X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoLoginModule.java;h=b1da974da67763695ca0484bf158edf7946721c0;hb=1d5afdce3e91054f07ddd3c98309c363b4cf1d46;hp=73ec76a8f7c72b83c18a1de5b7390fa6a7b68bd9;hpb=2745f0c8c57d9468855179d56f858fb2448f779c;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoLoginModule.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoLoginModule.java
index 73ec76a8f..b1da974da 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoLoginModule.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoLoginModule.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jackrabbit;
 
 import java.security.Principal;
@@ -22,9 +37,30 @@ import org.springframework.security.GrantedAuthority;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
 
+/** Jackrabbit login mechanism based on Spring Security */
 public class ArgeoLoginModule extends AbstractLoginModule {
 	private String adminRole = "ROLE_ADMIN";
 
+	@Override
+	public boolean login() throws LoginException {
+		boolean loginOk = super.login();
+		if (!loginOk) {
+			org.springframework.security.Authentication authen = (org.springframework.security.Authentication) SecurityContextHolder
+					.getContext().getAuthentication();
+		}
+		return loginOk;
+	}
+
+	@Override
+	public boolean commit() throws LoginException {
+		boolean commitOk = super.commit();
+		if (!commitOk) {
+			org.springframework.security.Authentication authen = (org.springframework.security.Authentication) SecurityContextHolder
+					.getContext().getAuthentication();
+		}
+		return commitOk;
+	}
+
 	/**
 	 * Returns the Spring {@link org.springframework.security.Authentication}
 	 * (which can be null)
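Review bot: In the new `login()` and `commit()` overrides the local `authen` is assigned and never read, so both methods behave exactly like the inherited ones and the `if (!loginOk)` / `if (!commitOk)` blocks are dead code; either delete the two overrides or finish the fallback they appear to sketch. If the fallback is completed, an `Authentication` taken from `SecurityContextHolder` should only count as a successful JCR login when it is non-null and `isAuthenticated()` returns true, otherwise an anonymous or failed security context would be promoted into the Jackrabbit subject. The explicit cast is also redundant, since `getAuthentication()` already returns `Authentication`.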
@@ -37,27 +73,44 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 	}
 
 	protected Set getPrincipals() {
+		// clear already registered Jackrabbit principals
+		// clearPrincipals(AdminPrincipal.class);
+		// clearPrincipals(AnonymousPrincipal.class);
+		// clearPrincipals(GrantedAuthorityPrincipal.class);
+
+		return syncPrincipals();
+	}
+
+	protected Set syncPrincipals() {
 		// use linked HashSet instead of HashSet in order to maintain the order
 		// of principals (as in the Subject).
-		Set principals = new LinkedHashSet();
-		principals.add(principal);
-		org.springframework.security.Authentication authen = (org.springframework.security.Authentication) principal;
-		if (authen instanceof SystemAuthentication)
+		Set principals = new LinkedHashSet();
+		principals.add(authen);
+
+		if (authen instanceof SystemAuthentication) {
 			principals.add(new AdminPrincipal(authen.getName()));
-		else if (authen instanceof AnonymousAuthenticationToken)
+			principals.add(new ArgeoSystemPrincipal(authen.getName()));
+		} else if (authen instanceof AnonymousAuthenticationToken) {
 			principals.add(new AnonymousPrincipal());
-		else
+		} else {
 			for (GrantedAuthority ga : authen.getAuthorities()) {
+				principals.add(new GrantedAuthorityPrincipal(ga));
 				// FIXME: make it more generic
 				if (adminRole.equals(ga.getAuthority()))
 					principals.add(new AdminPrincipal(authen.getName()));
 			}
+		}
+		// remove previous credentials
+		Set thisCredentials = subject
+				.getPublicCredentials(SimpleCredentials.class);
+		if (thisCredentials != null)
+			thisCredentials.clear();
 		// override credentials since we did not used the one passed to us
-		credentials = new SimpleCredentials(authen.getName(), authen
-				.getCredentials().toString().toCharArray());
+		// credentials = new SimpleCredentials(authen.getName(), authen
+		// .getCredentials().toString().toCharArray());
 		return principals;
 	}
 
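Review bot: `syncPrincipals()` dereferences `authen` without a null check: `instanceof` is false for null, so when no Spring Security authentication is available the method falls into the `else` branch and `authen.getAuthorities()` throws a NullPointerException instead of failing the login cleanly; guard it at the top with `if (authen == null) throw new IllegalStateException("No Spring Security authentication available");`. `authen` is not declared in this hunk (presumably a field assigned outside it), so where it is reset between logins should be checked as well, since the commit itself notes that the subject may be reused. Dropping the `credentials = new SimpleCredentials(...)` override is a good change, because the Spring credentials are no longer copied into the Subject, but the commented-out lines and the three commented-out `clearPrincipals` calls in `getPrincipals()` should be deleted rather than kept, and the `// override credentials ...` comment now describes nothing.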
@@ -69,21 +122,25 @@ public class ArgeoLoginModule extends AbstractLoginModule {
 	 */
 	@Override
 	public boolean logout() throws LoginException {
-		Set adminPrincipals = subject
-				.getPrincipals(AdminPrincipal.class);
-		Set anonymousPrincipals = subject
-				.getPrincipals(AnonymousPrincipal.class);
-		Set thisCredentials = subject
-				.getPublicCredentials(SimpleCredentials.class);
-		if (thisCredentials != null)
-			thisCredentials.clear();
-		if (adminPrincipals != null)
-			adminPrincipals.clear();
-		if (anonymousPrincipals != null)
-			anonymousPrincipals.clear();
+		clearPrincipals(AdminPrincipal.class);
+		clearPrincipals(ArgeoSystemPrincipal.class);
+		clearPrincipals(AnonymousPrincipal.class);
+		clearPrincipals(GrantedAuthorityPrincipal.class);
+
+		// we resync with Spring Security since the subject may have been reused
+		// in beetween
+		// TODO: check if this is clean
+		// subject.getPrincipals().addAll(syncPrincipals());
+
 		return true;
 	}
 
+	private void clearPrincipals(Class clss) {
+		Set principals = subject.getPrincipals(clss);
+		if (principals != null)
+			principals.clear();
+	}
+
 	@SuppressWarnings("rawtypes")
 	@Override
 	protected void doInit(CallbackHandler callbackHandler, Session session,
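Review bot: `logout()` no longer removes the `SimpleCredentials` from the subject's public credentials (the removed lines did), yet `syncPrincipals()` in the previous hunk still has to clear them on the next login, which indicates they are still stored in the subject; given the comment that the subject may be reused, the password-bearing credentials should also be cleared on logout, e.g. `subject.getPublicCredentials(SimpleCredentials.class).clear();` before `return true;`. In `clearPrincipals` the `principals != null` check is dead, as `Subject.getPrincipals(Class)` never returns null (it throws if the class is null) and returns a view backed by the subject, which the existing `clear()` already relies on; the same holds for the `thisCredentials != null` check in `syncPrincipals()`. The raw types could be tightened to `private <T extends Principal> void clearPrincipals(Class<T> clss)` since `java.security.Principal` is already imported. "beetween" in the comment is a typo, and the commented-out resync should either be implemented or dropped.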