X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FOsJcrAuthenticationProvider.java;h=aa95e322d21ef8e8bfa6c05099e1f6d7b426a06b;hb=3a3d316af102ba410d1d9e6de349d0c8f7ac044f;hp=5307673ced6eb589e4e49ea822f5a05d57e29f74;hpb=0b7c4d15bef603eed5a7b770482e6cf684bbf381;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
index 5307673ce..aa95e322d 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
@@ -1,28 +1,49 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jcr;
 
 import javax.jcr.Node;
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.security.Privilege;
 
 import org.argeo.ArgeoException;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.security.OsAuthenticationToken;
+import org.argeo.security.SecurityUtils;
 import org.argeo.security.core.OsAuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.userdetails.UserDetails;
 
-/** Relies on OS to authenticate and additionaly setup JCR */
+/** Relies on OS to authenticate and additionally setup JCR */
 public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
 	private Repository repository;
-	private String securityWorkspace = "security";
-	private Session securitySession;
 	private Session nodeSession;
 
+	private UserDetails userDetails;
+	private JcrSecurityModel jcrSecurityModel = new SimpleJcrSecurityModel();
+
+	private final static String JVM_OSUSER = System.getProperty("user.name");
+
 	public void init() {
 		try {
-			securitySession = repository.login(securityWorkspace);
 			nodeSession = repository.login();
 		} catch (RepositoryException e) {
 			throw new ArgeoException("Cannot initialize", e);
@@ -30,51 +51,65 @@ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
 	}
 
 	public void destroy() {
-		JcrUtils.logoutQuietly(securitySession);
 		JcrUtils.logoutQuietly(nodeSession);
 	}
 
 	public Authentication authenticate(Authentication authentication)
 			throws AuthenticationException {
-		final OsAuthenticationToken authen = (OsAuthenticationToken) super
-				.authenticate(authentication);
-		try {
-			// WARNING: at this stage we assume that the java properties
-			// will have the same value
-			String username = System.getProperty("user.name");
-			Node userProfile = JcrUtils.createUserProfileIfNeeded(
-					securitySession, username);
-			JcrUserDetails.checkAccountStatus(userProfile);
-
-			// each user should have a writable area in the default workspace of
-			// the node
-			Node userNodeHome = JcrUtils.createUserHomeIfNeeded(nodeSession,
-					username);
-			JcrUtils.addPrivilege(nodeSession, userNodeHome.getPath(),
-					username, Privilege.JCR_ALL);
-			if (nodeSession.hasPendingChanges())
-				nodeSession.save();
-
-			// user details
-			JcrUserDetails userDetails = new JcrUserDetails(userProfile, authen
-					.getCredentials().toString(), getBaseAuthorities());
+		if (authentication instanceof UsernamePasswordAuthenticationToken) {
+			// deal with remote access to internal server
+			// FIXME very primitive and unsecure at this sSession adminSession
+			// =tage
+			// consider using the keyring for username / password authentication
+			// or certificate
+			UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication;
+			if (!upat.getPrincipal().toString().equals(JVM_OSUSER))
+				throw new BadCredentialsException("Wrong credentials");
+			UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken(
+					authentication.getPrincipal(),
+					authentication.getCredentials(), getBaseAuthorities());
 			authen.setDetails(userDetails);
-		} catch (RepositoryException e) {
-			JcrUtils.discardQuietly(securitySession);
-			throw new ArgeoException(
-					"Unexpected exception when synchronizing OS and JCR security ",
-					e);
-		} finally {
-			JcrUtils.logoutQuietly(securitySession);
-		}
-		return authen;
-	}
+			return authen;
+		} else if (authentication instanceof OsAuthenticationToken) {
+			OsAuthenticationToken authen = (OsAuthenticationToken) super
+					.authenticate(authentication);
+			try {
+				// WARNING: at this stage we assume that the java properties
+				// will have the same value
+				GrantedAuthority[] authorities = getBaseAuthorities();
+				String username = JVM_OSUSER;
+				Node userProfile = jcrSecurityModel.sync(nodeSession, username,
+						SecurityUtils.authoritiesToStringList(authorities));
+				JcrUserDetails.checkAccountStatus(userProfile);
 
-	public void setSecurityWorkspace(String securityWorkspace) {
-		this.securityWorkspace = securityWorkspace;
+				userDetails = new JcrUserDetails(userProfile, authen
+						.getCredentials().toString(), authorities);
+				authen.setDetails(userDetails);
+				return authen;
+			} catch (RepositoryException e) {
+				JcrUtils.discardQuietly(nodeSession);
+				throw new ArgeoException(
+						"Unexpected exception when synchronizing OS and JCR security ",
+						e);
+			}
+		} else {
+			throw new ArgeoException("Unsupported authentication "
+					+ authentication.getClass());
+		}
 	}
 
 	public void setRepository(Repository repository) {
 		this.repository = repository;
 	}
-}
+
+	public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+		this.jcrSecurityModel = jcrSecurityModel;
+	}
+
+	@SuppressWarnings("rawtypes")
+	public boolean supports(Class authentication) {
+		return OsAuthenticationToken.class.isAssignableFrom(authentication)
+				|| UsernamePasswordAuthenticationToken.class
+						.isAssignableFrom(authentication);
+	}
+}
\ No newline at end of file