X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fauth%2FUserAdminLoginModule.java;h=5fca43be38e2abc31afd0bf282acad4541448ca0;hb=384a3240883b5578a3d2e3d4a95a5307e9914d7d;hp=f598515217d6dbce821fd4bba5e4181cfdce699b;hpb=f7944a8accf7b9cfc3cffe6e6f5c611cd48f592c;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
index f59851521..5fca43be3 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/UserAdminLoginModule.java
@@ -1,8 +1,5 @@
 package org.argeo.cms.internal.auth;
 
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
@@ -22,8 +19,6 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.security.auth.x500.X500Principal;
 
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
 import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
@@ -40,18 +35,19 @@ public class UserAdminLoginModule implements LoginModule {
  private CallbackHandler callbackHandler;
  private boolean isAnonymous = false;
 
- private final static LdapName ROLE_ADMIN_NAME, ROLE_USER_NAME,
- ROLE_ANONYMOUS_NAME;
+ private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
+ ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
  private final static List RESERVED_ROLES;
  private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
  static {
  try {
+ ROLE_KERNEL_NAME = new LdapName(KernelHeader.ROLE_KERNEL);
  ROLE_ADMIN_NAME = new LdapName(KernelHeader.ROLE_ADMIN);
  ROLE_USER_NAME = new LdapName(KernelHeader.ROLE_USER);
  ROLE_ANONYMOUS_NAME = new LdapName(KernelHeader.ROLE_ANONYMOUS);
  RESERVED_ROLES = Collections.unmodifiableList(Arrays
- .asList(new LdapName[] { ROLE_ANONYMOUS_NAME,
- ROLE_USER_NAME, ROLE_ADMIN_NAME,
+ .asList(new LdapName[] { ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
+ ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
  new LdapName(KernelHeader.ROLE_GROUP_ADMIN),
  new LdapName(KernelHeader.ROLE_USER_ADMIN) }));
  ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(
@@ -112,15 +108,10 @@ public class UserAdminLoginModule implements LoginModule {
  else
  throw new CredentialNotFoundException("No credentials provided");
 
- // user = (User) userAdmin.getRole(username);
  user = userAdmin.getUser(null, username);
  if (user == null)
  return false;
-
- byte[] hashedPassword = ("{SHA}" + Base64 .encodeBase64String(DigestUtils.sha1(toBytes(password)))) .getBytes();
- if (!user.hasCredential("userpassword", hashedPassword))
+ if (!user.hasCredential(null, password))
  return false;
  } else // anonymous
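Review bot: ROLE_KERNEL_NAME now has to be kept in step in two hand-maintained places — the RESERVED_ROLES array in this static block and the equals chain in checkImpliedPrincipalName (the -218 hunk) — and nothing records why only the kernel, user and anonymous names are rejected there while the admin names that also sit in RESERVED_ROLES are not. Presumably those three are implied by the login itself rather than read from the directory, so a comment on the field declaration, e.g. `// names no directory role may carry; kernel, user and anonymous are implied, see checkImpliedPrincipalName`, would state the rule and stop the two lists drifting the next time a role is added. Deriving the check in checkImpliedPrincipalName from a shared constant next to RESERVED_ROLES would remove the duplication altogether. The static block continues outside the hunk.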
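Review bot: The new `user.hasCredential(null, password)` check leaves the caller's password array intact in memory — the removed toBytes() (the -129 hunk) wrapped that `char[]` and zeroed it with `Arrays.fill(charBuffer.array(), '\u0000')`, and nothing on the new side replaces that. Unless `password` is needed later in login() or commit(), clear it as soon as the check has run: `boolean matched = user.hasCredential(null, password);` / `Arrays.fill(password, '\u0000'); // only cleartext copy held here` / `if (!matched) return false;` (Arrays is still imported). The null credential key also departs from the keyed "userpassword" lookup it replaces; presumably the Argeo UserAdmin resolves a null key to the stored password attribute and performs the hash comparison itself, and that convention deserves a one-line comment here now that the hashing is no longer visible in this class. login() starts and ends outside the hunk.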
@@ -129,16 +120,6 @@ public class UserAdminLoginModule implements LoginModule {
  return true;
  }
 
- private byte[] toBytes(char[] chars) {
- CharBuffer charBuffer = CharBuffer.wrap(chars);
- ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(charBuffer);
- byte[] bytes = Arrays.copyOfRange(byteBuffer.array(),
- byteBuffer.position(), byteBuffer.limit());
- Arrays.fill(charBuffer.array(), '\u0000'); // clear sensitive data
- Arrays.fill(byteBuffer.array(), (byte) 0); // clear sensitive data
- return bytes;
- }
-
  @Override
  public boolean commit() throws LoginException {
  if (authorization != null) {
@@ -218,7 +199,8 @@ public class UserAdminLoginModule implements LoginModule {
 
  private void checkImpliedPrincipalName(LdapName roleName) {
  if (ROLE_USER_NAME.equals(roleName)
- || ROLE_ANONYMOUS_NAME.equals(roleName))
+ || ROLE_ANONYMOUS_NAME.equals(roleName)
+ || ROLE_KERNEL_NAME.equals(roleName))
  throw new CmsException(roleName + " cannot be listed as role");
  }
 }