]> git.argeo.org Git - lgpl/argeo-commons.git/blob - ArgeoSecurityDaoLdap.java
projects / lgpl / argeo-commons.git / blob


200ed351e93b48fc92699ab46daf5aa4874290fe
[lgpl/argeo-commons.git] / ArgeoSecurityDaoLdap.java
1 /*
2 * Copyright (C) 2010 Mathieu Baudier <mbaudier@argeo.org>
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 package org.argeo.security.ldap;
18
19 import static org.argeo.security.core.ArgeoUserDetails.createSimpleArgeoUser;
20
21 import java.security.NoSuchAlgorithmException;
22 import java.security.SecureRandom;
23 import java.util.Collections;
24 import java.util.List;
25 import java.util.Random;
26 import java.util.Set;
27 import java.util.TreeSet;
28
29 import javax.naming.Name;
30 import javax.naming.NamingException;
31 import javax.naming.directory.DirContext;
32
33 import org.argeo.ArgeoException;
34 import org.argeo.security.ArgeoUser;
35 import org.argeo.security.CurrentUserDao;
36 import org.argeo.security.SimpleArgeoUser;
37 import org.argeo.security.UserAdminDao;
38 import org.argeo.security.core.ArgeoUserDetails;
39 import org.springframework.ldap.core.ContextExecutor;
40 import org.springframework.ldap.core.ContextMapper;
41 import org.springframework.ldap.core.DirContextAdapter;
42 import org.springframework.ldap.core.DistinguishedName;
43 import org.springframework.ldap.core.LdapTemplate;
44 import org.springframework.ldap.core.support.BaseLdapPathContextSource;
45 import org.springframework.security.context.SecurityContextHolder;
46 import org.springframework.security.ldap.LdapUsernameToDnMapper;
47 import org.springframework.security.ldap.LdapUtils;
48 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
49 import org.springframework.security.providers.encoding.PasswordEncoder;
50 import org.springframework.security.userdetails.UserDetails;
51 import org.springframework.security.userdetails.UserDetailsManager;
52
53 /**
54 * Wraps a Spring LDAP user details manager, providing additional methods to
55 * manage roles.
56 */
57 public class ArgeoSecurityDaoLdap implements CurrentUserDao, UserAdminDao {
58 private String userBase;
59 private String usernameAttribute;
60 private String groupBase;
61 private String[] groupClasses;
62
63 private String groupRoleAttribute;
64 private String groupMemberAttribute;
65 private String defaultRole;
66 private String rolePrefix;
67
68 private final LdapTemplate ldapTemplate;
69 private final Random random;
70
71 private LdapUsernameToDnMapper usernameMapper;
72 private UserDetailsManager userDetailsManager;
73
74 private PasswordEncoder passwordEncoder;
75
76 /**
77 * Standard constructor, using the LDAP context source shared with Spring
78 * Security components.
79 */
80 public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) {
81 this(new LdapTemplate(contextSource), createRandom());
82 }
83
84 /**
85 * Advanced constructor allowing to reuse an LDAP template and to explicitly
86 * set the random used as seed for SSHA password generation.
