<service ref="authenticationManager"\r
interface="org.springframework.security.AuthenticationManager"\r
context-class-loader="service-provider" />\r
- <!-- <service ref="ldapAuthenticationProvider" -->\r
- <!-- interface="org.springframework.security.providers.AuthenticationProvider" -->\r
- <!-- context-class-loader="service-provider" /> -->\r
\r
+ <!-- User management -->\r
<service ref="userDetailsManager"\r
interface="org.springframework.security.userdetails.UserDetailsService"\r
context-class-loader="service-provider" />\r
\r
<service ref="systemExecutionService" interface="org.argeo.security.SystemExecutionService" />\r
\r
+ <!-- User management -->\r
+ <service ref="userDetailsManager"\r
+ interface="org.springframework.security.userdetails.UserDetailsService"\r
+ context-class-loader="service-provider" />\r
+ <service ref="userDetailsManager"\r
+ interface="org.springframework.security.userdetails.UserDetailsManager"\r
+ context-class-loader="service-provider" />\r
+ <service ref="userDetailsManager" interface="org.argeo.security.UserAdminService"\r
+ context-class-loader="service-provider" />\r
+\r
</beans:beans>
\ No newline at end of file
<property name="authenticationManager" ref="internalAuthenticationManager" />
</bean>
+ <!-- Dummy user manager -->
+ <bean id="userDetailsManager" class="org.argeo.security.jcr.OsJcrUserAdminService"
+ init-method="init" destroy-method="destroy">
+ <property name="repository" ref="nodeRepository" />
+ </bean>
+
</beans>
\ No newline at end of file
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
+/** @deprecated */
+@Deprecated
public class MatchingAuthenticationProvider extends
AbstractUserDetailsAuthenticationProvider {
* Validates an OS authentication. The id is that it will always be
* authenticated since we are always runnign within an OS, but the fact that the
* {@link Authentication} works properly depends on the proper OS login module
- * having been called as well.
+ * having been called as well. TODO make it more configurable (base roles, is
+ * admin)
*/
public class OsAuthenticationProvider implements AuthenticationProvider {
- private String osUserRole = "ROLE_OS_USER";
- private String userRole = "ROLE_USER";
- private String adminRole = "ROLE_ADMIN";
+ final static String osUserRole = "ROLE_OS_USER";
+ final static String userRole = "ROLE_USER";
+ final static String adminRole = "ROLE_ADMIN";
- private Boolean isAdmin = true;
+ final static Boolean isAdmin = true;
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
return new OsAuthenticationToken(getBaseAuthorities());
}
- protected GrantedAuthority[] getBaseAuthorities() {
+ public static GrantedAuthority[] getBaseAuthorities() {
List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
auths.add(new GrantedAuthorityImpl(osUserRole));
auths.add(new GrantedAuthorityImpl(userRole));
return OsAuthenticationToken.class.isAssignableFrom(authentication);
}
- public void setOsUserRole(String osUserRole) {
- this.osUserRole = osUserRole;
- }
-
- public void setUserRole(String userRole) {
- this.userRole = userRole;
- }
-
- public void setAdminRole(String adminRole) {
- this.adminRole = adminRole;
- }
-
- public void setIsAdmin(Boolean isAdmin) {
- this.isAdmin = isAdmin;
- }
-
}
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
-import javax.jcr.security.Privilege;
import org.argeo.ArgeoException;
import org.argeo.jcr.JcrUtils;
import org.argeo.security.core.OsAuthenticationProvider;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.userdetails.UserDetails;
/** Relies on OS to authenticate and additionally setup JCR */
public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
private Session securitySession;
private Session nodeSession;
+ private UserDetails userDetails;
+
public void init() {
try {
securitySession = repository.login(securityWorkspace);
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
- final OsAuthenticationToken authen = (OsAuthenticationToken) super
- .authenticate(authentication);
- try {
- // WARNING: at this stage we assume that the java properties
- // will have the same value
- String username = System.getProperty("user.name");
- Node userProfile = JcrUtils.createUserProfileIfNeeded(
- securitySession, username);
- JcrUserDetails.checkAccountStatus(userProfile);
-
- // each user should have a writable area in the default workspace of
- // the node
- Node userNodeHome = JcrUtils.createUserHomeIfNeeded(nodeSession,
- username);
- // FIXME how to set user home privileges *before* it is created ?
