+++ /dev/null
-/*
- * Copyright (C) 2007-2012 Argeo GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.argeo.security.ldap;
-
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Random;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.argeo.ArgeoException;
-import org.argeo.security.UserAdminService;
-import org.springframework.ldap.core.ContextSource;
-import org.springframework.security.Authentication;
-import org.springframework.security.GrantedAuthority;
-import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.providers.encoding.PasswordEncoder;
-import org.springframework.security.userdetails.UserDetails;
-import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
-
-/** Extends {@link LdapUserDetailsManager} by adding password encoding support. */
-public class ArgeoLdapUserDetailsManager extends LdapUserDetailsManager
- implements UserAdminService {
- private String superUsername = "root";
- private ArgeoUserAdminDaoLdap userAdminDao;
- private PasswordEncoder passwordEncoder;
- private final Random random;
-
- public ArgeoLdapUserDetailsManager(ContextSource contextSource) {
- super(contextSource);
- this.random = createRandom();
- }
-
- private static Random createRandom() {
- try {
- return SecureRandom.getInstance("SHA1PRNG");
- } catch (NoSuchAlgorithmException e) {
- return new Random(System.currentTimeMillis());
- }
- }
-
- @Override
- public void changePassword(String oldPassword, String newPassword) {
- Authentication authentication = SecurityContextHolder.getContext()
- .getAuthentication();
- if (authentication == null)
- throw new ArgeoException(
- "Cannot change password without authentication");
- String username = authentication.getName();
- UserDetails userDetails = loadUserByUsername(username);
- String currentPassword = userDetails.getPassword();
- if (currentPassword == null)
- throw new ArgeoException("Cannot access current password");
- if (!passwordEncoder
- .isPasswordValid(currentPassword, oldPassword, null))
- throw new ArgeoException("Old password invalid");
- // Spring Security LDAP 2.0 is buggy when used with OpenLDAP and called
- // with oldPassword argument
- super.changePassword(null, encodePassword(newPassword));
- }
-
- public void newRole(String role) {
- userAdminDao.createRole(role, superUsername);
- }
-
- public void synchronize() {
- for (String username : userAdminDao.listUsers())
- loadUserByUsername(username);
- // TODO: find a way to remove from JCR
- }
-
- public void deleteRole(String role) {
- userAdminDao.deleteRole(role);
- }
-
- public Set<String> listUsers() {
- return userAdminDao.listUsers();
- }
-
- public Set<String> listUsersInRole(String role) {
- Set<String> lst = new TreeSet<String>(
- userAdminDao.listUsersInRole(role));
- Iterator<String> it = lst.iterator();
- while (it.hasNext()) {
- if (it.next().equals(superUsername)) {
- it.remove();
- break;
- }
- }
- return lst;
- }
-
- public List<String> listUserRoles(String username) {
- UserDetails userDetails = loadUserByUsername(username);
- List<String> roles = new ArrayList<String>();
- for (GrantedAuthority ga : userDetails.getAuthorities()) {
- roles.add(ga.getAuthority());
- }
- return Collections.unmodifiableList(roles);
- }
-
- public Set<String> listEditableRoles() {
- return userAdminDao.listEditableRoles();
- }
-
- protected String encodePassword(String password) {
- if (!password.startsWith("{")) {
- byte[] salt = new byte[16];
- random.nextBytes(salt);
- return passwordEncoder.encodePassword(password, salt);
- } else {
- return password;
- }
- }
-
- public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
- this.passwordEncoder = passwordEncoder;
- }
-
- public void setSuperUsername(String superUsername) {
- this.superUsername = superUsername;
- }
-
- public void setUserAdminDao(ArgeoUserAdminDaoLdap userAdminDao) {
- this.userAdminDao = userAdminDao;
- }
-
-}