2 * Copyright (C) 2007-2012 Argeo GmbH
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org
.argeo
.security
.jackrabbit
;
18 import java
.security
.Principal
;
19 import java
.security
.acl
.Group
;
20 import java
.util
.LinkedHashSet
;
24 import javax
.jcr
.Credentials
;
25 import javax
.jcr
.RepositoryException
;
26 import javax
.jcr
.Session
;
27 import javax
.security
.auth
.callback
.CallbackHandler
;
28 import javax
.security
.auth
.login
.LoginException
;
30 import org
.apache
.jackrabbit
.core
.security
.AnonymousPrincipal
;
31 import org
.apache
.jackrabbit
.core
.security
.authentication
.AbstractLoginModule
;
32 import org
.apache
.jackrabbit
.core
.security
.authentication
.Authentication
;
33 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
34 import org
.springframework
.security
.authentication
.AnonymousAuthenticationToken
;
35 import org
.springframework
.security
.core
.GrantedAuthority
;
36 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
/**
 * Jackrabbit login module that takes the JCR identity from the Spring Security
 * context bound to the current thread instead of verifying the supplied
 * {@link Credentials}; Spring granted authorities are mapped to Jackrabbit
 * principals (including {@link AdminPrincipal} for the configured admin and
 * system roles).
 */
39 public class ArgeoLoginModule
extends AbstractLoginModule
{
/**
 * Spring Security authority whose holders are given Jackrabbit's
 * {@link AdminPrincipal}, i.e. full repository administration rights.
 */
private String adminRole = "ROLE_ADMIN";
/**
 * Second authority that is likewise mapped to {@link AdminPrincipal}; judging
 * by its name it is meant for internal/system accounts — confirm with callers.
 */
private String systemRole = "ROLE_SYSTEM";
/**
 * Returns the Spring Security
 * {@link org.springframework.security.core.Authentication} bound to the
 * current thread as the JCR principal (Spring's {@code Authentication}
 * extends {@link Principal}).
 * <p>
 * Security note: the supplied {@code credentials} are ignored entirely.
 * Whoever is authenticated in the thread's {@code SecurityContext} becomes the
 * JCR user, so this module must only be reachable from code paths where Spring
 * Security has already authenticated the caller.
 *
 * @param credentials ignored
 * @return the thread-bound Spring authentication; may be {@code null} when the
 *         context holds none
 */
protected Principal getPrincipal(Credentials credentials) {
    org.springframework.security.core.context.SecurityContext context = SecurityContextHolder
            .getContext();
    return context.getAuthentication();
}
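/**
 * Builds the set of {@link Principal}s that Jackrabbit adds to the JAAS
 * {@code Subject} for the current user.
 * <p>
 * The set is derived entirely from the Spring Security
 * {@link org.springframework.security.core.Authentication} stored in
 * {@code principal} by the base class (see {@link #getPrincipal(Credentials)});
 * nothing is read from the credentials. In insertion order it holds:
 * <ol>
 * <li>the Spring {@code Authentication} itself (it implements
 * {@link Principal});</li>
 * <li>for an {@link AnonymousAuthenticationToken}, Jackrabbit's
 * {@link AnonymousPrincipal} and nothing else;</li>
 * <li>otherwise every {@link GrantedAuthority} that also implements
 * {@link Principal}, plus an {@link AdminPrincipal} whenever one of the
 * authorities equals {@code adminRole} or {@code systemRole}.</li>
 * </ol>
 * Security note: granting {@code adminRole} or {@code systemRole} in Spring
 * Security therefore hands out full Jackrabbit administrative rights; treat
 * those two role names as highly privileged.
 *
 * @return the principals to add to the subject; empty (never containing
 *         {@code null}) when no Spring authentication is bound to the thread
 */
protected Set<Principal> getPrincipals() {
    // LinkedHashSet rather than HashSet: Jackrabbit relies on the order of
    // principals in the Subject, so keep insertion order.
    Set<Principal> principals = new LinkedHashSet<Principal>();

    // principal is set by the base class from getPrincipal(Credentials),
    // which always yields the Spring Authentication, or null if none is bound.
    org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) principal;
    if (authen == null) {
        // Nothing is authenticated on this thread: return an empty set instead
        // of adding a null principal and failing on getAuthorities() below.
        return principals;
    }
    principals.add(authen);

    if (authen instanceof AnonymousAuthenticationToken) {
        // Anonymous sessions receive Jackrabbit's anonymous principal only.
        // Their granted authorities are deliberately not mapped, so an
        // anonymous token can never be promoted to AdminPrincipal.
        // NOTE(review): the listing this was rebuilt from truncates the
        // branch structure; the exclusive if/else is the least-privilege
        // reading — confirm against the original.
        principals.add(new AnonymousPrincipal());
    } else {
        for (GrantedAuthority ga : authen.getAuthorities()) {
            // Authorities that are themselves Principals are exposed as such.
            if (ga instanceof Principal)
                principals.add((Principal) ga);
            // FIXME: make it more generic (a configurable role -> principal
            // mapping instead of two hard-coded role names).
            // getAuthority() may be null for non-String authorities; equals()
            // on the non-null role name handles that safely.
            String authority = ga.getAuthority();
            if (adminRole.equals(authority) || systemRole.equals(authority))
                principals.add(new AdminPrincipal(authen.getName()));
        }
    }

    // The subject's public credentials (SimpleCredentials) are left untouched;
    // an earlier attempt to clear them here was disabled.
    return principals;
}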
 * (Disabled override.) The super implementation of {@code logout()} removes
 * all {@link Principal}s from the subject, the Spring
 * {@link org.springframework.security.core.Authentication} included. The
 * commented-out version below would instead clear only the Jackrabbit-related
 * {@link Principal}s; because it is commented out, the super behaviour applies.
92 // public boolean logout() throws LoginException {
93 // Set<Principal> principals = subject.getPrincipals();
94 // for (Principal principal : subject.getPrincipals()) {
95 // if ((principal instanceof AdminPrincipal)
96 // || (principal instanceof ArgeoSystemPrincipal)
97 // || (principal instanceof AnonymousPrincipal)
98 // || (principal instanceof GrantedAuthority)) {
99 // principals.remove(principal);
102 // // clearPrincipals(AdminPrincipal.class);
103 // // clearPrincipals(ArgeoSystemPrincipal.class);
104 // // clearPrincipals(AnonymousPrincipal.class);
105 // // clearPrincipals(GrantedAuthority.class);
109 // private <T extends Principal> void clearPrincipals(Class<T> clss) {
110 // Set<T> principals = subject.getPrincipals(clss);
111 // if (principals != null)
112 // principals.clear();
/**
 * Initialises the module. This module itself reads nothing from the callback
 * handler, the session or the JAAS options: the identity comes from the
 * thread-bound Spring SecurityContext in {@link #getPrincipal(Credentials)},
 * so there is no module-specific state to set up here.
 *
 * @param callbackHandler unused by this module
 * @param session         unused by this module
 * @param options         unused by this module (raw {@code Map} is the
 *                        signature inherited from the base class)
 * @throws LoginException never thrown by this implementation
 */
@SuppressWarnings("rawtypes")
protected void doInit(CallbackHandler callbackHandler, Session session,
        Map options) throws LoginException {
    // Intentionally empty.
}
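/**
 * Impersonation ({@code Session.impersonate}) is not supported by this
 * module.
 * <p>
 * Fails closed: every impersonation attempt is rejected with a
 * {@link LoginException}, the exception type this method declares and the one
 * the JAAS/Jackrabbit login machinery treats as an ordinary login failure.
 * The previous code threw an unchecked {@link UnsupportedOperationException},
 * which bypasses the declared contract; how that is reported then depends on
 * the surrounding login context rather than on this module.
 *
 * @param principal   the principal resolved by
 *                    {@link #getPrincipal(Credentials)}
 * @param credentials the credentials carrying the impersonator
 * @return never returns normally
 * @throws LoginException always
 */
protected boolean impersonate(Principal principal, Credentials credentials)
        throws RepositoryException, LoginException {
    throw new LoginException("Impersonation is not yet supported");
}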
129 protected Authentication
getAuthentication(final Principal principal
,
130 Credentials creds
) throws RepositoryException
{
131 if (principal
instanceof Group
) {
134 return new Authentication() {
135 public boolean canHandle(Credentials credentials
) {
136 return principal
instanceof org
.springframework
.security
.core
.Authentication
;
139 public boolean authenticate(Credentials credentials
)
140 throws RepositoryException
{
141 return ((org
.springframework
.security
.core
.Authentication
) principal
)