X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FOsJcrAuthenticationProvider.java;h=aa95e322d21ef8e8bfa6c05099e1f6d7b426a06b;hb=b7133bb90dcade71c106f8a09ee1e37d33a93ddf;hp=2eadf5669724e5f7cb6000e2819f766f929e72c5;hpb=c813b98b8339977ff0fb5f6209b54e5852d3ff6e;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java index 2eadf5669..aa95e322d 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java @@ -1,8 +1,20 @@ +/* + * Copyright (C) 2007-2012 Argeo GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.argeo.security.jcr; -import java.util.Map; -import java.util.concurrent.Executor; - import javax.jcr.Node; import javax.jcr.Repository; import javax.jcr.RepositoryException; @@ -11,113 +23,93 @@ import javax.jcr.Session; import org.argeo.ArgeoException; import org.argeo.jcr.JcrUtils; import org.argeo.security.OsAuthenticationToken; -import org.argeo.security.SystemExecutionService; +import org.argeo.security.SecurityUtils; import org.argeo.security.core.OsAuthenticationProvider; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationException; +import org.springframework.security.BadCredentialsException; +import org.springframework.security.GrantedAuthority; +import org.springframework.security.providers.UsernamePasswordAuthenticationToken; import org.springframework.security.userdetails.UserDetails; +/** Relies on OS to authenticate and additionally setup JCR */ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { - private Executor systemExecutor; - private String homeBasePath = "/home"; private Repository repository; - private String workspace = null; + private Session nodeSession; - private Long timeout = 5 * 60 * 1000l; + private UserDetails userDetails; + private JcrSecurityModel jcrSecurityModel = new SimpleJcrSecurityModel(); - public Authentication authenticate(Authentication authentication) - throws AuthenticationException { - final OsAuthenticationToken authen = (OsAuthenticationToken) super - .authenticate(authentication); - final Repository repository = getRepositoryBlocking(); - systemExecutor.execute(new Runnable() { - public void run() { - Session session = null; - try { - session = repository.login(workspace); - // WARNING: at this stage we assume that teh java properties - // will have the same value - String userName = System.getProperty("user.name"); - Node userHome = JcrUtils.getUserHome(session, userName); - if (userHome == null) - userHome = JcrUtils.createUserHome(session, - homeBasePath, userName); - // authen.setDetails(getUserDetails(userHome, authen)); - } catch (RepositoryException e) { - throw new ArgeoException( - "Unexpected exception when synchronizing OS and JCR security ", - e); - } finally { - JcrUtils.logoutQuietly(session); - } - } - }); - return authen; - } + private final static String JVM_OSUSER = System.getProperty("user.name"); - /** Builds user details based on the authentication and the user home. */ - protected UserDetails getUserDetails(Node userHome, Authentication authen) { + public void init() { try { - // TODO: loads enabled, locked, etc. from the home node. - return new JcrUserDetails(userHome.getPath(), authen.getPrincipal() - .toString(), authen.getCredentials().toString(), - isEnabled(userHome), true, true, true, - authen.getAuthorities()); - } catch (Exception e) { - throw new ArgeoException("Cannot get user details for " + userHome, - e); + nodeSession = repository.login(); + } catch (RepositoryException e) { + throw new ArgeoException("Cannot initialize", e); } } - protected Boolean isEnabled(Node userHome) { - return true; + public void destroy() { + JcrUtils.logoutQuietly(nodeSession); } - protected Repository getRepositoryBlocking() { - long begin = System.currentTimeMillis(); - while (repository == null) { - synchronized (this) { - try { - wait(500); - } catch (InterruptedException e) { - // silent - } + public Authentication authenticate(Authentication authentication) + throws AuthenticationException { + if (authentication instanceof UsernamePasswordAuthenticationToken) { + // deal with remote access to internal server + // FIXME very primitive and unsecure at this sSession adminSession + // =tage + // consider using the keyring for username / password authentication + // or certificate + UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication; + if (!upat.getPrincipal().toString().equals(JVM_OSUSER)) + throw new BadCredentialsException("Wrong credentials"); + UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken( + authentication.getPrincipal(), + authentication.getCredentials(), getBaseAuthorities()); + authen.setDetails(userDetails); + return authen; + } else if (authentication instanceof OsAuthenticationToken) { + OsAuthenticationToken authen = (OsAuthenticationToken) super + .authenticate(authentication); + try { + // WARNING: at this stage we assume that the java properties + // will have the same value + GrantedAuthority[] authorities = getBaseAuthorities(); + String username = JVM_OSUSER; + Node userProfile = jcrSecurityModel.sync(nodeSession, username, + SecurityUtils.authoritiesToStringList(authorities)); + JcrUserDetails.checkAccountStatus(userProfile); + + userDetails = new JcrUserDetails(userProfile, authen + .getCredentials().toString(), authorities); + authen.setDetails(userDetails); + return authen; + } catch (RepositoryException e) { + JcrUtils.discardQuietly(nodeSession); + throw new ArgeoException( + "Unexpected exception when synchronizing OS and JCR security ", + e); } - if (System.currentTimeMillis() - begin > timeout) - throw new ArgeoException("No repository registered after " - + timeout + " ms"); + } else { + throw new ArgeoException("Unsupported authentication " + + authentication.getClass()); } - return repository; } - public synchronized void register(Repository repository, - Map parameters) { + public void setRepository(Repository repository) { this.repository = repository; - notifyAll(); } - public synchronized void unregister(Repository repository, - Map parameters) { - this.repository = null; - notifyAll(); + public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) { + this.jcrSecurityModel = jcrSecurityModel; } - public void register(SystemExecutionService systemExecutor, - Map parameters) { - this.systemExecutor = systemExecutor; + @SuppressWarnings("rawtypes") + public boolean supports(Class authentication) { + return OsAuthenticationToken.class.isAssignableFrom(authentication) + || UsernamePasswordAuthenticationToken.class + .isAssignableFrom(authentication); } - - public void unregister(SystemExecutionService systemExecutor, - Map parameters) { - this.systemExecutor = null; - } - - public void setHomeBasePath(String homeBasePath) { - this.homeBasePath = homeBasePath; - } - - public void setWorkspace(String workspace) { - this.workspace = workspace; - } - -} +} \ No newline at end of file