import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.useradmin.JcrUserAdmin;
+import org.argeo.security.SecurityUtils;
import org.argeo.security.UserAdminService;
import org.argeo.security.core.InternalAuthentication;
import org.argeo.security.core.InternalAuthenticationProvider;
import org.argeo.security.jcr.jackrabbit.JackrabbitUserAdminService;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
+import org.osgi.service.useradmin.UserAdmin;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
private final InternalAuthenticationProvider internalAuth;
private final AnonymousAuthenticationProvider anonymousAuth;
private final JackrabbitUserAdminService userAdminService;
- // private final JcrUserAdmin userAdmin;
+ private final JcrUserAdmin userAdmin;
private ServiceRegistration<AuthenticationManager> authenticationManagerReg;
private ServiceRegistration<UserAdminService> userAdminServiceReg;
private ServiceRegistration<UserDetailsManager> userDetailsManagerReg;
- // private ServiceRegistration<UserAdmin> userAdminReg;
+ private ServiceRegistration<UserAdmin> userAdminReg;
public NodeSecurity(BundleContext bundleContext, JackrabbitNode node)
throws RepositoryException {
this.bundleContext = bundleContext;
internalAuth = new InternalAuthenticationProvider(
- KernelConstants.DEFAULT_SECURITY_KEY);
+ SecurityUtils.getStaticKey());
anonymousAuth = new AnonymousAuthenticationProvider(
- KernelConstants.DEFAULT_SECURITY_KEY);
+ SecurityUtils.getStaticKey());
// user admin
userAdminService = new JackrabbitUserAdminService();
userAdminService.setSecurityModel(new SimpleJcrSecurityModel());
userAdminService.init();
- // userAdmin = new JcrUserAdmin(bundleContext);
- // userAdmin.setUserAdminService(userAdminService);
+ userAdmin = new JcrUserAdmin(bundleContext, node);
+ userAdmin.setUserAdminService(userAdminService);
}
public void publish() {
UserAdminService.class, userAdminService, null);
userDetailsManagerReg = bundleContext.registerService(
UserDetailsManager.class, userAdminService, null);
- // userAdminReg = bundleContext.registerService(UserAdmin.class,
- // userAdmin, null);
+ userAdminReg = bundleContext.registerService(UserAdmin.class,
+ userAdmin, null);
}
void destroy() {
userDetailsManagerReg.unregister();
userAdminServiceReg.unregister();
authenticationManagerReg.unregister();
- // userAdminReg.unregister();
+ userAdminReg.unregister();
}
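Review bot: The new `userAdmin` is never torn down: JcrUserAdmin now opens a JCR session in its constructor and adds a `destroy()` that logs it out, but this `destroy()` only does `userAdminReg.unregister();`, so the session stays open for the life of the process. Add `userAdmin.destroy();` after the unregister call, keeping the same reverse-of-publish order used for the other registrations. The same question applies to `userAdminService.init()` in the constructor — if JackrabbitUserAdminService has a matching shutdown method it is not called here either (not visible in the hunk).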
@Override
USER {
org.argeo.security.login.EndUserLoginModule requisite;
- org.springframework.security.authentication.jaas.SecurityContextLoginModule required;
+ org.springframework.security.authentication.jaas.SecurityContextLoginModule requisite;
};
ANONYMOUS {
org.argeo.security.login.AnonymousLoginModule requisite;
- org.springframework.security.authentication.jaas.SecurityContextLoginModule required;
+ org.springframework.security.authentication.jaas.SecurityContextLoginModule requisite;
};
SYSTEM {
org.argeo.security.login.SystemLoginModule requisite;
- org.springframework.security.authentication.jaas.SecurityContextLoginModule required;
+ org.springframework.security.authentication.jaas.SecurityContextLoginModule requisite;
};
KEYRING {
import java.util.Dictionary;
-import org.argeo.security.ArgeoUser;
+import org.osgi.service.useradmin.Role;
+import org.osgi.service.useradmin.User;
-abstract class AbstractJcrUser extends JcrRole implements ArgeoUser {
+abstract class AbstractJcrUser extends JcrRole implements User {
+ public AbstractJcrUser(String name) {
+ super(name);
+ }
+
+ @Override
+ public int getType() {
+ return Role.USER;
+ }
@Override
public Dictionary<String, Object> getCredentials() {
--- /dev/null
+package org.argeo.cms.internal.useradmin;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.argeo.security.jcr.JcrUserDetails;
+import org.osgi.service.useradmin.Authorization;
+import org.springframework.security.core.GrantedAuthority;
+
+class JcrAuthorization implements Authorization {
+ private final String name;
+ private final List<String> roles;
+
+ public JcrAuthorization(JcrUserDetails userDetails) {
+ this.name = userDetails.getUsername();
+ List<String> t = new ArrayList<String>();
+ for (GrantedAuthority ga : userDetails.getAuthorities()) {
+ t.add(ga.getAuthority());
+ }
+ roles = Collections.unmodifiableList(t);
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public boolean hasRole(String name) {
+ return roles.contains(name);
+ }
+
+ @Override
+ public String[] getRoles() {
+ return roles.toArray(new String[roles.size()]);
+ }
+
+}
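Review bot: The parameter of `hasRole` shadows the `name` field, which makes the method read as if it compared against the authorization's own name; rename it, `public boolean hasRole(String roleName) { return roles.contains(roleName); }`. The constructor dereferences `userDetails` without a check, so a null argument surfaces as a NullPointerException from `getUsername()` instead of a clear message — `Objects.requireNonNull(userDetails, "userDetails")` at the top. I would also add a class Javadoc stating that the implied roles are exactly the GrantedAuthority names of the wrapped user, because the OSGi `user.anyone` role is not among them and callers relying on the UserAdmin contract may expect it (confirm against the consumers).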
package org.argeo.cms.internal.useradmin;
-import org.springframework.security.core.userdetails.UserDetails;
+import org.argeo.security.jcr.JcrUserDetails;
-class JcrEndUser extends AbstractJcrUser {
- private final UserDetails userDetails;
+class JcrEndUser extends AbstractJcrUser {
+ private final JcrUserDetails userDetails;
- public JcrEndUser(UserDetails userDetails) {
+ public JcrEndUser(JcrUserDetails userDetails) {
+ super(userDetails.getUsername());
this.userDetails = userDetails;
}
- UserDetails getUserDetails() {
+ JcrUserDetails getUserDetails() {
return userDetails;
}
+ public String toString() {
+ return "ArgeoUser: " + getName();
+ }
+
+ public boolean equals(Object obj) {
+ if (!(obj instanceof JcrEndUser))
+ return false;
+ else
+ return ((JcrEndUser) obj).getName().equals(getName());
+ }
+
+ public int hashCode() {
+ return getName().hashCode();
+ }
}
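Review bot: `toString`, `equals` and `hashCode` are overrides added without `@Override`, although the same file family uses the annotation on `getType` in AbstractJcrUser; add `@Override` to all three here and to the identical trio in JcrGroup (lines L179–L192). Since `equals` compares only the name, two JcrEndUser instances wrapping different JcrUserDetails for the same user are equal; that is reasonable for an identity-keyed role but deserves a one-line comment above `equals`, `// identity is the user name only; the wrapped JcrUserDetails are not compared`. Note also that `toString` prints "ArgeoUser:" for a class now named JcrEndUser, which may confuse log readers.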
class JcrGroup extends AbstractJcrUser implements Group {
public JcrGroup(String name) {
+ super(name);
+ }
+
+ //
+ // OSGi MODEL
+ //
+ @Override
+ public int getType() {
+ return Role.GROUP;
}
@Override
return null;
}
+ public String toString() {
+ return "ArgeoGroup: " + getName();
+ }
+
+ public boolean equals(Object obj) {
+ if (!(obj instanceof JcrGroup))
+ return false;
+ else
+ return ((JcrGroup) obj).getName().equals(getName());
+ }
+
+ public int hashCode() {
+ return getName().hashCode();
+ }
+
}
import org.osgi.service.useradmin.Role;
-class JcrRole implements Role {
+abstract class JcrRole implements Role {
+ private String name;
+
+ public JcrRole(String name) {
+ this.name = name;
+ }
@Override
public String getName() {
- // TODO Auto-generated method stub
- return null;
+ return name;
}
@Override
public int getType() {
- // TODO Auto-generated method stub
- return 0;
+ return Role.ROLE;
}
@Override
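Review bot: `name` is assigned only in the constructor and has no setter, so it should be `private final String name;` — the name-based `equals`/`hashCode` in the subclasses depend on it never changing. A short class Javadoc would help too, stating that `getType()` returns `Role.ROLE` here and is overridden to `Role.USER` in AbstractJcrUser and `Role.GROUP` in JcrGroup. The rest of the class continues outside the hunk.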
package org.argeo.cms.internal.useradmin;
-import static org.argeo.jcr.ArgeoJcrConstants.ALIAS_NODE;
-import static org.argeo.jcr.ArgeoJcrConstants.JCR_REPOSITORY_ALIAS;
-
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import javax.jcr.Session;
import org.argeo.ArgeoException;
+import org.argeo.jcr.JcrUtils;
import org.argeo.security.UserAdminService;
import org.argeo.security.jcr.JcrSecurityModel;
import org.argeo.security.jcr.JcrUserDetails;
import org.osgi.service.useradmin.UserAdminEvent;
import org.osgi.service.useradmin.UserAdminListener;
import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class JcrUserAdmin implements UserAdmin {
private final JcrSecurityModel jcrSecurityModel = new SimpleJcrSecurityModel();
private final Session session;
- public JcrUserAdmin(BundleContext bundleContext) {
+ public JcrUserAdmin(BundleContext bundleContext, Repository node) {
try {
this.bundleContext = bundleContext;
-
- ServiceReference<Repository> nodeRepo = bundleContext
- .getServiceReferences(Repository.class,
- "(" + JCR_REPOSITORY_ALIAS + "=" + ALIAS_NODE + ")")
- .iterator().next();
- this.session = bundleContext.getService(nodeRepo).login();
+ this.session = node.login();
} catch (Exception e) {
throw new ArgeoException("Cannot initialize user admin", e);
}
}
+ public void destroy() {
+ JcrUtils.logoutQuietly(session);
+ }
+
@Override
public Role createRole(String name, int type) {
try {
@Override
public Role getRole(String name) {
- if (userAdminService().listEditableRoles().contains(name))
- return new JcrGroup(name);
try {
- UserDetails userDetails = userAdminService().loadUserByUsername(
- name);
+ JcrUserDetails userDetails = (JcrUserDetails) userAdminService()
+ .loadUserByUsername(name);
return new JcrEndUser(userDetails);
} catch (UsernameNotFoundException e) {
- return null;
+ if (userAdminService().listEditableRoles().contains(name))
+ return new JcrGroup(name);
+ else
+ return null;
}
}
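Review bot: The unchecked cast `(JcrUserDetails) userAdminService().loadUserByUsername(name)` turns into a ClassCastException, which is not caught by the `UsernameNotFoundException` handler, as soon as the UserAdminService returns any other UserDetails implementation; the same cast is repeated in the role-array build at L283. Guard it with `if (!(ud instanceof JcrUserDetails)) throw new ArgeoException("Unexpected user details type for " + name);` (or fall through to the group lookup) rather than relying on the concrete type. A method comment should also record the lookup order now in force — user first, then editable group — since a user and a group sharing a name resolve to the user. The enclosing class continues outside the hunk.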
for (int i = 0; i < roles.size(); i++)
res[i] = new JcrGroup(roles.get(i));
for (int i = 0; i < users.size(); i++)
- res[roles.size() + i] = new JcrEndUser(userAdminService()
- .loadUserByUsername(users.get(i)));
+ res[roles.size() + i] = new JcrEndUser(
+ (JcrUserDetails) userAdminService().loadUserByUsername(
+ users.get(i)));
return res;
}
@Override
public Authorization getAuthorization(User user) {
- return null;
+ return new JcrAuthorization(((JcrEndUser) user).getUserDetails());
}
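Review bot: `getAuthorization` casts its argument to JcrEndUser unconditionally, but UserAdmin.getAuthorization is specified to accept `null` (meaning the anonymous user), and JcrGroup is also a `User` in this model (it extends AbstractJcrUser), so both a null argument and a group produce an exception instead of an Authorization. At minimum add `if (!(user instanceof JcrEndUser)) return null;` before the cast, and document in a Javadoc that anonymous and group authorizations are not supported here; if the OSGi contract is to be honoured, null should instead yield an Authorization with no roles. The enclosing class continues outside the hunk.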
private synchronized UserAdminService userAdminService() {
+++ /dev/null
-package org.argeo.security;
-
-import org.osgi.service.useradmin.Group;
-
-public interface ArgeoGroup extends ArgeoUser, Group, java.security.acl.Group {
-
-}
+++ /dev/null
-package org.argeo.security;
-
-import java.security.Principal;
-
-import org.osgi.service.useradmin.User;
-
-public interface ArgeoUser extends Principal, User {
-
-}
public Boolean isRemote() {
return url != null;
}
+
+ public String toString() {
+ String username = getName();
+ StringBuilder buf = new StringBuilder("groups=");
+ for (GrantedAuthority ga : getAuthorities()) {
+ if (!ga.getAuthority().equals(username)) {
+ buf.append(ga.getAuthority());
+ buf.append(',');
+ }
+ }
+ buf.deleteCharAt(buf.length() - 1);
+ return "uid=" + getName() + " " + buf.toString();
+ }
}
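Review bot: `buf.deleteCharAt(buf.length() - 1)` assumes at least one authority other than the user name was appended; when none was, it removes the `=` of `groups=` and the result reads `uid=<name> groups`. Guard the trim, `if (buf.charAt(buf.length() - 1) == ',') buf.deleteCharAt(buf.length() - 1);`, or track whether anything was appended. The method also lacks `@Override` and a comment saying the user's own name is filtered out of the group list because it appears among the authorities. The enclosing class begins outside the hunk.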
+++ /dev/null
-package org.argeo.security.core;
-
-import java.security.Principal;
-
-import org.osgi.service.useradmin.Authorization;
-
-/** Wraps an OSGi {@link Authorization} as a JAAS {@link Principal} */
-public final class AuthorizationPrincipal implements Principal {
- private Authorization authorization;
-
- public AuthorizationPrincipal(Authorization authorization) {
- this.authorization = authorization;
- }
-
- @Override
- public String getName() {
- return authorization.getName();
- }
-
- public Authorization getAuthorization() {
- return authorization;
- }
-
-}
+++ /dev/null
-package org.argeo.security.core;
-
-import java.io.Console;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.Arrays;
-import java.util.Locale;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.TextOutputCallback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.argeo.ArgeoException;
-import org.argeo.util.LocaleCallback;
-
-/** Callback handler to be used with a command line UI. */
-public class ConsoleCallbackHandler implements CallbackHandler {
-
- @Override
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
- Console console = System.console();
- if (console == null)
- throw new ArgeoException("No console available");
-
- PrintWriter writer = console.writer();
- for (int i = 0; i < callbacks.length; i++) {
- if (callbacks[i] instanceof TextOutputCallback) {
- TextOutputCallback callback = (TextOutputCallback) callbacks[i];
- writer.write(callback.getMessage());
- } else if (callbacks[i] instanceof NameCallback) {
- NameCallback callback = (NameCallback) callbacks[i];
- writer.write(callback.getPrompt());
- if (callback.getDefaultName() != null)
- writer.write(" (" + callback.getDefaultName() + ")");
- writer.write(" : ");
- String answer = console.readLine();
- if (callback.getDefaultName() != null
- && answer.trim().equals(""))
- callback.setName(callback.getDefaultName());
- else
- callback.setName(answer);
- } else if (callbacks[i] instanceof PasswordCallback) {
- PasswordCallback callback = (PasswordCallback) callbacks[i];
- writer.write(callback.getPrompt());
- char[] answer = console.readPassword();
- callback.setPassword(answer);
- Arrays.fill(answer, ' ');
- } else if (callbacks[i] instanceof LocaleCallback) {
- LocaleCallback callback = (LocaleCallback) callbacks[i];
- writer.write(callback.getPrompt());
- writer.write("\n");
- for (int j = 0; j < callback.getAvailableLocales().size(); j++) {
- Locale locale = callback.getAvailableLocales().get(j);
- writer.print(j + " : " + locale.getDisplayName() + "\n");
- }
- writer.write("(" + callback.getDefaultIndex() + ") : ");
- String answer = console.readLine();
- if (answer.trim().equals(""))
- callback.setSelectedIndex(callback.getDefaultIndex());
- else
- callback.setSelectedIndex(new Integer(answer.trim()));
- }
- }
- }
-
-}
import org.argeo.ArgeoException;
import org.argeo.jcr.JcrUtils;
import org.argeo.jcr.UserJcrUtils;
+import org.argeo.security.NodeAuthenticationToken;
import org.argeo.security.UserAdminService;
import org.argeo.security.jcr.JcrSecurityModel;
import org.argeo.security.jcr.JcrUserDetails;
// AUTHENTICATION PROVIDER
public synchronized Authentication authenticate(
Authentication authentication) throws AuthenticationException {
- UsernamePasswordAuthenticationToken siteAuth = (UsernamePasswordAuthenticationToken) authentication;
+ NodeAuthenticationToken siteAuth = (NodeAuthenticationToken) authentication;
String username = siteAuth.getName();
if (!(siteAuth.getCredentials() instanceof char[]))
throw new ArgeoException("Only char array passwords are supported");
try {
JcrUserDetails userDetails = loadJcrUserDetails(adminSession,
username);
- UsernamePasswordAuthenticationToken authenticated = new UsernamePasswordAuthenticationToken(
- siteAuth, "", userDetails.getAuthorities());
+ NodeAuthenticationToken authenticated = new NodeAuthenticationToken(
+ siteAuth, userDetails.getAuthorities());
authenticated.setDetails(userDetails);
return authenticated;
} catch (RepositoryException e) {
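Review bot: `(NodeAuthenticationToken) authentication` is an unchecked cast in a method whose contract is to reject unsuitable input with an AuthenticationException; unless the provider's `supports()` restricts it to NodeAuthenticationToken (not visible here), any other token type fails with a ClassCastException. Match the existing style of the char[] check two lines below: `if (!(authentication instanceof NodeAuthenticationToken)) throw new ArgeoException("Only NodeAuthenticationToken is supported");`. The authenticated token is also built with `siteAuth` itself as principal, so whatever credentials siteAuth carries travel with it unless NodeAuthenticationToken's two-argument constructor erases them — the replaced code set the credentials to "" explicitly, so confirm that constructor does the same. The enclosing class continues outside the hunk.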
--- /dev/null
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.security.login;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+import org.osgi.framework.BundleContext;
+import org.osgi.service.useradmin.UserAdmin;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+/** Login module which caches one subject per thread. */
+abstract class AbstractSpringLoginModule implements LoginModule {
+ // private final static Log log = LogFactory
+ // .getLog(AbstractSpringLoginModule.class);
+ private CallbackHandler callbackHandler;
+ private Subject subject;
+
+ private Authentication authentication;
+
+ protected abstract Authentication processLogin(
+ CallbackHandler callbackHandler) throws LoginException,
+ UnsupportedCallbackException, IOException, InterruptedException;
+
+ @SuppressWarnings("rawtypes")
+ @Override
+ public void initialize(Subject subject, CallbackHandler callbackHandler,
+ Map sharedState, Map options) {
+ this.callbackHandler = callbackHandler;
+ this.subject = subject;
+ }
+
+ @Override
+ public boolean login() throws LoginException {
+ try {
+ // thread already logged in
+ Authentication currentAuth = SecurityContextHolder.getContext()
+ .getAuthentication();
+ if (currentAuth != null) {
+ if (subject.getPrincipals(Authentication.class).size() == 0) {
+ throw new LoginException(
+ "Security context set but not Authentication principal");
+ } else {
+ Authentication principal = subject
+ .getPrincipals(Authentication.class).iterator()
+ .next();
+ if (principal != currentAuth)
+ throw new LoginException(
+ "Already authenticated with a different auth");
+ }
+ return true;
+ }
+
+ if (callbackHandler == null)
+ throw new LoginException("No callback handler available");
+
+ authentication = processLogin(callbackHandler);
+ if (authentication != null) {
+ SecurityContextHolder.getContext().setAuthentication(
+ authentication);
+ return true;
+ } else {
+ throw new LoginException("No authentication returned");
+ }
+ } catch (LoginException e) {
+ throw e;
+ } catch (ThreadDeath e) {
+ LoginException le = new LoginException(
+ "Spring Security login thread died");
+ le.initCause(e);
+ throw le;
+ } catch (Exception e) {
+ LoginException le = new LoginException(
+ "Spring Security login failed");
+ le.initCause(e);
+ throw le;
+ }
+ }
+
+ @Override
+ public boolean logout() throws LoginException {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ return true;
+ }
+
+ @Override
+ public boolean commit() throws LoginException {
+ return true;
+ }
+
+ @Override
+ public boolean abort() throws LoginException {
+ SecurityContextHolder.getContext().setAuthentication(null);
+ return true;
+ }
+
+ protected AuthenticationManager getAuthenticationManager(
+ BundleContextCallback bundleContextCallback) {
+ BundleContext bc = bundleContextCallback.getBundleContext();
+ return bc.getService(bc
+ .getServiceReference(AuthenticationManager.class));
+
+ }
+
+ protected UserAdmin getUserAdmin(BundleContextCallback bundleContextCallback) {
+ BundleContext bc = bundleContextCallback.getBundleContext();
+ return bc.getService(bc.getServiceReference(UserAdmin.class));
+ }
+
+ protected Subject getSubject() {
+ return subject;
+ }
+}
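Review bot: `authentication` is a private field assigned in `login()` and never read, so `commit()` returns true without ever publishing the Authentication into the Subject — unlike the replaced AbstractSpringSecurityLoginModule, which added the current authentication to `subject.getPrincipals()`. Either `commit()` should do `subject.getPrincipals().add(authentication);` with `abort()`/`logout()` removing it again, or the field should be dropped; as written, the `subject.getPrincipals(Authentication.class)` check in `login()` can never be satisfied by this module's own commit. `getAuthenticationManager` and `getUserAdmin` also call `bc.getService(bc.getServiceReference(...))` without checking the reference for null and never call `ungetService`, so a missing service surfaces as a NullPointerException and the service usage count leaks on every login.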
+++ /dev/null
-/*
- * Copyright (C) 2007-2012 Argeo GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.argeo.security.login;
-
-import java.io.IOException;
-import java.util.Map;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-
-import org.osgi.framework.BundleContext;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-/** Login module which caches one subject per thread. */
-abstract class AbstractSpringSecurityLoginModule implements LoginModule {
- private CallbackHandler callbackHandler;
- private Subject subject;
-
- protected abstract Authentication processLogin(
- CallbackHandler callbackHandler) throws LoginException,
- UnsupportedCallbackException, IOException, InterruptedException;
-
- @SuppressWarnings("rawtypes")
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler,
- Map sharedState, Map options) {
- this.callbackHandler = callbackHandler;
- this.subject = subject;
- }
-
- @Override
- public boolean login() throws LoginException {
- try {
- // thread already logged in
- Authentication currentAuth = SecurityContextHolder.getContext()
- .getAuthentication();
- if (currentAuth != null) {
- if (subject.getPrincipals(Authentication.class).size() == 0) {
- subject.getPrincipals().add(currentAuth);
- } else {
- Authentication principal = subject
- .getPrincipals(Authentication.class).iterator()
- .next();
- if (principal != currentAuth)
- throw new LoginException(
- "Already authenticated with a different auth");
- }
- return true;
- }
-
- // reset all principals and credentials
- // if (log.isTraceEnabled())
- // log.trace("Resetting all principals and credentials of "
- // + subject);
- // subject.getPrincipals().clear();
- // subject.getPrivateCredentials().clear();
- // subject.getPublicCredentials().clear();
-
- if (callbackHandler == null)
- throw new LoginException("No callback handler available");
-
- Authentication authentication = processLogin(callbackHandler);
- if (authentication != null) {
- SecurityContextHolder.getContext().setAuthentication(
- authentication);
- return true;
- } else {
- throw new LoginException("No authentication returned");
- }
- } catch (LoginException e) {
- throw e;
- } catch (ThreadDeath e) {
- LoginException le = new LoginException(
- "Spring Security login thread died");
- le.initCause(e);
- throw le;
- } catch (Exception e) {
- LoginException le = new LoginException(
- "Spring Security login failed");
- le.initCause(e);
- throw le;
- }
- }
-
- @Override
- public boolean logout() throws LoginException {
- // subject.getPrincipals().clear();
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- return true;
- }
-
- @Override
- public boolean abort() throws LoginException {
- return true;
- }
-
- protected AuthenticationManager getAuthenticationManager(
- BundleContextCallback bundleContextCallback) {
- BundleContext bc = bundleContextCallback.getBundleContext();
- return bc.getService(bc
- .getServiceReference(AuthenticationManager.class));
-
- }
-}
import org.springframework.security.core.authority.SimpleGrantedAuthority;
/** Login module which caches one subject per thread. */
-public class AnonymousLoginModule extends AbstractSpringSecurityLoginModule {
+public class AnonymousLoginModule extends AbstractSpringLoginModule {
private String anonymousRole = "ROLE_ANONYMOUS";
/** Comma separated list of locales */
private String availableLocales = null;
--- /dev/null
+package org.argeo.security.login;
+
+import java.io.Console;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Arrays;
+import java.util.Locale;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.TextOutputCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.argeo.ArgeoException;
+import org.argeo.util.LocaleCallback;
+
+/** Callback handler to be used with a command line UI. */
+public class ConsoleCallbackHandler implements CallbackHandler {
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
+ UnsupportedCallbackException {
+ Console console = System.console();
+ if (console == null)
+ throw new ArgeoException("No console available");
+
+ PrintWriter writer = console.writer();
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof TextOutputCallback) {
+ TextOutputCallback callback = (TextOutputCallback) callbacks[i];
+ writer.write(callback.getMessage());
+ } else if (callbacks[i] instanceof NameCallback) {
+ NameCallback callback = (NameCallback) callbacks[i];
+ writer.write(callback.getPrompt());
+ if (callback.getDefaultName() != null)
+ writer.write(" (" + callback.getDefaultName() + ")");
+ writer.write(" : ");
+ String answer = console.readLine();
+ if (callback.getDefaultName() != null
+ && answer.trim().equals(""))
+ callback.setName(callback.getDefaultName());
+ else
+ callback.setName(answer);
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ PasswordCallback callback = (PasswordCallback) callbacks[i];
+ writer.write(callback.getPrompt());
+ char[] answer = console.readPassword();
+ callback.setPassword(answer);
+ Arrays.fill(answer, ' ');
+ } else if (callbacks[i] instanceof LocaleCallback) {
+ LocaleCallback callback = (LocaleCallback) callbacks[i];
+ writer.write(callback.getPrompt());
+ writer.write("\n");
+ for (int j = 0; j < callback.getAvailableLocales().size(); j++) {
+ Locale locale = callback.getAvailableLocales().get(j);
+ writer.print(j + " : " + locale.getDisplayName() + "\n");
+ }
+ writer.write("(" + callback.getDefaultIndex() + ") : ");
+ String answer = console.readLine();
+ if (answer.trim().equals(""))
+ callback.setSelectedIndex(callback.getDefaultIndex());
+ else
+ callback.setSelectedIndex(new Integer(answer.trim()));
+ }
+ }
+ }
+
+}
import org.springframework.security.core.Authentication;
/** Authenticates an end user */
-public class EndUserLoginModule extends AbstractSpringSecurityLoginModule {
+public class EndUserLoginModule extends AbstractSpringLoginModule {
final static String NODE_REPO_URI = "argeo.node.repo.uri";
private Long waitBetweenFailedLoginAttempts = 5 * 1000l;
Thread.sleep(waitBetweenFailedLoginAttempts);
throw e;
}
+
if (selectedLocale != null)
LocaleUtils.threadLocale.set(selectedLocale);
return auth;
}
+
+ @Override
+ public boolean commit() throws LoginException {
+ return super.commit();
+ }
}
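Review bot: The added `commit()` override only delegates to `super.commit()`, so it changes nothing and reads as leftover scaffolding. Either remove it, or if it is a placeholder for work the base class does not yet do, say so: `// TODO: publish the authentication into the Subject once AbstractSpringLoginModule supports it`. The enclosing `processLogin` starts outside the hunk.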
import org.springframework.security.core.Authentication;
/** Login module which caches one subject per thread. */
-public class SystemLoginModule extends AbstractSpringSecurityLoginModule {
+public class SystemLoginModule extends AbstractSpringLoginModule {
@Override
protected Authentication processLogin(CallbackHandler callbackHandler)
throws LoginException, UnsupportedCallbackException, IOException,
+++ /dev/null
-/*
- * Copyright (C) 2007-2012 Argeo GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.argeo.security.login;
-
-import java.util.Locale;
-import java.util.Map;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-
-import org.argeo.jcr.ArgeoNames;
-import org.argeo.security.core.AuthorizationPrincipal;
-import org.argeo.util.LocaleCallback;
-import org.argeo.util.LocaleUtils;
-import org.osgi.framework.BundleContext;
-import org.osgi.service.useradmin.Authorization;
-import org.osgi.service.useradmin.User;
-import org.osgi.service.useradmin.UserAdmin;
-import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
-
-/** Login module which caches one subject per thread. */
-public class UserAdminLoginModule implements LoginModule {
- // private final static Log log = LogFactory
- // .getLog(UserAdminLoginModule.class);
-
- private CallbackHandler callbackHandler;
-
- private Subject subject;
-
- private Long waitBetweenFailedLoginAttempts = 5 * 1000l;
-
- /** Comma separated list of locales */
- private String availableLocales = "";
-
- private AuthorizationPrincipal auth = null;
- private Locale selectedLocale = null;
-
- @SuppressWarnings("unused")
- private LdapShaPasswordEncoder shaPasswordEncoder = new LdapShaPasswordEncoder();
-
- public UserAdminLoginModule() {
-
- }
-
- @SuppressWarnings("rawtypes")
- public void initialize(Subject subject, CallbackHandler callbackHandler,
- Map sharedState, Map options) {
- this.callbackHandler = callbackHandler;
- this.subject = subject;
- }
-
- public boolean login() throws LoginException {
- try {
- // TODO thread already logged in
- // AuthorizationPrincipal principal = subject
- // .getPrincipals(AuthorizationPrincipal.class).iterator();
-
- if (callbackHandler == null)
- throw new LoginException("No call back handler available");
-
- // ask for username and password
- NameCallback nameCallback = new NameCallback("User");
- PasswordCallback passwordCallback = new PasswordCallback(
- "Password", false);
- LocaleCallback localeCallback = new LocaleCallback(availableLocales);
- BundleContextCallback bundleContextCallback = new BundleContextCallback();
-
- callbackHandler.handle(new Callback[] { nameCallback,
- passwordCallback, localeCallback, bundleContextCallback });
-
- selectedLocale = localeCallback.getSelectedLocale();
-
- // create credentials
- final String username = nameCallback.getName();
- if (username == null || username.trim().equals(""))
- return false;
-
- char[] password = {};
- if (passwordCallback.getPassword() != null)
- password = passwordCallback.getPassword();
-
- BundleContext bc = bundleContextCallback.getBundleContext();
- UserAdmin userAdmin = bc.getService(bc
- .getServiceReference(UserAdmin.class));
-
- User user = (User) userAdmin.getRole(username);
- // TODO use hash
- boolean authenticated = user.hasCredential(
- ArgeoNames.ARGEO_PASSWORD, new String(password));
-
- if (!authenticated) {
- // wait between failed login attempts
- Thread.sleep(waitBetweenFailedLoginAttempts);
- return false;
- }
-
- Authorization authorization = userAdmin.getAuthorization(user);
- auth = new AuthorizationPrincipal(authorization);
- return true;
- } catch (LoginException e) {
- throw e;
- } catch (ThreadDeath e) {
- LoginException le = new LoginException(
- "Spring Security login thread died");
- le.initCause(e);
- throw le;
- } catch (Exception e) {
- LoginException le = new LoginException(
- "Spring Security login failed");
- le.initCause(e);
- throw le;
- }
- }
-
- @Override
- public boolean logout() throws LoginException {
- subject.getPrincipals(AuthorizationPrincipal.class).remove(auth);
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- subject.getPrincipals().add(auth);
- if (selectedLocale != null)
- LocaleUtils.threadLocale.set(selectedLocale);
- return true;
- }
-
- @Override
- public boolean abort() throws LoginException {
- auth = null;
- selectedLocale = null;
- return true;
- }
-
- public void setAvailableLocales(String locales) {
- this.availableLocales = locales;
- }
-}
\ No newline at end of file
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
-import javax.jcr.SimpleCredentials;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
public class ArgeoLoginModule extends AbstractLoginModule {
private String adminRole = "ROLE_ADMIN";
- @SuppressWarnings("unused")
- @Override
- public boolean login() throws LoginException {
- boolean loginOk = super.login();
- if (!loginOk) {
- org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) SecurityContextHolder
- .getContext().getAuthentication();
- }
- return loginOk;
- }
-
- @SuppressWarnings("unused")
- @Override
- public boolean commit() throws LoginException {
- boolean commitOk = super.commit();
- if (!commitOk) {
- org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) SecurityContextHolder
- .getContext().getAuthentication();
- }
- return commitOk;
- }
-
/**
* Returns the Spring {@link org.springframework.security.Authentication}
* (which can be null)
*/
@Override
protected Principal getPrincipal(Credentials credentials) {
- org.springframework.security.core.Authentication authen = SecurityContextHolder
- .getContext().getAuthentication();
- return authen;
+ return SecurityContextHolder.getContext().getAuthentication();
}
protected Set<Principal> getPrincipals() {
- // clear already registered Jackrabbit principals
- // clearPrincipals(AdminPrincipal.class);
- // clearPrincipals(AnonymousPrincipal.class);
- // clearPrincipals(GrantedAuthorityPrincipal.class);
-
- return syncPrincipals();
- }
-
- protected Set<Principal> syncPrincipals() {
// use linked HashSet instead of HashSet in order to maintain the order
// of principals (as in the Subject).
org.springframework.security.core.Authentication authen = (org.springframework.security.core.Authentication) principal;
}
// remove previous credentials
- Set<SimpleCredentials> thisCredentials = subject
- .getPublicCredentials(SimpleCredentials.class);
- if (thisCredentials != null)
- thisCredentials.clear();
- // override credentials since we did not used the one passed to us
- // credentials = new SimpleCredentials(authen.getName(), authen
- // .getCredentials().toString().toCharArray());
+ // Set<SimpleCredentials> thisCredentials = subject
+ // .getPublicCredentials(SimpleCredentials.class);
+ // if (thisCredentials != null)
+ // thisCredentials.clear();
return principals;
}
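Review bot: The `// remove previous credentials` comment at L1030 now heads four commented-out lines, so nothing is removed and the comment is misleading: any SimpleCredentials already stored in the Subject's public credentials stay there when the Subject is reused. If keeping them is intentional (the SimpleCredentials import was dropped in the same commit), delete the dead block and replace the comment with the reason, e.g. `// earlier SimpleCredentials are deliberately left in the subject's public credentials (TODO: state why)`; otherwise restore the clearing. The enclosing method starts outside the hunk.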
clearPrincipals(ArgeoSystemPrincipal.class);
clearPrincipals(AnonymousPrincipal.class);
clearPrincipals(GrantedAuthorityPrincipal.class);
-
- // we resync with Spring Security since the subject may have been reused
- // in beetween
- // TODO: check if this is clean
- // subject.getPrincipals().addAll(syncPrincipals());
-
return true;
}