org.osgi.framework.security=osgi
java.security.policy=file:../../all.policy
+argeo.node.repo.type=localfs
+
#argeo.node.useradmin.uris=ldap://uid=admin,ou=system:secret@localhost:10389/dc=example,dc=com
#argeo.node.useradmin.uris=ldap://uid=admin,ou=system:secret@localhost:10389\
#/dc=example,dc=com?userBase=ou=users&groupBase=ou=groups
#org.eclipse.equinox.http.jetty.log.stderr.threshold=info
# HTTPS
-org.osgi.service.http.port.secure=7073
+#org.osgi.service.http.port.secure=7073
#org.eclipse.equinox.http.jetty.https.enabled=true
#org.eclipse.equinox.http.jetty.ssl.keystore=../../ssl/server.jks
#org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12
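Review bot: Commenting out `org.osgi.service.http.port.secure` at L11 leaves this profile with no HTTPS listener at all, since `https.enabled` (L12) and both keystore lines (L13-L14) are already commented, so every request — including whatever login the JAAS configuration handles — now goes over the plain HTTP port in clear text. If that is deliberate for this profile it deserves a line in the file rather than a silently disabled property, e.g. `# HTTPS disabled in this profile: all traffic, including authentication, is in clear text`. Unrelated to the change but visible in the context, the commented LDAP URI at L5-L7 embeds the admin password (`uid=admin,ou=system:secret@…`); even commented out it lives in version control and should be moved to a local, untracked override.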
// Check that kernel has been logged in w/ certificate
// Name
Set<X500Principal> names = subject.getPrincipals(X500Principal.class);
- if (names.isEmpty() || names.size() > 1)
- throw new LoginException("Kernel must have been named");
- X500Principal name = names.iterator().next();
- if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
- throw new LoginException("Kernel must be named named "
- + AuthConstants.ROLE_KERNEL);
- // Private certificate
- Set<X500PrivateCredential> privateCerts = subject
- .getPrivateCredentials(X500PrivateCredential.class);
- X500PrivateCredential privateCert = null;
- for (X500PrivateCredential pCert : privateCerts) {
- if (pCert.getCertificate().getSubjectX500Principal().equals(name)) {
- privateCert = pCert;
+ if (names.isEmpty() || names.size() > 1) {
+ // throw new LoginException("Kernel must have been named");
+ // TODO set not hardened
+ subject.getPrincipals().add(
+ new X500Principal(AuthConstants.ROLE_KERNEL));
+ } else {
+ X500Principal name = names.iterator().next();
+ if (!AuthConstants.ROLE_KERNEL.equals(name.getName()))
+ throw new LoginException("Kernel must be named "
+ + AuthConstants.ROLE_KERNEL);
+ // Private certificate
+ Set<X500PrivateCredential> privateCerts = subject
+ .getPrivateCredentials(X500PrivateCredential.class);
+ X500PrivateCredential privateCert = null;
+ for (X500PrivateCredential pCert : privateCerts) {
+ if (pCert.getCertificate().getSubjectX500Principal()
+ .equals(name)) {
+ privateCert = pCert;
+ }
}
- }
- if (privateCert == null)
- throw new LoginException("Kernel must have a private certificate");
- // Certificate path
- Set<CertPath> certPaths = subject.getPublicCredentials(CertPath.class);
- CertPath certPath = null;
- for (CertPath cPath : certPaths) {
- if (cPath.getCertificates().get(0)
- .equals(privateCert.getCertificate())) {
- certPath = cPath;
+ if (privateCert == null)
+ throw new LoginException(
+ "Kernel must have a private certificate");
+ // Certificate path
+ Set<CertPath> certPaths = subject
+ .getPublicCredentials(CertPath.class);
+ CertPath certPath = null;
+ for (CertPath cPath : certPaths) {
+ if (cPath.getCertificates().get(0)
+ .equals(privateCert.getCertificate())) {
+ certPath = cPath;
+ }
}
+ if (certPath == null)
+ throw new LoginException("Kernel must have a certificate path");
}
- if (certPath == null)
- throw new LoginException("Kernel must have a certificate path");
-
Set<Principal> principals = subject.getPrincipals();
// Add admin roles
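Review bot: The rewritten condition at L31 routes both the no-name case and the more-than-one-name case into the unhardened branch, so a subject carrying two X500Principals — which the removed code at L18-L19 rejected with a LoginException — is now silently given ROLE_KERNEL at L34-L35. Only the empty case can reasonably be the "not hardened" fallback; keep the multiplicity check as a hard failure by inserting `if (names.size() > 1) throw new LoginException("Kernel must have exactly one name");` before the branch and narrowing it to `if (names.isEmpty()) {`. The fallback itself grants the kernel role with none of the certificate checks the else-branch performs and is marked only by `// TODO set not hardened`; it should at least be logged as a warning when taken and, preferably, be enabled by an explicit login-module option rather than being the default whenever no credential is present. The commented-out throw at L32 should be deleted rather than kept as a comment. The enclosing method starts and ends outside the hunk.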
private Subject logInKernel() {
final Subject kernelSubject = new Subject();
- createKeyStoreIfNeeded();
+ // createKeyStoreIfNeeded();
CallbackHandler cbHandler = new CallbackHandler() {
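Review bot: `createKeyStoreIfNeeded();` is commented out at L85 rather than removed, and the same pattern recurs at L90 (`Security.removeProvider`) and L110-L124 (the whole Bouncy Castle static initializer); commented-out code should be deleted — version control keeps the history — or, if the keystore and provider setup are meant to return behind a hardened mode, guarded by that mode instead of left as comments. Note also that the HARDENED_KERNEL entry in the JAAS configuration still points KeyStoreLoginModule at `${osgi.instance.area}/node.p12`, so with createKeyStoreIfNeeded() no longer called the hardened login will presumably fail on a fresh instance unless the keystore is provisioned some other way — worth confirming. logInKernel's body continues outside the hunk.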
throw new CmsException("Cannot log out kernel", e);
}
- Security.removeProvider(SECURITY_PROVIDER);
+ // Security.removeProvider(SECURITY_PROVIDER);
}
public Subject getKernelSubject() {
return keyStoreFile;
}
- private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
- private final static Log log;
- static {
- log = LogFactory.getLog(NodeSecurity.class);
- // Make Bouncy Castle the default provider
- Provider provider = new BouncyCastleProvider();
- int position = Security.insertProviderAt(provider, 1);
- if (position == -1)
- log.error("Provider " + provider.getName()
- + " already installed and could not be set as default");
- Provider defaultProvider = Security.getProviders()[0];
- if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
- log.error("Provider name is " + defaultProvider.getName()
- + " but it should be " + SECURITY_PROVIDER);
- }
+ // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle
+ // private final static Log log;
+ // static {
+ // log = LogFactory.getLog(NodeSecurity.class);
+ // // Make Bouncy Castle the default provider
+ // Provider provider = new BouncyCastleProvider();
+ // int position = Security.insertProviderAt(provider, 1);
+ // if (position == -1)
+ // log.error("Provider " + provider.getName()
+ // + " already installed and could not be set as default");
+ // Provider defaultProvider = Security.getProviders()[0];
+ // if (!defaultProvider.getName().equals(SECURITY_PROVIDER))
+ // log.error("Provider name is " + defaultProvider.getName()
+ // + " but it should be " + SECURITY_PROVIDER);
+ // }
}
};
KERNEL {
+ org.argeo.cms.internal.auth.KernelLoginModule requisite;
+};
+
+HARDENED_KERNEL {
com.sun.security.auth.module.UnixLoginModule requisite;
- com.sun.security.auth.module.KeyStoreLoginModule requisite keyStoreURL="${osgi.instance.area}/node.p12" keyStoreType=PKCS12 keyStoreProvider=BC;
+ com.sun.security.auth.module.KeyStoreLoginModule requisite keyStoreURL="${osgi.instance.area}/node.p12" keyStoreType=PKCS12;
org.argeo.cms.internal.auth.KernelLoginModule requisite;
};
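Review bot: The new KERNEL entry at L128 consists of KernelLoginModule alone, with no UnixLoginModule or KeyStoreLoginModule ahead of it, and in this same commit KernelLoginModule adds ROLE_KERNEL itself when the subject carries no X500Principal, so a LoginContext on KERNEL succeeds and yields the kernel role without authenticating anything. If that is the intended development default, the file should say so next to the entry, e.g. `// KERNEL: no caller authentication, development only; deployed nodes must use HARDENED_KERNEL`, and HARDENED_KERNEL should be what production configuration selects. Dropping `keyStoreProvider=BC` at L134 is consistent with the removed Bouncy Castle initializer, but it means the PKCS12 keystore must now be readable by the JDK's default provider — presumably fine for a node.p12 created by standard tooling, but worth confirming against whatever now creates it.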