try {
// Transaction
transactionManager = new SimpleTransactionManager();
- bundleContext.registerService(TransactionManager.class,
- transactionManager, null);
- bundleContext.registerService(UserTransaction.class,
- transactionManager, null);
- bundleContext.registerService(
- TransactionSynchronizationRegistry.class,
- transactionManager.getTransactionSynchronizationRegistry(),
- null);
// Jackrabbit node
node = new JackrabbitNode(bundleContext);
// Equinox dependency
ExtendedHttpService httpService = waitForHttpService();
- nodeHttp = new NodeHttp(httpService, node, nodeSecurity);
+ nodeHttp = new NodeHttp(httpService, node);
// Kernel thread
kernelThread = new KernelThread(this);
kernelThread.start();
// Publish services to OSGi
+ bundleContext.registerService(TransactionManager.class,
+ transactionManager, null);
+ bundleContext.registerService(UserTransaction.class,
+ transactionManager, null);
+ bundleContext.registerService(
+ TransactionSynchronizationRegistry.class,
+ transactionManager.getTransactionSynchronizationRegistry(),
+ null);
nodeSecurity.publish();
node.publish(repositoryFactory);
bundleContext.registerService(RepositoryFactory.class,
import java.io.File;
import java.io.IOException;
import java.net.URI;
-import java.util.Collections;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.Hashtable;
-import java.util.List;
import java.util.Properties;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.argeo.cms.CmsException;
import org.argeo.cms.KernelHeader;
-import org.argeo.cms.internal.auth.GrantedAuthorityPrincipal;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
/** Package utilities */
class KernelUtils implements KernelConstants {
}
// Security
- @Deprecated
- static void anonymousLogin(AuthenticationManager authenticationManager) {
+ static Subject anonymousLogin() {
+ Subject subject = new Subject();
+ LoginContext lc;
try {
- List<GrantedAuthorityPrincipal> anonAuthorities = Collections
- .singletonList(new GrantedAuthorityPrincipal(
- KernelHeader.ROLE_ANONYMOUS));
- UserDetails anonUser = new User(KernelHeader.USERNAME_ANONYMOUS,
- "", true, true, true, true, anonAuthorities);
- AnonymousAuthenticationToken anonToken = new AnonymousAuthenticationToken(
- DEFAULT_SECURITY_KEY, anonUser, anonAuthorities);
- Authentication authentication = authenticationManager
- .authenticate(anonToken);
- SecurityContextHolder.getContext()
- .setAuthentication(authentication);
- } catch (Exception e) {
- throw new CmsException("Cannot authenticate", e);
+ lc = new LoginContext(KernelHeader.LOGIN_CONTEXT_ANONYMOUS, subject);
+ lc.login();
+ return subject;
+ } catch (LoginException e) {
+ throw new CmsException("Cannot login as anonymous", e);
}
}
+ // @Deprecated
+ // static void anonymousLogin(AuthenticationManager authenticationManager) {
+ // try {
+ // List<GrantedAuthorityPrincipal> anonAuthorities = Collections
+ // .singletonList(new GrantedAuthorityPrincipal(
+ // KernelHeader.ROLE_ANONYMOUS));
+ // UserDetails anonUser = new User(KernelHeader.USERNAME_ANONYMOUS,
+ // "", true, true, true, true, anonAuthorities);
+ // AnonymousAuthenticationToken anonToken = new
+ // AnonymousAuthenticationToken(
+ // DEFAULT_SECURITY_KEY, anonUser, anonAuthorities);
+ // Authentication authentication = authenticationManager
+ // .authenticate(anonToken);
+ // SecurityContextHolder.getContext()
+ // .setAuthentication(authentication);
+ // } catch (Exception e) {
+ // throw new CmsException("Cannot authenticate", e);
+ // }
+ // }
+
// HTTP
static void logRequestHeaders(Log log, HttpServletRequest request) {
if (!log.isDebugEnabled())
package org.argeo.cms.internal.kernel;
-import static org.argeo.jackrabbit.servlet.WebdavServlet.INIT_PARAM_RESOURCE_CONFIG;
-
import java.io.IOException;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.jcr.Repository;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.cms.CmsException;
+import org.argeo.cms.KernelHeader;
import org.argeo.jackrabbit.servlet.OpenInViewSessionProvider;
import org.argeo.jackrabbit.servlet.RemotingServlet;
import org.argeo.jackrabbit.servlet.WebdavServlet;
import org.argeo.jcr.ArgeoJcrConstants;
-import org.argeo.security.NodeAuthenticationToken;
import org.eclipse.equinox.http.servlet.ExtendedHttpService;
