Improve login and keyring

[lgpl/argeo-commons.git] / security / plugins / org.argeo.security.equinox / src / main / java / org / argeo / security / equinox / SpringLoginModule.java
diff --git a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java

index c25be6afbdf46b845adc37c083065a3c2d095be5..03f5f35ed960d2c8d529337f4c0f8cef7838cb2c 100644 (file)
--- a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java
+++ b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java
@@ -1,14 +1,12 @@
  package org.argeo.security.equinox;
  
  import java.util.Map;
-import java.util.Set;
  
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.TextOutputCallback;
  import javax.security.auth.login.LoginException;
  
  import org.apache.commons.logging.Log;
@@ -30,6 +28,8 @@ public class SpringLoginModule extends SecurityContextLoginModule {
  
         private Subject subject;
  
+       private Long waitBetweenFailedLoginAttempts = 5 * 1000l;
+
         public SpringLoginModule() {
  
         }
@@ -43,74 +43,80 @@ public class SpringLoginModule extends SecurityContextLoginModule {
         }
  
         public boolean login() throws LoginException {
-               // try to retrieve Authentication from Subject
-               Set<Authentication> auths = subject.getPrincipals(Authentication.class);
-               if (auths.size() > 0)
-                       SecurityContextHolder.getContext().setAuthentication(
-                                       auths.iterator().next());
-
-               // thread already logged in
-               if (SecurityContextHolder.getContext().getAuthentication() != null)
-                       return super.login();
-
-               // ask for username and password
-               Callback label = new TextOutputCallback(TextOutputCallback.INFORMATION,
-                               "Required login");
-               NameCallback nameCallback = new NameCallback("User");
-               PasswordCallback passwordCallback = new PasswordCallback("Password",
-                               false);
-               NameCallback urlCallback = new NameCallback("Site URL");
-
-               if (callbackHandler == null) {
-                       throw new LoginException("No call back handler available");
-                       // return false;
-               }
                 try {
-                       callbackHandler.handle(new Callback[] { label, nameCallback,
-                                       passwordCallback, urlCallback });
-               } catch (Exception e) {
-                       LoginException le = new LoginException("Callback handling failed");
-                       le.initCause(e);
-                       throw le;
-               }
-
-               // Set user name and password
-               String username = nameCallback.getName();
-               String password = "";
-               if (passwordCallback.getPassword() != null) {
-                       password = String.valueOf(passwordCallback.getPassword());
-               }
-               String url = urlCallback.getName();
-               // TODO: set it via system properties
-               String workspace = null;
-
-               // UsernamePasswordAuthenticationToken credentials = new
-               // UsernamePasswordAuthenticationToken(
-               // username, password);
-               SiteAuthenticationToken credentials = new SiteAuthenticationToken(
-                               username, password, url, workspace);
-
-               try {
-                       Authentication authentication = authenticationManager
-                                       .authenticate(credentials);
+                       // thread already logged in
+                       if (SecurityContextHolder.getContext().getAuthentication() != null)
+                               return super.login();
+
+                       // reset all principals and credentials
+                       if (log.isTraceEnabled())
+                               log.trace("Resetting all principals and credentials of "
+                                               + subject);
+                       if (subject.getPrincipals() != null)
+                               subject.getPrincipals().clear();
+                       if (subject.getPrivateCredentials() != null)
+                               subject.getPrivateCredentials().clear();
+                       if (subject.getPublicCredentials() != null)
+                               subject.getPublicCredentials().clear();
+
+                       // ask for username and password
+                       NameCallback nameCallback = new NameCallback("User");
+                       PasswordCallback passwordCallback = new PasswordCallback(
+                                       "Password", false);
+
+                       // NameCallback urlCallback = new NameCallback("Site URL");
+
+                       if (callbackHandler == null)
+                               throw new LoginException("No call back handler available");
+                       callbackHandler.handle(new Callback[] { nameCallback,
+                                       passwordCallback });
+
+                       // Set user name and password
+                       String username = nameCallback.getName();
+                       if (username == null || username.trim().equals(""))
+                               return false;
+
+                       String password = "";
+                       if (passwordCallback.getPassword() != null)
+                               password = String.valueOf(passwordCallback.getPassword());
+
+                       // String url = urlCallback.getName();
+                       // TODO: set it via system properties
+                       String workspace = null;
+
+                       SiteAuthenticationToken credentials = new SiteAuthenticationToken(
+                                       username, password, null, workspace);
+
+                       Authentication authentication;
+                       try {
+                               authentication = authenticationManager
+                                               .authenticate(credentials);
+                       } catch (BadCredentialsException e) {
+                               // wait between failed login attempts
+                               Thread.sleep(waitBetweenFailedLoginAttempts);
+                               throw e;
+                       }
                         registerAuthentication(authentication);
                         boolean res = super.login();
                         return res;
-               } catch (BadCredentialsException bce) {
-                       throw bce;
+               } catch (LoginException e) {
+                       throw e;
+               } catch (ThreadDeath e) {
+                       LoginException le = new LoginException(
+                                       "Spring Security login thread died");
+                       le.initCause(e);
+                       throw le;
                 } catch (Exception e) {
-                       LoginException loginException = new LoginException(
-                                       "Bad credentials");
-                       loginException.initCause(e);
-                       throw loginException;
+                       LoginException le = new LoginException(
+                                       "Spring Security login failed");
+                       le.initCause(e);
+                       throw le;
                 }
-               // }
         }
  
         @Override
         public boolean logout() throws LoginException {
-//             if (log.isDebugEnabled())
-//                     log.debug("logout subject=" + subject);
+               subject.getPrincipals().clear();
                 return super.logout();
         }