1 package org.argeo.security.jackrabbit;
2
3 import java.security.Principal;
4 import java.security.acl.Group;
5 import java.util.LinkedHashSet;
6 import java.util.Map;
7 import java.util.Set;
8
9 import javax.jcr.Credentials;
10 import javax.jcr.RepositoryException;
11 import javax.jcr.Session;
12 import javax.jcr.SimpleCredentials;
13 import javax.security.auth.callback.CallbackHandler;
14 import javax.security.auth.login.LoginException;
15
16 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
17 import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
18 import org.apache.jackrabbit.core.security.authentication.Authentication;
19 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
20 import org.argeo.security.SystemAuthentication;
21 import org.springframework.security.GrantedAuthority;
22 import org.springframework.security.context.SecurityContextHolder;
23 import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
24
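/**
 * Jackrabbit login module that takes its identity from Spring Security
 * instead of from the JCR credentials handed to the repository.
 * <p>
 * The principal is whatever {@link org.springframework.security.Authentication}
 * is held by {@link SecurityContextHolder} when the login runs; the JCR
 * {@link Credentials} argument is never inspected. The repository therefore
 * trusts the Spring security context completely: anything able to populate
 * that context decides who the JCR session runs as, including whether it
 * receives an {@link AdminPrincipal}.
 */
public class ArgeoLoginModule extends AbstractLoginModule {
    /**
     * Spring authority name whose holders are additionally given a Jackrabbit
     * {@link AdminPrincipal}.
     */
    private String adminRole = "ROLE_ADMIN";

    /**
     * Returns the Spring {@link org.springframework.security.Authentication}
     * held by the current security context (which can be null).
     *
     * @param credentials
     *            ignored; the identity comes from the Spring context only
     */
    @Override
    protected Principal getPrincipal(Credentials credentials) {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /**
     * Builds the principals for the authenticated Spring
     * {@link org.springframework.security.Authentication}: the authentication
     * itself, then either an {@link AdminPrincipal} (system authentication),
     * an {@link AnonymousPrincipal} (anonymous token), or one
     * {@link GrantedAuthorityPrincipal} per granted authority, plus an
     * {@link AdminPrincipal} when one of them equals {@link #adminRole}.
     * <p>
     * As a side effect the inherited {@code credentials} field is replaced by
     * a {@link SimpleCredentials} built from the Spring authentication.
     *
     * @return the principals, in insertion order
     */
    protected Set<Principal> getPrincipals() {
        // LinkedHashSet rather than HashSet, to keep the principals in the
        // same order as in the Subject.
        Set<Principal> result = new LinkedHashSet<Principal>();
        result.add(principal);

        org.springframework.security.Authentication springAuth = (org.springframework.security.Authentication) principal;

        if (springAuth instanceof SystemAuthentication) {
            result.add(new AdminPrincipal(springAuth.getName()));
        } else if (springAuth instanceof AnonymousAuthenticationToken) {
            result.add(new AnonymousPrincipal());
        } else if (springAuth.getAuthorities() != null) {
            // The authorities may be absent on a token that was never fully
            // populated; treat that as "no roles" instead of failing with a
            // NullPointerException in the middle of the login.
            for (GrantedAuthority ga : springAuth.getAuthorities()) {
                result.add(new GrantedAuthorityPrincipal(ga));
                // FIXME: make it more generic
                if (adminRole.equals(ga.getAuthority())) {
                    result.add(new AdminPrincipal(springAuth.getName()));
                }
            }
        }

        // Override the credentials, since the ones passed to us were not used.
        // NOTE(review): this copies the Spring credential (typically the
        // password) into a SimpleCredentials, which presumably ends up in the
        // Subject's public credentials (logout() removes it from there) --
        // confirm that exposing it this way is intended.
        Object secret = springAuth.getCredentials();
        // SimpleCredentials needs a password array; use an empty one when
        // Spring holds no credential rather than dereferencing null.
        char[] password = secret != null ? secret.toString().toCharArray()
                : new char[0];
        credentials = new SimpleCredentials(springAuth.getName(), password);

        return result;
    }

    /**
     * Super implementation removes all {@link Principal}, the Spring
     * {@link org.springframework.security.Authentication} as well. Here we
     * simply remove the Jackrabbit related {@link Principal}s and the
     * {@link SimpleCredentials} from the Subject.
     *
     * @return always true
     * @throws LoginException
     *             if the Subject is read-only, since the admin/anonymous
     *             principals and the credentials could then not be removed
     */
    @Override
    public boolean logout() throws LoginException {
        // Fail loudly: a silent no-op would leave AdminPrincipal and the
        // credentials attached to a Subject the caller believes logged out.
        if (subject.isReadOnly()) {
            throw new LoginException(
                    "Cannot log out: Subject is read-only, Jackrabbit principals and credentials cannot be removed");
        }
        clearPrincipals(AdminPrincipal.class);
        clearPrincipals(AnonymousPrincipal.class);
        clearPrincipals(GrantedAuthorityPrincipal.class);
        // Subject.getPublicCredentials(Class) returns a detached copy, so
        // clearing that copy changes nothing; remove its elements from the
        // live set instead.
        subject.getPublicCredentials().removeAll(
                subject.getPublicCredentials(SimpleCredentials.class));
        return true;
    }

    /**
     * Removes every principal of the given class from the Subject.
     * <p>
     * {@code Subject.getPrincipals(Class)} returns a new set that is not
     * backed by the Subject, so the matching principals are removed from the
     * live {@code Subject.getPrincipals()} set.
     */
    private <T extends Principal> void clearPrincipals(Class<T> clss) {
        subject.getPrincipals().removeAll(subject.getPrincipals(clss));
    }

    /** No initialisation needed: the module takes no options. */
    @SuppressWarnings("rawtypes")
    @Override
    protected void doInit(CallbackHandler callbackHandler, Session session,
            Map options) throws LoginException {
    }

    /**
     * Impersonation is refused outright.
     *
     * @throws UnsupportedOperationException
     *             always
     */
    @Override
    protected boolean impersonate(Principal principal, Credentials credentials)
            throws RepositoryException, LoginException {
        throw new UnsupportedOperationException(
                "Impersonation is not yet supported");
    }

    /**
     * Returns an {@link Authentication} that defers to the state of the Spring
     * authentication, or null for a {@link Group}.
     * <p>
     * The returned object never compares the JCR credentials with anything:
     * it handles any credentials as long as the principal is a Spring
     * authentication, and succeeds exactly when that authentication reports
     * {@code isAuthenticated()}.
     */
    @Override
    protected Authentication getAuthentication(final Principal principal,
            Credentials creds) throws RepositoryException {
        if (principal instanceof Group) {
            return null;
        }
        return new Authentication() {
            public boolean canHandle(Credentials credentials) {
                return principal instanceof org.springframework.security.Authentication;
            }

            public boolean authenticate(Credentials credentials)
                    throws RepositoryException {
                org.springframework.security.Authentication springAuth = (org.springframework.security.Authentication) principal;
                return springAuth.isAuthenticated();
            }
        };
    }

}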