import org.osgi.service.http.NamespaceException;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
/**
* Intercepts and enriches http access, mainly focusing on security and
private final static String HEADER_AUTHORIZATION = "Authorization";
private final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
- private final AuthenticationManager authenticationManager;
+ // private final AuthenticationManager authenticationManager;
private final ExtendedHttpService httpService;
// FIXME Make it more unique
// WebDav / JCR remoting
private OpenInViewSessionProvider sessionProvider;
- NodeHttp(ExtendedHttpService httpService, JackrabbitNode node,
- NodeSecurity authenticationManager) {
+ NodeHttp(ExtendedHttpService httpService, JackrabbitNode node) {
// this.bundleContext = bundleContext;
- this.authenticationManager = authenticationManager;
+ // this.authenticationManager = authenticationManager;
this.httpService = httpService;
String pathPrefix = anonymous ? WEBDAV_PUBLIC : WEBDAV_PRIVATE;
String path = pathPrefix + "/" + alias;
Properties ip = new Properties();
- ip.setProperty(INIT_PARAM_RESOURCE_CONFIG, WEBDAV_CONFIG);
+ ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_CONFIG, WEBDAV_CONFIG);
ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_PATH_PREFIX, path);
httpService.registerFilter(path, anonymous ? new AnonymousFilter()
: new DavFilter(), null, null);
httpSession.setAttribute(ATTR_AUTH, Boolean.TRUE);
}
- private NodeAuthenticationToken basicAuth(String authHeader) {
+ private CallbackHandler basicAuth(String authHeader) {
if (authHeader != null) {
StringTokenizer st = new StringTokenizer(authHeader);
if (st.hasMoreTokens()) {
String basic = st.nextToken();
if (basic.equalsIgnoreCase("Basic")) {
try {
+ // TODO manipulate char[]
String credentials = new String(Base64.decodeBase64(st
.nextToken()), "UTF-8");
// log.debug("Credentials: " + credentials);
int p = credentials.indexOf(":");
if (p != -1) {
- String login = credentials.substring(0, p).trim();
- String password = credentials.substring(p + 1)
+ final String login = credentials.substring(0, p)
.trim();
-
- return new NodeAuthenticationToken(login,
- password.toCharArray());
+ final char[] password = credentials
+ .substring(p + 1).trim().toCharArray();
+
+ return new CallbackHandler() {
+ public void handle(Callback[] callbacks) {
+ for (Callback cb : callbacks) {
+ if (cb instanceof NameCallback)
+ ((NameCallback) cb).setName(login);
+ else if (cb instanceof PasswordCallback)
+ ((PasswordCallback) cb)
+ .setPassword(password);
+ }
+ }
+ };
} else {
throw new CmsException(
"Invalid authentication token");
private class AnonymousFilter extends HttpFilter {
@Override
public void doFilter(HttpSession httpSession,
- HttpServletRequest request, HttpServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
+ final HttpServletRequest request,
+ final HttpServletResponse response,
+ final FilterChain filterChain) throws IOException,
+ ServletException {
// Authenticate from session
// if (isSessionAuthenticated(httpSession)) {
// return;
// }
- KernelUtils.anonymousLogin(authenticationManager);
- filterChain.doFilter(request, response);
+ Subject subject = KernelUtils.anonymousLogin();
+ try {
+ Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
+ public Void run() throws IOException, ServletException {
+ filterChain.doFilter(request, response);
+ return null;
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ if (e.getCause() instanceof ServletException)
+ throw (ServletException) e.getCause();
+ else if (e.getCause() instanceof IOException)
+ throw (IOException) e.getCause();
+ else
+ throw new CmsException("Unexpected exception", e.getCause());
+ }
}
}
@Override
public void doFilter(HttpSession httpSession,
- HttpServletRequest request, HttpServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
-
- // Authenticate from session
- // if (isSessionAuthenticated(httpSession)) {
- // filterChain.doFilter(request, response);
- // return;
- // }
+ final HttpServletRequest request,
+ final HttpServletResponse response,
+ final FilterChain filterChain) throws IOException,
+ ServletException {
// Process basic auth
String basicAuth = request.getHeader(HEADER_AUTHORIZATION);
if (basicAuth != null) {
