2 * Copyright (C) 2007-2012 Argeo GmbH
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org
.argeo
.security
.jackrabbit
;
18 import java
.security
.Principal
;
19 import java
.security
.acl
.Group
;
20 import java
.util
.LinkedHashSet
;
24 import javax
.jcr
.Credentials
;
25 import javax
.jcr
.RepositoryException
;
26 import javax
.jcr
.Session
;
27 import javax
.security
.auth
.callback
.CallbackHandler
;
28 import javax
.security
.auth
.login
.LoginException
;
30 import org
.apache
.jackrabbit
.core
.security
.AnonymousPrincipal
;
31 import org
.apache
.jackrabbit
.core
.security
.authentication
.AbstractLoginModule
;
32 import org
.apache
.jackrabbit
.core
.security
.authentication
.Authentication
;
33 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
34 import org
.argeo
.security
.SystemAuthentication
;
35 import org
.springframework
.security
.authentication
.AnonymousAuthenticationToken
;
36 import org
.springframework
.security
.core
.GrantedAuthority
;
37 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
39 /** Jackrabbit login mechanism based on Spring Security */
40 public class ArgeoLoginModule
extends AbstractLoginModule
{
// Name of the Spring authority that getPrincipals() maps to Jackrabbit's
// AdminPrincipal: any authenticated user carrying this authority is handed
// the repository-administrator principal by this module, so its value (and
// who is granted it on the Spring side) decides who gets unrestricted
// repository access.
private String adminRole = "ROLE_ADMIN";
/**
 * Returns the Spring {@link org.springframework.security.core.Authentication}
 * bound to the current thread as the JCR principal.
 * <p>
 * The {@code credentials} argument is not consulted at all: the identity of
 * the JCR session comes exclusively from {@link SecurityContextHolder}, so
 * the caller is trusted to have populated the thread's security context with
 * the user actually being logged in. If no authentication is bound to the
 * thread, {@code null} is returned and the outcome is left to the super
 * class's handling of a missing principal (presumably a failed login;
 * confirm against {@link AbstractLoginModule}).
 *
 * @param credentials the JCR credentials passed to the login; ignored
 * @return the thread-bound Spring authentication, or {@code null} if none
 */
protected Principal getPrincipal(Credentials credentials) {
    // Spring's Authentication extends java.security.Principal, which is why
    // it can be handed to Jackrabbit without any wrapping.
    final Principal threadBoundAuthentication = SecurityContextHolder
            .getContext().getAuthentication();
    return threadBoundAuthentication;
}
/**
 * Builds the set of JCR principals for the Spring
 * {@link org.springframework.security.core.Authentication} held in
 * {@code principal}. The authentication itself is always the first
 * principal; what is added after it determines the rights Jackrabbit will
 * grant to the session:
 * <ul>
 * <li>a {@link SystemAuthentication} is mapped to Jackrabbit's
 * {@link AdminPrincipal};</li>
 * <li>an {@link AnonymousAuthenticationToken} is mapped to
 * {@link AnonymousPrincipal};</li>
 * <li>every {@link GrantedAuthority} that is itself a {@link Principal} is
 * added as-is, and an authority whose name equals {@code adminRole}
 * additionally yields an {@link AdminPrincipal}.</li>
 * </ul>
 * Since Jackrabbit treats {@link AdminPrincipal} as the repository
 * administrator, the {@code adminRole} value and the authorities granted on
 * the Spring side directly decide who obtains unrestricted repository
 * access through this module.
 *
 * @return the principals, in insertion order
 */
protected Set<Principal> getPrincipals() {
    // use linked HashSet instead of HashSet in order to maintain the order
    // of principals (as in the Subject).