- // JcrUtils.addPrivilege(nodeSession, userNodeHome.getPath(),
- // username, Privilege.JCR_ALL);
- // if (nodeSession.hasPendingChanges())
- // nodeSession.save();
-
- // user details
- JcrUserDetails userDetails = new JcrUserDetails(userProfile, authen
- .getCredentials().toString(), getBaseAuthorities());
+ if (authentication instanceof UsernamePasswordAuthenticationToken) {
+ // deal with remote access to internal server
+ // FIXME very primitive and unsecure at this stage
+ // consider using the keyring for username / password authentication
+ // or certificate
+ UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication;
+ if (!upat.getPrincipal().toString()
+ .equals(System.getProperty("user.name")))
+ throw new BadCredentialsException("Wrong credentials");
+ UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken(
+ authentication.getPrincipal(),
+ authentication.getCredentials(), getBaseAuthorities());
authen.setDetails(userDetails);
- } catch (RepositoryException e) {
- JcrUtils.discardQuietly(securitySession);
- throw new ArgeoException(
- "Unexpected exception when synchronizing OS and JCR security ",
- e);
- } finally {
- JcrUtils.logoutQuietly(securitySession);
+ return authen;
+ } else if (authentication instanceof OsAuthenticationToken) {
+ OsAuthenticationToken authen = (OsAuthenticationToken) super
+ .authenticate(authentication);
+ try {
+ // WARNING: at this stage we assume that the java properties
+ // will have the same value
+ String username = System.getProperty("user.name");
+ Node userProfile = JcrUtils.createUserProfileIfNeeded(
+ securitySession, username);
+ JcrUserDetails.checkAccountStatus(userProfile);
+
+ // each user should have a writable area in the default
+ // workspace of the node
+ JcrUtils.createUserHomeIfNeeded(nodeSession, username);
+ userDetails = new JcrUserDetails(userProfile, authen
+ .getCredentials().toString(), getBaseAuthorities());
+ authen.setDetails(userDetails);
+ return authen;
+ } catch (RepositoryException e) {
+ JcrUtils.discardQuietly(securitySession);
+ throw new ArgeoException(
+ "Unexpected exception when synchronizing OS and JCR security ",
+ e);
+ } finally {
+ JcrUtils.logoutQuietly(securitySession);
+ }
+ } else {
+ throw new ArgeoException("Unsupported authentication "
+ + authentication.getClass());
}
- return authen;
}
public void setSecurityWorkspace(String securityWorkspace) {
public void setRepository(Repository repository) {
this.repository = repository;
}
+
+ @SuppressWarnings("rawtypes")
+ public boolean supports(Class authentication) {
+ return OsAuthenticationToken.class.isAssignableFrom(authentication)
+ || UsernamePasswordAuthenticationToken.class
+ .isAssignableFrom(authentication);
+ }
+
}
--- /dev/null
+package org.argeo.security.jcr;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.jcr.Node;
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.argeo.ArgeoException;
+import org.argeo.jcr.JcrUtils;
+import org.argeo.security.UserAdminService;
+import org.springframework.dao.DataAccessException;
+import org.springframework.security.userdetails.UserDetails;
+import org.springframework.security.userdetails.UsernameNotFoundException;
+
+/**
+ * Dummy user service to be used when running as a single OS user (typically
+ * desktop). TODO integrate with JCR user / groups
+ */
+public class OsJcrUserAdminService implements UserAdminService {
+ private String securityWorkspace = "security";
+ private Repository repository;
+
+ private Session securitySession;
+
+ public void init() {
+ try {
+ securitySession = repository.login(securityWorkspace);
+ } catch (RepositoryException e) {
+ throw new ArgeoException("Cannot initialize", e);
+ }
+ }
+
+ public void destroy() {
+ JcrUtils.logoutQuietly(securitySession);
+ }
+
+ /** <b>Unsupported</b> */
+ public void createUser(UserDetails user) {
+ throw new UnsupportedOperationException();
+ }
+
+ /** Does nothing */
+ public void updateUser(UserDetails user) {
+
+ }
+
+ /** <b>Unsupported</b> */
+ public void deleteUser(String username) {
+ throw new UnsupportedOperationException();
+ }
+
+ /** <b>Unsupported</b> */
+ public void changePassword(String oldPassword, String newPassword) {
+ throw new UnsupportedOperationException();
+ }
+
+ public boolean userExists(String username) {
+ if (getSPropertyUsername().equals(username))
+ return true;
+ else
+ return false;
+ }
+
+ public UserDetails loadUserByUsername(String username)
+ throws UsernameNotFoundException, DataAccessException {
+ if (getSPropertyUsername().equals(username)) {
+ Node userProfile = JcrUtils.getUserProfile(securitySession,
+ username);
+ JcrUserDetails userDetails;
+ try {
+ userDetails = new JcrUserDetails(userProfile, "",
+ OsJcrAuthenticationProvider.getBaseAuthorities());
+ } catch (RepositoryException e) {
+ throw new ArgeoException("Cannot retrieve user profile for "
+ + username, e);
+ }
+ return userDetails;
+ } else {
+ throw new UnsupportedOperationException();
+ }
+ }
+
+ protected final String getSPropertyUsername() {
+ return System.getProperty("user.name");
+ }
+
+ public Set<String> listUsers() {
+ Set<String> set = new HashSet<String>();
+ set.add(getSPropertyUsername());
+ return set;
+ }
+
+ public Set<String> listUsersInRole(String role) {
+ Set<String> set = new HashSet<String>();
+ set.add(getSPropertyUsername());
+ return set;
+ }
+
+ /** Does nothing */
+ public void synchronize() {
+ }
+
+ /** <b>Unsupported</b> */
+ public void newRole(String role) {
+ throw new UnsupportedOperationException();
+ }
+
+ public Set<String> listEditableRoles() {
+ Set<String> set = new HashSet<String>();
+ return set;
+ }
+
+ /** <b>Unsupported</b> */
+ public void deleteRole(String role) {
+ throw new UnsupportedOperationException();
+ }
+
+ public void setRepository(Repository repository) {
+ this.repository = repository;
+ }
+
+ public void setSecurityWorkspace(String securityWorkspace) {
+ this.securityWorkspace = securityWorkspace;
+ }
+
+}