X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FOsJcrAuthenticationProvider.java;h=d304dc36571d8e41da2dec883179be220bcdd57b;hb=2134dd19734711b05710c1250b665c32fbe7263c;hp=ef5c1105a1ebfa5d76952b97d2d0eb8ae9fe62db;hpb=fa21f25edf0d804fea9c4d48bd044d81e2efdfe2;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java index ef5c1105a..d304dc365 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java @@ -1,17 +1,35 @@ +/* + * Copyright (C) 2007-2012 Mathieu Baudier + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.argeo.security.jcr; import javax.jcr.Node; import javax.jcr.Repository; import javax.jcr.RepositoryException; import javax.jcr.Session; -import javax.jcr.security.Privilege; import org.argeo.ArgeoException; import org.argeo.jcr.JcrUtils; +import org.argeo.jcr.security.SecurityJcrUtils; import org.argeo.security.OsAuthenticationToken; import org.argeo.security.core.OsAuthenticationProvider; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationException; +import org.springframework.security.BadCredentialsException; +import org.springframework.security.providers.UsernamePasswordAuthenticationToken; +import org.springframework.security.userdetails.UserDetails; /** Relies on OS to authenticate and additionally setup JCR */ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { @@ -20,6 +38,8 @@ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { private Session securitySession; private Session nodeSession; + private UserDetails userDetails; + public void init() { try { securitySession = repository.login(securityWorkspace); @@ -36,38 +56,50 @@ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { public Authentication authenticate(Authentication authentication) throws AuthenticationException { - final OsAuthenticationToken authen = (OsAuthenticationToken) super - .authenticate(authentication); - try { - // WARNING: at this stage we assume that the java properties - // will have the same value - String username = System.getProperty("user.name"); - Node userProfile = JcrUtils.createUserProfileIfNeeded( - securitySession, username); - JcrUserDetails.checkAccountStatus(userProfile); - - // each user should have a writable area in the default workspace of - // the node - Node userNodeHome = JcrUtils.createUserHomeIfNeeded(nodeSession, - username); - JcrUtils.addPrivilege(nodeSession, userNodeHome.getPath(), - username, Privilege.JCR_ALL); - if (nodeSession.hasPendingChanges()) - nodeSession.save(); - - // user details - JcrUserDetails userDetails = new JcrUserDetails(userProfile, authen - .getCredentials().toString(), getBaseAuthorities()); + if (authentication instanceof UsernamePasswordAuthenticationToken) { + // deal with remote access to internal server + // FIXME very primitive and unsecure at this stage + // consider using the keyring for username / password authentication + // or certificate + UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication; + if (!upat.getPrincipal().toString() + .equals(System.getProperty("user.name"))) + throw new BadCredentialsException("Wrong credentials"); + UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken( + authentication.getPrincipal(), + authentication.getCredentials(), getBaseAuthorities()); authen.setDetails(userDetails); - } catch (RepositoryException e) { - JcrUtils.discardQuietly(securitySession); - throw new ArgeoException( - "Unexpected exception when synchronizing OS and JCR security ", - e); - } finally { - JcrUtils.logoutQuietly(securitySession); + return authen; + } else if (authentication instanceof OsAuthenticationToken) { + OsAuthenticationToken authen = (OsAuthenticationToken) super + .authenticate(authentication); + try { + // WARNING: at this stage we assume that the java properties + // will have the same value + String username = System.getProperty("user.name"); + Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded( + securitySession, username); + JcrUserDetails.checkAccountStatus(userProfile); + + // each user should have a writable area in the default + // workspace of the node + SecurityJcrUtils.createUserHomeIfNeeded(nodeSession, username); + userDetails = new JcrUserDetails(userProfile, authen + .getCredentials().toString(), getBaseAuthorities()); + authen.setDetails(userDetails); + return authen; + } catch (RepositoryException e) { + JcrUtils.discardQuietly(securitySession); + throw new ArgeoException( + "Unexpected exception when synchronizing OS and JCR security ", + e); + } finally { + JcrUtils.logoutQuietly(securitySession); + } + } else { + throw new ArgeoException("Unsupported authentication " + + authentication.getClass()); } - return authen; } public void setSecurityWorkspace(String securityWorkspace) { @@ -77,4 +109,12 @@ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { public void setRepository(Repository repository) { this.repository = repository; } + + @SuppressWarnings("rawtypes") + public boolean supports(Class authentication) { + return OsAuthenticationToken.class.isAssignableFrom(authentication) + || UsernamePasswordAuthenticationToken.class + .isAssignableFrom(authentication); + } + }