Fix issue with session authentication in web.
1 package org.argeo.cms.internal.auth;
2
3 import java.security.Principal;
4 import java.security.cert.CertPath;
5 import java.util.Map;
6 import java.util.Set;
7
8 import javax.security.auth.Subject;
9 import javax.security.auth.callback.CallbackHandler;
10 import javax.security.auth.login.LoginException;
11 import javax.security.auth.spi.LoginModule;
12 import javax.security.auth.x500.X500Principal;
13 import javax.security.auth.x500.X500PrivateCredential;
14
15 import org.apache.jackrabbit.core.security.SecurityConstants;
16 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
17 import org.argeo.cms.KernelHeader;
18
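/**
 * JAAS {@link LoginModule} for the kernel's own login.
 *
 * <p>
 * {@link #login()} performs no authentication itself: the decision is taken in
 * {@link #commit()}, which only checks that the {@link Subject} handed to
 * {@link #initialize} already carries a consistent set of kernel credentials
 * (exactly one {@link X500Principal} named {@code KernelHeader.ROLE_KERNEL}, a
 * {@link X500PrivateCredential} whose certificate subject is that name, and a
 * {@link CertPath} whose first certificate is that credential's certificate)
 * before it grants the Jackrabbit admin principal. Only the leaf certificate
 * is compared here; the certificate path is not validated by this module (no
 * {@code CertPathValidator} call), so callers must ensure it was validated
 * wherever the credentials were put on the subject.
 *
 * <p>
 * Not thread-safe: as usual for JAAS modules, one instance serves one login
 * attempt.
 */
public class KernelLoginModule implements LoginModule {
	/** Subject being authenticated; set in {@link #initialize}. */
	private Subject subject;

	/**
	 * Keeps a reference to the subject to populate. The callback handler,
	 * shared state and options are not used.
	 */
	@Override
	public void initialize(Subject subject, CallbackHandler callbackHandler,
			Map<String, ?> sharedState, Map<String, ?> options) {
		this.subject = subject;
	}

	/**
	 * Always succeeds; the actual checks are deferred to {@link #commit()}.
	 *
	 * @return {@code true}
	 */
	@Override
	public boolean login() throws LoginException {
		// TODO check permission at code level ?
		return true;
	}

	/**
	 * Verifies that the subject has been logged in with the kernel certificate
	 * (name, private credential and certificate path must all agree) and then
	 * adds the Jackrabbit admin principal.
	 *
	 * @return {@code true}
	 * @throws LoginException
	 *             if the kernel name, private certificate or certificate path
	 *             is missing or inconsistent
	 * @throws IllegalStateException
	 *             if the subject is read-only (principals cannot be added)
	 */
	@Override
	public boolean commit() throws LoginException {
		// Check that kernel has been logged in w/ certificate
		X500Principal name = requireKernelName();
		X500PrivateCredential privateCert = requirePrivateCertificate(name);
		requireCertPath(privateCert);

		Set<Principal> principals = subject.getPrincipals();
		// Add admin roles

		// Add data access roles
		principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));

		return true;
	}

	/**
	 * Returns the subject's single {@link X500Principal}, which must carry the
	 * kernel role name.
	 *
	 * @throws LoginException
	 *             if there is not exactly one X.500 principal, or its name is
	 *             not {@code KernelHeader.ROLE_KERNEL}
	 */
	private X500Principal requireKernelName() throws LoginException {
		Set<X500Principal> names = subject.getPrincipals(X500Principal.class);
		// exactly one name: none or several would make the identity ambiguous
		if (names.size() != 1)
			throw new LoginException("Kernel must have been named");
		X500Principal name = names.iterator().next();
		if (!KernelHeader.ROLE_KERNEL.equals(name.getName()))
			throw new LoginException("Kernel must be named "
					+ KernelHeader.ROLE_KERNEL);
		return name;
	}

	/**
	 * Returns a private credential whose certificate subject is {@code name}.
	 * If several match, the last one iterated is returned.
	 *
	 * @throws LoginException
	 *             if no private credential matches
	 */
	private X500PrivateCredential requirePrivateCertificate(X500Principal name)
			throws LoginException {
		Set<X500PrivateCredential> privateCerts = subject
				.getPrivateCredentials(X500PrivateCredential.class);
		X500PrivateCredential privateCert = null;
		for (X500PrivateCredential pCert : privateCerts) {
			if (pCert.getCertificate().getSubjectX500Principal().equals(name))
				privateCert = pCert;
		}
		if (privateCert == null)
			throw new LoginException("Kernel must have a private certificate");
		return privateCert;
	}

	/**
	 * Returns a public {@link CertPath} credential whose first certificate is
	 * the one of {@code privateCert}. Empty paths are skipped rather than
	 * failing with an {@link IndexOutOfBoundsException}. If several match, the
	 * last one iterated is returned.
	 *
	 * @throws LoginException
	 *             if no certificate path matches
	 */
	private CertPath requireCertPath(X500PrivateCredential privateCert)
			throws LoginException {
		Set<CertPath> certPaths = subject.getPublicCredentials(CertPath.class);
		CertPath certPath = null;
		for (CertPath cPath : certPaths) {
			// an empty path cannot start with the kernel certificate
			if (!cPath.getCertificates().isEmpty()
					&& cPath.getCertificates().get(0)
							.equals(privateCert.getCertificate()))
				certPath = cPath;
		}
		if (certPath == null)
			throw new LoginException("Kernel must have a certificate path");
		return certPath;
	}

	/**
	 * Nothing to undo: {@link #login()} changes no state.
	 *
	 * @return {@code true}
	 */
	@Override
	public boolean abort() throws LoginException {
		return true;
	}

	/**
	 * Removes all principals and all public and private credentials from the
	 * subject.
	 *
	 * @return {@code true}
	 * @throws IllegalStateException
	 *             if the subject is read-only
	 */
	@Override
	public boolean logout() throws LoginException {
		// clear everything
		subject.getPrincipals().clear();
		subject.getPublicCredentials().clear();
		subject.getPrivateCredentials().clear();
		return true;
	}

}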