- UsernamePasswordAuthenticationToken token = basicAuth(basicAuth);
- Authentication auth = authenticationManager.authenticate(token);
- SecurityContextHolder.getContext().setAuthentication(auth);
- // httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY,
- // SecurityContextHolder.getContext());
- // httpSession.setAttribute(ATTR_AUTH, Boolean.FALSE);
- filterChain.doFilter(request, response);
+ CallbackHandler token = basicAuth(basicAuth);
+ // FIXME Login
+ // Authentication auth =
+ // authenticationManager.authenticate(token);
+ // SecurityContextHolder.getContext().setAuthentication(auth);
+ // filterChain.doFilter(request, response);
+ Subject subject;
+ try {
+ LoginContext lc = new LoginContext(
+ KernelHeader.LOGIN_CONTEXT_USER, token);
+ lc.login();
+ subject = lc.getSubject();
+ } catch (LoginException e) {
+ throw new CmsException("Could not login", e);
+ }
+ try {
+ Subject.doAs(subject,
+ new PrivilegedExceptionAction<Void>() {
+ public Void run() throws IOException,
+ ServletException {
+ filterChain.doFilter(request, response);
+ return null;
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ if (e.getCause() instanceof ServletException)
+ throw (ServletException) e.getCause();
+ else if (e.getCause() instanceof IOException)
+ throw (IOException) e.getCause();
+ else
+ throw new CmsException("Unexpected exception",
+ e.getCause());
+ }
return;
}
import org.argeo.osgi.useradmin.LdapProperties;
import org.argeo.osgi.useradmin.LdapUserAdmin;
import org.argeo.osgi.useradmin.LdifUserAdmin;
-import org.argeo.osgi.useradmin.UserAdminAggregator;
import org.argeo.osgi.useradmin.UserDirectoryException;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
-public class NodeUserAdmin implements UserAdmin, UserAdminAggregator {
+public class NodeUserAdmin implements UserAdmin {
private final static Log log = LogFactory.getLog(NodeUserAdmin.class);
final static LdapName ROLES_BASE;
static {
private UserAdmin nodeRoles = null;
private Map<LdapName, UserAdmin> userAdmins = new HashMap<LdapName, UserAdmin>();
- private TransactionManager transactionManager;
-
public NodeUserAdmin() {
File osgiInstanceDir = KernelUtils.getOsgiInstanceDir();
File nodeBaseDir = new File(osgiInstanceDir, "node");
@Override
public Authorization getAuthorization(User user) {
+ if (user == null) {
+ return nodeRoles.getAuthorization(null);
+ }
UserAdmin userAdmin = findUserAdmin(user.getName());
Authorization rawAuthorization = userAdmin.getAuthorization(user);
// gather system roles
//
// USER ADMIN AGGREGATOR
//
- @Override
public synchronized void addUserAdmin(String baseDn, UserAdmin userAdmin) {
if (baseDn.equals(KernelHeader.ROLES_BASEDN)) {
nodeRoles = userAdmin;
}
}
- @Override
public synchronized void removeUserAdmin(String baseDn) {
if (baseDn.equals(KernelHeader.ROLES_BASEDN))
throw new UserDirectoryException("Node roles cannot be removed.");
}
public void setTransactionManager(TransactionManager transactionManager) {
- this.transactionManager = transactionManager;
if (nodeRoles instanceof AbstractUserDirectory)
((AbstractUserDirectory) nodeRoles)
.setTransactionManager(transactionManager);
+++ /dev/null
-package org.argeo.osgi.auth;
-
-import java.io.IOException;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.osgi.framework.BundleContext;
-
-public class BundleContextCallbackHander implements CallbackHandler {
- private final BundleContext bundleContext;
-
- public BundleContextCallbackHander(BundleContext bundleContext) {
- this.bundleContext = bundleContext;
- }
-
- @Override
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- for (Callback callback : callbacks) {
- if (!(callback instanceof BundleContextCallback))
- throw new UnsupportedCallbackException(callback);
- ((BundleContextCallback) callback).setBundleContext(bundleContext);
- }
-
- }
-
-}
--- /dev/null
+package org.argeo.osgi.auth;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.osgi.framework.BundleContext;
+
+public class BundleContextCallbackHandler implements CallbackHandler {
+ private final BundleContext bundleContext;
+
+ public BundleContextCallbackHandler(BundleContext bundleContext) {
+ this.bundleContext = bundleContext;
+ }
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
+ UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (!(callback instanceof BundleContextCallback))
+ throw new UnsupportedCallbackException(callback);
+ ((BundleContextCallback) callback).setBundleContext(bundleContext);
+ }
+
+ }
+
+}
import javax.transaction.SystemException;
import javax.transaction.Transaction;
import javax.transaction.TransactionManager;
-import javax.transaction.TransactionSynchronizationRegistry;
import javax.transaction.xa.XAException;
import javax.transaction.xa.XAResource;
import javax.transaction.xa.Xid;
return user;
}
+ @SuppressWarnings("unchecked")
@Override
public Role[] getRoles(String filter) throws InvalidSyntaxException {
WorkingCopy wc = getWorkingCopy();
return groupObjectClass;
}
+ protected Dictionary<String, ?> getProperties() {
+ return properties;
+ }
+
public void setExternalRoles(UserAdmin externalRoles) {
this.externalRoles = externalRoles;
}
private final String displayName;
private final List<String> allRoles;
+ @SuppressWarnings("unchecked")
public LdifAuthorization(User user, List<Role> allRoles) {
if (user == null) {
this.name = null;
}
}
+ @SuppressWarnings("unchecked")
protected void load(InputStream in) {
try {
users.clear();
}
}
- // optimise
- // for (LdifGroup group : groups.values())
- // loadMembers(group);
-
// indexes
for (String attr : getIndexedUserProperties())
userIndexes.put(attr, new TreeMap<String, DirectoryUser>());
for (DirectoryUser user : users.values()) {
- Dictionary<String, Object> properties = user.getProperties();
+ Dictionary<String, ?> properties = user.getProperties();
for (String attr : getIndexedUserProperties()) {
Object value = properties.get(attr);
if (value != null) {
return users.containsKey(dn) || groups.containsKey(dn);
}
- // @Override
- // public boolean removeRole(String name) {
- // LdapName dn = toDn(name);
- // LdifUser role = null;
- // if (users.containsKey(dn))
- // role = users.remove(dn);
- // else if (groups.containsKey(dn))
- // role = groups.remove(dn);
- // else
- // throw new UserDirectoryException("There is no role " + name);
- // if (role == null)
- // return false;
- // for (LdifGroup group : getDirectGroups(role)) {
- // group.getAttributes().get(getMemberAttributeId())
- // .remove(dn.toString());
- // }
- // return true;
- // }
-
+ @SuppressWarnings("unchecked")
protected List<DirectoryUser> doGetRoles(Filter f) {
ArrayList<DirectoryUser> res = new ArrayList<DirectoryUser>();
if (f == null) {
+++ /dev/null
-package org.argeo.osgi.useradmin;
-
-import org.osgi.service.useradmin.UserAdmin;
-
-public interface UserAdminAggregator {
- public void addUserAdmin(String baseDn, UserAdmin userAdmin);
-
- public void removeUserAdmin(String baseDn);
-}
+++ /dev/null
-package org.argeo.osgi.useradmin;
-
-import org.osgi.service.useradmin.Role;
-import org.osgi.service.useradmin.UserAdmin;
-
-public interface UserAdminWorkingCopy extends UserAdmin {
- public void commit();
-
- public void rollback();
-
- public Boolean isEditable(Role role);
-
- public <T extends Role> T getPublished(T role);
-}
+++ /dev/null
-package org.argeo.osgi.useradmin;
-
-import javax.transaction.UserTransaction;
-
-import org.osgi.service.useradmin.UserAdmin;
-
-class UserDirectoryTransaction {
- static ThreadLocal<UserDirectoryTransaction> current = new ThreadLocal<UserDirectoryTransaction>();
-
- private UserAdmin userAdmin;
-
- private UserTransaction userTransaction;
-
- public UserDirectoryTransaction(UserAdmin userAdmin) {
- this.userAdmin = userAdmin;
- if (current.get() != null)
- throw new UserDirectoryException("Transaction " + current.get()
- + " already active.");
- current.set(this);
- }
-
- public void setUserTransaction(UserTransaction userTransaction) {
- this.userTransaction = userTransaction;
- }
-
-}
return null;
}
+ @SuppressWarnings("unchecked")
protected void changePassword(char[] oldPassword, char[] newPassword) {
Subject subject = Subject.getSubject(AccessController.getContext());
String name = subject.getPrincipals(X500Principal.class).iterator()
import org.eclipse.swt.widgets.Composite;
import org.eclipse.swt.widgets.Table;
import org.eclipse.ui.part.ViewPart;
-import org.springframework.security.core.Authentication;
/** Information about the currently logged in user */
public class UserProfile extends ViewPart {