1 package org.argeo.cms.auth;
2
import java.security.Principal;
import java.util.Objects;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

//import org.apache.jackrabbit.core.security.AnonymousPrincipal;
//import org.apache.jackrabbit.core.security.SecurityConstants;
//import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.argeo.cms.CmsException;
import org.argeo.cms.internal.auth.ImpliedByPrincipal;
import org.argeo.node.security.AnonymousPrincipal;
import org.argeo.node.security.DataAdminPrincipal;
import org.argeo.node.security.NodeSecurityUtils;
import org.osgi.service.useradmin.Authorization;
20
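/**
 * Helpers shared by the CMS login modules: populate a JAAS {@link Subject} from an
 * OSGi {@link Authorization}, and undo that population again on logout. Not
 * instantiable.
 */
final class CmsAuthUtils {
	/** From org.osgi.service.http.HttpContext */
	static final String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization";
	/** From com.sun.security.auth.module.*LoginModule */
	static final String SHARED_STATE_NAME = "javax.security.auth.login.name";
	/** From com.sun.security.auth.module.*LoginModule */
	static final String SHARED_STATE_PWD = "javax.security.auth.login.password";

	/**
	 * Populates {@code subject} from {@code authorization}: the authorization is
	 * kept as a private credential, the user principal is added (an
	 * {@link AnonymousPrincipal} when the authorization carries no name, an
	 * {@link X500Principal} otherwise), and each role of the authorization becomes
	 * an {@link ImpliedByPrincipal}; the admin role additionally adds a
	 * {@link DataAdminPrincipal}. Every name is validated through
	 * {@link NodeSecurityUtils} before a principal is created from it.
	 * <p>
	 * If this method throws, the subject may already hold the credential and the
	 * user principal; {@link #cleanUp(Subject)} removes them again.
	 *
	 * @param subject       the subject being logged in; must not carry an
	 *                      authentication principal yet
	 * @param authorization the authorization obtained from the user admin
	 * @throws NullPointerException  if either argument is {@code null}
	 * @throws IllegalStateException if {@code subject} is already authenticated
	 * @throws CmsException          if the user name or a role is not a valid LDAP
	 *                               name
	 */
	static void addAuthentication(Subject subject, Authorization authorization) {
		Objects.requireNonNull(subject, "subject");
		Objects.requireNonNull(authorization, "authorization");
		// refuse to stack a second identity on top of an existing one
		checkSubjectEmpty(subject);

		// required for display name:
		subject.getPrivateCredentials().add(authorization);

		Set<Principal> principals = subject.getPrincipals();
		try {
			String authName = authorization.getName();

			// determine user's principal
			final LdapName name;
			final Principal userPrincipal;
			if (authName == null) {
				name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
				userPrincipal = new AnonymousPrincipal();
				principals.add(userPrincipal);
			} else {
				name = new LdapName(authName);
				NodeSecurityUtils.checkUserName(name);
				userPrincipal = new X500Principal(name.toString());
				principals.add(userPrincipal);
				principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
			}

			// Add roles provided by authorization.
			// Authorization#getRoles() returns null, not an empty array, when no role
			// is implied (OSGi User Admin contract), so guard before iterating.
			String[] roles = authorization.getRoles();
			if (roles != null) {
				for (String role : roles) {
					LdapName roleName = new LdapName(role);
					// the user's own name is listed among the roles; it is not an implied role
					if (roleName.equals(name))
						continue;
					NodeSecurityUtils.checkImpliedPrincipalName(roleName);
					principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
					if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME))
						principals.add(new DataAdminPrincipal());
				}
			}
		} catch (InvalidNameException e) {
			throw new CmsException("Cannot commit", e);
		}
	}

	/**
	 * Rejects a subject that already carries any principal this class adds, so
	 * that a second login cannot accumulate the privileges of a first one.
	 *
	 * @throws IllegalStateException if the subject already holds an anonymous,
	 *                               user, data admin or implied principal
	 */
	private static void checkSubjectEmpty(Subject subject) {
		if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
			throw new IllegalStateException("Already logged in as anonymous: " + subject);
		if (!subject.getPrincipals(X500Principal.class).isEmpty())
			throw new IllegalStateException("Already logged in as user: " + subject);
		if (!subject.getPrincipals(DataAdminPrincipal.class).isEmpty())
			throw new IllegalStateException("Already logged in as data admin: " + subject);
		if (!subject.getPrincipals(ImpliedByPrincipal.class).isEmpty())
			throw new IllegalStateException("Already authorized: " + subject);
	}

	/**
	 * Removes everything {@link #addAuthentication(Subject, Authorization)} may
	 * have added, so that the subject passes the emptiness check again and can be
	 * reused for a new login. Principals and credentials of other types are left
	 * untouched.
	 *
	 * @param subject the subject being logged out
	 */
	static void cleanUp(Subject subject) {
		Set<Principal> principals = subject.getPrincipals();
		principals.removeAll(subject.getPrincipals(X500Principal.class));
		principals.removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
		// checkSubjectEmpty also rejects these two: without removing them, a subject
		// logged in as anonymous or data admin could never log in again
		principals.removeAll(subject.getPrincipals(AnonymousPrincipal.class));
		principals.removeAll(subject.getPrincipals(DataAdminPrincipal.class));
		// drop the stale authorization, otherwise the next login stores a second one
		// next to it and the display name may be read from the wrong entry
		subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(Authorization.class));
	}

	/** Static helpers only. */
	private CmsAuthUtils() {
	}
}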