87 */
88 public ArgeoSecurityDaoLdap(LdapTemplate ldapTemplate, Random random) {
89 this.ldapTemplate = ldapTemplate;
90 this.random = random;
91 }
92
93 private static Random createRandom() {
94 try {
95 return SecureRandom.getInstance("SHA1PRNG");
96 } catch (NoSuchAlgorithmException e) {
97 return new Random(System.currentTimeMillis());
98 }
99 }
100
101 public synchronized void createUser(ArgeoUser user) {
102 // normalize password
103 if (user instanceof SimpleArgeoUser) {
104 if (user.getPassword() == null || user.getPassword().equals(""))
105 ((SimpleArgeoUser) user).setPassword(encodePassword(user
106 .getUsername()));
107 else if (!user.getPassword().startsWith("{"))
108 ((SimpleArgeoUser) user).setPassword(encodePassword(user
109 .getPassword()));
110 }
111 userDetailsManager.createUser(new ArgeoUserDetails(user));
112 }
113
114 public synchronized ArgeoUser getUser(String uname) {
115 SimpleArgeoUser user = createSimpleArgeoUser(getDetails(uname));
116 user.setPassword(null);
117 return user;
118 }
119
120 public synchronized ArgeoUser getUserWithPassword(String uname) {
121 return createSimpleArgeoUser(getDetails(uname));
122 }
123
124 @SuppressWarnings("unchecked")
125 public synchronized Set<ArgeoUser> listUsers() {
126 List<String> usernames = (List<String>) ldapTemplate.listBindings(
127 new DistinguishedName(userBase), new ContextMapper() {
128 public Object mapFromContext(Object ctxArg) {
129 DirContextAdapter ctx = (DirContextAdapter) ctxArg;
130 return ctx.getStringAttribute(usernameAttribute);
131 }
132 });
133
134 TreeSet<ArgeoUser> lst = new TreeSet<ArgeoUser>();
135 for (String username : usernames) {
136 lst.add(createSimpleArgeoUser(getDetails(username)));
137 }
138 return Collections.unmodifiableSortedSet(lst);
139 }
140
141 @SuppressWarnings("unchecked")
142 public Set<String> listEditableRoles() {
143 return Collections.unmodifiableSortedSet(new TreeSet<String>(
144 ldapTemplate.listBindings(groupBase, new ContextMapper() {
145 public Object mapFromContext(Object ctxArg) {
146 String groupName = ((DirContextAdapter) ctxArg)
147 .getStringAttribute(groupRoleAttribute);
148 String roleName = convertGroupToRole(groupName);
149 return roleName;
150 }
151 })));
152 }
153
154 @SuppressWarnings("unchecked")
155 public Set<ArgeoUser> listUsersInRole(String role) {
156 return (Set<ArgeoUser>) ldapTemplate.lookup(
157 buildGroupDn(convertRoleToGroup(role)), new ContextMapper() {
158 public Object mapFromContext(Object ctxArg) {
159 DirContextAdapter ctx = (DirContextAdapter) ctxArg;
160 String[] userDns = ctx
161 .getStringAttributes(groupMemberAttribute);
162 TreeSet<ArgeoUser> set = new TreeSet<ArgeoUser>();
163 for (String userDn : userDns) {
164 DistinguishedName dn = new DistinguishedName(userDn);
165 String username = dn.getValue(usernameAttribute);
166 set.add(createSimpleArgeoUser(getDetails(username)));
167 }
168 return Collections.unmodifiableSortedSet(set);
169 }
170 });
171 }
172
173 public synchronized void updateUser(ArgeoUser user) {
174 // normalize password
175 String password = user.getPassword();
176 if (password == null)
177 password = getUserWithPassword(user.getUsername()).getPassword();
178 if (!password.startsWith("{"))
179 password = encodePassword(user.getPassword());
180 SimpleArgeoUser simpleArgeoUser = new SimpleArgeoUser(user);
181 simpleArgeoUser.setPassword(password);
182
183 ArgeoUserDetails argeoUserDetails = new ArgeoUserDetails(user);
184 userDetailsManager.updateUser(new ArgeoUserDetails(user));
185 // refresh logged in user
186 if (ArgeoUserDetails.securityContextUser().getUsername()
187 .equals(argeoUserDetails.getUsername())) {
188 SecurityContextHolder.getContext().setAuthentication(
189 new UsernamePasswordAuthenticationToken(argeoUserDetails,
190 null, argeoUserDetails.getAuthorities()));
191 }
192 }
193
194 public void updateCurrentUserPassword(String oldPassword, String newPassword) {
195 SimpleArgeoUser user = new SimpleArgeoUser(
196 ArgeoUserDetails.securityContextUser());
