- Improve CMS login (HTTP session now supported)
index d35f996f49e7e78b074119748fa5ed70d2545f8e..cc6d85b48587c4453b3cd00836860f9cff6881d5 100644 (file)
@@ -1,5 +1,9 @@
 package org.argeo.cms.internal.useradmin.jackrabbit;
 
+import static org.argeo.cms.KernelHeader.ROLE_ADMIN;
+import static org.argeo.cms.KernelHeader.USERNAME_ADMIN;
+import static org.argeo.cms.KernelHeader.USERNAME_DEMO;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Iterator;
@@ -22,12 +26,14 @@ import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.security.authentication.CryptedSimpleCredentials;
 import org.apache.jackrabbit.core.security.user.UserAccessControlProvider;
 import org.argeo.ArgeoException;
+import org.argeo.cms.CmsException;
 import org.argeo.cms.KernelHeader;
 import org.argeo.cms.internal.auth.GrantedAuthorityPrincipal;
 import org.argeo.cms.internal.auth.JcrSecurityModel;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.jcr.UserJcrUtils;
 import org.argeo.security.NodeAuthenticationToken;
+import org.argeo.security.SecurityUtils;
 import org.argeo.security.UserAdminService;
 import org.argeo.security.jcr.JcrUserDetails;
 import org.argeo.security.jcr.NewUserDetails;
@@ -50,35 +56,47 @@ public class JackrabbitUserAdminService implements UserAdminService,
                AuthenticationProvider {
        private final static String JACKR_ADMINISTRATORS = "administrators";
        private final static String REP_PRINCIPAL_NAME = "rep:principalName";
+       // private final static String REP_PASSWORD = "rep:password";
 
        private Repository repository;
        private JcrSecurityModel securityModel;
 
        private JackrabbitSession adminSession = null;
 
-       private String superUserInitialPassword = "demo";
+       private String initialPassword = "demo";
 
        public void init() throws RepositoryException {
                Authentication authentication = SecurityContextHolder.getContext()
                                .getAuthentication();
                authentication.getName();
                adminSession = (JackrabbitSession) repository.login();
-               securityModel.init(adminSession);
-               Authorizable adminGroup = getUserManager().getAuthorizable(
-                               KernelHeader.ROLE_ADMIN);
+               Authorizable adminGroup = getUserManager().getAuthorizable(ROLE_ADMIN);
                if (adminGroup == null) {
-                       adminGroup = getUserManager().createGroup(KernelHeader.ROLE_ADMIN);
+                       adminGroup = getUserManager().createGroup(ROLE_ADMIN);
                        adminSession.save();
                }
+
+               // create superuser
                Authorizable superUser = getUserManager().getAuthorizable(
-                               KernelHeader.USERNAME_ADMIN);
+                               USERNAME_ADMIN);
                if (superUser == null) {
-                       superUser = getUserManager().createUser(
-                                       KernelHeader.USERNAME_ADMIN, superUserInitialPassword);
+                       superUser = getUserManager().createUser(USERNAME_ADMIN,
+                                       initialPassword);
                        ((Group) adminGroup).addMember(superUser);
-                       securityModel.sync(adminSession, KernelHeader.USERNAME_ADMIN, null);
+                       securityModel.sync(adminSession, USERNAME_ADMIN, null);
+                       adminSession.save();
+
+                       // create demo user only at initialisation
+                       Authorizable demoUser = getUserManager().getAuthorizable(
+                                       USERNAME_DEMO);
+                       if (demoUser != null)
+                               throw new CmsException("There is already a demo user");
+                       demoUser = getUserManager().createUser(USERNAME_DEMO,
+                                       initialPassword);
+                       securityModel.sync(adminSession, USERNAME_DEMO, null);
                        adminSession.save();
                }
+               securityModel.init(adminSession);
        }
 
        public void destroy() throws RepositoryException {
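Review bot: The demo user created at the `createUser(USERNAME_DEMO, initialPassword)` call is given the same hard-coded `initialPassword` ("demo") as the superuser, so a fresh repository now starts with two accounts sharing a well-known credential and nothing in this class lets a deployment change it before `init()` runs. Since `repository` and `securityModel` appear to be injected fields, the same could be done here, e.g. `public void setInitialPassword(String initialPassword) { this.initialPassword = initialPassword; }`, with a Javadoc line on the field stating that the default is only meant for bootstrapping and must be overridden in any non-demo deployment. A second point: if the superuser is missing but a demo user already exists, the `CmsException` is thrown after `adminSession.save()` has already persisted the superuser, and the trailing `securityModel.init(adminSession)` is then skipped while `adminSession` stays open (presumably `destroy()` logs it out, but that is not visible here); a comment explaining why this state is treated as an error rather than skipped would help. `init()` is shown in full, but the surrounding class continues outside the hunk.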
@@ -116,20 +134,33 @@ public class JackrabbitUserAdminService implements UserAdminService,
        @Override
        public void updateUser(UserDetails userDetails) {
                try {
-                       User user = (User) getUserManager().getAuthorizable(
-                                       userDetails.getUsername());
+                       String username = userDetails.getUsername();
+                       User user = (User) getUserManager().getAuthorizable(username);
                        if (user == null)
                                throw new ArgeoException("No user " + userDetails.getUsername());
 
                        // new password
                        String newPassword = userDetails.getPassword();
                        if (!newPassword.trim().equals("")) {
-                               SimpleCredentials sp = new SimpleCredentials(
-                                               userDetails.getUsername(), newPassword.toCharArray());
-                               CryptedSimpleCredentials credentials = (CryptedSimpleCredentials) user
-                                               .getCredentials();
-                               if (!credentials.matches(sp))
-                                       user.changePassword(new String(newPassword));
+                               if (newPassword.startsWith("{SHA-256}")) {
+                                       // Already hashed password
+                                       throw new CmsException("Cannot import hashed password");
+                                       // Value v = adminSession.getValueFactory().createValue(
+                                       // newPassword);
+                                       // user.setProperty(REP_PASSWORD, v);
+                                       // TODO find a way to deal w/ protected property
+                                       // see
+                                       // http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/user/UserImporter.html
+                               } else {
+                                       SimpleCredentials sp = new SimpleCredentials(
+                                                       userDetails.getUsername(),
+                                                       newPassword.toCharArray());
+                                       CryptedSimpleCredentials credentials = (CryptedSimpleCredentials) user
+                                                       .getCredentials();
+
+                                       if (!credentials.matches(sp))
+                                               user.changePassword(new String(newPassword));
+                               }
                        }
 
                        List<String> roles = new ArrayList<String>();
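Review bot: The new `startsWith("{SHA-256}")` guard only recognises one hashed form, so a value using another `{algorithm}` prefix that Jackrabbit accepts (if any are in use by callers) would fall into the `else` branch and be stored as a literal password rather than rejected; if the intent is "never import a pre-hashed value", the check should match the generic `{...}` prefix shape or be documented as SHA-256-specific, e.g. `// Only the {SHA-256} form is rejected; other digest prefixes are treated as plaintext`. The local `username` introduced at the top of the `try` is then unused by the error message and the `SimpleCredentials` constructor, which still call `userDetails.getUsername()`; `throw new ArgeoException("No user " + username);` and `new SimpleCredentials(username, newPassword.toCharArray())` would keep the block consistent. The commented-out `REP_PASSWORD` code and the field comment at the top of the class should be reduced to the single `TODO` line with the link, as dead code tends to be resurrected without the context that made it unsafe. `updateUser()` continues beyond the end of the hunk.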
@@ -282,7 +313,10 @@ public class JackrabbitUserAdminService implements UserAdminService,
                                Group group = (Group) groups.next();
                                String groupName = group.getPrincipal().getName();
                                String role = groupNameToRole(groupName);
-                               if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN))
+                               if (role != null
+                                               && !role.equals(KernelHeader.ROLE_GROUP_ADMIN)
+                                               && !(role.equals(KernelHeader.ROLE_ADMIN) && !SecurityUtils
+                                                               .hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN)))
                                        res.add(role);
                        }
                        return res;
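Review bot: The extended condition hides `ROLE_ADMIN` from the result when the calling thread does not itself hold `ROLE_ADMIN`, which is a reasonable information-hiding step, but the double negation inside `!(… && !…)` is hard to read and nothing states that callers now receive an intentionally incomplete role list in that case. Extracting the new clause into a named local would make the intent explicit: `boolean hideAdminRole = KernelHeader.ROLE_ADMIN.equals(role) && !SecurityUtils.hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN);` followed by `if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN) && !hideAdminRole)`. A comment such as `// admin membership is only disclosed to callers that are themselves admins` on that line would document the contract for the callers, who cannot otherwise distinguish "not an admin" from "not allowed to know". The enclosing method starts outside the hunk, so its name and the type of `res` are not visible here.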