From 469d8a3bd7a681cdb7e23ccb01cc299e0b8b681f Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Wed, 5 Feb 2014 09:27:21 +0000
Subject: [PATCH] Copy to create auth.ldap

git-svn-id: https://svn.argeo.org/commons/trunk@6809 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../org.argeo.security.auth.ldap/.project     |  22 ++++
 .../META-INF/spring/security-ldap-jcr.xml     |  79 ++++++++++++
 .../META-INF/spring/security-ldap-osgi.xml    |  27 ++++
 .../spring/security-ldap-services.xml         |  66 ++++++++++
 .../META-INF/spring/security-ldap.xml         | 121 ++++++++++++++++++
 .../build.properties                          |   1 +
 .../ldap.properties                           |  32 +++++
 .../org.argeo.security.auth.ldap/pom.xml      |  30 +++++
 8 files changed, 378 insertions(+)
 create mode 100644 security/modules/org.argeo.security.auth.ldap/.project
 create mode 100644 security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-jcr.xml
 create mode 100644 security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
 create mode 100644 security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
 create mode 100644 security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
 create mode 100644 security/modules/org.argeo.security.auth.ldap/build.properties
 create mode 100644 security/modules/org.argeo.security.auth.ldap/ldap.properties
 create mode 100644 security/modules/org.argeo.security.auth.ldap/pom.xml

diff --git a/security/modules/org.argeo.security.auth.ldap/.project b/security/modules/org.argeo.security.auth.ldap/.project
new file mode 100644
index 000000000..cd8b39380
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/.project
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>org.argeo.security.dao.ldap</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.pde.ManifestBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.pde.SchemaBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.pde.PluginNature</nature>
+	</natures>
+</projectDescription>
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-jcr.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-jcr.xml
new file mode 100644
index 000000000..3235e66f4
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-jcr.xml
@@ -0,0 +1,79 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+		http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
+		http://www.springframework.org/schema/security
+		http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
+		http://www.springframework.org/schema/util
+		http://www.springframework.org/schema/util/spring-util-2.5.xsd">
+
+	<bean id="argeoDataModel" class="org.argeo.jackrabbit.JackrabbitWrapper"
+		init-method="init" destroy-method="destroy">
+		<description><![CDATA[Make sure that Argeo base data model is registered]]></description>
+		<property name="cndFiles">
+			<list>
+				<value>/org/argeo/jcr/argeo.cnd</value>
+			</list>
+		</property>
+		<property name="repository" ref="nodeRepository" />
+		<property name="bundleContext" ref="bundleContext" />
+	</bean>
+
+	<bean id="jcrLdapSynchronizer" class="org.argeo.security.ldap.jcr.JcrLdapSynchronizer"
+		init-method="init" destroy-method="destroy" depends-on="argeoDataModel">
+		<!-- LDAP -->
+		<property name="usernameAttribute" value="${argeo.ldap.usernameAttribute}" />
+		<property name="passwordAttribute" value="${argeo.ldap.passwordAttribute}" />
+		<property name="userClasses">
+			<list>
+				<value>${argeo.ldap.userClass}</value>
+			</list>
+		</property>
+		<property name="passwordEncoder" ref="passwordEncoder" />
+		<property name="userBase" value="${argeo.ldap.userBase}" />
+		<property name="usernameMapper" ref="usernameMapper" />
+		<property name="ldapTemplate" ref="ldapTemplate" />
+		<property name="rawLdapTemplate" ref="rawLdapTemplate" />
+		<!-- JCR -->
+		<property name="repository" ref="nodeRepository" />
+		<property name="jcrSecurityModel" ref="jcrSecurityModel" />
+		<property name="propertyToAttributes" ref="propertyToAttributes" />
+	</bean>
+
+	<bean name="jcrSecurityModel" class="org.argeo.security.jackrabbit.JackrabbitSecurityModel" />
