package org.argeo.security.ldap.jcr;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
+import java.util.Random;
+import java.util.SortedSet;
import java.util.concurrent.Executor;
import javax.jcr.Node;
-import javax.jcr.Repository;
+import javax.jcr.Property;
import javax.jcr.RepositoryException;
-import javax.jcr.RepositoryFactory;
import javax.jcr.Session;
+import javax.jcr.nodetype.NodeType;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.ArgeoException;
-import org.argeo.jcr.ArgeoJcrConstants;
import org.argeo.jcr.ArgeoNames;
-import org.argeo.jcr.ArgeoTypes;
import org.argeo.jcr.JcrUtils;
import org.argeo.security.jcr.JcrUserDetails;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.encoding.PasswordEncoder;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.ldap.UserDetailsContextMapper;
private Map<String, String> propertyToAttributes = new HashMap<String, String>();
private Executor systemExecutor;
- private RepositoryFactory repositoryFactory;
+ private Session session;
+
+ private PasswordEncoder passwordEncoder;
+ private final Random random;
+
+ public JcrUserDetailsContextMapper() {
+ random = createRandom();
+ }
+
+ private static Random createRandom() {
+ try {
+ return SecureRandom.getInstance("SHA1PRNG");
+ } catch (NoSuchAlgorithmException e) {
+ return new Random(System.currentTimeMillis());
+ }
+ }
public UserDetails mapUserFromContext(final DirContextOperations ctx,
final String username, GrantedAuthority[] authorities) {
- if (repositoryFactory == null)
- throw new ArgeoException("No JCR repository factory registered");
+ if (ctx == null)
+ throw new ArgeoException("No LDAP information found for user "
+ + username);
+
final StringBuffer userHomePathT = new StringBuffer("");
- systemExecutor.execute(new Runnable() {
+ Runnable action = new Runnable() {
public void run() {
String userHomepath = mapLdapToJcr(username, ctx);
userHomePathT.append(userHomepath);
}
- });
+ };
+
+ if (SecurityContextHolder.getContext().getAuthentication() == null) {
+ // authentication
+ try {
+ systemExecutor.execute(action);
+ } finally {
+ JcrUtils.logoutQuietly(session);
+ }
+ } else {
+ // authenticated user
+ action.run();
+ }
// password
- byte[] arr = (byte[]) ctx
- .getAttributeSortedStringSet(passwordAttribute).first();
+ SortedSet<?> passwordAttributes = ctx
+ .getAttributeSortedStringSet(passwordAttribute);
+ String password;
+ if (passwordAttributes == null || passwordAttributes.size() == 0) {
+ throw new ArgeoException("No password found for user " + username);
+ } else {
+ byte[] arr = (byte[]) passwordAttributes.first();
+ password = new String(arr);
+ // erase password
+ Arrays.fill(arr, (byte) 0);
+ }
JcrUserDetails userDetails = new JcrUserDetails(
- userHomePathT.toString(), username, new String(arr), true,
- true, true, true, authorities);
- // erase password
- Arrays.fill(arr, (byte) 0);
+ userHomePathT.toString(), username, password, true, true, true,
+ true, authorities);
return userDetails;
}
/** @return path to the user home node */
protected String mapLdapToJcr(String username, DirContextOperations ctx) {
- Session session = null;
try {
- Repository nodeRepo = JcrUtils.getRepositoryByAlias(
- repositoryFactory, ArgeoJcrConstants.ALIAS_NODE);
- session = nodeRepo.login();
Node userHome = JcrUtils.getUserHome(session, username);
if (userHome == null)
- userHome = createUserHome(session, username);
+ userHome = JcrUtils.createUserHome(session, homeBasePath,
+ username);
String userHomePath = userHome.getPath();
- Node userProfile = userHome.hasNode(ARGEO_USER_PROFILE) ? userHome
- .getNode(ARGEO_USER_PROFILE) : userHome
- .addNode(ARGEO_USER_PROFILE);
+ Node userProfile = userHome.getNode(ARGEO_PROFILE);
+ if (userHome.hasNode(ARGEO_PROFILE)) {
+ userProfile = userHome.getNode(ARGEO_PROFILE);
+ } else {
+ userProfile = userHome.addNode(ARGEO_PROFILE);
+ userProfile.addMixin(NodeType.MIX_TITLE);
+ userProfile.addMixin(NodeType.MIX_CREATED);
+ userProfile.addMixin(NodeType.MIX_LAST_MODIFIED);
+ }
+
for (String jcrProperty : propertyToAttributes.keySet())
ldapToJcr(userProfile, jcrProperty, ctx);
+
+ // assign default values
+ if (!userProfile.hasProperty(Property.JCR_DESCRIPTION))
+ userProfile.setProperty(Property.JCR_DESCRIPTION, "");
+ if (!userProfile.hasProperty(Property.JCR_TITLE))
+ userProfile.setProperty(Property.JCR_TITLE, userProfile
+ .getProperty(ARGEO_FIRST_NAME).getString()
+ + " "
+ + userProfile.getProperty(ARGEO_LAST_NAME).getString());
+
session.save();
- if (log.isDebugEnabled())
