X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FOsJcrAuthenticationProvider.java;h=cb9146a8b662407593675de216655715d1c4504e;hb=0450e423bd759c9e27b43044670e659271392d71;hp=e6f90b165c08cc9efc6d498d88d16f68d5bf5e73;hpb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
index e6f90b165..cb9146a8b 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java
@@ -1,78 +1,124 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jcr;
 
 import javax.jcr.Node;
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.version.VersionManager;
 
 import org.argeo.ArgeoException;
-import org.argeo.jcr.ArgeoNames;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.security.OsAuthenticationToken;
 import org.argeo.security.core.OsAuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.userdetails.UserDetails;
 
-/** Relies on OS to authenticate and additionaly setup JCR */
+/** Relies on OS to authenticate and additionally setup JCR */
 public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
 	private Repository repository;
-	private String securityWorkspace = "security";
-	private Session securitySession;
+	// private String securityWorkspace = "security";
+	// private Session securitySession;
+	private Session nodeSession;
+
+	private UserDetails userDetails;
+	private JcrSecurityModel jcrSecurityModel = new JcrSecurityModel();
 
 	public void init() {
 		try {
-			securitySession = repository.login(securityWorkspace);
+			// securitySession = repository.login();
+			nodeSession = repository.login();
 		} catch (RepositoryException e) {
 			throw new ArgeoException("Cannot initialize", e);
 		}
 	}
 
 	public void destroy() {
-		JcrUtils.logoutQuietly(securitySession);
+		// JcrUtils.logoutQuietly(securitySession);
+		JcrUtils.logoutQuietly(nodeSession);
 	}
 
 	public Authentication authenticate(Authentication authentication)
 			throws AuthenticationException {
-		final OsAuthenticationToken authen = (OsAuthenticationToken) super
-				.authenticate(authentication);
-		try {
-			// WARNING: at this stage we assume that the java properties
-			// will have the same value
-			String username = System.getProperty("user.name");
-			Node userHome = JcrUtils.createUserHomeIfNeeded(securitySession,
-					username);
-			Node userProfile = userHome.hasNode(ArgeoNames.ARGEO_PROFILE) ? userHome
-					.getNode(ArgeoNames.ARGEO_PROFILE) : JcrUtils
-					.createUserProfile(securitySession, username);
-			if (securitySession.hasPendingChanges())
-				securitySession.save();
-			VersionManager versionManager = securitySession.getWorkspace()
-					.getVersionManager();
-			if (versionManager.isCheckedOut(userProfile.getPath()))
-				versionManager.checkin(userProfile.getPath());
-
-			JcrUserDetails.checkAccountStatus(userProfile);
-			// user details
-			JcrUserDetails userDetails = new JcrUserDetails(userProfile, authen
-					.getCredentials().toString(), getBaseAuthorities());
+		if (authentication instanceof UsernamePasswordAuthenticationToken) {
+			// deal with remote access to internal server
+			// FIXME very primitive and unsecure at this stage
+			// consider using the keyring for username / password authentication
+			// or certificate
+			UsernamePasswordAuthenticationToken upat = (UsernamePasswordAuthenticationToken) authentication;
+			if (!upat.getPrincipal().toString()
+					.equals(System.getProperty("user.name")))
+				throw new BadCredentialsException("Wrong credentials");
+			UsernamePasswordAuthenticationToken authen = new UsernamePasswordAuthenticationToken(
+					authentication.getPrincipal(),
+					authentication.getCredentials(), getBaseAuthorities());
 			authen.setDetails(userDetails);
-		} catch (RepositoryException e) {
-			JcrUtils.discardQuietly(securitySession);
-			throw new ArgeoException(
-					"Unexpected exception when synchronizing OS and JCR security ",
-					e);
-		} finally {
-			JcrUtils.logoutQuietly(securitySession);
+			return authen;
+		} else if (authentication instanceof OsAuthenticationToken) {
+			OsAuthenticationToken authen = (OsAuthenticationToken) super
+					.authenticate(authentication);
+			try {
+				// WARNING: at this stage we assume that the java properties
+				// will have the same value
+				String username = System.getProperty("user.name");
+				Node userProfile = jcrSecurityModel.sync(nodeSession, username);
+				JcrUserDetails.checkAccountStatus(userProfile);
+
+				// each user should have a writable area in the default
+				// workspace of the node
+				// SecurityJcrUtils.createUserHomeIfNeeded(nodeSession,
+				// username);
+				userDetails = new JcrUserDetails(userProfile, authen
+						.getCredentials().toString(), getBaseAuthorities());
+				authen.setDetails(userDetails);
+				return authen;
+			} catch (RepositoryException e) {
+				JcrUtils.discardQuietly(nodeSession);
+				throw new ArgeoException(
+						"Unexpected exception when synchronizing OS and JCR security ",
+						e);
+			} finally {
+				JcrUtils.logoutQuietly(nodeSession);
+			}
+		} else {
+			throw new ArgeoException("Unsupported authentication "
+					+ authentication.getClass());
 		}
-		return authen;
 	}
 
-	public void setSecurityWorkspace(String securityWorkspace) {
-		this.securityWorkspace = securityWorkspace;
-	}
+	// public void setSecurityWorkspace(String securityWorkspace) {
+	// this.securityWorkspace = securityWorkspace;
+	// }
 
 	public void setRepository(Repository repository) {
 		this.repository = repository;
 	}
+
+	public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+		this.jcrSecurityModel = jcrSecurityModel;
+	}
+
+	@SuppressWarnings("rawtypes")
+	public boolean supports(Class authentication) {
+		return OsAuthenticationToken.class.isAssignableFrom(authentication)
+				|| UsernamePasswordAuthenticationToken.class
+						.isAssignableFrom(authentication);
+	}
+
 }