X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FKernelLoginModule.java;h=00d0085d1e25f35d9f357ded07ae1bb5812caffc;hb=12caa0288053858bade6e16372a0998ae4fd2820;hp=ee36d3534c8e005bfd9b2adf42db42e501680afc;hpb=50911fdcc6df5cd35e71a0a4ecddf03f98f742a2;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
index ee36d3534..00d0085d1 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
@@ -14,7 +14,7 @@ import javax.security.auth.x500.X500PrivateCredential;
 import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
-import org.argeo.cms.KernelHeader;
+import org.argeo.cms.auth.AuthConstants;
 public class KernelLoginModule implements LoginModule {
 private Subject subject;
@@ -27,7 +27,7 @@ public class KernelLoginModule implements LoginModule {
 @Override
 public boolean login() throws LoginException {
- // TODO check permission at code level
+ // TODO check permission at code level ?
 return true;
 }
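Review bot: The added comment line in the second hunk turns the TODO into an open question ("?") while `login()` in the same hunk still returns true unconditionally, so the comment no longer records why that is acceptable. I would state the rationale rather than the doubt, e.g. `// TODO check permission at code level: login() accepts unconditionally; the Subject's X.500 name and certificates are only examined later in this module`. If the decision is that no code-level check is needed here, the comment should say so explicitly so the next reader does not re-open it.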
@@ -36,35 +36,42 @@ public class KernelLoginModule implements LoginModule {
 // Check that kernel has been logged in w/ certificate
 // Name
 Set names = subject.getPrincipals(X500Principal.class);
- if (names.isEmpty() || names.size() > 1)
- throw new LoginException("Kernel must have been named");
- X500Principal name = names.iterator().next();
- if (!KernelHeader.ROLE_KERNEL.equals(name.getName()))
- throw new LoginException("Kernel must be named named "
- + KernelHeader.ROLE_KERNEL);
- // Private certificate
- Set privateCerts = subject
- .getPrivateCredentials(X500PrivateCredential.class);
- X500PrivateCredential privateCert = null;
- for (X500PrivateCredential pCert : privateCerts) {
- if (pCert.getCertificate().getSubjectX500Principal().equals(name)) {
- privateCert = pCert;
+ if (names.isEmpty() || names.size() > 1) {
+ // throw new LoginException("Kernel must have been named");
+ // TODO set not hardened
+ subject.getPrincipals().add(
+ new X500Principal(AuthConstants.ROLE_KERNEL));
+ } else {
+ X500Principal name = names.iterator().next();
+ if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
+ throw new LoginException("Kernel must be named "
+ + AuthConstants.ROLE_KERNEL);
+ // Private certificate
+ Set privateCerts = subject
+ .getPrivateCredentials(X500PrivateCredential.class);
+ X500PrivateCredential privateCert = null;
+ for (X500PrivateCredential pCert : privateCerts) {
+ if (pCert.getCertificate().getSubjectX500Principal()
+ .equals(name)) {
+ privateCert = pCert;
+ }
 }
- }
- if (privateCert == null)
- throw new LoginException("Kernel must have a private certificate");
- // Certificate path
- Set certPaths = subject.getPublicCredentials(CertPath.class);
- CertPath certPath = null;
- for (CertPath cPath : certPaths) {
- if (cPath.getCertificates().get(0)
- .equals(privateCert.getCertificate())) {
- certPath = cPath;
+ if (privateCert == null)
+ throw new LoginException(
+ "Kernel must have a private certificate");
+ // Certificate path
+ Set certPaths = subject
+ .getPublicCredentials(CertPath.class);
+ CertPath certPath = null;
+ for (CertPath cPath : certPaths) {
+ if (cPath.getCertificates().get(0)
+ .equals(privateCert.getCertificate())) {
+ certPath = cPath;
+ }
 }
+ if (certPath == null)
+ throw new LoginException("Kernel must have a certificate path");
 }
- if (certPath == null)
- throw new LoginException("Kernel must have a certificate path");
-
 Set principals = subject.getPrincipals();
 // Add admin roles