Introduce system authenticated bean post processing
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/AbstractSystemExecution.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/AbstractSystemExecution.java
new file mode 100644 (file)
index 0000000..55f0fef
--- /dev/null
@@ -0,0 +1,64 @@
+package org.argeo.security.core;
+
+import java.security.AccessController;
+
+import javax.security.auth.Subject;
+
+import org.argeo.ArgeoException;
+import org.springframework.security.Authentication;
+import org.springframework.security.AuthenticationManager;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
+
+/** Provides base method for executing code with system authorization. */
+public abstract class AbstractSystemExecution {
+       private AuthenticationManager authenticationManager;
+       private String systemAuthenticationKey;
+
+       /**
+        * Authenticate the calling thread to the underlying
+        * {@link AuthenticationManager}
+        */
+       protected void authenticateAsSystem() {
+               SecurityContext securityContext = SecurityContextHolder.getContext();
+               Authentication currentAuth = securityContext.getAuthentication();
+               if (currentAuth != null)
+                       throw new ArgeoException(
+                                       "System execution on an already authenticated thread: "
+                                                       + currentAuth + ", THREAD="
+                                                       + Thread.currentThread().getId());
+
+               Subject subject = Subject.getSubject(AccessController.getContext());
+               if (subject != null
+                               && !subject.getPrincipals(Authentication.class).isEmpty())
+                       throw new ArgeoException(
+                                       "There is already an authenticated subject: " + subject);
+
+               String key = systemAuthenticationKey != null ? systemAuthenticationKey
+                               : System.getProperty(
+                                               InternalAuthentication.SYSTEM_KEY_PROPERTY,
+                                               InternalAuthentication.SYSTEM_KEY_DEFAULT);
+               if (key == null)
+                       throw new ArgeoException("No system key defined");
+               Authentication auth = authenticationManager
+                               .authenticate(new InternalAuthentication(key));
+               securityContext.setAuthentication(auth);
+       }
+
+       /** Removes the authentication from the calling thread. */
+       protected void deauthenticateAsSystem() {
+               // remove the authentication
+               SecurityContext securityContext = SecurityContextHolder.getContext();
+               securityContext.setAuthentication(null);
+       }
+
+       public void setAuthenticationManager(
+                       AuthenticationManager authenticationManager) {
+               this.authenticationManager = authenticationManager;
+       }
+
+       public void setSystemAuthenticationKey(String systemAuthenticationKey) {
+               this.systemAuthenticationKey = systemAuthenticationKey;
+       }
+
+}
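Review bot: `deauthenticateAsSystem()` (the hunk's second method) sets the context's authentication to null unconditionally, so it does not only undo what `authenticateAsSystem()` installed; if a subclass pairs the two in a try/finally (not visible here) and `authenticateAsSystem()` throws on its "already authenticated thread" pre-check, the finally block would wipe the caller's own authentication, which is a privilege-boundary bug in the opposite direction to the one the pre-check guards against. The deauthenticate step should remember the `Authentication` it installed on this thread and clear the context only when it still holds that object; a `ThreadLocal` is needed because the bean is presumably shared across threads. Two smaller points: the `key == null` guard on the line after the property lookup can only fire if `InternalAuthentication.SYSTEM_KEY_DEFAULT` is itself null, so a deployment that never sets the property silently authenticates with a compiled-in default key — worth a comment such as `// NOTE: falls back to the built-in default key if the property is unset; deployments should override it` and a check that the resolved key is not the default; and the exception messages concatenate `currentAuth` and `subject` via toString, which may surface credentials or principal details in logs depending on the token classes in use.
```java
private final ThreadLocal<Authentication> installed = new ThreadLocal<Authentication>();

// … unchanged: pre-checks and key lookup in authenticateAsSystem() …
		Authentication auth = authenticationManager
				.authenticate(new InternalAuthentication(key));
		securityContext.setAuthentication(auth);
		installed.set(auth);
	}

	/** Removes only the system authentication installed by {@link #authenticateAsSystem()}. */
	protected void deauthenticateAsSystem() {
		SecurityContext securityContext = SecurityContextHolder.getContext();
		Authentication auth = installed.get();
		installed.remove();
		// never clear an authentication this class did not put there
		if (auth != null && securityContext.getAuthentication() == auth)
			securityContext.setAuthentication(null);
	}
```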