package org.argeo.security.jackrabbit;
-import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
+import org.argeo.security.SystemAuth;
public class SystemJackrabbitLoginModule implements LoginModule {
@Override
public boolean commit() throws LoginException {
- Set<Principal> principals = subject.getPrincipals();
- if (principals.isEmpty()) {// system
- subject.getPrincipals().add(new AdminPrincipal("admin"));
+ Set<SystemAuth> initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals().add(
+ new AdminPrincipal(SecurityConstants.ADMIN_ID));
return true;
}
- boolean isAdmin = false;
- boolean isAnonymous = false;
- // FIXME make it more generic
- for (Principal principal : principals) {
- if (principal.getName().equalsIgnoreCase(
- "cn=admin,ou=roles,ou=node"))
- isAdmin = true;
- else if (principal.getName().equalsIgnoreCase(
- "cn=anonymous,ou=roles,ou=node"))
- isAnonymous = true;
- }
- if (isAnonymous && isAdmin)
- throw new LoginException("Cannot be admin and anonymous");
+ Set<X500Principal> userPrincipal = subject
+ .getPrincipals(X500Principal.class);
+ if (userPrincipal.isEmpty())
+ throw new LoginException("Subject must be pre-authenticated");
+ if (userPrincipal.size() > 1)
+ throw new LoginException("Multiple user principals "
+ + userPrincipal);
- // Add special Jackrabbit roles
- if (isAdmin)
- principals.add(new AdminPrincipal("admin"));
- if (isAnonymous)// anonymous
- principals.add(new AnonymousPrincipal());
return true;
+
+ // Set<Principal> principals = subject.getPrincipals();
+ // if (principals.isEmpty()) {// system
+ // throw new LoginException("Subject must be pre-authenticated");
+ // // subject.getPrincipals().add(new AdminPrincipal("admin"));
+ // // return true;
+ // }
+ // boolean isAdmin = false;
+ // boolean isAnonymous = false;
+ // // FIXME make it more generic
+ // for (Principal principal : principals) {
+ // if (principal.getName().equalsIgnoreCase(
+ // "cn=admin,ou=roles,ou=node"))
+ // isAdmin = true;
+ // else if (principal.getName().equalsIgnoreCase(
+ // "cn=anonymous,ou=roles,ou=node"))
+ // isAnonymous = true;
+ // }
+ //
+ // if (isAnonymous && isAdmin)
+ // throw new LoginException("Cannot be admin and anonymous");
+ //
+ // // Add special Jackrabbit roles
+ // if (isAdmin)
+ // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
+ // if (isAnonymous)// anonymous
+ // principals.add(new AnonymousPrincipal());
+ // return true;
}
@Override
@Override
public boolean logout() throws LoginException {
- subject.getPrincipals().removeAll(
- subject.getPrincipals(AdminPrincipal.class));
+ Set<SystemAuth> initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals(AdminPrincipal.class);
+ return true;
+ }
+ // subject.getPrincipals().removeAll(
+ // subject.getPrincipals(AdminPrincipal.class));
return true;
}
-
}
projects / lgpl / argeo-commons.git / blobdiff