1 package org.argeo.security.jackrabbit;
2
3 import java.security.Principal;
4 import java.security.acl.Group;
5 import java.util.LinkedHashSet;
6 import java.util.Map;
7 import java.util.Set;
8
9 import javax.jcr.Credentials;
10 import javax.jcr.RepositoryException;
11 import javax.jcr.Session;
12 import javax.jcr.SimpleCredentials;
13 import javax.security.auth.callback.CallbackHandler;
14 import javax.security.auth.login.LoginException;
15
16 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
17 import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
18 import org.apache.jackrabbit.core.security.authentication.Authentication;
19 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
20 import org.argeo.security.SystemAuthentication;
21 import org.springframework.security.GrantedAuthority;
22 import org.springframework.security.context.SecurityContextHolder;
23 import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
24
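/**
 * Jackrabbit {@link AbstractLoginModule} which does not authenticate on its
 * own but mirrors the Spring Security
 * {@link org.springframework.security.Authentication} already bound to the
 * {@link SecurityContextHolder} into the JAAS
 * {@link javax.security.auth.Subject}: the Spring authentication itself
 * becomes the user principal and its granted authorities are mapped to
 * Jackrabbit principals.
 * <p>
 * The JCR {@link Credentials} handed to this module are never verified here
 * (neither in {@link #getPrincipal(Credentials)} nor in the
 * {@link Authentication} returned by
 * {@link #getAuthentication(Principal, Credentials)}); they are replaced by
 * {@link SimpleCredentials} built from the Spring authentication.
 */
public class ArgeoLoginModule extends AbstractLoginModule {
	/** Spring authority which is mapped onto the Jackrabbit {@link AdminPrincipal}. */
	private String adminRole = "ROLE_ADMIN";

	/**
	 * Returns the Spring {@link org.springframework.security.Authentication}
	 * currently bound to the {@link SecurityContextHolder} (which can be
	 * null). The JCR credentials are ignored: the caller is expected to have
	 * been authenticated by Spring Security beforehand.
	 */
	@Override
	protected Principal getPrincipal(Credentials credentials) {
		return SecurityContextHolder.getContext().getAuthentication();
	}

	/**
	 * Replaces the Jackrabbit principals already registered on the subject
	 * with the ones derived from the current Spring authentication.
	 */
	protected Set<Principal> getPrincipals() {
		clearJackrabbitPrincipals();
		return syncPrincipals();
	}

	/**
	 * Builds the principals to register for the Spring authentication held in
	 * {@link #principal}: the authentication itself, then an
	 * {@link AdminPrincipal} for a {@link SystemAuthentication}, an
	 * {@link AnonymousPrincipal} for an {@link AnonymousAuthenticationToken},
	 * or otherwise one {@link GrantedAuthorityPrincipal} per granted authority
	 * (plus an {@link AdminPrincipal} when {@link #adminRole} is among them).
	 * Also replaces {@link #credentials} with {@link SimpleCredentials}
	 * derived from the authentication.
	 * 
	 * @throws IllegalStateException
	 *             if no Spring authentication is available
	 */
	protected Set<Principal> syncPrincipals() {
		org.springframework.security.Authentication authen = (org.springframework.security.Authentication) principal;
		if (authen == null)
			throw new IllegalStateException(
					"No Spring Security authentication available");

		// use linked HashSet instead of HashSet in order to maintain the order
		// of principals (as in the Subject).
		Set<Principal> principals = new LinkedHashSet<Principal>();
		principals.add(authen);

		if (authen instanceof SystemAuthentication) {
			principals.add(new AdminPrincipal(authen.getName()));
		} else if (authen instanceof AnonymousAuthenticationToken) {
			principals.add(new AnonymousPrincipal());
		} else {
			for (GrantedAuthority ga : authen.getAuthorities()) {
				principals.add(new GrantedAuthorityPrincipal(ga));
				// FIXME: make it more generic
				if (adminRole.equals(ga.getAuthority()))
					principals.add(new AdminPrincipal(authen.getName()));
			}
		}

		// remove the credentials registered by a previous login on this subject
		clearSimpleCredentials();
		// override credentials since we did not use the ones passed to us;
		// getCredentials() is not guaranteed to be non-null, so fall back to
		// an empty password rather than failing the login
		Object springCredentials = authen.getCredentials();
		char[] password = springCredentials == null ? new char[0]
				: springCredentials.toString().toCharArray();
		credentials = new SimpleCredentials(authen.getName(), password);

		return principals;
	}

	/**
	 * Super implementation removes all {@link Principal}s, the Spring
	 * {@link org.springframework.security.Authentication} as well. Here we
	 * only clear the Jackrabbit related {@link Principal}s and the
	 * {@link SimpleCredentials} registered by {@link #syncPrincipals()}, so
	 * that the copied password does not outlive the JCR session while the
	 * Spring authentication stays on the subject.
	 */
	@Override
	public boolean logout() throws LoginException {
		clearJackrabbitPrincipals();
		clearSimpleCredentials();

		// we resync with Spring Security since the subject may have been reused
		// in between
		// TODO: check if this is clean
		// subject.getPrincipals().addAll(syncPrincipals());

		return true;
	}

	/** Removes all Jackrabbit principals registered by this module on the subject. */
	private void clearJackrabbitPrincipals() {
		clearPrincipals(AdminPrincipal.class);
		clearPrincipals(AnonymousPrincipal.class);
		clearPrincipals(GrantedAuthorityPrincipal.class);
	}

	/**
	 * Removes the principals of the given type from the subject.
	 * {@link javax.security.auth.Subject#getPrincipals(Class)} returns a
	 * detached copy, so clearing that copy would leave the subject untouched;
	 * the matching principals are removed from the backing set instead.
	 * Nothing is done on a read-only subject, which cannot be modified.
	 */
	private <T extends Principal> void clearPrincipals(Class<T> clss) {
		if (subject.isReadOnly())
			return;
		Set<T> toRemove = subject.getPrincipals(clss);
		if (toRemove != null && !toRemove.isEmpty())
			subject.getPrincipals().removeAll(toRemove);
	}

	/**
	 * Removes the {@link SimpleCredentials} from the subject's public
	 * credentials. As with the principals,
	 * {@link javax.security.auth.Subject#getPublicCredentials(Class)} is a
	 * detached copy, so the removal goes through the backing set.
	 */
	private void clearSimpleCredentials() {
		if (subject.isReadOnly())
			return;
		Set<SimpleCredentials> toRemove = subject
				.getPublicCredentials(SimpleCredentials.class);
		if (toRemove != null && !toRemove.isEmpty())
			subject.getPublicCredentials().removeAll(toRemove);
	}

	/** No module specific initialisation; the options are ignored. */
	@SuppressWarnings("rawtypes")
	@Override
	protected void doInit(CallbackHandler callbackHandler, Session session,
			Map options) throws LoginException {
	}

	/**
	 * Impersonation is not supported by this module.
	 * 
	 * @throws UnsupportedOperationException
	 *             always
	 */
	@Override
	protected boolean impersonate(Principal principal, Credentials credentials)
			throws RepositoryException, LoginException {
		throw new UnsupportedOperationException(
				"Impersonation is not yet supported");
	}

	/**
	 * Returns a Jackrabbit {@link Authentication} which accepts a Spring
	 * {@link org.springframework.security.Authentication} as principal and
	 * reports it as authenticated whenever Spring Security does. The JCR
	 * {@code creds} are not checked at all: holding an authenticated Spring
	 * authentication in the security context is sufficient. Returns null for
	 * {@link Group} principals.
	 */
	@Override
	protected Authentication getAuthentication(final Principal principal,
			Credentials creds) throws RepositoryException {
		if (principal instanceof Group)
			return null;
		return new Authentication() {
			public boolean canHandle(Credentials credentials) {
				return principal instanceof org.springframework.security.Authentication;
			}

			public boolean authenticate(Credentials credentials)
					throws RepositoryException {
				// delegate entirely to the Spring Security state
				return ((org.springframework.security.Authentication) principal)
						.isAuthenticated();
			}
		};
	}

}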