- log.debug("Mapped " + ctx.getDn() + " to " + userProfile);
+ if (log.isTraceEnabled())
+ log.trace("Mapped " + ctx.getDn() + " to " + userProfile);
return userHomePath;
- } catch (RepositoryException e) {
+ } catch (Exception e) {
JcrUtils.discardQuietly(session);
throw new ArgeoException("Cannot synchronize JCR and LDAP", e);
- } finally {
- session.logout();
- }
- }
-
- protected Node createUserHome(Session session, String username) {
- try {
- Node userHome = JcrUtils.mkdirs(session,
- usernameToHomePath(username));
- userHome.addMixin(ArgeoTypes.ARGEO_USER_HOME);
- userHome.setProperty(ARGEO_USER_ID, username);
- return userHome;
- } catch (RepositoryException e) {
- throw new ArgeoException("Cannot create home node for user "
- + username, e);
}
}
- protected String usernameToHomePath(String username) {
- return homeBasePath + '/' + JcrUtils.firstCharsToPath(username, 2)
- + '/' + username;
- }
-
public void mapUserToContext(UserDetails user, final DirContextAdapter ctx) {
if (!(user instanceof JcrUserDetails))
throw new ArgeoException("Unsupported user details: "
ctx.setAttributeValues("objectClass", userClasses);
ctx.setAttributeValue(usernameAttribute, user.getUsername());
- ctx.setAttributeValue(passwordAttribute, user.getPassword());
+ ctx.setAttributeValue(passwordAttribute,
+ encodePassword(user.getPassword()));
final JcrUserDetails jcrUserDetails = (JcrUserDetails) user;
- systemExecutor.execute(new Runnable() {
- public void run() {
- Session session = null;
- try {
- Repository nodeRepo = JcrUtils.getRepositoryByAlias(
- repositoryFactory, ArgeoJcrConstants.ALIAS_NODE);
- session = nodeRepo.login();
- Node userProfile = session.getNode(jcrUserDetails
- .getHomePath() + '/' + ARGEO_USER_PROFILE);
- for (String jcrProperty : propertyToAttributes.keySet())
- jcrToLdap(userProfile, jcrProperty, ctx);
- if (log.isDebugEnabled())
- log.debug("Mapped " + userProfile + " to "
- + ctx.getDn());
- } catch (RepositoryException e) {
- throw new ArgeoException("Cannot synchronize JCR and LDAP",
- e);
- } finally {
- session.logout();
- }
- }
- });
+ try {
+ Node userProfile = session.getNode(jcrUserDetails.getHomePath()
+ + '/' + ARGEO_PROFILE);
+ for (String jcrProperty : propertyToAttributes.keySet())
+ jcrToLdap(userProfile, jcrProperty, ctx);
+
+ if (log.isTraceEnabled())
+ log.trace("Mapped " + userProfile + " to " + ctx.getDn());
+ } catch (RepositoryException e) {
+ throw new ArgeoException("Cannot synchronize JCR and LDAP", e);
+ }
+ }
+
+ protected String encodePassword(String password) {
+ if (!password.startsWith("{")) {
+ byte[] salt = new byte[16];
+ random.nextBytes(salt);
+ return passwordEncoder.encodePassword(password, salt);
+ } else {
+ return password;
+ }
}
protected void ldapToJcr(Node userProfile, String jcrProperty,
protected void jcrToLdap(Node userProfile, String jcrProperty,
DirContextOperations ctx) {
try {
- if (!userProfile.hasProperty(jcrProperty))
- return;
- String value = userProfile.getProperty(jcrProperty).getString();
-
String ldapAttribute;
if (propertyToAttributes.containsKey(jcrProperty))
ldapAttribute = propertyToAttributes.get(jcrProperty);
throw new ArgeoException(
"No LDAP attribute mapped for JCR proprty "
+ jcrProperty);
+
+ // fix issue with empty 'sn' in LDAP
+ if (ldapAttribute.equals("sn")
+ && (!userProfile.hasProperty(jcrProperty) || userProfile
+ .getProperty(jcrProperty).getString().trim()
+ .equals("")))
+ userProfile.setProperty(jcrProperty, "empty");
+
+ if (ldapAttribute.equals("description")) {
+ String value = userProfile.getProperty(jcrProperty).getString();
+ if (value.trim().equals(""))
+ return;
+ }
+
+ if (!userProfile.hasProperty(jcrProperty))
+ return;
+ String value = userProfile.getProperty(jcrProperty).getString();
+
ctx.setAttributeValue(ldapAttribute, value);
} catch (Exception e) {
throw new ArgeoException("Cannot map JCR property " + jcrProperty
this.homeBasePath = homeBasePath;
}
- public void register(RepositoryFactory repositoryFactory,
- Map<String, String> parameters) {
- this.repositoryFactory = repositoryFactory;
- }
-
- public void unregister(RepositoryFactory repositoryFactory,
- Map<String, String> parameters) {
- this.repositoryFactory = null;
- }
-
public void setUsernameAttribute(String usernameAttribute) {
this.usernameAttribute = usernameAttribute;
}
this.userClasses = userClasses;
}
+ public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+ this.passwordEncoder = passwordEncoder;
+ }
+
+ public void setSession(Session session) {
+ this.session = session;
+ }
+
}