From: Mathieu Baudier
Date: Tue, 7 Nov 2017 11:13:39 +0000 (+0100)
Subject: Use no IPA JAAS as default
X-Git-Tag: argeo-commons-2.1.70~37
X-Git-Url: https://git.argeo.org/?a=commitdiff_plain;h=3152a0fe54d407b812cab4c141936227539a33b2;p=lgpl%2Fargeo-commons.git

Use no IPA JAAS as default
---

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java
index 07c10f486..10ebb603a 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java
@@ -103,25 +103,27 @@ public class CmsDeployment implements NodeDeployment {
 deployConfig = new DeployConfig(configurationAdmin, cleanState);
 httpExpected = deployConfig.getProps(KernelConstants.JETTY_FACTORY_PID, "default") != null;
 try {
+ // Configuration[] configs = configurationAdmin
+ // .listConfigurations("(service.factoryPid=" +
+ // NodeConstants.NODE_REPOS_FACTORY_PID + ")");
+ // for (Configuration config : configs) {
+ // Object cn = config.getProperties().get(NodeConstants.CN);
+ // if (log.isDebugEnabled())
+ // log.debug("Standalone repo cn: " + cn);
+ // }
 Configuration[] configs = configurationAdmin
- .listConfigurations("(service.factoryPid=" + NodeConstants.NODE_REPOS_FACTORY_PID + ")");
- for (Configuration config : configs) {
- Object cn = config.getProperties().get(NodeConstants.CN);
- log.debug("Standalone repo cn: " + cn);
- }
- configs = configurationAdmin
 .listConfigurations("(service.factoryPid=" + NodeConstants.NODE_USER_ADMIN_PID + ")");
 boolean hasDomain = false;
 for (Configuration config : configs) {
 Object realm = config.getProperties().get(UserAdminConf.realm.name());
 if (realm != null) {
- log.debug("Realm: " + realm);
+ log.debug("Found realm: " + realm);
 hasDomain = true;
 }
 }
- if (!hasDomain) {
- loadNoIpaJaasConfiguration();
+ if (hasDomain) {
+ loadIpaJaasConfiguration();
 }
 } catch (Exception e) {
 throw new CmsException("Cannot initialize config", e);
@@ -131,13 +133,12 @@ public class CmsDeployment implements NodeDeployment {
 }.open();
 }
- private void loadNoIpaJaasConfiguration() {
+ private void loadIpaJaasConfiguration() {
 if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
- String jaasConfig = KernelConstants.JAAS_CONFIG_NOIPA;
+ String jaasConfig = KernelConstants.JAAS_CONFIG_IPA;
 URL url = getClass().getClassLoader().getResource(jaasConfig);
 KernelUtils.setJaasConfiguration(url);
- if (log.isDebugEnabled())
- log.debug("Set no-IPA JAAS configuration.");
+ log.debug("Set IPA JAAS configuration.");
 }
 }
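Review bot: `configurationAdmin.listConfigurations(...)` on the line after the new comment block returns null when no configuration matches the filter (that is the OSGi ConfigurationAdmin contract), so `for (Configuration config : configs)` throws a NullPointerException on a node that has no user-admin configuration at all, which is precisely the no-realm case this commit makes the default, and the catch below turns it into `CmsException("Cannot initialize config")`. Guard it and treat the null as "no realm" so the no-IPA default applies: `if (configs != null) for (Configuration config : configs) {`. The eight `// Configuration[] configs ...` lines added at the top of the try block are commented-out code and should be deleted rather than kept; the removed lines below them already preserve that history. The enclosing block continues outside the hunk.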
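Review bot: `getClass().getClassLoader().getResource(jaasConfig)` in loadIpaJaasConfiguration returns null if the bundle does not carry the renamed resource, and that null goes straight into `KernelUtils.setJaasConfiguration(url)` followed only by a debug message, so a packaging mistake would presumably surface later as a login failure rather than at deployment; check it first with `if (url == null) throw new IllegalStateException("JAAS configuration " + jaasConfig + " not found");`. The renamed private method also has no Javadoc, and the reason the system-property check comes first is worth recording, e.g. `/** Switches JAAS to the Kerberos/SPNEGO-enabled configuration; a no-op when java.security.auth.login.config is already set, so an externally supplied JAAS configuration always wins. */`. The method is complete within the hunk.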
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/KernelConstants.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/KernelConstants.java
index 25e2f1d41..45f3354b8 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/KernelConstants.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/KernelConstants.java
@@ -18,7 +18,7 @@ public interface KernelConstants {
 // Security
 String JAAS_CONFIG = "/org/argeo/cms/internal/kernel/jaas.cfg";
- String JAAS_CONFIG_NOIPA = "/org/argeo/cms/internal/kernel/jaas-noipa.cfg";
+ String JAAS_CONFIG_IPA = "/org/argeo/cms/internal/kernel/jaas-ipa.cfg";
 // Java
 String JAAS_CONFIG_PROP = "java.security.auth.login.config";
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg
new file mode 100644
index 000000000..018c1bf9c
--- /dev/null
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg
@@ -0,0 +1,40 @@
+USER {
+ org.argeo.cms.auth.HttpSessionLoginModule sufficient;
+ org.argeo.cms.auth.SpnegoLoginModule optional;
+ com.sun.security.auth.module.Krb5LoginModule optional tryFirstPass=true;
+ org.argeo.cms.auth.UserAdminLoginModule sufficient;
+};
+
+ANONYMOUS {
+ org.argeo.cms.auth.HttpSessionLoginModule sufficient;
+ org.argeo.cms.auth.AnonymousLoginModule sufficient;
+};
+
+DATA_ADMIN {
+ org.argeo.cms.auth.DataAdminLoginModule requisite;
+};
+
+NODE {
+ com.sun.security.auth.module.Krb5LoginModule optional
+ keyTab="${osgi.instance.area}node/krb5.keytab"
+ useKeyTab=true
+ storeKey=true;
+ org.argeo.cms.auth.DataAdminLoginModule requisite;
+};
+
+KEYRING {
+ org.argeo.cms.auth.KeyringLoginModule required;
+};
+
+SINGLE_USER {
+ com.sun.security.auth.module.Krb5LoginModule optional
+ principal="${user.name}"
+ storeKey=true
+ useTicketCache=true
+ debug=true;
+ org.argeo.cms.auth.SingleUserLoginModule requisite;
+};
+
+Jackrabbit {
+ org.argeo.security.jackrabbit.SystemJackrabbitLoginModule requisite;
+};
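Review bot: `debug=true` on the Krb5LoginModule in the SINGLE_USER entry of the new jaas-ipa.cfg ships Kerberos debug tracing enabled in a packaged configuration; in that mode the module writes the principal, key-table and ticket-cache details it works with to standard output, which is noise at best and, on a shared or forwarded log, information an operator would rather not have recorded. Drop the option so the entry ends with `useTicketCache=true;`, and let whoever is diagnosing a Kerberos problem enable tracing at run time with -Dsun.security.krb5.debug=true instead. Note that this file's blob (index 018c1bf9c) is the previous jaas.cfg, so the login-module chain itself is unchanged by the commit; only the file name and the default selection moved.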
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-noipa.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-noipa.cfg
deleted file mode 100644
index e32c23f11..000000000
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-noipa.cfg
+++ /dev/null
@@ -1,29 +0,0 @@
-USER {
- org.argeo.cms.auth.HttpSessionLoginModule sufficient;
- org.argeo.cms.auth.UserAdminLoginModule sufficient;
-};
-
-ANONYMOUS {
- org.argeo.cms.auth.HttpSessionLoginModule sufficient;
- org.argeo.cms.auth.AnonymousLoginModule sufficient;
-};
-
-DATA_ADMIN {
- org.argeo.cms.auth.DataAdminLoginModule requisite;
-};
-
-NODE {
- org.argeo.cms.auth.DataAdminLoginModule requisite;
-};
-
-KEYRING {
- org.argeo.cms.auth.KeyringLoginModule required;
-};
-
-SINGLE_USER {
- org.argeo.cms.auth.SingleUserLoginModule requisite;
-};
-
-Jackrabbit {
- org.argeo.security.jackrabbit.SystemJackrabbitLoginModule requisite;
-};
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
index 018c1bf9c..e32c23f11 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
@@ -1,7 +1,5 @@
 USER {
 org.argeo.cms.auth.HttpSessionLoginModule sufficient;
- org.argeo.cms.auth.SpnegoLoginModule optional;
- com.sun.security.auth.module.Krb5LoginModule optional tryFirstPass=true;
 org.argeo.cms.auth.UserAdminLoginModule sufficient;
 };
@@ -15,10 +13,6 @@ DATA_ADMIN {
 };
 NODE {
- com.sun.security.auth.module.Krb5LoginModule optional
- keyTab="${osgi.instance.area}node/krb5.keytab"
- useKeyTab=true
- storeKey=true;
 org.argeo.cms.auth.DataAdminLoginModule requisite;
 };
@@ -27,11 +21,6 @@ KEYRING {
 };
 SINGLE_USER {
- com.sun.security.auth.module.Krb5LoginModule optional
- principal="${user.name}"
- storeKey=true
- useTicketCache=true
- debug=true;
 org.argeo.cms.auth.SingleUserLoginModule requisite;
 };
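Review bot: After the first jaas.cfg hunk the file is byte-identical to the deleted jaas-noipa.cfg (both carry blob e32c23f11) while jaas-ipa.cfg is the old jaas.cfg, so the commit is a two-file swap that git records as a rewrite plus an add and a delete; the history of the default file stops here, and nothing inside either file says which variant it is. A one-line header above the USER entry would make the default self-describing, e.g. `// Default JAAS configuration: local user admin only, no Kerberos/SPNEGO (Kerberos variant: jaas-ipa.cfg)`; the JAAS login-configuration parser accepts `//` comments. The other two jaas.cfg hunks are the same deletion of Kerberos modules from NODE and SINGLE_USER and need no separate note.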
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/ou=roles,ou=node.ldif b/org.argeo.cms/src/org/argeo/cms/internal/kernel/ou=roles,ou=node.ldif
index c50a483fd..d9c1fbf40 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/ou=roles,ou=node.ldif
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/ou=roles,ou=node.ldif
@@ -20,4 +20,8 @@ objectClass: top
 cn: userAdmin
 member: cn=admin,ou=roles,ou=node
+dn: cn=registering,ou=roles,ou=node
+objectClass: groupOfNames
+objectClass: top
+cn: registering
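Review bot: The added `cn=registering,ou=roles,ou=node` entry declares `objectClass: groupOfNames` without any `member` attribute, whereas the neighbouring userAdmin entry in the hunk carries one; in the standard schema (RFC 4519) member is mandatory for groupOfNames, so a schema-checking directory would reject this entry even if the embedded LDIF backend presumably tolerates it. If an initially empty role is intended, say so with an LDIF comment line above the `dn:`, e.g. `# role for accounts still completing registration; starts empty — TODO confirm purpose`, since the purpose cannot be read from this file. The collapsed view also does not show the blank line LDIF requires between the `member:` line of the previous entry and the new `dn:`; check that it is present in the actual file.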