X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.jackrabbit%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FSystemJackrabbitLoginModule.java;h=62f8fa02b1d23860011f456253e84b54cabadc9a;hb=8260f4470f514ea347ca53f5b4dfc632c4a4de66;hp=b11d7b4b5b2f98594e622a2be85320f56a3f48fa;hpb=27d9f106d83b7e747ae99bfd21cc6d3cdb60c560;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
index b11d7b4b5..62f8fa02b 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
@@ -1,6 +1,5 @@
 package org.argeo.security.jackrabbit;
-import java.security.Principal;
 import java.util.Map;
 import java.util.Set;
@@ -8,17 +7,19 @@ import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
+import org.argeo.node.DataAdminPrincipal;
 public class SystemJackrabbitLoginModule implements LoginModule {
 private Subject subject;
 @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler,
- Map sharedState, Map options) {
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
+ Map options) {
 this.subject = subject;
 }
@@ -29,31 +30,18 @@ public class SystemJackrabbitLoginModule implements LoginModule {
 @Override
 public boolean commit() throws LoginException {
- Set principals = subject.getPrincipals();
- if (principals.isEmpty()) {// system
- subject.getPrincipals().add(new AdminPrincipal("admin"));
+ Set initPrincipal = subject.getPrincipals(DataAdminPrincipal.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals().add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
 return true;
 }
- boolean isAdmin = false;
- boolean isAnonymous = false;
- // FIXME make it more generic
- for (Principal principal : principals) {
- if (principal.getName().equalsIgnoreCase(
- "cn=admin,ou=roles,ou=node"))
- isAdmin = true;
- else if (principal.getName().equalsIgnoreCase(
- "cn=anonymous,ou=roles,ou=node"))
- isAnonymous = true;
- }
- if (isAnonymous && isAdmin)
- throw new LoginException("Cannot be admin and anonymous");
+ Set userPrincipal = subject.getPrincipals(X500Principal.class);
+ if (userPrincipal.isEmpty())
+ throw new LoginException("Subject must be pre-authenticated");
+ if (userPrincipal.size() > 1)
+ throw new LoginException("Multiple user principals " + userPrincipal);
- // Add special Jackrabbit roles
- if (isAdmin)
- principals.add(new AdminPrincipal("admin"));
- if (isAnonymous)// anonymous
- principals.add(new AnonymousPrincipal());
 return true;
 }
@@ -64,9 +52,11 @@ public class SystemJackrabbitLoginModule implements LoginModule {
 @Override
 public boolean logout() throws LoginException {
- subject.getPrincipals().removeAll(
- subject.getPrincipals(AdminPrincipal.class));
+ Set initPrincipal = subject.getPrincipals(DataAdminPrincipal.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals(AdminPrincipal.class);
+ return true;
+ }
 return true;
 }
-
 }
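Review bot: Both `Set` locals in commit() are raw types even though `Subject.getPrincipals(Class<T>)` returns a typed `Set<T>`; declare them as `Set<DataAdminPrincipal> initPrincipal = subject.getPrincipals(DataAdminPrincipal.class);` and `Set<X500Principal> userPrincipal = subject.getPrincipals(X500Principal.class);` so the compiler keeps the element type. The trust model of the method is also undocumented: a Subject already carrying a DataAdminPrincipal is granted Jackrabbit's AdminPrincipal without any further check, while every other Subject is only validated to hold exactly one X500Principal and receives no principal from this module. Because that makes the outcome depend entirely on the login modules configured before this one, a class-level Javadoc should state it, e.g. `/** Maps an already authenticated Subject to Jackrabbit principals: a DataAdminPrincipal is granted AdminPrincipal, any other Subject must carry exactly one X500Principal. This module never authenticates by itself. */`.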
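Review bot: In logout() the statement `subject.getPrincipals(AdminPrincipal.class);` discards its result, so the AdminPrincipal that commit() adds for a DataAdminPrincipal subject is never removed and the removeAll of the old code is lost; a reused Subject would keep Jackrabbit admin rights after logout. Replace that statement with `subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));`. The surrounding `if (!initPrincipal.isEmpty()) { … return true; } return true;` is then redundant, since the removal is a no-op when no AdminPrincipal is present and both paths return true, so the method can shrink to the removeAll followed by a single `return true;`.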