X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=security%2Fplugins%2Forg.argeo.security.equinox%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fequinox%2FSpringLoginModule.java;h=adeec870eadfd137c746863ab125366f9eb9a0cd;hb=3baeb167c9a92d1f915904bb956632c0aff65b2b;hp=71ce5715bc937f5d6a4d310d913aa24af8c3da71;hpb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;p=lgpl%2Fargeo-commons.git
diff --git a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java
index 71ce5715b..adeec870e 100644
--- a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java
+++ b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java
@@ -1,6 +1,22 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.equinox;
 import java.util.Map;
+import java.util.UUID;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
@@ -15,7 +31,10 @@ import org.argeo.security.NodeAuthenticationToken;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationManager;
 import org.springframework.security.BadCredentialsException;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.GrantedAuthorityImpl;
 import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
 import org.springframework.security.providers.jaas.SecurityContextLoginModule;
 /** Login module which caches one subject per thread. */
@@ -33,6 +52,10 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 private Long waitBetweenFailedLoginAttempts = 5 * 1000l;
 private Boolean remote = false;
+ private Boolean anonymous = false;
+
+ private String key = null;
+ private String anonymousRole = "ROLE_ANONYMOUS";
 public SpringLoginModule() {
@@ -52,6 +75,10 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 if (SecurityContextHolder.getContext().getAuthentication() != null)
 return super.login();
+ if (remote && anonymous)
+ throw new LoginException(
+ "Cannot have a Spring login module which is remote and anonymous");
+
 // reset all principals and credentials
 if (log.isTraceEnabled())
 log.trace("Resetting all principals and credentials of "
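Review bot: The new `if (remote && anonymous)` guard is placed after the early `return super.login()` that fires when `SecurityContextHolder` already holds an authentication, so a module configured both remote and anonymous is only rejected on the first login of a thread with an empty context and passes silently afterwards. Moving the three added lines above that `if` (or, better, checking the combination in the setters this patch adds further down) makes the misconfiguration fail on every call instead of depending on thread state. `login()` continues outside this hunk.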
@@ -63,6 +90,20 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 if (subject.getPublicCredentials() != null)
 subject.getPublicCredentials().clear();
+ // deals first with public access since it's simple
+ if (anonymous) {
+ // TODO integrate with JCR?
+ Object principal = UUID.randomUUID().toString();
+ GrantedAuthority[] authorities = { new GrantedAuthorityImpl(
+ anonymousRole) };
+ AnonymousAuthenticationToken anonymousToken = new AnonymousAuthenticationToken(
+ key, principal, authorities);
+ Authentication auth = authenticationManager
+ .authenticate(anonymousToken);
+ registerAuthentication(auth);
+ return super.login();
+ }
+
 if (callbackHandler == null)
 throw new LoginException("No call back handler available");
@@ -70,18 +111,15 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 NameCallback nameCallback = new NameCallback("User");
 PasswordCallback passwordCallback = new PasswordCallback(
 "Password", false);
- final String defaultNodeUrl = "http://localhost:7070/org.argeo.jcr.webapp/remoting/node";
- final String defaultSecurityWorkspace = "security";
+ final String defaultNodeUrl = System.getProperty(NODE_REPO_URI,
+ "http://localhost:7070/org.argeo.jcr.webapp/remoting/node");
 NameCallback urlCallback = new NameCallback("Site URL",
 defaultNodeUrl);
- NameCallback securityWorkspaceCallback = new NameCallback(
- "Security Workspace", defaultSecurityWorkspace);
 // handle callbacks
 if (remote)
 callbackHandler.handle(new Callback[] { nameCallback,
- passwordCallback, urlCallback,
- securityWorkspaceCallback });
+ passwordCallback, urlCallback });
 else
 callbackHandler.handle(new Callback[] { nameCallback,
 passwordCallback });
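Review bot: `key` is declared `private String key = null;` earlier in this patch and is passed unchecked to `new AnonymousAuthenticationToken(key, principal, authorities)`; that constructor rejects a null or empty key with an `IllegalArgumentException`, so an anonymous module that was never given `setKey` fails with an unchecked exception rather than a `LoginException`. Guard at the top of the branch: `if (key == null || key.length() == 0) throw new LoginException("No key configured for anonymous authentication");`. The key is also what `AnonymousAuthenticationProvider` verifies the token against, so a key that does not match the provider's surfaces here as a `BadCredentialsException` from `authenticate`, which is unchecked and leaves `login()` unwrapped unless the code further down (outside this hunk) catches it. A comment such as `// must match the key configured on the AnonymousAuthenticationProvider` on the token construction would spare the next reader a trip to the Spring configuration.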
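Review bot: The fallback URL in `final String defaultNodeUrl = System.getProperty(NODE_REPO_URI, "http://localhost:7070/org.argeo.jcr.webapp/remoting/node");` is now an inline literal inside the property lookup; a class-level `private static final String DEFAULT_NODE_URL = "http://localhost:7070/org.argeo.jcr.webapp/remoting/node";` would name it and keep the statement on one line. `NODE_REPO_URI` is neither declared nor imported by this patch, so it presumably already exists in the class or a supertype; a comment saying where it comes from would help. Whatever URL the user leaves in `urlCallback` is presumably where the password collected here ends up (the `@@ -98,9` hunk hands it to `NodeAuthenticationToken`), and the default is plain `http://`, so the constant's Javadoc should state that it is a local-development default and that a TLS URL is expected elsewhere.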
@@ -98,9 +136,8 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 NodeAuthenticationToken credentials;
 if (remote) {
 String url = urlCallback.getName();
- String workspace = securityWorkspaceCallback.getName();
 credentials = new NodeAuthenticationToken(username, password,
- url, workspace);
+ url);
 } else {
 credentials = new NodeAuthenticationToken(username, password);
 }
@@ -154,7 +191,26 @@ public class SpringLoginModule extends SecurityContextLoginModule {
 this.authenticationManager = authenticationManager;
 }
+ /** Authenticates on a remote node */
 public void setRemote(Boolean remote) {
 this.remote = remote;
 }
+
+ /**
+ * Request anonymous authentication (incompatible with remote)
+ */
+ public void setAnonymous(Boolean anonymous) {
+ this.anonymous = anonymous;
+ }
+
+ /** Role identifying an anonymous user */
+ public void setAnonymousRole(String anonymousRole) {
+ this.anonymousRole = anonymousRole;
+ }
+
+ /** System key */
+ public void setKey(String key) {
+ this.key = key;
+ }
+
 }
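Review bot: The Javadoc `/** System key */` on `setKey` says neither what the key is for nor that it is required; suggest `/** Key shared with the AnonymousAuthenticationProvider; required when {@link #setAnonymous(Boolean)} is true. */`, and on `setAnonymous` a sentence noting that the conflict with remote is only detected in `login()`, not at configuration time. `setAnonymous(null)` would also make the `if (anonymous)` and `remote && anonymous` checks in `login()` fail with a `NullPointerException` on unboxing, the same weakness the pre-existing `setRemote` has; `this.anonymous = anonymous != null && anonymous;` avoids it, or the flags could be primitive `boolean` fields. The `}` closing this hunk is the end of the class.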