+
+	<!-- LDAP / JCR mapping -->
+	<util:map id="propertyToAttributes">
+		<entry value="cn">
+			<key>
+				<util:constant static-field="javax.jcr.Property.JCR_TITLE" />
+			</key>
+		</entry>
+		<entry value="description">
+			<key>
+				<util:constant static-field="javax.jcr.Property.JCR_DESCRIPTION" />
+			</key>
+		</entry>
+		<entry value="givenName">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_FIRST_NAME" />
+			</key>
+		</entry>
+		<entry value="sn">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_LAST_NAME" />
+			</key>
+		</entry>
+		<entry value="mail">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_PRIMARY_EMAIL" />
+			</key>
+		</entry>
+		<entry value="o">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_PRIMARY_ORGANIZATION" />
+			</key>
+		</entry>
+	</util:map>
+</beans>
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
new file mode 100644
index 000000000..aa3b67ac6
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-osgi.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans:beans xmlns="http://www.springframework.org/schema/osgi"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
+	xsi:schemaLocation="http://www.springframework.org/schema/osgi  
+       http://www.springframework.org/schema/osgi/spring-osgi-1.1.xsd
+       http://www.springframework.org/schema/beans   
+       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+	<!-- REFERENCES -->
+	<reference id="nodeRepository" interface="javax.jcr.Repository"
+		filter="(argeo.jcr.repository.alias=node)" />
+
+	<!-- SERVICES -->
+	<service ref="authenticationManager"
+		interface="org.springframework.security.AuthenticationManager"
+		context-class-loader="service-provider" />
+
+	<!-- User management -->
+	<service ref="userDetailsManager"
+		interface="org.springframework.security.userdetails.UserDetailsService"
+		context-class-loader="service-provider" />
+	<service ref="userDetailsManager"
+		interface="org.springframework.security.userdetails.UserDetailsManager"
+		context-class-loader="service-provider" />
+	<service ref="userDetailsManager" interface="org.argeo.security.UserAdminService"
+		context-class-loader="service-provider" />
+</beans:beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
new file mode 100644
index 000000000..36dedf389
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap-services.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="
+       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
+		<property name="providers">
+			<list>
+				<ref bean="authByAdapterProvider" />
+				<ref bean="preAuthProvider" />
+				<ref bean="anonymousAuthenticationProvider" />
+				<ref bean="rememberMeAuthenticationProvider" />
+				<ref bean="ldapAuthenticationProvider" />
+			</list>
+		</property>
+	</bean>
+
+	<!-- Authentication provider -->
+	<bean id="authByAdapterProvider"
+		class="org.springframework.security.adapters.AuthByAdapterProvider">
+		<description><![CDATA[System authentication]]></description>
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<bean id="preAuthProvider"
+		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
+		<description><![CDATA[Pre-authentication]]></description>
+		<property name="preAuthenticatedUserDetailsService">
+			<bean id="userDetailsServiceWrapper"
+				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
+				<property name="userDetailsService" ref="userDetailsManager" />
+			</bean>
+		</property>
+	</bean>
+
+	<bean id="anonymousAuthenticationProvider"
+		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
+		<description><![CDATA[Anonymous authentication]]></description>
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<bean id="rememberMeAuthenticationProvider"
+		class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
+		<description><![CDATA[Remember me authentication]]></description>
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<!-- Internal authentication, used by during the general authentication 
+		initialization himself, in order to prevent the following dependency cycle: 
