package org.argeo.security.equinox;
import java.util.Map;
-import java.util.concurrent.Executor;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.login.LoginException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.argeo.security.SiteAuthenticationToken;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationManager;
/** Login module which caches one subject per thread. */
public class SpringLoginModule extends SecurityContextLoginModule {
+ final static String NODE_REPO_URI = "argeo.node.repo.uri";
+
+ private final static Log log = LogFactory.getLog(SpringLoginModule.class);
+
private AuthenticationManager authenticationManager;
- private Executor systemExecutor;
private CallbackHandler callbackHandler;
+ private Subject subject;
+
+ private Long waitBetweenFailedLoginAttempts = 5 * 1000l;
+
+ private Boolean remote = false;
+
public SpringLoginModule() {
}
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
- // this.subject.set(subject);
this.callbackHandler = callbackHandler;
+ this.subject = subject;
}
public boolean login() throws LoginException {
- // thread already logged in
- if (SecurityContextHolder.getContext().getAuthentication() != null)
- return super.login();
-
- // if (getSubject().getPrincipals(Authentication.class).size() == 1) {
- // registerAuthentication(getSubject()
- // .getPrincipals(Authentication.class).iterator().next());
- // return super.login();
- // } else if (getSubject().getPrincipals(Authentication.class).size() >
- // 1) {
- // throw new LoginException(
- // "Multiple Authentication principals not supported: "
- // + getSubject().getPrincipals(Authentication.class));
- // } else {
- // ask for username and password
- Callback label = new TextOutputCallback(TextOutputCallback.INFORMATION,
- "Required login");
- NameCallback nameCallback = new NameCallback("User");
- PasswordCallback passwordCallback = new PasswordCallback("Password",
- false);
- NameCallback urlCallback = new NameCallback("Site URL");
-
- if (callbackHandler == null) {
- throw new LoginException("No call back handler available");
- // return false;
- }
try {
- callbackHandler.handle(new Callback[] { label, nameCallback,
- passwordCallback, urlCallback });
- } catch (Exception e) {
- LoginException le = new LoginException("Callback handling failed");
- le.initCause(e);
- throw le;
- }
-
- // Set user name and password
- String username = nameCallback.getName();
- String password = "";
- if (passwordCallback.getPassword() != null) {
- password = String.valueOf(passwordCallback.getPassword());
- }
- String url = urlCallback.getName();
- // TODO: set it via system properties
- String workspace = null;
-
- // UsernamePasswordAuthenticationToken credentials = new
- // UsernamePasswordAuthenticationToken(
- // username, password);
- SiteAuthenticationToken credentials = new SiteAuthenticationToken(
- username, password, url, workspace);
-
- try {
-
- Authentication authentication = authenticationManager
- .authenticate(credentials);
+ // thread already logged in
+ if (SecurityContextHolder.getContext().getAuthentication() != null)
+ return super.login();
+
+ // reset all principals and credentials
+ if (log.isTraceEnabled())
+ log.trace("Resetting all principals and credentials of "
+ + subject);
+ if (subject.getPrincipals() != null)
+ subject.getPrincipals().clear();
+ if (subject.getPrivateCredentials() != null)
+ subject.getPrivateCredentials().clear();
+ if (subject.getPublicCredentials() != null)
+ subject.getPublicCredentials().clear();
+
+ // ask for username and password
+ NameCallback nameCallback = new NameCallback("User");
+ PasswordCallback passwordCallback = new PasswordCallback(
+ "Password", false);
+
+ NameCallback urlCallback = new NameCallback("Site URL");
+
+ if (callbackHandler == null)
+ throw new LoginException("No call back handler available");
+ if (remote)
+ callbackHandler.handle(new Callback[] { nameCallback,
+ passwordCallback, urlCallback });
+ else
+ callbackHandler.handle(new Callback[] { nameCallback,
+ passwordCallback });
+
+ // Set user name and password
+ String username = nameCallback.getName();
+ if (username == null || username.trim().equals(""))
+ return false;
+
+ String password = "";
+ if (passwordCallback.getPassword() != null)
+ password = String.valueOf(passwordCallback.getPassword());
+
+ String url = remote ? urlCallback.getName() : null;
+ if (remote && (url == null || url.trim().equals("")))
+ // for convenience, may be removed in the future
+ url = System.getProperty(NODE_REPO_URI);
+
+ // TODO: set it via system properties
+ String workspace = null;
+
+ SiteAuthenticationToken credentials = new SiteAuthenticationToken(
+ username, password, url, workspace);
+
+ Authentication authentication;
+ try {
+ authentication = authenticationManager
+ .authenticate(credentials);
+ } catch (BadCredentialsException e) {
+ // wait between failed login attempts
+ Thread.sleep(waitBetweenFailedLoginAttempts);
+ throw e;
+ }
registerAuthentication(authentication);
boolean res = super.login();
- // if (log.isDebugEnabled())
- // log.debug("User " + username + " logged in");
return res;
- } catch (BadCredentialsException bce) {
- throw bce;
+ } catch (LoginException e) {
+ throw e;
+ } catch (ThreadDeath e) {
+ LoginException le = new LoginException(
+ "Spring Security login thread died");
+ le.initCause(e);
+ throw le;
} catch (Exception e) {
- LoginException loginException = new LoginException(
- "Bad credentials");
- loginException.initCause(e);
- throw loginException;
+ LoginException le = new LoginException(
+ "Spring Security login failed");
+ le.initCause(e);
+ throw le;
}
- // }
}
@Override
public boolean logout() throws LoginException {
+ subject.getPrincipals().clear();
return super.logout();
}
this.authenticationManager = authenticationManager;
}
- public void setSystemExecutor(Executor systemExecutor) {
- this.systemExecutor = systemExecutor;
+ public void setRemote(Boolean remote) {
+ this.remote = remote;
}
-
- // protected Subject getSubject() {
- // return subject.get();
- // }
-
}