X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.jackrabbit%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoLoginModule.java;h=c37ad0db3a3fe00c4a26430d7f0fecb27131e4a4;hb=2b3904582518de706357fd2a8216a47ca77dfc39;hp=43c54408390bb619490bfe392be40a4e108eee88;hpb=00154c058c3ce91af6e264e6f5842e22724ea709;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
index 43c544083..c37ad0db3 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
@@ -24,7 +24,6 @@ import java.util.Set;
 import javax.jcr.Credentials;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.SimpleCredentials;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
@@ -32,36 +31,14 @@ import org.apache.jackrabbit.core.security.AnonymousPrincipal;
 import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
 import org.apache.jackrabbit.core.security.authentication.Authentication;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
-import org.argeo.security.SystemAuthentication;
-import org.springframework.security.GrantedAuthority;
-import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
 /** Jackrabbit login mechanism based on Spring Security */
 public class ArgeoLoginModule extends AbstractLoginModule {
 private String adminRole = "ROLE_ADMIN";
-
- @SuppressWarnings("unused")
- @Override
- public boolean login() throws LoginException {
- boolean loginOk = super.login();
- if (!loginOk) {
- org.springframework.security.Authentication authen = (org.springframework.security.Authentication) SecurityContextHolder
- .getContext().getAuthentication();
- }
- return loginOk;
- }
-
- @SuppressWarnings("unused")
- @Override
- public boolean commit() throws LoginException {
- boolean commitOk = super.commit();
- if (!commitOk) {
- org.springframework.security.Authentication authen = (org.springframework.security.Authentication) SecurityContextHolder
- .getContext().getAuthentication();
- }
- return commitOk;
- }
+ private String systemRole = "ROLE_SYSTEM";
 /**
 * Returns the Spring {@link org.springframework.security.Authentication}
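Review bot: The Javadoc context line that closes this hunk still links `{@link org.springframework.security.Authentication}`, while the imports rewritten above move that type to `org.springframework.security.core`, so after this migration the link points at a class that no longer exists. Change it to `{@link org.springframework.security.core.Authentication}`; the logout Javadoc later in the file carries the same stale reference. The new `systemRole` field, like `adminRole`, is a mutable non-final field with no setter visible in this diff; if nothing outside the shown hunks assigns it, `private final` would make explicit that the role-to-admin mapping cannot be altered at runtime. The enclosing class continues past this hunk.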
@@ -69,50 +46,39 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 */
 @Override
 protected Principal getPrincipal(Credentials credentials) {
- org.springframework.security.Authentication authen = SecurityContextHolder
- .getContext().getAuthentication();
- return authen;
+ return SecurityContextHolder.getContext().getAuthentication();
 }
 protected Set getPrincipals() {
- // clear already registered Jackrabbit principals
- // clearPrincipals(AdminPrincipal.class);
- // clearPrincipals(AnonymousPrincipal.class);
- // clearPrincipals(GrantedAuthorityPrincipal.class);
-
- return syncPrincipals();
- }
-
- protected Set syncPrincipals() {
 // use linked HashSet instead of HashSet in order to maintain the order
 // of principals (as in the Subject).
- org.springframework.security.Authentication authen = (org.springframework.security.Authentication) principal;
+ org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) principal;
 Set principals = new LinkedHashSet();
 principals.add(authen);
- if (authen instanceof SystemAuthentication) {
- principals.add(new AdminPrincipal(authen.getName()));
- principals.add(new ArgeoSystemPrincipal(authen.getName()));
- } else if (authen instanceof AnonymousAuthenticationToken) {
+ // if (authen instanceof SystemAuthentication) {
+ // principals.add(new AdminPrincipal(authen.getName()));
+ // // principals.add(new ArgeoSystemPrincipal(authen.getName()));
+ // } else
+ if (authen instanceof AnonymousAuthenticationToken) {
 principals.add(new AnonymousPrincipal());
 } else {
 for (GrantedAuthority ga : authen.getAuthorities()) {
- principals.add(new GrantedAuthorityPrincipal(ga));
+ if (ga instanceof Principal)
+ principals.add((Principal) ga);
 // FIXME: make it more generic
- if (adminRole.equals(ga.getAuthority()))
+ String authority = ga.getAuthority();
+ if (adminRole.equals(authority) || systemRole.equals(authority))
 principals.add(new AdminPrincipal(authen.getName()));
 }
 }
 // remove previous credentials
- Set thisCredentials = subject
- .getPublicCredentials(SimpleCredentials.class);
- if (thisCredentials != null)
- thisCredentials.clear();
- // override credentials since we did not used the one passed to us
- // credentials = new SimpleCredentials(authen.getName(), authen
- // .getCredentials().toString().toCharArray());
+ // Set thisCredentials = subject
+ // .getPublicCredentials(SimpleCredentials.class);
+ // if (thisCredentials != null)
+ // thisCredentials.clear();
 return principals;
 }
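Review bot: The new condition `adminRole.equals(authority) || systemRole.equals(authority)` grants the Jackrabbit `AdminPrincipal` to any Spring `Authentication` that merely carries an authority named `ROLE_SYSTEM`, whereas the removed branch required the token itself to be a `SystemAuthentication`; a string-named authority can be handed out by whatever populates user roles, so this widens who can become repository admin and deserves a comment at the check, e.g. `// ROLE_SYSTEM maps to Jackrabbit admin: only internal system authentications may carry it, never user accounts`. The commented-out block at the end of the method also drops the clearing of `SimpleCredentials` from the Subject's public credentials, so any password-bearing credentials a caller attached now stay on the Subject for its lifetime; if that is intentional, say why it is now safe rather than leaving dead code. The loop `if (ga instanceof Principal) principals.add((Principal) ga);` silently discards authorities that do not implement `Principal` (the old code wrapped every one in `GrantedAuthorityPrincipal`), which may be fine for the authority types used here but should be noted next to the FIXME. If `principal` is null at this point, `authen.getAuthorities()` throws NullPointerException; whether `AbstractLoginModule` guards that before calling `getPrincipals()` is not visible in this diff.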
@@ -122,26 +88,29 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 * {@link org.springframework.security.Authentication} as well. Here we
 * simply clear Jackrabbit related {@link Principal}s.
 */
- @Override
- public boolean logout() throws LoginException {
- clearPrincipals(AdminPrincipal.class);
- clearPrincipals(ArgeoSystemPrincipal.class);
- clearPrincipals(AnonymousPrincipal.class);
- clearPrincipals(GrantedAuthorityPrincipal.class);
-
- // we resync with Spring Security since the subject may have been reused
- // in beetween
- // TODO: check if this is clean
- // subject.getPrincipals().addAll(syncPrincipals());
-
- return true;
- }
-
- private void clearPrincipals(Class clss) {
- Set principals = subject.getPrincipals(clss);
- if (principals != null)
- principals.clear();
- }
+ // @Override
+ // public boolean logout() throws LoginException {
+ // Set principals = subject.getPrincipals();
+ // for (Principal principal : subject.getPrincipals()) {
+ // if ((principal instanceof AdminPrincipal)
+ // || (principal instanceof ArgeoSystemPrincipal)
+ // || (principal instanceof AnonymousPrincipal)
+ // || (principal instanceof GrantedAuthority)) {
+ // principals.remove(principal);
+ // }
+ // }
+ // // clearPrincipals(AdminPrincipal.class);
+ // // clearPrincipals(ArgeoSystemPrincipal.class);
+ // // clearPrincipals(AnonymousPrincipal.class);
+ // // clearPrincipals(GrantedAuthority.class);
+ // return true;
+ // }
+
+ // private void clearPrincipals(Class clss) {
+ // Set principals = subject.getPrincipals(clss);
+ // if (principals != null)
+ // principals.clear();
+ // }
 @SuppressWarnings("rawtypes")
 @Override
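Review bot: Commenting out `logout()` leaves the Javadoc directly above it ("Here we simply clear Jackrabbit related Principals") describing behaviour the class no longer has, and it means the `AdminPrincipal` and `AnonymousPrincipal` entries added by `getPrincipals()` are no longer removed from the Subject at logout; the removed comment itself noted that the Subject may be reused, in which case a later login on the same Subject would inherit an earlier admin principal unless `AbstractLoginModule.logout()` (not shown) clears them. Either delete the dead block and reword the Javadoc to `Logout is delegated to AbstractLoginModule; principals derived in getPrincipals() are not cleared here`, or reinstate the override as sketched below. Note that the commented replacement removes from `subject.getPrincipals()` while iterating that same set, which would throw ConcurrentModificationException if it were ever revived; an explicit `Iterator` with `remove()` is the safe form. The enclosing class continues past this hunk.
```java
@Override
public boolean logout() throws LoginException {
	// drop only the principals derived in getPrincipals(); the Subject may be reused
	Iterator<Principal> it = subject.getPrincipals().iterator();
	while (it.hasNext()) {
		Principal p = it.next();
		if (p instanceof AdminPrincipal || p instanceof AnonymousPrincipal
				|| p instanceof GrantedAuthority)
			it.remove();
	}
	return true;
}
```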
@@ -164,12 +133,12 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 }
 return new Authentication() {
 public boolean canHandle(Credentials credentials) {
- return principal instanceof org.springframework.security.Authentication;
+ return principal instanceof org.springframework.security.core.Authentication;
 }
 public boolean authenticate(Credentials credentials)
 throws RepositoryException {
- return ((org.springframework.security.Authentication) principal)
+ return ((org.springframework.security.core.Authentication) principal)
 .isAuthenticated();
 }
 };