+		Repository.login() <= AuthenticationManager <= LdapAuthenticationProvider 
+		<= Repository.login() in init() -->
+	<bean id="internalAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
+		<property name="providers">
+			<list>
+				<ref bean="authByAdapterProvider" />
+			</list>
+		</property>
+	</bean>
+
+	<bean
+		class="org.argeo.security.core.AuthenticatedApplicationContextInitialization">
+		<description><![CDATA[Executes initialization with a system authentication]]></description>
+		<property name="authenticationManager" ref="internalAuthenticationManager" />
+	</bean>
+</beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
new file mode 100644
index 000000000..3777f8853
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/META-INF/spring/security-ldap.xml
@@ -0,0 +1,121 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
+
+	<!-- COMMON -->
+	<bean
+		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+		<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
+		<property name="locations">
+			<value>osgibundle:ldap.properties</value>
+		</property>
+	</bean>
+
+	<!-- AUTHENTICATION -->
+	<bean id="ldapAuthenticationProvider"
+		class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
+		<constructor-arg ref="ldapAuthenticator" />
+		<constructor-arg ref="authoritiesPopulator" />
+		<property name="userDetailsContextMapper" ref="jcrLdapSynchronizer" />
+	</bean>
+
+	<!-- PasswordComparisonAuthenticator doesn't work with SSHA -->
+	<bean id="ldapAuthenticator"
+		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
+		<constructor-arg ref="contextSource" />
+		<property name="userDnPatterns">
+			<list>
+				<value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value>
+			</list>
+		</property>
+		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
+		<property name="passwordEncoder" ref="passwordEncoder" />
+	</bean>
+
+	<!-- Bind authenticator doesn't work with Apache DS 1.0 -->
+	<!-- <bean id="ldapAuthenticator" -->
+	<!-- class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> -->
+	<!-- <constructor-arg ref="contextSource" /> -->
+	<!-- <property name="userDnPatterns"> -->
+	<!-- <list> -->
+	<!-- <value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value> -->
+	<!-- </list> -->
+	<!-- </property> -->
+	<!-- </bean> -->
+
+	<!-- USER DETAILS -->
+	<bean id="userDetailsManager" class="org.argeo.security.ldap.ArgeoLdapUserDetailsManager">
+		<constructor-arg ref="contextSource" />
+		<property name="groupSearchBase" value="${argeo.ldap.groupBase}" />
+		<property name="groupMemberAttributeName" value="${argeo.ldap.groupMemberAttribute}" />
+		<property name="usernameMapper" ref="usernameMapper" />
+		<property name="userDetailsMapper" ref="jcrLdapSynchronizer" />
+		<property name="userAdminDao" ref="userAdminDao" />
+		<property name="passwordEncoder" ref="passwordEncoder" />
+		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
+		<property name="superUsername" value="${argeo.security.superUsername}" />
+	</bean>
+
+	<bean id="userAdminDao" class="org.argeo.security.ldap.ArgeoUserAdminDaoLdap">
+		<constructor-arg ref="contextSource" />
+		<property name="userBase" value="${argeo.ldap.userBase}" />
+		<property name="usernameAttribute" value="${argeo.ldap.usernameAttribute}" />
+		<property name="groupClasses">
+			<list>
+				<value>top</value>
+				<value>${argeo.ldap.groupClass}</value>
+			</list>
+		</property>
+		<property name="groupBase" value="${argeo.ldap.groupBase}" />
+		<property name="groupRoleAttribute" value="${argeo.ldap.groupRoleAttribute}" />
+		<property name="groupMemberAttribute" value="${argeo.ldap.groupMemberAttribute}" />
+		<property name="defaultRole" value="${argeo.security.defaultRole}" />
+		<property name="rolePrefix" value="${argeo.security.rolePrefix}" />
+		<property name="usernameMapper" ref="usernameMapper" />
+	</bean>
+
+	<bean id="usernameMapper"
+		class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
+		<constructor-arg value="${argeo.ldap.userBase}" />
+		<constructor-arg value="${argeo.ldap.usernameAttribute}" />
