X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FUserAdminLoginModule.java;h=5fca43be38e2abc31afd0bf282acad4541448ca0;hb=384a3240883b5578a3d2e3d4a95a5307e9914d7d;hp=63ca969b8947890cb9b3f778110effbe4f77a9aa;hpb=cf02d7afd63e6bbef9f7a88ee9674c27ff843d79;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
index 63ca969b8..5fca43be3 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
@@ -1,10 +1,9 @@
 package org.argeo.cms.internal.auth;
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
 import java.security.Principal;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -20,8 +19,9 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.security.auth.x500.X500Principal;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.KernelHeader;
 import org.argeo.cms.internal.kernel.Activator;
@@ -35,12 +35,21 @@ public class UserAdminLoginModule implements LoginModule {
 private CallbackHandler callbackHandler;
 private boolean isAnonymous = false;
- private final static LdapName ROLE_USER_NAME, ROLE_ANONYMOUS_NAME;
+ private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
+ ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
+ private final static List RESERVED_ROLES;
 private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
 static {
 try {
+ ROLE_KERNEL_NAME = new LdapName(KernelHeader.ROLE_KERNEL);
+ ROLE_ADMIN_NAME = new LdapName(KernelHeader.ROLE_ADMIN);
 ROLE_USER_NAME = new LdapName(KernelHeader.ROLE_USER);
 ROLE_ANONYMOUS_NAME = new LdapName(KernelHeader.ROLE_ANONYMOUS);
+ RESERVED_ROLES = Collections.unmodifiableList(Arrays
+ .asList(new LdapName[] { ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
+ ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
+ new LdapName(KernelHeader.ROLE_GROUP_ADMIN),
+ new LdapName(KernelHeader.ROLE_USER_ADMIN) }));
 ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(
 ROLE_ANONYMOUS_NAME.toString());
 } catch (InvalidNameException e) {
@@ -99,15 +108,10 @@ public class UserAdminLoginModule implements LoginModule {
 else
 throw new CredentialNotFoundException("No credentials provided");
- // user = (User) userAdmin.getRole(username);
 user = userAdmin.getUser(null, username);
 if (user == null)
 return false;
-
- byte[] hashedPassword = ("{SHA}" + Base64
- .encodeBase64String(DigestUtils.sha1(toBytes(password)))
- .getBytes();
- if (!user.hasCredential("userpassword", hashedPassword))
+ if (!user.hasCredential(null, password))
 return false;
 } else
 // anonymous
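Review bot: `RESERVED_ROLES` is declared as a raw `List`, so `Arrays.asList(new LdapName[] {...})` in the static initializer loses its element type and the later `RESERVED_ROLES.contains(name)` is checked against `Object`; declare it `private final static List<LdapName> RESERVED_ROLES;` and build it with `Collections.unmodifiableList(Arrays.asList(ROLE_KERNEL_NAME, ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(KernelHeader.ROLE_GROUP_ADMIN), new LdapName(KernelHeader.ROLE_USER_ADMIN)))`, which needs no explicit array. The collection is only used for a membership test in the visible code, so a `Set<LdapName>` would state that intent more directly, and `LdapName` supplies the RFC 2253-normalised `equals`/`hashCode` such a check relies on. A comment on the field would also help, since the check that uses it sits at the other end of the file: `// DNs a user may never be named after (enforced by checkUserName)`.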
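Review bot: `user.hasCredential(null, password)` passes a `null` credential key, which the OSGi `User.hasCredential(String, Object)` API keys by name and, as far as I can tell, does not define for `null`; the call now relies on whatever the project's `UserAdmin` does with a `null` key, and the hashing the removed lines made explicit (a `{SHA}` digest compared against `userpassword`) is no longer visible at the call site. A comment there should pin that contract, e.g. `// null key: the CMS UserAdmin checks the raw password against its default credential; hashing happens there — verify`. The `toBytes` helper deleted in the next hunk also zeroed the caller's `char[]` (it wrapped `chars` and filled `charBuffer.array()`), so this change silently drops the clearing of `password` after use; if this module owns that array, restore it with `Arrays.fill(password, '\u0000');` once the check has run. The enclosing method (presumably `login()`) starts and ends outside the hunk.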
@@ -116,16 +120,6 @@ public class UserAdminLoginModule implements LoginModule {
 return true;
 }
- private byte[] toBytes(char[] chars) {
- CharBuffer charBuffer = CharBuffer.wrap(chars);
- ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(charBuffer);
- byte[] bytes = Arrays.copyOfRange(byteBuffer.array(),
- byteBuffer.position(), byteBuffer.limit());
- Arrays.fill(charBuffer.array(), '\u0000'); // clear sensitive data
- Arrays.fill(byteBuffer.array(), (byte) 0); // clear sensitive data
- return bytes;
- }
-
 @Override
 public boolean commit() throws LoginException {
 if (authorization != null) {
@@ -133,15 +127,17 @@ public class UserAdminLoginModule implements LoginModule {
 try {
 String authName = authorization.getName();
- // determine user'S principal
+ // determine user's principal
 final LdapName name;
 final Principal userPrincipal;
 if (authName == null) {
 name = ROLE_ANONYMOUS_NAME;
 userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
 principals.add(userPrincipal);
+ principals.add(new AnonymousPrincipal());
 } else {
 name = new LdapName(authName);
+ checkUserName(name);
 userPrincipal = new X500Principal(name.toString());
 principals.add(userPrincipal);
 principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
@@ -151,17 +147,15 @@ public class UserAdminLoginModule implements LoginModule {
 // Add roles provided by authorization
 for (String role : authorization.getRoles()) {
 LdapName roleName = new LdapName(role);
- if (ROLE_USER_NAME.equals(roleName))
- throw new CmsException(ROLE_USER_NAME
- + " cannot be listed as role");
- if (ROLE_ANONYMOUS_NAME.equals(roleName))
- throw new CmsException(ROLE_ANONYMOUS_NAME
- + " cannot be listed as role");
 if (roleName.equals(name)) {
 // skip
 } else {
+ checkImpliedPrincipalName(roleName);
 principals.add(new ImpliedByPrincipal(roleName
 .toString(), userPrincipal));
+ if (roleName.equals(ROLE_ADMIN_NAME))
+ principals.add(new AdminPrincipal(
+ SecurityConstants.ADMIN_ID));
 }
 }
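Review bot: `checkUserName(name)` is inserted without a word on what it prevents; a comment above the call such as `// a UserAdmin entry whose DN equals a built-in role would otherwise obtain that role's principal` would let the next reader see it is a shadowing guard rather than a format check. Because it runs in `commit()`, after `login()` has already returned `true`, a reserved name surfaces as a `CmsException` thrown inside this `try` rather than as a `LoginException`; whether that is the intended failure mode depends on `CmsException`'s hierarchy and on the `catch` clauses, both outside the hunk. Likewise `principals.add(new AnonymousPrincipal())` puts a Jackrabbit principal next to the CMS one, and a short comment on why the repository needs its own anonymous marker would help. The enclosing `commit()` body continues past the hunk.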
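Review bot: The `if (roleName.equals(ROLE_ADMIN_NAME))` branch carries no comment although it is the one place a CMS role turns into Jackrabbit's `AdminPrincipal(SecurityConstants.ADMIN_ID)`, which is a privilege boundary the code should state; add above it `// CMS admin role is mapped to the repository administrator principal; roles come from UserAdmin and must be trusted as such`. Moving the role checks into `checkImpliedPrincipalName` inside the `else` branch also changes behaviour slightly: a role equal to the subject's own `name` is now skipped rather than rejected, so in the anonymous branch an authorization that lists the anonymous role no longer throws as the removed lines did. If that is deliberate, extend the `// skip` comment to say so, e.g. `// skip: the subject's own name is already its user principal`. The enclosing `for` loop sits inside `commit()`, which starts and ends outside the hunk.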
@@ -197,4 +191,16 @@ public class UserAdminLoginModule implements LoginModule {
 subject = null;
 authorization = null;
 }
+
+ private void checkUserName(LdapName name) {
+ if (RESERVED_ROLES.contains(name))
+ throw new CmsException(name + " is a reserved name");
+ }
+
+ private void checkImpliedPrincipalName(LdapName roleName) {
+ if (ROLE_USER_NAME.equals(roleName)
+ || ROLE_ANONYMOUS_NAME.equals(roleName)
+ || ROLE_KERNEL_NAME.equals(roleName))
+ throw new CmsException(roleName + " cannot be listed as role");
+ }
 }
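Review bot: `checkUserName` and `checkImpliedPrincipalName` each enforce a policy by throwing, but neither carries a Javadoc, so the reader has to reconstruct the policy from the constants; give the first `/** Rejects a user whose DN is one of the built-in role names, so a UserAdmin entry cannot shadow a role principal. @throws CmsException if {@code name} is in RESERVED_ROLES */`, and give the second a Javadoc saying that the user and anonymous roles are implied by the subject rather than granted, that the kernel role — presumably reserved to the kernel's own subject, to be confirmed — must not be reachable through an authorization, with a matching `@throws CmsException`. The three `equals` calls in `checkImpliedPrincipalName` would read more directly as a membership test on a `Set<LdapName>` declared beside `RESERVED_ROLES`, and the constant-first `ROLE_USER_NAME.equals(roleName)` here versus `roleName.equals(ROLE_ADMIN_NAME)` in the `commit()` loop is worth unifying. Both helpers are complete within the hunk.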