    // NOTE(review): the cast assumes 'principal' was populated from
    // getPrincipal(), i.e. from SecurityContextHolder — confirm that the
    // super class never sets it from another source.
    org.springframework.security.core.Authentication authen =
            (org.springframework.security.core.Authentication) principal;

    Set<Principal> principals = new LinkedHashSet<Principal>();
    // The Spring authentication is itself a Principal; its getName() is the
    // name Jackrabbit will see for this session.
    principals.add(authen);

    if (authen instanceof SystemAuthentication) {
        // system-level callers run as repository administrator
        principals.add(new AdminPrincipal(authen.getName()));
        // principals.add(new ArgeoSystemPrincipal(authen.getName()));
    } else if (authen instanceof AnonymousAuthenticationToken) {
        principals.add(new AnonymousPrincipal());
    // NOTE(review): one line of the original between the anonymous branch
    // and this loop is not reproduced in this listing; confirm whether the
    // loop is an else-branch or runs for every authentication before
    // relying on this reading.
    for (GrantedAuthority ga : authen.getAuthorities()) {
        // authorities that are Principals are passed to Jackrabbit unchanged
        if (ga instanceof Principal)
            principals.add((Principal) ga);
        // FIXME: make it more generic
        // plain string comparison of the authority name against adminRole
        // is what promotes a regular user to repository administrator
        if (adminRole.equals(ga.getAuthority()))
            principals.add(new AdminPrincipal(authen.getName()));
    // remove previous credentials
    // Set<SimpleCredentials> thisCredentials = subject
    // .getPublicCredentials(SimpleCredentials.class);
    // if (thisCredentials != null)
    // thisCredentials.clear();
    // NOTE(review): the method's return of 'principals' and its closing
    // braces are not reproduced in this listing — confirm against the full
    // source.
 * Super implementation removes all {@link Principal}s, the Spring
 * {@link org.springframework.security.Authentication} included. The override
 * below, currently commented out, would instead clear only the Jackrabbit
 * related {@link Principal}s.
90 // public boolean logout() throws LoginException {
91 // Set<Principal> principals = subject.getPrincipals();
92 // for (Principal principal : subject.getPrincipals()) {
93 // if ((principal instanceof AdminPrincipal)
94 // || (principal instanceof ArgeoSystemPrincipal)
95 // || (principal instanceof AnonymousPrincipal)
96 // || (principal instanceof GrantedAuthority)) {
97 // principals.remove(principal);
100 // // clearPrincipals(AdminPrincipal.class);
101 // // clearPrincipals(ArgeoSystemPrincipal.class);
102 // // clearPrincipals(AnonymousPrincipal.class);
103 // // clearPrincipals(GrantedAuthority.class);
107 // private <T extends Principal> void clearPrincipals(Class<T> clss) {
108 // Set<T> principals = subject.getPrincipals(clss);
109 // if (principals != null)
110 // principals.clear();
/**
 * Initialisation hook invoked by {@link AbstractLoginModule}.
 *
 * @param callbackHandler the callback handler passed to this module
 * @param session the session passed to this module
 * @param options the login-module option map; declared as a raw type,
 *        hence the rawtypes suppression
 * @throws LoginException if initialisation fails
 */
@SuppressWarnings("rawtypes")
protected void doInit(CallbackHandler callbackHandler, Session session,
        Map options) throws LoginException {
/**
 * Impersonation is not implemented by this module: a JCR session's identity
 * is taken from the thread-bound Spring security context in
 * {@link #getPrincipal(Credentials)}, and no way of acting on behalf of
 * another principal exists yet, so every call fails.
 *
 * @param principal ignored
 * @param credentials ignored
 * @return never returns normally
 * @throws UnsupportedOperationException always
 * @throws RepositoryException declared but never thrown here
 * @throws LoginException declared but never thrown here
 */
protected boolean impersonate(Principal principal, Credentials credentials)
        throws RepositoryException, LoginException {
    final String reason = "Impersonation is not yet supported";
    throw new UnsupportedOperationException(reason);
}
127 protected Authentication
getAuthentication(final Principal principal
,
128 Credentials creds
) throws RepositoryException
{
129 if (principal
instanceof Group
) {
132 return new Authentication() {
133 public boolean canHandle(Credentials credentials
) {
134 return principal
instanceof org
.springframework
.security
.core
.Authentication
;
137 public boolean authenticate(Credentials credentials
)
138 throws RepositoryException
{
139 return ((org
.springframework
.security
.core
.Authentication
) principal
)