd
                                ((PasswordCallback) callbacks[2]).setPassword("changeit"
                                                .toCharArray());
@@ -93,21 +90,38 @@ class NodeSecurity {
                                        KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
                        kernelLc.logout();
                } catch (LoginException e) {
-                       throw new CmsException("Cannot log in kernel", e);
+                       throw new CmsException("Cannot log out kernel", e);
                }
 
-               Security.removeProvider(SECURITY_PROVIDER);
+               // Security.removeProvider(SECURITY_PROVIDER);
        }
 
        public Subject getKernelSubject() {
                return kernelSubject;
        }
 
+       public synchronized int getSecurityLevel() {
+               return securityLevel;
+       }
+
+       public boolean isFirstInit() {
+               return firstInit;
+       }
+
+       public void setSecurityLevel(int newValue) {
+               if (newValue != STAGING || newValue != DEV)
+                       throw new CmsException("Invalid value for security level "
+                                       + newValue);
+               if (newValue >= securityLevel)
+                       throw new CmsException(
+                                       "Impossible to increase security level (from "
+                                                       + securityLevel + " to " + newValue + ")");
+               securityLevel = newValue;
+       }
+
        private void createKeyStoreIfNeeded() {
                char[] ksPwd = "changeit".toCharArray();
                char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
-               File keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(),
-                               "node.p12");
                if (!keyStoreFile.exists()) {
                        try {
                                keyStoreFile.getParentFile().mkdirs();
@@ -121,4 +135,24 @@ class NodeSecurity {
                        }
                }
        }
+
+       File getHttpServerKeyStore() {
+               return keyStoreFile;
+       }
+
+       // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
+       // private final static Log log;
+       // static {
+       // log = LogFactory.getLog(NodeSecurity.class);
+       // // Make Bouncy Castle the default provider
+       // Provider provider = new BouncyCastleProvider();
+       // int position = Security.insertProviderAt(provider, 1);
+       // if (position == -1)
+       // log.error("Provider " + provider.getName()
+       // + " already installed and could not be set as default");
+       // Provider defaultProvider = Security.getProviders()[0];
+       // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
+       // log.error("Provider name is " + defaultProvider.getName()
+       // + " but it should be " + SECURITY_PROVIDER);
+       // }
 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi