package org.argeo.security.jackrabbit;
-import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
+import org.argeo.node.DataAdminPrincipal;
public class SystemJackrabbitLoginModule implements LoginModule {
private Subject subject;
@Override
- public void initialize(Subject subject, CallbackHandler callbackHandler,
- Map<String, ?> sharedState, Map<String, ?> options) {
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
+ Map<String, ?> options) {
this.subject = subject;
}
@Override
public boolean commit() throws LoginException {
- Set<Principal> principals = subject.getPrincipals();
- if (principals.isEmpty()) {// system
- subject.getPrincipals().add(new AdminPrincipal("admin"));
+ Set<DataAdminPrincipal> initPrincipal = subject.getPrincipals(DataAdminPrincipal.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals().add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
return true;
}
- boolean isAdmin = false;
- boolean isAnonymous = false;
- // FIXME make it more generic
- for (Principal principal : principals) {
- if (principal.getName().equalsIgnoreCase(
- "cn=admin,ou=system,ou=node"))
- isAdmin = true;
- else if (principal.getName().equalsIgnoreCase(
- "cn=anonymous,ou=system,ou=node"))
- isAnonymous = true;
- }
- if (isAnonymous && isAdmin)
- throw new LoginException("Cannot be admin and anonymous");
+ Set<X500Principal> userPrincipal = subject.getPrincipals(X500Principal.class);
+ if (userPrincipal.isEmpty())
+ throw new LoginException("Subject must be pre-authenticated");
+ if (userPrincipal.size() > 1)
+ throw new LoginException("Multiple user principals " + userPrincipal);
- // Add special Jackrabbit roles
- if (isAdmin)
- principals.add(new AdminPrincipal("admin"));
- if (isAnonymous)// anonymous
- principals.add(new AnonymousPrincipal());
return true;
}
@Override
public boolean logout() throws LoginException {
- subject.getPrincipals().removeAll(
- subject.getPrincipals(AdminPrincipal.class));
+ Set<DataAdminPrincipal> initPrincipal = subject.getPrincipals(DataAdminPrincipal.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals(AdminPrincipal.class);
+ return true;
+ }
return true;
}
-
}