2 * Copyright (C) 2007-2012 Argeo GmbH
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org
.argeo
.security
.jcr
;
18 import javax
.jcr
.Node
;
19 import javax
.jcr
.Repository
;
20 import javax
.jcr
.RepositoryException
;
21 import javax
.jcr
.Session
;
23 import org
.argeo
.ArgeoException
;
24 import org
.argeo
.jcr
.JcrUtils
;
25 import org
.argeo
.security
.OsAuthenticationToken
;
26 import org
.argeo
.security
.SecurityUtils
;
27 import org
.argeo
.security
.core
.OsAuthenticationProvider
;
28 import org
.springframework
.security
.Authentication
;
29 import org
.springframework
.security
.AuthenticationException
;
30 import org
.springframework
.security
.BadCredentialsException
;
31 import org
.springframework
.security
.GrantedAuthority
;
32 import org
.springframework
.security
.providers
.UsernamePasswordAuthenticationToken
;
33 import org
.springframework
.security
.userdetails
.UserDetails
;
/** Relies on the OS to authenticate and additionally sets up JCR. */
36 public class OsJcrAuthenticationProvider
extends OsAuthenticationProvider
{
/** JCR repository this provider logs into; injected through {@link #setRepository(Repository)}. */
private Repository repository;
/**
 * Long-lived session obtained from {@code repository.login()} and released by
 * {@link #destroy()}. It is a single instance field, so every authentication
 * request handled by this provider works on the same session.
 */
private Session nodeSession;
/**
 * Details built from the JCR user profile during an OS-token authentication
 * and attached unchanged to later username/password tokens. Within the
 * visible part of this class it is assigned only in
 * {@link #authenticate(Authentication)}, so it stays {@code null} until an
 * OS-token authentication has succeeded.
 */
private UserDetails userDetails;
/** Strategy used to mirror the OS user into JCR; defaults to the simple model. */
private JcrSecurityModel jcrSecurityModel = new SimpleJcrSecurityModel();
/**
 * Name of the OS user running this JVM, read once from the {@code user.name}
 * system property at class load. It is the only principal accepted on the
 * username/password path of {@link #authenticate(Authentication)}.
 */
private final static String JVM_OSUSER = System.getProperty("user.name");
47 nodeSession
= repository
.login();
48 } catch (RepositoryException e
) {
49 throw new ArgeoException("Cannot initialize", e
);
/**
 * Releases the shared JCR session held in {@link #nodeSession}.
 * Delegates to the quiet JcrUtils helper, so no exception escapes from here.
 */
public void destroy() {
    Session sessionToRelease = nodeSession;
    JcrUtils.logoutQuietly(sessionToRelease);
}
/**
 * Authenticates either an OS token (delegated to the superclass, then
 * synchronised into JCR) or a username/password token (remote access to this
 * internal server).
 * <p>
 * On the username/password path only the principal is compared with
 * {@link #JVM_OSUSER}; the supplied credentials are never verified by this
 * method, as the FIXME below acknowledges, so any caller reaching this
 * provider with the OS user name obtains the base authorities. The details
 * attached on that path are whatever {@link #userDetails} holds from an earlier
 * OS-token authentication, which may still be {@code null}.
 *
 * @param authentication the token to authenticate
 * @return an authenticated token of the same kind, carrying the base
 *         authorities and the JCR-backed user details
 * @throws BadCredentialsException if a username/password principal is not the
 *         JVM OS user
 * @throws ArgeoException if the JCR synchronisation fails or the token type is
 *         neither of the two handled here (no {@code null} is returned for
 *         unsupported types)
 */
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    if (authentication instanceof UsernamePasswordAuthenticationToken) {
        // deal with remote access to internal server
        // FIXME very primitive and unsecure at this stage
        // consider using the keyring for username / password authentication
        UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication;
        // Only the principal is checked. NOTE(review): getPrincipal() is
        // dereferenced without a null check, so a token with a null
        // principal fails with a NullPointerException rather than
        // BadCredentialsException.
        if (!upat.getPrincipal().toString().equals(JVM_OSUSER))
            throw new BadCredentialsException("Wrong credentials");
        // The unverified credentials are copied as-is into the new,
        // authenticated token.
        UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(),
                authentication.getCredentials(), getBaseAuthorities());
        // Reuses the details stored by a previous OS-token authentication;
        // null if none has happened yet.
        authen.setDetails(userDetails);
        // NOTE(review): the return statement is not visible in the
        // fragmentary source and was reconstructed — confirm.
        return authen;
    } else if (authentication instanceof OsAuthenticationToken) {
        OsAuthenticationToken authen = (OsAuthenticationToken) super
                .authenticate(authentication);
        try {
            // WARNING: at this stage we assume that the java properties
            // will have the same value
            GrantedAuthority[] authorities = getBaseAuthorities();
            // The JCR profile is synchronised for JVM_OSUSER, not for the
            // principal carried by the token.
            String username = JVM_OSUSER;
            // NOTE(review): nodeSession is the shared long-lived session;
            // presumably still null if initialisation did not run — confirm.
            Node userProfile = jcrSecurityModel.sync(nodeSession, username,
                    SecurityUtils.authoritiesToStringList(authorities));
            JcrUserDetails.checkAccountStatus(userProfile);

            // Stored in an instance field so that the username/password path
            // above can attach the same details; presumably this provider is
            // a shared singleton, in which case concurrent calls overwrite it.
            userDetails = new JcrUserDetails(userProfile, authen
                    .getCredentials().toString(), authorities);
            authen.setDetails(userDetails);
            // NOTE(review): return statement reconstructed from the
            // fragmentary source — confirm.
            return authen;
        } catch (RepositoryException e) {
            // Discard the pending state of the shared session via the quiet
            // JcrUtils helper before wrapping the failure.
            JcrUtils.discardQuietly(nodeSession);
            throw new ArgeoException(
                    "Unexpected exception when synchronizing OS and JCR security ",
                    e);
        }
    } else {
        throw new ArgeoException("Unsupported authentication "
                + authentication.getClass());
    }
}
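/**
 * Injects the JCR repository this provider logs into.
 *
 * @param repository the repository; must not be {@code null}
 * @throws IllegalArgumentException if {@code repository} is {@code null}, so a
 *         mis-wired bean fails at configuration time instead of with a
 *         NullPointerException on the first use of the repository
 */
public void setRepository(Repository repository) {
    if (repository == null) {
        throw new IllegalArgumentException("repository must not be null");
    }
    this.repository = repository;
}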
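/**
 * Replaces the default {@code SimpleJcrSecurityModel} used to mirror the OS
 * user into JCR.
 *
 * @param jcrSecurityModel the model to use; must not be {@code null}
 * @throws IllegalArgumentException if {@code jcrSecurityModel} is
 *         {@code null}, which would otherwise silently discard the default
 *         and break the OS-token path of {@link #authenticate(Authentication)}
 */
public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
    if (jcrSecurityModel == null) {
        throw new IllegalArgumentException("jcrSecurityModel must not be null");
    }
    this.jcrSecurityModel = jcrSecurityModel;
}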
/**
 * Reports whether this provider handles the given token class: OS tokens and
 * username/password tokens (including subclasses of either).
 *
 * @param authentication the token class offered by the authentication manager
 * @return {@code true} for the two supported token families
 */
@SuppressWarnings("rawtypes")
public boolean supports(Class authentication) {
    // raw Class is imposed by the provider interface being implemented
    if (OsAuthenticationToken.class.isAssignableFrom(authentication)) {
        return true;
    }
    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}