From: Mathieu Baudier
Date: Fri, 13 Feb 2015 23:26:30 +0000 (+0000)
Subject: Use GrantedAuthority implementing Principal in order to optimise Jackrabbit login
X-Git-Tag: argeo-commons-2.1.30~366
X-Git-Url: http://git.argeo.org/?a=commitdiff_plain;h=5e24d4b3694253125077489270a86f545378f21e;p=lgpl%2Fargeo-commons.git

Use GrantedAuthority implementing Principal in order to optimise Jackrabbit login

git-svn-id: https://svn.argeo.org/commons/trunk@7859 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
diff --git a/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java b/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java
index c0b4b4b15..aceb51612 100644
--- a/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java
+++ b/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java
@@ -26,6 +26,7 @@ import org.argeo.security.NodeAuthenticationToken;
 import org.argeo.security.UserAdminService;
 import org.argeo.security.jcr.JcrSecurityModel;
 import org.argeo.security.jcr.JcrUserDetails;
+import org.argeo.security.login.GrantedAuthorityPrincipal;
 import org.springframework.dao.DataAccessException;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -33,7 +34,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -280,16 +280,16 @@ public class JackrabbitUserAdminService implements UserAdminService,
 if (username == null)
 username = session.getUserID();
 User user = (User) getUserManager().getAuthorizable(username);
- ArrayList authorities = new ArrayList();
+ ArrayList authorities = new ArrayList();
 // FIXME make it more generic
- authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
+ authorities.add(new GrantedAuthorityPrincipal("ROLE_USER"));
 Iterator groups = user.declaredMemberOf();
 while (groups.hasNext()) {
 Group group = groups.next();
 // String role = "ROLE_"
 // + group.getPrincipal().getName().toUpperCase();
 String role = group.getPrincipal().getName();
- authorities.add(new SimpleGrantedAuthority(role));
+ authorities.add(new GrantedAuthorityPrincipal(role));
 }
 
 Node userProfile = UserJcrUtils.getUserProfile(session, username);
diff --git a/org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java b/org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java
new file mode 100644
index 000000000..c176c04bc
--- /dev/null
+++ b/org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java
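Review bot: Nothing at the two `GrantedAuthorityPrincipal` call sites says why a Principal-typed authority is required here, so a later cleanup could revert to `SimpleGrantedAuthority` and silently break the Jackrabbit login that ArgeoLoginModule now performs by casting authorities to `Principal`; a comment at the first one, `// must also be a java.security.Principal: ArgeoLoginModule puts the authorities into the JAAS Subject as-is`, would pin that contract. The rendered `ArrayList authorities` line reads the same before and after the change, which suggests the element type argument was lost in rendering; if the declaration is typed as `GrantedAuthority`, the requirement is invisible in the type as well, which is why the comment matters. The enclosing method starts and ends outside the hunk.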
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.security.login;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * A {@link Principal} which is also a {@link GrantedAuthority}, so that the
+ * Spring Security can be used to quickly populate a {@link Subject} principals.
+ */
+public final class GrantedAuthorityPrincipal implements Principal,
+ GrantedAuthority {
+ private static final long serialVersionUID = 6768044196343543328L;
+ private final String authority;
+
+ public GrantedAuthorityPrincipal(String authority) {
+ this.authority = authority;
+ }
+
+ @Override
+ public String getAuthority() {
+ return authority;
+ }
+
+ @Override
+ public String getName() {
+ return authority;
+ }
+
+ @Override
+ public int hashCode() {
+ return getName().hashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (!(obj instanceof GrantedAuthorityPrincipal))
+ return false;
+ return getName().equals(((GrantedAuthorityPrincipal) obj).getName());
+ }
+
+ @Override
+ public String toString() {
+ return "Granted Authority " + getName();
+ }
+
+}
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
index 6d8adeb08..2ff913dd2 100644
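Review bot: The constructor stores `authority` unchecked while `hashCode()` and `equals()` dereference it through `getName()`, so a null authority only fails later with a NullPointerException when the instance is put into the Subject's principal set; `SimpleGrantedAuthority`, which this class replaces in JackrabbitUserAdminService, rejects empty text at construction. `import java.util.Objects;` and `this.authority = Objects.requireNonNull(authority, "authority");` would keep that guarantee at the point where it is cheap to diagnose. The class Javadoc should also say that equality is by name and only against other `GrantedAuthorityPrincipal` instances, since `equals` returns false for any other `Principal` implementation carrying the same name, which matters once these objects sit next to Jackrabbit's own principals in one set.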
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
@@ -59,12 +59,13 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 
 if (authen instanceof SystemAuthentication) {
 principals.add(new AdminPrincipal(authen.getName()));
- principals.add(new ArgeoSystemPrincipal(authen.getName()));
+ // principals.add(new ArgeoSystemPrincipal(authen.getName()));
 } else if (authen instanceof AnonymousAuthenticationToken) {
 principals.add(new AnonymousPrincipal());
 } else {
 for (GrantedAuthority ga : authen.getAuthorities()) {
- principals.add(new GrantedAuthorityPrincipal(ga));
+ if (ga instanceof Principal)
+ principals.add((Principal) ga);
 // FIXME: make it more generic
 if (adminRole.equals(ga.getAuthority()))
 principals.add(new AdminPrincipal(authen.getName()));
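Review bot: `if (ga instanceof Principal) principals.add((Principal) ga);` silently skips any authority that is not a `Principal`, so an Authentication still populated with `SimpleGrantedAuthority` (anything outside JackrabbitUserAdminService) reaches Jackrabbit with its group principals missing and its access control evaluated on a reduced set, with nothing logged; the `adminRole` check below still runs on `ga.getAuthority()`, so only the non-admin roles disappear. An `else` branch that at least logs the dropped authority, or keeps wrapping it as the removed line did, would make the mismatch visible instead of degrading quietly. `// principals.add(new ArgeoSystemPrincipal(authen.getName()));` should be deleted rather than commented out, since `ArgeoSystemPrincipal` is deprecated in this same commit. The enclosing method starts and ends outside the hunk.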
@@ -85,20 +86,29 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 * {@link org.springframework.security.Authentication} as well. Here we
 * simply clear Jackrabbit related {@link Principal}s.
 */
- @Override
- public boolean logout() throws LoginException {
- clearPrincipals(AdminPrincipal.class);
- clearPrincipals(ArgeoSystemPrincipal.class);
- clearPrincipals(AnonymousPrincipal.class);
- clearPrincipals(GrantedAuthorityPrincipal.class);
- return true;
- }
-
- private void clearPrincipals(Class clss) {
- Set principals = subject.getPrincipals(clss);
- if (principals != null)
- principals.clear();
- }
+ // @Override
+ // public boolean logout() throws LoginException {
+ // Set principals = subject.getPrincipals();
+ // for (Principal principal : subject.getPrincipals()) {
+ // if ((principal instanceof AdminPrincipal)
+ // || (principal instanceof ArgeoSystemPrincipal)
+ // || (principal instanceof AnonymousPrincipal)
+ // || (principal instanceof GrantedAuthority)) {
+ // principals.remove(principal);
+ // }
+ // }
+ // // clearPrincipals(AdminPrincipal.class);
+ // // clearPrincipals(ArgeoSystemPrincipal.class);
+ // // clearPrincipals(AnonymousPrincipal.class);
+ // // clearPrincipals(GrantedAuthority.class);
+ // return true;
+ // }
+
+ // private void clearPrincipals(Class clss) {
+ // Set principals = subject.getPrincipals(clss);
+ // if (principals != null)
+ // principals.clear();
+ // }
 
 @SuppressWarnings("rawtypes")
 @Override
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index e785d887e..8d03a205d 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
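Review bot: With `logout()` commented out, this module no longer removes the `AdminPrincipal`, `AnonymousPrincipal` and authority principals it adds during login, and nothing in the hunk shows `AbstractLoginModule.logout()` doing so; if the Subject outlives one login (a reused or cached Subject), the principals granted to an earlier authentication, `AdminPrincipal` included, would stay attached after logout. Either keep an override that removes exactly what this module added, or update the Javadoc above, which still says the module will "simply clear Jackrabbit related Principals" and now describes code that no longer exists. The commented-out replacement iterates `subject.getPrincipals()` while removing from that same set, which would throw `ConcurrentModificationException` if revived, so it is better deleted than kept as a template; if it is revived, iterate over a copy of the set rather than the live one. The methods before and after the hunk are outside it.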
@@ -98,8 +98,8 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
 return super.getUserID(subject, workspaceName);
 // skip Jackrabbit system user (all rights)
- if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
- return super.getUserID(subject, workspaceName);
+ // if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
+ // return super.getUserID(subject, workspaceName);
 
 // retrieve Spring authentication from JAAS
 // TODO? use Spring Security context holder
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
index e38981ef4..4f22ac8ca 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
@@ -18,6 +18,7 @@ package org.argeo.security.jackrabbit;
 import java.security.Principal;
 
 /** Principal for non-interactive system actions. */
+@Deprecated
 class ArgeoSystemPrincipal implements Principal {
 private String name;
 
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java
deleted file mode 100644
index 1263e68d8..000000000
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java
+++ /dev/null
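Review bot: The context comment `// skip Jackrabbit system user (all rights)` now heads two commented-out lines, so it documents a check that no longer runs; since `ArgeoSystemPrincipal` is deprecated in this same commit, delete the comment and the dead code together rather than leaving both in place. With the skip gone, a Subject produced by the `SystemAuthentication` branch of ArgeoLoginModule, which now carries only an `AdminPrincipal`, falls through to the Spring-authentication lookup below the hunk; whether that path yields a user ID for system sessions is not visible here and deserves a test, because it is the path that previously short-circuited to the all-rights user. The enclosing method continues outside the hunk.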
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2007-2012 Argeo GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.argeo.security.jackrabbit;
-
-import java.security.Principal;
-
-import org.springframework.security.core.GrantedAuthority;
-
-/** Wraps a {@link GrantedAuthority} as a principal. */
-class GrantedAuthorityPrincipal implements Principal {
- private final GrantedAuthority grantedAuthority;
-
- public GrantedAuthorityPrincipal(GrantedAuthority grantedAuthority) {
- this.grantedAuthority = grantedAuthority;
- }
-
- public String getName() {
- return grantedAuthority.getAuthority();
- }
-
- @Override
- public int hashCode() {
- return getName().hashCode();
- }
-
- @Override
- public boolean equals(Object obj) {
- if (!(obj instanceof GrantedAuthorityPrincipal))
- return false;
- return getName().equals(((GrantedAuthorityPrincipal) obj).getName());
- }
-
- @Override
- public String toString() {
- return "Granted Authority " + getName();
- }
-
-}