X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FOsJcrAuthenticationProvider.java;h=aa95e322d21ef8e8bfa6c05099e1f6d7b426a06b;hb=3a3d316af102ba410d1d9e6de349d0c8f7ac044f;hp=192d2fdb2f801ee51a0beed4a77079c3d270edf4;hpb=149023e5969377045847bbecf24b0898b18a67a9;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
index 192d2fdb2..aa95e322d 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
@@ -1,96 +1,115 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jcr;
 
-import java.util.Map;
-import java.util.concurrent.Executor;
-
 import javax.jcr.Node;
+import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
-import javax.jcr.RepositoryFactory;
 import javax.jcr.Session;
 
 import org.argeo.ArgeoException;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.security.OsAuthenticationToken;
+import org.argeo.security.SecurityUtils;
 import org.argeo.security.core.OsAuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.security.userdetails.UserDetails;
 
+/** Relies on OS to authenticate and additionally setup JCR */
 public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
-	private RepositoryFactory repositoryFactory;
-	private Executor systemExecutor;
-	private String homeBasePath = "/home";
-	private String repositoryAlias = "node";
-	private String workspace = null;
+	private Repository repository;
+	private Session nodeSession;
 
-	public Authentication authenticate(Authentication authentication)
-			throws AuthenticationException {
-		final OsAuthenticationToken authen = (OsAuthenticationToken) super
-				.authenticate(authentication);
-		systemExecutor.execute(new Runnable() {
-			public void run() {
-				try {
-					Session session = JcrUtils.getRepositoryByAlias(
-							repositoryFactory, repositoryAlias)
-							.login(workspace);
-					Node userHome = JcrUtils.getUserHome(session,
-							authen.getName());
-					if (userHome == null)
-						JcrUtils.createUserHome(session, homeBasePath,
-								authen.getName());
-					authen.setDetails(getUserDetails(userHome, authen));
-				} catch (RepositoryException e) {
-					throw new ArgeoException(
-							"Unexpected exception when synchronizing OS and JCR security ",
-							e);
-				}
-			}
-		});
-		return authen;
-	}
+	private UserDetails userDetails;
+	private JcrSecurityModel jcrSecurityModel = new SimpleJcrSecurityModel();
+
+	private final static String JVM_OSUSER = System.getProperty("user.name");
 
-	/** Builds user details based on the authentication and the user home. */
-	protected UserDetails getUserDetails(Node userHome, Authentication authen) {
+	public void init() {
 		try {
-			// TODO: loads enabled, locked, etc. from the home node.
-			return new JcrUserDetails(userHome.getPath(), authen.getPrincipal()
-					.toString(), authen.getCredentials().toString(),
-					isEnabled(userHome), true, true, true,
-					authen.getAuthorities());
-		} catch (Exception e) {
-			throw new ArgeoException("Cannot get user details for " + userHome,
-					e);
+			nodeSession = repository.login();
+		} catch (RepositoryException e) {
+			throw new ArgeoException("Cannot initialize", e);
 		}
 	}
 
-	protected Boolean isEnabled(Node userHome) {
-		return true;
-	}
-
-	public void register(RepositoryFactory repositoryFactory,
-			Map<String, String> parameters) {
-		this.repositoryFactory = repositoryFactory;
+	public void destroy() {
+		JcrUtils.logoutQuietly(nodeSession);
 	}
 
-	public void unregister(RepositoryFactory repositoryFactory,
-			Map<String, String> parameters) {
-		this.repositoryFactory = null;
-	}
+	public Authentication authenticate(Authentication authentication)
+			throws AuthenticationException {
+		if (authentication instanceof UsernamePasswordAuthenticationToken) {
+			// deal with remote access to internal server
+			// FIXME very primitive and unsecure at this sSession adminSession
+			// =tage
+			// consider using the keyring for username / password authentication
+			// or certificate
+			UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication;
+			if (!upat.getPrincipal().toString().equals(JVM_OSUSER))
+				throw new BadCredentialsException("Wrong credentials");
+			UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken(
+					authentication.getPrincipal(),
+					authentication.getCredentials(), getBaseAuthorities());
+			authen.setDetails(userDetails);
+			return authen;
+		} else if (authentication instanceof OsAuthenticationToken) {
+			OsAuthenticationToken authen = (OsAuthenticationToken) super
+					.authenticate(authentication);
+			try {
+				// WARNING: at this stage we assume that the java properties
+				// will have the same value
+				GrantedAuthority[] authorities = getBaseAuthorities();
+				String username = JVM_OSUSER;
+				Node userProfile = jcrSecurityModel.sync(nodeSession, username,
+						SecurityUtils.authoritiesToStringList(authorities));
+				JcrUserDetails.checkAccountStatus(userProfile);
 
-	public void setSystemExecutor(Executor systemExecutor) {
-		this.systemExecutor = systemExecutor;
+				userDetails = new JcrUserDetails(userProfile, authen
+						.getCredentials().toString(), authorities);
+				authen.setDetails(userDetails);
+				return authen;
+			} catch (RepositoryException e) {
+				JcrUtils.discardQuietly(nodeSession);
+				throw new ArgeoException(
+						"Unexpected exception when synchronizing OS and JCR security ",
+						e);
+			}
+		} else {
+			throw new ArgeoException("Unsupported authentication "
+					+ authentication.getClass());
+		}
 	}
 
-	public void setHomeBasePath(String homeBasePath) {
-		this.homeBasePath = homeBasePath;
+	public void setRepository(Repository repository) {
+		this.repository = repository;
 	}
 
-	public void setRepositoryAlias(String repositoryAlias) {
-		this.repositoryAlias = repositoryAlias;
+	public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+		this.jcrSecurityModel = jcrSecurityModel;
 	}
 
-	public void setWorkspace(String workspace) {
-		this.workspace = workspace;
+	@SuppressWarnings("rawtypes")
+	public boolean supports(Class authentication) {
+		return OsAuthenticationToken.class.isAssignableFrom(authentication)
+				|| UsernamePasswordAuthenticationToken.class
+						.isAssignableFrom(authentication);
 	}
-
-}
+}
\ No newline at end of file