From 5e24d4b3694253125077489270a86f545378f21e Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Fri, 13 Feb 2015 23:26:30 +0000 Subject: [PATCH] Use GrantedAuthority implementing Principal in order to optimise Jackrabbit login git-svn-id: https://svn.argeo.org/commons/trunk@7859 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc --- .../JackrabbitUserAdminService.java | 8 ++-- .../login}/GrantedAuthorityPrincipal.java | 27 ++++++++---- .../security/jackrabbit/ArgeoLoginModule.java | 42 ++++++++++++------- .../jackrabbit/ArgeoSecurityManager.java | 4 +- .../jackrabbit/ArgeoSystemPrincipal.java | 1 + 5 files changed, 53 insertions(+), 29 deletions(-) rename {org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit => org.argeo.security.core/src/org/argeo/security/login}/GrantedAuthorityPrincipal.java (64%) diff --git a/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java b/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java index c0b4b4b15..aceb51612 100644 --- a/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java +++ b/org.argeo.security.core/src/org/argeo/security/jcr/jackrabbit/JackrabbitUserAdminService.java @@ -26,6 +26,7 @@ import org.argeo.security.NodeAuthenticationToken; import org.argeo.security.UserAdminService; import org.argeo.security.jcr.JcrSecurityModel; import org.argeo.security.jcr.JcrUserDetails; +import org.argeo.security.login.GrantedAuthorityPrincipal; import org.springframework.dao.DataAccessException; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.BadCredentialsException; 
@@ -33,7 +34,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; @@ -280,16 +280,16 @@ public class JackrabbitUserAdminService implements UserAdminService, if (username == null) username = session.getUserID(); User user = (User) getUserManager().getAuthorizable(username); - ArrayList authorities = new ArrayList(); + ArrayList authorities = new ArrayList(); // FIXME make it more generic - authorities.add(new SimpleGrantedAuthority("ROLE_USER")); + authorities.add(new GrantedAuthorityPrincipal("ROLE_USER")); Iterator groups = user.declaredMemberOf(); while (groups.hasNext()) { Group group = groups.next(); // String role = "ROLE_" // + group.getPrincipal().getName().toUpperCase(); String role = group.getPrincipal().getName(); - authorities.add(new SimpleGrantedAuthority(role)); + authorities.add(new GrantedAuthorityPrincipal(role)); } Node userProfile = UserJcrUtils.getUserProfile(session, username); diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java b/org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java similarity index 64% rename from org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java rename to org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java index 1263e68d8..c176c04bc 100644 --- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/GrantedAuthorityPrincipal.java 
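Review bot: The strings handed to the new `GrantedAuthorityPrincipal` instances in the `@@ -280` hunk now serve a second purpose that the code does not say: with this commit they are placed directly into the JAAS Subject as principals by ArgeoLoginModule, so the literal `"ROLE_USER"` and each `group.getPrincipal().getName()` become Jackrabbit principal names as well as Spring authorities. A comment would save the next reader from treating the authority string as Spring-only, e.g. `// the authority string is also used verbatim as the JAAS/Jackrabbit principal name`. The `user` returned by `getAuthorizable(username)` is dereferenced without a null check on the context lines, which this hunk does not change but which the new principal-building loop inherits. The enclosing method begins before the hunk.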
+++ b/org.argeo.security.core/src/org/argeo/security/login/GrantedAuthorityPrincipal.java
@@ -13,22 +13,35 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.argeo.security.jackrabbit;
+package org.argeo.security.login;
 import java.security.Principal;
+import javax.security.auth.Subject;
+
 import org.springframework.security.core.GrantedAuthority;
-/** Wraps a {@link GrantedAuthority} as a principal. */
-class GrantedAuthorityPrincipal implements Principal {
- private final GrantedAuthority grantedAuthority;
+/**
+ * A {@link Principal} which is also a {@link GrantedAuthority}, so that the
+ * Spring Security can be used to quickly populate a {@link Subject} principals.
+ */
+public final class GrantedAuthorityPrincipal implements Principal,
+ GrantedAuthority {
+ private static final long serialVersionUID = 6768044196343543328L;
+ private final String authority;
+
+ public GrantedAuthorityPrincipal(String authority) {
+ this.authority = authority;
+ }
- public GrantedAuthorityPrincipal(GrantedAuthority grantedAuthority) {
- this.grantedAuthority = grantedAuthority;
+ @Override
+ public String getAuthority() {
+ return authority;
 }
+ @Override
 public String getName() {
- return grantedAuthority.getAuthority();
+ return authority;
 }
 @Override
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
index 6d8adeb08..2ff913dd2 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoLoginModule.java
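Review bot: The new constructor `public GrantedAuthorityPrincipal(String authority)` stores its argument unchecked, so a null authority produces a Principal whose `getName()` and `getAuthority()` both return null once it sits in a JAAS Subject. Add `if (authority == null) throw new IllegalArgumentException("authority must not be null");` as the first statement of the constructor. Because instances are now added to `Subject.getPrincipals()`, a Set, the `equals`/`hashCode` that apparently follow the hunk (only the trailing ` @Override` is visible) should be based on `authority`; please confirm they no longer reference the removed `grantedAuthority` field. The class Javadoc sentence `so that the Spring Security can be used to quickly populate a {@link Subject} principals` is ungrammatical; suggest `so that Spring Security authorities can be added directly to a {@link Subject}'s principals`.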
@@ -59,12 +59,13 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 if (authen instanceof SystemAuthentication) {
 principals.add(new AdminPrincipal(authen.getName()));
- principals.add(new ArgeoSystemPrincipal(authen.getName()));
+ // principals.add(new ArgeoSystemPrincipal(authen.getName()));
 } else if (authen instanceof AnonymousAuthenticationToken) {
 principals.add(new AnonymousPrincipal());
 } else {
 for (GrantedAuthority ga : authen.getAuthorities()) {
- principals.add(new GrantedAuthorityPrincipal(ga));
+ if (ga instanceof Principal)
+ principals.add((Principal) ga);
 // FIXME: make it more generic
 if (adminRole.equals(ga.getAuthority()))
 principals.add(new AdminPrincipal(authen.getName()));
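Review bot: The new `if (ga instanceof Principal)` guard silently drops every GrantedAuthority that is not also a Principal, so an authority produced by any provider still emitting plain `SimpleGrantedAuthority` (the type this commit removes only from JackrabbitUserAdminService) would grant a Spring role but no Jackrabbit principal, and nothing records the mismatch. A fallback keeps the two authorization views aligned: `else principals.add(new GrantedAuthorityPrincipal(ga.getAuthority()));` (the class now lives in `org.argeo.security.login`, so it may need an import), or at minimum a warning log naming the skipped authority. The commented-out `ArgeoSystemPrincipal` line should be deleted rather than kept, since the class is only deprecated and the comment will go stale. The enclosing method starts before the hunk.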
@@ -85,20 +86,29 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 * {@link org.springframework.security.Authentication} as well. Here we
 * simply clear Jackrabbit related {@link Principal}s.
 */
- @Override
- public boolean logout() throws LoginException {
- clearPrincipals(AdminPrincipal.class);
- clearPrincipals(ArgeoSystemPrincipal.class);
- clearPrincipals(AnonymousPrincipal.class);
- clearPrincipals(GrantedAuthorityPrincipal.class);
- return true;
- }
-
- private void clearPrincipals(Class clss) {
- Set principals = subject.getPrincipals(clss);
- if (principals != null)
- principals.clear();
- }
+ // @Override
+ // public boolean logout() throws LoginException {
+ // Set principals = subject.getPrincipals();
+ // for (Principal principal : subject.getPrincipals()) {
+ // if ((principal instanceof AdminPrincipal)
+ // || (principal instanceof ArgeoSystemPrincipal)
+ // || (principal instanceof AnonymousPrincipal)
+ // || (principal instanceof GrantedAuthority)) {
+ // principals.remove(principal);
+ // }
+ // }
+ // // clearPrincipals(AdminPrincipal.class);
+ // // clearPrincipals(ArgeoSystemPrincipal.class);
+ // // clearPrincipals(AnonymousPrincipal.class);
+ // // clearPrincipals(GrantedAuthority.class);
+ // return true;
+ // }
+
+ // private void clearPrincipals(Class clss) {
+ // Set principals = subject.getPrincipals(clss);
+ // if (principals != null)
+ // principals.clear();
+ // }
 @SuppressWarnings("rawtypes")
 @Override
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index e785d887e..8d03a205d 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
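Review bot: The hunk removes the only `logout()` that cleared the AdminPrincipal, AnonymousPrincipal and authority principals this module adds, leaving a block of commented-out code and the Javadoc above it (`Here we simply clear Jackrabbit related Principals`) describing behaviour that no longer exists; whether the inherited AbstractLoginModule.logout() removes those principals is not visible here, and if it does not, an AdminPrincipal can outlive the login on a reused Subject. The commented-out draft also removes from `subject.getPrincipals()` while iterating it, which would throw ConcurrentModificationException, which is presumably why it was disabled. Collect the principals first and remove them afterwards, as below, and delete the commented-out code rather than keeping it (HashSet needs an import if the file lacks one; ArgeoSystemPrincipal is omitted because it is deprecated by this commit, add it back if stale instances must be cleared).
```java
@Override
public boolean logout() throws LoginException {
    // collect first: removing from subject.getPrincipals() while iterating it throws CME
    Set<Principal> toRemove = new HashSet<Principal>();
    for (Principal principal : subject.getPrincipals()) {
        if (principal instanceof AdminPrincipal
                || principal instanceof AnonymousPrincipal
                || principal instanceof GrantedAuthority)
            toRemove.add(principal);
    }
    subject.getPrincipals().removeAll(toRemove);
    return true;
}
```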
@@ -98,8 +98,8 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
 return super.getUserID(subject, workspaceName);
 // skip Jackrabbit system user (all rights)
- if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
- return super.getUserID(subject, workspaceName);
+ // if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
+ // return super.getUserID(subject, workspaceName);
 // retrieve Spring authentication from JAAS
 // TODO? use Spring Security context holder
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
index e38981ef4..4f22ac8ca 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSystemPrincipal.java
@@ -18,6 +18,7 @@ package org.argeo.security.jackrabbit;
 import java.security.Principal;
 /** Principal for non-interactive system actions. */
+@Deprecated
 class ArgeoSystemPrincipal implements Principal {
 private String name;
-- 2.30.2
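Review bot: The context comment `// skip Jackrabbit system user (all rights)` now sits above two commented-out lines, so it describes a short-circuit that no longer happens; either delete the comment together with the dead code or replace it with one stating the new contract, e.g. `// system sessions carry only AdminPrincipal (see ArgeoLoginModule) and resolve through the Spring authentication below`. A Subject that still carries an ArgeoSystemPrincipal (the class is deprecated, not removed) now falls through to the Spring-authentication lookup that follows the hunk, and how that path treats a system Subject without a Spring Authentication is not visible here. Commented-out code should be removed rather than kept. The enclosing getUserID method continues outside the hunk.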
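Review bot: The added `@Deprecated` on ArgeoSystemPrincipal is not accompanied by a Javadoc `@deprecated` tag, so readers of the class see no replacement or reason. Extend the existing one-line Javadoc, e.g. `/** Principal for non-interactive system actions. @deprecated system sessions are now identified by AdminPrincipal alone; see ArgeoLoginModule. */`, wording the replacement as the commit intends it.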