1 /*
2 * Copyright (C) 2007-2012 Argeo GmbH
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.security.jackrabbit;
17
18 import java.security.Principal;
19 import java.security.acl.Group;
20 import java.util.LinkedHashSet;
21 import java.util.Map;
22 import java.util.Set;
23
24 import javax.jcr.Credentials;
25 import javax.jcr.RepositoryException;
26 import javax.jcr.Session;
27 import javax.security.auth.callback.CallbackHandler;
28 import javax.security.auth.login.LoginException;
29
30 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
31 import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
32 import org.apache.jackrabbit.core.security.authentication.Authentication;
33 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
34 import org.springframework.security.authentication.AnonymousAuthenticationToken;
35 import org.springframework.security.core.GrantedAuthority;
36 import org.springframework.security.core.context.SecurityContextHolder;
37
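/**
 * Jackrabbit login mechanism based on Spring Security.
 * <p>
 * This module performs no credential verification of its own: the JCR
 * principal is the Spring {@link org.springframework.security.core.Authentication}
 * found in the {@link SecurityContextHolder} of the calling thread, and it is
 * accepted as soon as that authentication reports {@code isAuthenticated()}.
 * The JCR {@link Credentials} handed to {@code Repository.login()} are ignored,
 * so the trust boundary is the Spring security context of the thread that
 * opens the JCR session: it must have been authenticated by Spring Security
 * beforehand.
 * <p>
 * The principals contributed to the JAAS subject are the Spring authentication
 * itself, every {@link GrantedAuthority} that is also a {@link Principal}, a
 * Jackrabbit {@link AnonymousPrincipal} for an
 * {@link AnonymousAuthenticationToken}, and a Jackrabbit {@link AdminPrincipal}
 * when one of the authorities is {@code ROLE_ADMIN} or {@code ROLE_SYSTEM}.
 */
public class ArgeoLoginModule extends AbstractLoginModule {
    /** Spring authority that is mapped to the Jackrabbit administrator. */
    private final String adminRole = "ROLE_ADMIN";
    /** Spring authority that is also mapped to the Jackrabbit administrator. */
    private final String systemRole = "ROLE_SYSTEM";

    /**
     * Returns the Spring
     * {@link org.springframework.security.core.Authentication} of the calling
     * thread, which can be null when no security context is set. The JCR
     * {@code credentials} are not inspected.
     */
    @Override
    protected Principal getPrincipal(Credentials credentials) {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /**
     * Builds the JCR principals for the Spring authentication stored in
     * {@link #principal} by the login phase.
     *
     * @return the principals to add to the subject, kept in insertion order
     * @throws IllegalStateException
     *             if no principal was stored, i.e. the login phase did not
     *             succeed before this was called
     */
    protected Set<Principal> getPrincipals() {
        // fail with a clear message rather than a NullPointerException below
        if (principal == null)
            throw new IllegalStateException(
                    "No Spring authentication available, login did not succeed");
        org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) principal;

        // LinkedHashSet rather than HashSet in order to maintain the order of
        // the principals (as in the Subject).
        Set<Principal> principals = new LinkedHashSet<Principal>();
        principals.add(authen);

        if (authen instanceof AnonymousAuthenticationToken) {
            principals.add(new AnonymousPrincipal());
        } else {
            boolean adminAdded = false;
            for (GrantedAuthority ga : authen.getAuthorities()) {
                if (ga instanceof Principal)
                    principals.add((Principal) ga);
                // FIXME: make it more generic
                String authority = ga.getAuthority();
                // add the administrator principal at most once, even when both
                // roles are granted
                if (!adminAdded
                        && (adminRole.equals(authority) || systemRole
                                .equals(authority))) {
                    principals.add(new AdminPrincipal(authen.getName()));
                    adminAdded = true;
                }
            }
        }

        return principals;
    }

    // NOTE: logout() is inherited. According to the original author's note the
    // super implementation removes all Principals from the subject, the Spring
    // Authentication included; a variant clearing only the Jackrabbit-related
    // principals was considered but never enabled.

    /**
     * Nothing to initialise: the roles are fixed and the JAAS {@code options}
     * are not read.
     */
    @SuppressWarnings("rawtypes")
    @Override
    protected void doInit(CallbackHandler callbackHandler, Session session,
            Map options) throws LoginException {
    }

    /**
     * Impersonation is not supported.
     *
     * @throws UnsupportedOperationException
     *             always
     */
    @Override
    protected boolean impersonate(Principal principal, Credentials credentials)
            throws RepositoryException, LoginException {
        throw new UnsupportedOperationException(
                "Impersonation is not yet supported");
    }

    /**
     * Returns the Jackrabbit {@link Authentication} validating the principal,
     * or null for a {@link Group} (groups cannot log in).
     * <p>
     * The returned object ignores the JCR {@code creds} entirely: it handles
     * the principal when it is a Spring authentication and reports it as
     * authenticated exactly when the Spring authentication does. All
     * credential checking is therefore delegated to Spring Security.
     */
    @Override
    protected Authentication getAuthentication(final Principal principal,
            Credentials creds) throws RepositoryException {
        // java.security.acl.Group is deprecated in newer JDKs (removed in 14);
        // keep in mind when upgrading the runtime
        if (principal instanceof Group) {
            return null;
        }
        return new Authentication() {
            public boolean canHandle(Credentials credentials) {
                return principal instanceof org.springframework.security.core.Authentication;
            }

            public boolean authenticate(Credentials credentials)
                    throws RepositoryException {
                // no verification of the JCR credentials: trust the Spring
                // authentication state of the calling thread
                return ((org.springframework.security.core.Authentication) principal)
                        .isAuthenticated();
            }
        };
    }

}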