1 package org.argeo.security.jackrabbit;
2
3 import java.security.Principal;
4 import java.security.acl.Group;
5 import java.util.LinkedHashSet;
6 import java.util.Map;
7 import java.util.Set;
8
9 import javax.jcr.Credentials;
10 import javax.jcr.RepositoryException;
11 import javax.jcr.Session;
12 import javax.jcr.SimpleCredentials;
13 import javax.security.auth.callback.CallbackHandler;
14 import javax.security.auth.login.LoginException;
15
16 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
17 import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
18 import org.apache.jackrabbit.core.security.authentication.Authentication;
19 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
20 import org.argeo.security.SystemAuthentication;
21 import org.springframework.security.GrantedAuthority;
22 import org.springframework.security.context.SecurityContextHolder;
23 import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
24
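/**
 * Jackrabbit {@link AbstractLoginModule} that bridges the Spring Security
 * context of the current thread into the repository instead of validating the
 * JCR {@link Credentials} it is handed.
 * <p>
 * Trust model, as implemented below: the Spring
 * {@link org.springframework.security.Authentication} found in
 * {@link SecurityContextHolder} becomes the user principal, and
 * {@link #getAuthentication(Principal, Credentials)} accepts it as soon as its
 * {@code isAuthenticated()} is {@code true}. The credentials supplied by the
 * JCR caller are never checked. Because the Spring context is thread-local,
 * a repository login is exactly as trustworthy as the code that populated that
 * context before the login and clears it afterwards; a stale context left on
 * a reused thread would be accepted just the same.
 */
public class ArgeoLoginModule extends AbstractLoginModule {
    /** Spring authority whose holders are mapped to Jackrabbit's {@link AdminPrincipal}. */
    private static final String ADMIN_ROLE = "ROLE_ADMIN";

    /**
     * Returns the Spring {@link org.springframework.security.Authentication}
     * of the current thread as the user principal.
     *
     * @param credentials the JCR credentials supplied by the caller; ignored,
     *                    the identity comes from the Spring security context
     * @return the Spring authentication (it extends {@link Principal}), or
     *         {@code null} when no authentication is set on this thread; the
     *         superclass is then expected to refuse the login (verify against
     *         the Jackrabbit version in use)
     */
    @Override
    protected Principal getPrincipal(Credentials credentials) {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /**
     * Builds the principals committed to the {@link javax.security.auth.Subject}:
     * the Spring authentication itself, plus {@link AdminPrincipal} for a
     * {@link SystemAuthentication} or a {@code ROLE_ADMIN} holder, or
     * {@link AnonymousPrincipal} for an {@link AnonymousAuthenticationToken}.
     * <p>
     * Side effect: replaces the inherited {@code credentials} field with a
     * {@link SimpleCredentials} derived from the Spring authentication, since
     * the credentials passed to this module were never used.
     *
     * @return the principals in insertion order (the Spring authentication
     *         first), so the Subject sees them in the same order
     */
    @Override
    protected Set<Principal> getPrincipals() {
        // LinkedHashSet rather than HashSet so that the order of principals is
        // preserved (as in the Subject).
        Set<Principal> principals = new LinkedHashSet<Principal>();
        principals.add(principal);

        // principal was produced by getPrincipal(), hence the cast. It is assumed
        // non-null here because the superclass should not commit a null
        // principal — TODO confirm for the Jackrabbit version in use.
        org.springframework.security.Authentication authen = (org.springframework.security.Authentication) principal;

        if (authen instanceof SystemAuthentication) {
            principals.add(new AdminPrincipal(authen.getName()));
        } else if (authen instanceof AnonymousAuthenticationToken) {
            principals.add(new AnonymousPrincipal());
        } else if (hasAdminRole(authen)) {
            principals.add(new AdminPrincipal(authen.getName()));
        }

        // Override the inherited credentials: the ones handed to the module were
        // never validated, so expose the Spring identity instead. A token that
        // carries no credential object maps to an empty password instead of a
        // NullPointerException on toString().
        // NOTE(review): if the superclass publishes this object into the
        // Subject's credentials, the Spring credential (often the password)
        // travels with it — confirm that this is intended.
        Object springCredentials = authen.getCredentials();
        char[] password = springCredentials == null ? new char[0]
                : springCredentials.toString().toCharArray();
        credentials = new SimpleCredentials(authen.getName(), password);

        return principals;
    }

    /**
     * Whether any granted authority of {@code authen} equals
     * {@link #ADMIN_ROLE}. A {@code null} authority list (which tokens built
     * without authorities may carry) yields {@code false}.
     *
     * @param authen the Spring authentication to inspect, never {@code null}
     * @return {@code true} if the admin role is granted
     */
    private static boolean hasAdminRole(
            org.springframework.security.Authentication authen) {
        if (authen.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority ga : authen.getAuthorities()) {
            // getAuthority() may be null for non-string authorities; equals()
            // on the constant handles that without a separate check.
            if (ADMIN_ROLE.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /**
     * No module-specific initialisation: the module reads no options and needs
     * no session, because the identity is taken from the Spring context.
     *
     * @param callbackHandler unused
     * @param session         unused
     * @param options         unused
     */
    @SuppressWarnings("rawtypes")
    @Override
    protected void doInit(CallbackHandler callbackHandler, Session session,
            Map options) throws LoginException {
        // intentionally empty
    }

    /**
     * Impersonation is not supported by this module.
     *
     * @throws UnsupportedOperationException always. Being unchecked, it is not
     *         a {@link LoginException}; a caller that only catches login
     *         failures will see it propagate as a runtime error instead.
     */
    @Override
    protected boolean impersonate(Principal principal, Credentials credentials)
            throws RepositoryException, LoginException {
        throw new UnsupportedOperationException(
                "Impersonation is not yet supported");
    }

    /**
     * Returns the {@link Authentication} handed back to
     * {@link AbstractLoginModule} for the given principal.
     * <p>
     * The returned object ignores the JCR {@link Credentials} entirely: it can
     * handle any Spring {@link org.springframework.security.Authentication}
     * principal and reports success exactly when that principal's
     * {@code isAuthenticated()} is {@code true}. Authentication has therefore
     * already happened on the Spring side; this module only reflects its
     * outcome into the repository.
     *
     * @param principal the principal returned by
     *                  {@link #getPrincipal(Credentials)}
     * @param creds     the JCR credentials; unused
     * @return {@code null} for a {@link Group} principal (no authentication
     *         possible), otherwise the delegating authentication
     */
    @Override
    protected Authentication getAuthentication(final Principal principal,
            Credentials creds) throws RepositoryException {
        if (principal instanceof Group) {
            return null;
        }
        return new Authentication() {
            public boolean canHandle(Credentials credentials) {
                return principal instanceof org.springframework.security.Authentication;
            }

            public boolean authenticate(Credentials credentials)
                    throws RepositoryException {
                // The JCR credentials are not inspected; trust is delegated to
                // the Spring authentication's own flag.
                return ((org.springframework.security.Authentication) principal)
                        .isAuthenticated();
            }
        };
    }

}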