+	</bean>
+
+	<bean id="authoritiesPopulator"
+		class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
+		<constructor-arg ref="contextSource" />
+		<constructor-arg value="${argeo.ldap.groupBase}" />
+		<property name="groupSearchFilter" value="${argeo.ldap.groupMemberAttribute}={0}" />
+		<property name="defaultRole" value="${argeo.security.defaultRole}" />
+		<property name="rolePrefix" value="${argeo.security.rolePrefix}" />
+	</bean>
+
+	<!-- LDAP LOW LEVEL -->
+	<bean id="contextSource"
+		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
+		<constructor-arg
+			value="${argeo.ldap.protocol}://${argeo.ldap.host}:${argeo.ldap.port}/${argeo.ldap.rootdn}" />
+		<property name="userDn" value="${argeo.ldap.manager.userdn}" />
+		<property name="password" value="${argeo.ldap.manager.password}" />
+	</bean>
+
+	<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
+		<constructor-arg ref="contextSource" />
+	</bean>
+
+	<bean id="rawLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
+		<description><![CDATA[LDAP template returning raw dir contexts, see http://forum.springsource.org/showthread.php?55955-Persistent-search-with-spring-ldap]]></description>
+		<constructor-arg>
+			<bean parent="contextSource">
+				<property name="dirObjectFactory">
+					<null />
+				</property>
+			</bean>
+		</constructor-arg>
+	</bean>
+
+	<bean id="passwordEncoder" class="org.argeo.security.ldap.ArgeoLdapShaPasswordEncoder">
+		<property name="useSalt" value="${argeo.ldap.password.useSalt}" />
+	</bean>
+</beans>
diff --git a/security/modules/org.argeo.security.auth.ldap/build.properties b/security/modules/org.argeo.security.auth.ldap/build.properties
new file mode 100644
index 000000000..5f22cdd44
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/build.properties
@@ -0,0 +1 @@
+bin.includes = META-INF/
diff --git a/security/modules/org.argeo.security.auth.ldap/ldap.properties b/security/modules/org.argeo.security.auth.ldap/ldap.properties
new file mode 100644
index 000000000..0f5164ff3
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/ldap.properties
@@ -0,0 +1,32 @@
+argeo.security.defaultRole=ROLE_USER
+argeo.security.rolePrefix=ROLE_
+
+argeo.security.systemKey=argeo
+argeo.security.superUsername=root
+
+argeo.ldap.rootdn=dc=demo,dc=example,dc=org
+argeo.ldap.protocol=ldap
+argeo.ldap.host=localhost
+# default are for Apache Directory Server
+argeo.ldap.port=10389
+argeo.ldap.manager.userdn=uid=admin,ou=system
+argeo.ldap.manager.password=secret
+
+# USER
+argeo.ldap.userClass=inetOrgPerson
+argeo.ldap.osUserClass=posixAccount
+argeo.ldap.userBase=ou=People
+argeo.ldap.usernameAttribute=uid
+argeo.ldap.passwordAttribute=userPassword
+# ROLES
+argeo.ldap.groupClass=groupOfNames
+argeo.ldap.groupBase=ou=Roles
+argeo.ldap.groupRoleAttribute=cn
+argeo.ldap.groupMemberAttribute=member
+# OS GROUPS
+argeo.ldap.osGroupClass=posixGroup
+argeo.ldap.osGroupBase=ou=Group
+argeo.ldap.osGroupNameAttribute=cn
+argeo.ldap.osGroupMemberAttribute=memberUid
+
+argeo.ldap.password.useSalt=false
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.auth.ldap/pom.xml b/security/modules/org.argeo.security.auth.ldap/pom.xml
new file mode 100644
index 000000000..6c3cf75f4
--- /dev/null
+++ b/security/modules/org.argeo.security.auth.ldap/pom.xml
@@ -0,0 +1,30 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.argeo.commons.security</groupId>
+		<version>2.1.6-SNAPSHOT</version>
+		<artifactId>modules</artifactId>
+		<relativePath>..</relativePath>
+	</parent>
+	<artifactId>org.argeo.security.dao.ldap</artifactId>
+	<name>Commons Security DAO LDAP</name>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.felix</groupId>
+				<artifactId>maven-bundle-plugin</artifactId>
+				<configuration>
+					<instructions>
+						<Import-Package>
+							*,
+							org.argeo.jcr,
+							com.sun.jndi.ldap;resolution:=optional,
+							org.springframework.ldap.core.support,
+							org.springframework.security
+						</Import-Package>
+					</instructions>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>
\ No newline at end of file
-- 
2.30.2