X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FKernelLoginModule.java;h=00d0085d1e25f35d9f357ded07ae1bb5812caffc;hb=972528f4de2d00690362c01d3ce843ca9cd10250;hp=f96bc88808b76e39a51331d1c622f7ca5a6ec3ad;hpb=25071ab6bcb2df1fa4057c2c04137f2d606772e7;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
index f96bc8880..00d0085d1 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/KernelLoginModule.java
@@ -14,7 +14,7 @@ import javax.security.auth.x500.X500PrivateCredential; import org.apache.jackrabbit.core.security.SecurityConstants; import org.apache.jackrabbit.core.security.principal.AdminPrincipal; -import org.argeo.cms.KernelHeader; +import org.argeo.cms.auth.AuthConstants; public class KernelLoginModule implements LoginModule { private Subject subject; 
@@ -36,35 +36,42 @@ public class KernelLoginModule implements LoginModule {
 // Check that kernel has been logged in w/ certificate
 // Name
 Set names = subject.getPrincipals(X500Principal.class);
- if (names.isEmpty() || names.size() > 1)
- throw new LoginException("Kernel must have been named");
- X500Principal name = names.iterator().next();
- if (!KernelHeader.ROLE_KERNEL.equals(name.getName()))
- throw new LoginException("Kernel must be named named "
- + KernelHeader.ROLE_KERNEL);
- // Private certificate
- Set privateCerts = subject
- .getPrivateCredentials(X500PrivateCredential.class);
- X500PrivateCredential privateCert = null;
- for (X500PrivateCredential pCert : privateCerts) {
- if (pCert.getCertificate().getSubjectX500Principal().equals(name)) {
- privateCert = pCert;
+ if (names.isEmpty() || names.size() > 1) {
+ // throw new LoginException("Kernel must have been named");
+ // TODO set not hardened
+ subject.getPrincipals().add(
+ new X500Principal(AuthConstants.ROLE_KERNEL));
+ } else {
+ X500Principal name = names.iterator().next();
+ if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
+ throw new LoginException("Kernel must be named "
+ + AuthConstants.ROLE_KERNEL);
+ // Private certificate
+ Set privateCerts = subject
+ .getPrivateCredentials(X500PrivateCredential.class);
+ X500PrivateCredential privateCert = null;
+ for (X500PrivateCredential pCert : privateCerts) {
+ if (pCert.getCertificate().getSubjectX500Principal()
+ .equals(name)) {
+ privateCert = pCert;
+ }
 }
- }
- if (privateCert == null)
- throw new LoginException("Kernel must have a private certificate");
- // Certificate path
- Set certPaths = subject.getPublicCredentials(CertPath.class);
- CertPath certPath = null;
- for (CertPath cPath : certPaths) {
- if (cPath.getCertificates().get(0)
- .equals(privateCert.getCertificate())) {
- certPath = cPath;
+ if (privateCert == null)
+ throw new LoginException(
+ "Kernel must have a private certificate");
+ // Certificate path
+ Set 
certPaths = subject + .getPublicCredentials(CertPath.class); + CertPath certPath = null; + for (CertPath cPath : certPaths) { + if (cPath.getCertificates().get(0) + .equals(privateCert.getCertificate())) { + certPath = cPath; + } } + if (certPath == null) + throw new LoginException("Kernel must have a certificate path"); } - if (certPath == null) - throw new LoginException("Kernel must have a certificate path"); - Set principals = subject.getPrincipals(); // Add admin roles