X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fplugins%2Forg.argeo.security.equinox%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fequinox%2FSpringLoginModule.java;h=603640ec8ac0674cfdc6f4793a34fc1cd0fb3464;hb=00474cf92c05359177aba1768bd2ef95a310afaf;hp=71ce5715bc937f5d6a4d310d913aa24af8c3da71;hpb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;p=lgpl%2Fargeo-commons.git diff --git a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java index 71ce5715b..603640ec8 100644 --- a/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java +++ b/security/plugins/org.argeo.security.equinox/src/main/java/org/argeo/security/equinox/SpringLoginModule.java @@ -1,6 +1,23 @@ +/* + * Copyright (C) 2007-2012 Mathieu Baudier + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.argeo.security.equinox; +import java.util.Locale; import java.util.Map; +import java.util.UUID; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; @@ -12,10 +29,15 @@ import javax.security.auth.login.LoginException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.security.NodeAuthenticationToken; +import org.argeo.util.LocaleCallback; +import org.argeo.util.LocaleUtils; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationManager; import org.springframework.security.BadCredentialsException; +import org.springframework.security.GrantedAuthority; +import org.springframework.security.GrantedAuthorityImpl; import org.springframework.security.context.SecurityContextHolder; +import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken; import org.springframework.security.providers.jaas.SecurityContextLoginModule; /** Login module which caches one subject per thread. */ @@ -33,6 +55,12 @@ public class SpringLoginModule extends SecurityContextLoginModule { private Long waitBetweenFailedLoginAttempts = 5 * 1000l; private Boolean remote = false; + private Boolean anonymous = false; + /** Comma separated list of locales */ + private String availableLocales = ""; + + private String key = null; + private String anonymousRole = "ROLE_ANONYMOUS"; public SpringLoginModule() { @@ -52,6 +80,10 @@ public class SpringLoginModule extends SecurityContextLoginModule { if (SecurityContextHolder.getContext().getAuthentication() != null) return super.login(); + if (remote && anonymous) + throw new LoginException( + "Cannot have a Spring login module which is remote and anonymous"); + // reset all principals and credentials if (log.isTraceEnabled()) log.trace("Resetting all principals and credentials of " @@ -63,60 +95,88 @@ public class SpringLoginModule extends SecurityContextLoginModule { if (subject.getPublicCredentials() != null) subject.getPublicCredentials().clear(); - if (callbackHandler == null) - throw new LoginException("No call back handler available"); - - // ask for username and password - NameCallback nameCallback = new NameCallback("User"); - PasswordCallback passwordCallback = new PasswordCallback( - "Password", false); - final String defaultNodeUrl = "http://localhost:7070/org.argeo.jcr.webapp/remoting/node"; - final String defaultSecurityWorkspace = "security"; - NameCallback urlCallback = new NameCallback("Site URL", - defaultNodeUrl); - NameCallback securityWorkspaceCallback = new NameCallback( - "Security Workspace", defaultSecurityWorkspace); - - // handle callbacks - if (remote) - callbackHandler.handle(new Callback[] { nameCallback, - passwordCallback, urlCallback, - securityWorkspaceCallback }); - else - callbackHandler.handle(new Callback[] { nameCallback, - passwordCallback }); - - // create credentials - String username = nameCallback.getName(); - if (username == null || username.trim().equals("")) - return false; - - String password = ""; - if (passwordCallback.getPassword() != null) - password = String.valueOf(passwordCallback.getPassword()); - - NodeAuthenticationToken credentials; - if (remote) { - String url = urlCallback.getName(); - String workspace = securityWorkspaceCallback.getName(); - credentials = new NodeAuthenticationToken(username, password, - url, workspace); + Locale selectedLocale = null; + // deals first with public access since it's simple + if (anonymous) { + // multi locale + if (callbackHandler != null && availableLocales != null + && !availableLocales.trim().equals("")) { + LocaleCallback localeCallback = new LocaleCallback( + availableLocales); + callbackHandler.handle(new Callback[] { localeCallback }); + selectedLocale = localeCallback.getSelectedLocale(); + } + + // TODO integrate with JCR? + Object principal = UUID.randomUUID().toString(); + GrantedAuthority[] authorities = { new GrantedAuthorityImpl( + anonymousRole) }; + AnonymousAuthenticationToken anonymousToken = new AnonymousAuthenticationToken( + key, principal, authorities); + Authentication auth = authenticationManager + .authenticate(anonymousToken); + registerAuthentication(auth); } else { - credentials = new NodeAuthenticationToken(username, password); + if (callbackHandler == null) + throw new LoginException("No call back handler available"); + + // ask for username and password + NameCallback nameCallback = new NameCallback("User"); + PasswordCallback passwordCallback = new PasswordCallback( + "Password", false); + final String defaultNodeUrl = System + .getProperty(NODE_REPO_URI, + "http://localhost:7070/org.argeo.jcr.webapp/remoting/node"); + NameCallback urlCallback = new NameCallback("Site URL", + defaultNodeUrl); + LocaleCallback localeCallback = new LocaleCallback( + availableLocales); + + // handle callbacks + if (remote) + callbackHandler.handle(new Callback[] { nameCallback, + passwordCallback, urlCallback, localeCallback }); + else + callbackHandler.handle(new Callback[] { nameCallback, + passwordCallback, localeCallback }); + + selectedLocale = localeCallback.getSelectedLocale(); + + // create credentials + String username = nameCallback.getName(); + if (username == null || username.trim().equals("")) + return false; + + String password = ""; + if (passwordCallback.getPassword() != null) + password = String.valueOf(passwordCallback.getPassword()); + + NodeAuthenticationToken credentials; + if (remote) { + String url = urlCallback.getName(); + credentials = new NodeAuthenticationToken(username, + password, url); + } else { + credentials = new NodeAuthenticationToken(username, + password); + } + + Authentication authentication; + try { + authentication = authenticationManager + .authenticate(credentials); + } catch (BadCredentialsException e) { + // wait between failed login attempts + Thread.sleep(waitBetweenFailedLoginAttempts); + throw e; + } + registerAuthentication(authentication); } - Authentication authentication; - try { - authentication = authenticationManager - .authenticate(credentials); - } catch (BadCredentialsException e) { - // wait between failed login attempts - Thread.sleep(waitBetweenFailedLoginAttempts); - throw e; - } - registerAuthentication(authentication); - boolean res = super.login(); - return res; + if (selectedLocale != null) + LocaleUtils.threadLocale.set(selectedLocale); + + return super.login(); } catch (LoginException e) { throw e; } catch (ThreadDeath e) { @@ -154,7 +214,30 @@ public class SpringLoginModule extends SecurityContextLoginModule { this.authenticationManager = authenticationManager; } + /** Authenticates on a remote node */ public void setRemote(Boolean remote) { this.remote = remote; } + + /** + * Request anonymous authentication (incompatible with remote) + */ + public void setAnonymous(Boolean anonymous) { + this.anonymous = anonymous; + } + + /** Role identifying an anonymous user */ + public void setAnonymousRole(String anonymousRole) { + this.anonymousRole = anonymousRole; + } + + /** System key */ + public void setKey(String key) { + this.key = key; + } + + public void setAvailableLocales(String locales) { + this.availableLocales = locales; + } + }