X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fcore%2FAbstractSystemExecution.java;h=81eeadf21b146f42d628aeff841c64ba2128d639;hb=86140b8db15a11cfd942892eface6a4f90329a41;hp=0d075c3a60b5b0039a17fb95de648b12d2dbe952;hpb=759a7c0396796565b231738b855c8b0a8413be6b;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.security.core/src/org/argeo/security/core/AbstractSystemExecution.java b/org.argeo.security.core/src/org/argeo/security/core/AbstractSystemExecution.java
index 0d075c3a6..81eeadf21 100644
--- a/org.argeo.security.core/src/org/argeo/security/core/AbstractSystemExecution.java
+++ b/org.argeo.security.core/src/org/argeo/security/core/AbstractSystemExecution.java
@@ -15,133 +15,47 @@ */ package org.argeo.security.core; +import javax.security.auth.Subject; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.ArgeoException; -import org.argeo.security.SystemAuthentication; -import org.argeo.security.login.BundleContextCallbackHandler; -import org.osgi.framework.BundleContext; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.authentication.BadCredentialsException; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.context.SecurityContext; -import org.springframework.security.core.context.SecurityContextHolder; /** Provides base method for executing code with system authorization. */ public abstract class AbstractSystemExecution { - static { - // Forces Spring Security to use inheritable strategy - // FIXME find a better place for forcing spring security mode - // doesn't work for the time being - // if (System.getProperty(SecurityContextHolder.SYSTEM_PROPERTY) == - // null) - // SecurityContextHolder - // .setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL); - } - private final static Log log = LogFactory .getLog(AbstractSystemExecution.class); - private AuthenticationManager authenticationManager; - private BundleContext bundleContext; - private String systemAuthenticationKey; - private String loginContextName = "SYSTEM"; + private final Subject subject = new Subject(); - /** Whether the current thread was authenticated by this component. 
*/ - private ThreadLocal authenticatedBySelf = new ThreadLocal() { - protected Boolean initialValue() { - return false; - } - }; + private final String loginModule = "SYSTEM"; /** * Authenticate the calling thread to the underlying * {@link AuthenticationManager} */ protected void authenticateAsSystem() { - if (authenticatedBySelf.get()) - return; - SecurityContext securityContext = SecurityContextHolder.getContext(); - Authentication currentAuth = securityContext.getAuthentication(); - if (currentAuth != null) { - if (!(currentAuth instanceof SystemAuthentication)) - throw new ArgeoException( - "System execution on an already authenticated thread: " - + currentAuth + ", THREAD=" - + Thread.currentThread().getId()); - return; + try { + LoginContext lc = new LoginContext(loginModule, subject); + lc.login(); + } catch (LoginException e) { + throw new ArgeoException("Cannot login as system", e); } - // Subject subject = Subject.getSubject(AccessController.getContext()); - // if (subject != null - // && !subject.getPrincipals(Authentication.class).isEmpty()) - // throw new ArgeoException( - // "There is already an authenticated subject: " + subject); - - String key = systemAuthenticationKey != null ? 
systemAuthenticationKey - : System.getProperty( - InternalAuthentication.SYSTEM_KEY_PROPERTY, - InternalAuthentication.SYSTEM_KEY_DEFAULT); - if (key == null) - throw new ArgeoException("No system key defined"); - if (authenticationManager != null) { - Authentication auth = authenticationManager - .authenticate(new InternalAuthentication(key)); - securityContext.setAuthentication(auth); - } else { - try { - // TODO test this - if (bundleContext == null) - throw new ArgeoException("bundleContext must be set"); - BundleContextCallbackHandler callbackHandler = new BundleContextCallbackHandler( - bundleContext); - LoginContext loginContext = new LoginContext(loginContextName, - callbackHandler); - loginContext.login(); - } catch (LoginException e) { - throw new BadCredentialsException("Cannot authenticate"); - } - } - authenticatedBySelf.set(true); if (log.isTraceEnabled()) log.trace("System authenticated"); } - // /** Removes the authentication from the calling thread. */ - // protected void deauthenticateAsSystem() { - // // remove the authentication - // // SecurityContext securityContext = SecurityContextHolder.getContext(); - // // securityContext.setAuthentication(null); - // // authenticatedBySelf.set(false); - // if (log.isTraceEnabled()) { - // log.trace("System deauthenticated"); - // // Thread.dumpStack(); - // } - // } - - /** - * Whether the current thread was authenticated by this component or a - * parent thread. 
- */ - protected Boolean isAuthenticatedBySelf() { - return authenticatedBySelf.get(); - } - - @Deprecated - public void setAuthenticationManager( - AuthenticationManager authenticationManager) { - // log.warn("This approach is deprecated, inject bundleContext instead"); - this.authenticationManager = authenticationManager; - } - - @Deprecated - public void setSystemAuthenticationKey(String systemAuthenticationKey) { - this.systemAuthenticationKey = systemAuthenticationKey; + protected void deauthenticateAsSystem() { + try { + LoginContext lc = new LoginContext(loginModule, subject); + lc.logout(); + } catch (LoginException e) { + throw new ArgeoException("Cannot logout as system", e); + } } - public void setBundleContext(BundleContext bundleContext) { - this.bundleContext = bundleContext; + protected Subject getSubject() { + return subject; } - }
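Review bot: `deauthenticateAsSystem()` constructs a fresh `LoginContext` and calls `logout()` on it, while the `LoginContext` whose `login()` actually populated `subject` is discarded at the end of `authenticateAsSystem()`; the logout therefore runs through login-module instances that never saw the login, and whether the SYSTEM principals and credentials are really removed then depends entirely on how that module's `logout()` is written. Because `subject` is one mutable field shared by every caller on every thread, and the former per-thread `authenticatedBySelf` guard together with the "already authenticated thread" check are dropped in this hunk, repeated or concurrent `authenticateAsSystem()` calls also keep adding to the same Subject with nothing stopping a second system login on a thread that already holds another authentication. I would keep the successful `LoginContext` per thread, log out on that same instance and make both methods idempotent, as sketched below; `getSubject()` still hands out the shared mutable Subject, so callers should be told in its Javadoc that they must not modify it. Separately, the Javadoc on `authenticateAsSystem()` still reads `{@link AuthenticationManager}` although that import is removed here, so the link no longer resolves, and `loginModule` names a login-configuration entry rather than a module and could be a `private static final String LOGIN_CONTEXT_NAME = "SYSTEM";`.
```java
	private final Subject subject = new Subject();
	private final String loginModule = "SYSTEM";
	/** LoginContext whose login() succeeded on this thread; logout() must run on that same instance. */
	private final ThreadLocal<LoginContext> loginContext = new ThreadLocal<LoginContext>();

	protected void authenticateAsSystem() {
		if (loginContext.get() != null)
			return; // this thread is already authenticated by this component
		try {
			LoginContext lc = new LoginContext(loginModule, subject);
			lc.login();
			loginContext.set(lc);
		} catch (LoginException e) {
			throw new ArgeoException("Cannot login as system", e);
		}
		// … unchanged: trace logging …
	}

	protected void deauthenticateAsSystem() {
		LoginContext lc = loginContext.get();
		if (lc == null)
			return; // nothing to undo on this thread
		try {
			lc.logout();
		} catch (LoginException e) {
			throw new ArgeoException("Cannot logout as system", e);
		} finally {
			loginContext.remove();
		}
	}
```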