X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FKernelLoginModule.java;fp=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FKernelLoginModule.java;h=00d0085d1e25f35d9f357ded07ae1bb5812caffc;hb=73b16e3ffff11633572a036f1dd426b57eba712a;hp=8983d65dc7427367e64d92049321a202350ae1ed;hpb=34596b63f0611aa77c29c6cafea752af6e5201c2;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
index 8983d65dc..00d0085d1 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java 
@@ -36,35 +36,42 @@ public class KernelLoginModule implements LoginModule {
 // Check that kernel has been logged in w/ certificate
 // Name
 Set names = subject.getPrincipals(X500Principal.class);
- if (names.isEmpty() || names.size() > 1)
- throw new LoginException("Kernel must have been named");
- X500Principal name = names.iterator().next();
- if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
- throw new LoginException("Kernel must be named named "
- + AuthConstants.ROLE_KERNEL);
- // Private certificate
- Set privateCerts = subject
- .getPrivateCredentials(X500PrivateCredential.class);
- X500PrivateCredential privateCert = null;
- for (X500PrivateCredential pCert : privateCerts) {
- if (pCert.getCertificate().getSubjectX500Principal().equals(name)) {
- privateCert = pCert;
+ if (names.isEmpty() || names.size() > 1) {
+ // throw new LoginException("Kernel must have been named");
+ // TODO set not hardened
+ subject.getPrincipals().add(
+ new X500Principal(AuthConstants.ROLE_KERNEL));
+ } else {
+ X500Principal name = names.iterator().next();
+ if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
+ throw new LoginException("Kernel must be named "
+ + AuthConstants.ROLE_KERNEL);
+ // Private certificate
+ Set privateCerts = subject
+ .getPrivateCredentials(X500PrivateCredential.class);
+ X500PrivateCredential privateCert = null;
+ for (X500PrivateCredential pCert : privateCerts) {
+ if (pCert.getCertificate().getSubjectX500Principal()
+ .equals(name)) {
+ privateCert = pCert;
+ }
 }
- }
+ if (privateCert == null)
+ throw new LoginException(
+ "Kernel must have a private certificate");
+ // Certificate path
+ Set 
certPaths = subject
+ .getPublicCredentials(CertPath.class);
+ CertPath certPath = null;
+ for (CertPath cPath : certPaths) {
+ if (cPath.getCertificates().get(0)
+ .equals(privateCert.getCertificate())) {
+ certPath = cPath;
+ }
 }
+ if (certPath == null)
+ throw new LoginException("Kernel must have a certificate path");
 }
- if (certPath == null)
- throw new LoginException("Kernel must have a certificate path"); - Set principals = subject.getPrincipals();
 // Add admin roles
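Review bot: In the new `if (names.isEmpty() || names.size() > 1)` branch a subject carrying no X500Principal is handed `new X500Principal(AuthConstants.ROLE_KERNEL)` outright, so the private-certificate and certificate-path verification in the else branch is never reached for it and the kernel role is granted without any credential; the commented-out throw and `// TODO set not hardened` are the only record of that relaxation. The `names.size() > 1` case is folded into the same branch, so a subject that already holds an ambiguous set of names is now also given the role instead of being rejected as the removed code did. At minimum keep the rejection for the ambiguous case, `if (names.size() > 1) throw new LoginException("Kernel must have exactly one name");`, and make the unnamed fallback observable, either by logging it at warning level or by gating it behind an explicit option, so that it cannot survive unnoticed into a deployment that expects the certificate check to hold. Replace the TODO with a comment that states the contract, e.g. `// Unnamed subjects are granted ROLE_KERNEL without certificate checks; acceptable only for non-hardened setups.` The enclosing method begins before the hunk.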