197 if (!passwordEncoder.isPasswordValid(user.getPassword(), oldPassword,
198 null))
199 throw new ArgeoException("Old password is not correct.");
200 user.setPassword(encodePassword(newPassword));
201 updateUser(user);
202 //userDetailsManager.changePassword(oldPassword, newPassword);
203 }
204
205 public void updateUserPassword(String username, String password) {
206 SimpleArgeoUser user = new SimpleArgeoUser(getUser(username));
207 user.setPassword(encodePassword(password));
208 updateUser(user);
209 }
210
211 protected String encodePassword(String password) {
212 byte[] salt = new byte[16];
213 random.nextBytes(salt);
214 return passwordEncoder.encodePassword(password, salt);
215 }
216
217 public synchronized void deleteUser(String username) {
218 userDetailsManager.deleteUser(username);
219 }
220
221 public synchronized Boolean userExists(String username) {
222 return userDetailsManager.userExists(username);
223 }
224
225 public void createRole(String role, final String superuserName) {
226 String group = convertRoleToGroup(role);
227 DistinguishedName superuserDn = (DistinguishedName) ldapTemplate
228 .executeReadWrite(new ContextExecutor() {
229 public Object executeWithContext(DirContext ctx)
230 throws NamingException {
231 return LdapUtils.getFullDn(
232 usernameMapper.buildDn(superuserName), ctx);
233 }
234 });
235
236 Name groupDn = buildGroupDn(group);
237 DirContextAdapter context = new DirContextAdapter();
238 context.setAttributeValues("objectClass", groupClasses);
239 context.setAttributeValue("cn", group);
240 // Add superuser because cannot create empty group
241 context.setAttributeValue(groupMemberAttribute, superuserDn.toString());
242 ldapTemplate.bind(groupDn, context, null);
243 }
244
245 public void deleteRole(String role) {
246 String group = convertRoleToGroup(role);
247 Name dn = buildGroupDn(group);
248 ldapTemplate.unbind(dn);
249 }
250
251 /** Maps a role (ROLE_XXX) to the related LDAP group (xxx) */
252 protected String convertRoleToGroup(String role) {
253 String group = role;
254 if (group.startsWith(rolePrefix)) {
255 group = group.substring(rolePrefix.length());
256 group = group.toLowerCase();
257 }
258 return group;
259 }
260
261 /** Maps anLDAP group (xxx) to the related role (ROLE_XXX) */
262 protected String convertGroupToRole(String groupName) {
263 groupName = groupName.toUpperCase();
264
265 return rolePrefix + groupName;
266 }
267
268 protected Name buildGroupDn(String name) {
269 return new DistinguishedName(groupRoleAttribute + "=" + name + ","
270 + groupBase);
271 }
272
273 public void setUserDetailsManager(UserDetailsManager userDetailsManager) {
274 this.userDetailsManager = userDetailsManager;
275 }
276
277 public void setUserBase(String userBase) {
278 this.userBase = userBase;
279 }
280
281 public void setUsernameAttribute(String usernameAttribute) {
282 this.usernameAttribute = usernameAttribute;
283 }
284
285 protected UserDetails getDetails(String username) {
286 return userDetailsManager.loadUserByUsername(username);
287 }
288
289 public void setGroupBase(String groupBase) {
290 this.groupBase = groupBase;
291 }
292
293 public void setGroupRoleAttribute(String groupRoleAttributeName) {
294 this.groupRoleAttribute = groupRoleAttributeName;
295 }
296
297 public void setGroupMemberAttribute(String groupMemberAttributeName) {
298 this.groupMemberAttribute = groupMemberAttributeName;
299 }
300
301 public void setDefaultRole(String defaultRole) {
302 this.defaultRole = defaultRole;
303 }
304
305 public void setRolePrefix(String rolePrefix) {
306 this.rolePrefix = rolePrefix;
307 }
308
309 public void setUsernameMapper(LdapUsernameToDnMapper usernameMapper) {
310 this.usernameMapper = usernameMapper;
311 }
312
313 public String getDefaultRole() {
314 return defaultRole;
315 }
316
317 public void setGroupClasses(String[] groupClasses) {
318 this.groupClasses = groupClasses;
319 }
320
321 public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
322 this.passwordEncoder = passwordEncoder;
323 }
324
325 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi