1 package org
.argeo
.security
.jackrabbit
;
3 import java
.security
.Principal
;
4 import java
.security
.acl
.Group
;
5 import java
.util
.LinkedHashSet
;
9 import javax
.jcr
.Credentials
;
10 import javax
.jcr
.RepositoryException
;
11 import javax
.jcr
.Session
;
12 import javax
.jcr
.SimpleCredentials
;
13 import javax
.security
.auth
.callback
.CallbackHandler
;
14 import javax
.security
.auth
.login
.LoginException
;
16 import org
.apache
.jackrabbit
.core
.security
.AnonymousPrincipal
;
17 import org
.apache
.jackrabbit
.core
.security
.authentication
.AbstractLoginModule
;
18 import org
.apache
.jackrabbit
.core
.security
.authentication
.Authentication
;
19 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
20 import org
.argeo
.security
.SystemAuthentication
;
21 import org
.springframework
.security
.GrantedAuthority
;
22 import org
.springframework
.security
.context
.SecurityContextHolder
;
23 import org
.springframework
.security
.providers
.anonymous
.AnonymousAuthenticationToken
;
/**
 * Jackrabbit login module that takes its identity from Spring Security. The
 * Spring {@code Authentication} found through {@link SecurityContextHolder}
 * is used as the login principal, and Jackrabbit principals are derived from
 * it.
 */
public class ArgeoLoginModule extends AbstractLoginModule {
    // Name of the Spring authority that syncPrincipals() compares against each
    // GrantedAuthority; a match adds a Jackrabbit AdminPrincipal.
    // NOTE(review): whoever holds this authority in Spring Security is given
    // the repository admin principal, so granting this role deserves the same
    // care as granting repository administration.
    private String adminRole = "ROLE_ADMIN";
/**
 * Returns the Spring {@link org.springframework.security.Authentication}
 * found in the current Spring security context.
 *
 * <p>The {@code credentials} argument is not consulted: the identity comes
 * entirely from {@link SecurityContextHolder}, so this module is only as
 * trustworthy as whatever populated that context before the JCR login.
 *
 * @param credentials the JCR credentials handed to the login; unused here
 * @return the Spring authentication of the current security context, or
 *         {@code null} when the context holds none
 */
protected Principal getPrincipal(Credentials credentials) {
    // The listing shows only the context lookup; per the Javadoc above, the
    // looked-up Authentication is what this method returns.
    return SecurityContextHolder.getContext().getAuthentication();
}
/**
 * Rebuilds the principals for the current login: first asks
 * {@code clearPrincipals} to drop the Jackrabbit principal types this module
 * manages, then derives a fresh set through {@link #syncPrincipals()}.
 *
 * <p>NOTE(review): clearing before re-deriving is what should keep an
 * {@code AdminPrincipal} from an earlier login from surviving on a reused
 * subject; that holds only if {@code clearPrincipals} really removes the
 * entries from the subject. Confirm against its body.
 *
 * @return the principals produced by {@link #syncPrincipals()}
 */
protected Set<Principal> getPrincipals() {
    // clear already registered Jackrabbit principals (same order as before)
    clearPrincipals(AdminPrincipal.class);
    clearPrincipals(AnonymousPrincipal.class);
    clearPrincipals(GrantedAuthorityPrincipal.class);

    final Set<Principal> refreshed = syncPrincipals();
    return refreshed;
}
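/**
 * Derives the Jackrabbit principals from the Spring authentication held in
 * the {@code principal} field and replaces the {@code credentials} field with
 * {@link SimpleCredentials} built from that authentication.
 *
 * <p>Mapping applied, in insertion order:
 * <ul>
 * <li>the Spring authentication itself;</li>
 * <li>{@link AdminPrincipal} for a {@link SystemAuthentication},
 * {@link AnonymousPrincipal} for an {@link AnonymousAuthenticationToken};</li>
 * <li>one {@code GrantedAuthorityPrincipal} per granted authority, plus an
 * {@link AdminPrincipal} when the authority equals {@code adminRole}.</li>
 * </ul>
 *
 * @return the ordered principal set
 */
protected Set<Principal> syncPrincipals() {
    org.springframework.security.Authentication authen =
            (org.springframework.security.Authentication) principal;

    // use linked HashSet instead of HashSet in order to maintain the order
    // of principals (as in the Subject).
    Set<Principal> principals = new LinkedHashSet<Principal>();
    principals.add(authen);

    if (authen instanceof SystemAuthentication)
        principals.add(new AdminPrincipal(authen.getName()));
    else if (authen instanceof AnonymousAuthenticationToken)
        principals.add(new AnonymousPrincipal());

    for (GrantedAuthority ga : authen.getAuthorities()) {
        principals.add(new GrantedAuthorityPrincipal(ga));
        // FIXME: make it more generic
        // NOTE(review): this string comparison is the only gate between a
        // Spring authority and repository admin rights.
        if (adminRole.equals(ga.getAuthority()))
            principals.add(new AdminPrincipal(authen.getName()));
    }

    // remove previous credentials
    // Subject.getPublicCredentials(Class) returns a new Set that is not
    // backed by the Subject, so clearing that copy would leave the old
    // SimpleCredentials (and the secret they carry) in place. Remove them
    // from the live credential set instead; a read-only subject is left
    // untouched, as before.
    Set<SimpleCredentials> thisCredentials = subject
            .getPublicCredentials(SimpleCredentials.class);
    if (thisCredentials != null && !thisCredentials.isEmpty()
            && !subject.isReadOnly())
        subject.getPublicCredentials().removeAll(thisCredentials);

    // override credentials since we did not use the one passed to us
    // NOTE(review): getCredentials() is dereferenced without a null check,
    // and the secret is copied through an immutable String into the JCR
    // credentials. Confirm every Authentication type reaching this module
    // carries credentials, and where the superclass stores this copy.
    credentials = new SimpleCredentials(authen.getName(), authen
            .getCredentials().toString().toCharArray());

    // NOTE(review): the listing drops the method's closing lines; returning
    // the assembled set is inferred from the declared return type.
    return principals;
}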
/**
 * Super implementation removes all {@link Principal}, the Spring
 * {@link org.springframework.security.Authentication} as well. Here we
 * simply clear Jackrabbit related {@link Principal}s.
 *
 * NOTE(review): only the three principal types below are cleared in the
 * visible code. Nothing shown here removes the {@link SimpleCredentials}
 * that syncPrincipals() builds from the Spring credentials. Confirm that
 * they do not outlive the session on a reused subject.
 */
public boolean logout() throws LoginException {
    clearPrincipals(AdminPrincipal.class);
    clearPrincipals(AnonymousPrincipal.class);
    clearPrincipals(GrantedAuthorityPrincipal.class);

    // we resync with Spring Security since the subject may have been reused
    // TODO: check if this is clean
    //subject.getPrincipals().addAll(syncPrincipals());
    // NOTE(review): the listing stops here; the method's return statement
    // and closing brace are not shown.
/**
 * Looks up the subject's principals of the given class in order to clear
 * them.
 *
 * @param clss the principal type to clear from the subject
 */
private <T extends Principal> void clearPrincipals(Class<T> clss) {
    // NOTE(review): Subject.getPrincipals(Class) returns a new Set that is
    // not backed by the Subject. Emptying that Set alone would leave the
    // principals (including AdminPrincipal) on the subject; they have to be
    // removed from subject.getPrincipals() itself.
    Set<T> principals = subject.getPrincipals(clss);
    if (principals != null)
    // NOTE(review): the statement guarded by this check is missing from the
    // listing, so whether the removal is effective cannot be verified here.
/**
 * Initialisation hook receiving the callback handler, the JCR session and
 * the login-module options.
 *
 * @param callbackHandler the JAAS callback handler
 * @param session the JCR session passed in at initialisation
 * @param options the login-module options (raw {@code Map}, hence the
 *        suppressed warning)
 * @throws LoginException declared by the signature
 */
@SuppressWarnings("rawtypes")
protected void doInit(CallbackHandler callbackHandler, Session session,
        Map options) throws LoginException {
    // NOTE(review): the body of this method is not shown in the listing.
/**
 * Impersonation hook. This module does not implement impersonation and
 * rejects every request, which fails closed: no caller can obtain another
 * principal's identity through this path.
 *
 * @param principal the principal to impersonate; unused
 * @param credentials the credentials of the impersonating party; unused
 * @return never returns normally
 * @throws UnsupportedOperationException always
 */
protected boolean impersonate(Principal principal, Credentials credentials)
        throws RepositoryException, LoginException {
    final String reason = "Impersonation is not yet supported";
    throw new UnsupportedOperationException(reason);
}
119 protected Authentication
getAuthentication(final Principal principal
,
120 Credentials creds
) throws RepositoryException
{
121 if (principal
instanceof Group
) {
124 return new Authentication() {
125 public boolean canHandle(Credentials credentials
) {
126 return principal
instanceof org
.springframework
.security
.Authentication
;
129 public boolean authenticate(Credentials credentials
)
130 throws RepositoryException
{
131 return ((org
.springframework
.security
.Authentication
) principal
)