From: Mathieu Baudier <mbaudier@argeo.org>
Date: Thu, 8 Dec 2011 23:03:49 +0000 (+0000)
Subject: Introduce security manager
X-Git-Tag: argeo-commons-2.1.30~1067
X-Git-Url: https://git.argeo.org/?a=commitdiff_plain;h=747287fd2bc5b5ccf007e403947065acdaa5ef19;p=lgpl%2Fargeo-commons.git

Introduce security manager

git-svn-id: https://svn.argeo.org/commons/trunk@4914 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---

diff --git a/security/modules/org.argeo.security.manager/.project b/security/modules/org.argeo.security.manager/.project
new file mode 100644
index 000000000..964176d62
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/.project
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>org.argeo.security.auth</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.pde.ManifestBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.pde.SchemaBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.pde.PluginNature</nature>
+	</natures>
+</projectDescription>
diff --git a/security/modules/org.argeo.security.manager/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.manager/META-INF/MANIFEST.MF
new file mode 100644
index 000000000..8e0713c1d
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/MANIFEST.MF
@@ -0,0 +1,7 @@
+Manifest-Version: 1.0
+Bundle-ManifestVersion: 2
+Bundle-Name: Manager
+Bundle-SymbolicName: org.argeo.security.auth
+Bundle-Version: 1.0.0.qualifier
+Bundle-Vendor: Argeo
+Bundle-RequiredExecutionEnvironment: J2SE-1.5
diff --git a/security/modules/org.argeo.security.manager/META-INF/spring/auth-jcr.xml b/security/modules/org.argeo.security.manager/META-INF/spring/auth-jcr.xml
new file mode 100644
index 000000000..c8eff5b1b
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/spring/auth-jcr.xml
@@ -0,0 +1,22 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+		http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
+		http://www.springframework.org/schema/security
+		http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
+		http://www.springframework.org/schema/util
+		http://www.springframework.org/schema/util/spring-util-2.5.xsd">
+
+	<bean id="argeoDataModel" class="org.argeo.jackrabbit.JackrabbitContainer"
+		init-method="init" destroy-method="destroy">
+		<description><![CDATA[Make sure that Argeo base data model is registered]]></description>
+		<property name="cndFiles">
+			<list>
+				<value>/org/argeo/jcr/argeo.cnd</value>
+			</list>
+		</property>
+		<property name="repository" ref="nodeRepository" />
+		<property name="bundleContext" ref="bundleContext" />
+	</bean>
+</beans>
diff --git a/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap-jcr.xml b/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap-jcr.xml
new file mode 100644
index 000000000..43794f6f8
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap-jcr.xml
@@ -0,0 +1,65 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+		http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
+		http://www.springframework.org/schema/security
+		http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
+		http://www.springframework.org/schema/util
+		http://www.springframework.org/schema/util/spring-util-2.5.xsd">
+
+	<bean id="jcrLdapSynchronizer" class="org.argeo.security.ldap.jcr.JcrLdapSynchronizer"
+		init-method="init" destroy-method="destroy" depends-on="argeoDataModel">
+		<!-- LDAP -->
+		<property name="usernameAttribute" value="${argeo.ldap.usernameAttribute}" />
+		<property name="passwordAttribute" value="${argeo.ldap.passwordAttribute}" />
+		<property name="userClasses">
+			<list>
+				<value>${argeo.ldap.userClass}</value>
+			</list>
+		</property>
+		<property name="passwordEncoder" ref="passwordEncoder" />
+		<property name="userBase" value="${argeo.ldap.userBase}" />
+		<property name="usernameMapper" ref="usernameMapper" />
+		<property name="ldapTemplate" ref="ldapTemplate" />
+		<property name="rawLdapTemplate" ref="rawLdapTemplate" />
+		<!-- JCR -->
+		<property name="repository" ref="nodeRepository" />
+		<property name="securityWorkspace" value="${argeo.node.repo.securityWorkspace}" />
+		<property name="propertyToAttributes" ref="propertyToAttributes" />
+	</bean>
+
+	<!-- LDAP / JCR mapping -->
+	<util:map id="propertyToAttributes">
+		<entry value="cn">
+			<key>
+				<util:constant static-field="javax.jcr.Property.JCR_TITLE" />
+			</key>
+		</entry>
+		<entry value="description">
+			<key>
+				<util:constant static-field="javax.jcr.Property.JCR_DESCRIPTION" />
+			</key>
+		</entry>
+		<entry value="givenName">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_FIRST_NAME" />
+			</key>
+		</entry>
+		<entry value="sn">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_LAST_NAME" />
+			</key>
+		</entry>
+		<entry value="mail">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_PRIMARY_EMAIL" />
+			</key>
+		</entry>
+		<entry value="o">
+			<key>
+				<util:constant static-field="org.argeo.jcr.ArgeoNames.ARGEO_PRIMARY_ORGANIZATION" />
+			</key>
+		</entry>
+	</util:map>
+</beans>
diff --git a/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap.xml b/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap.xml
new file mode 100644
index 000000000..a42553f85
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/spring/auth-ldap.xml
@@ -0,0 +1,100 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
+
+
+	<!-- AUTHENTICATION -->
+	<bean id="ldapAuthenticationProvider"
+		class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
+		<constructor-arg ref="ldapAuthenticator" />
+		<constructor-arg ref="authoritiesPopulator" />
+		<property name="userDetailsContextMapper" ref="jcrLdapSynchronizer" />
+	</bean>
+
+	<!-- PasswordComparisonAuthenticator doesn't work with SSHA -->
+	<bean id="ldapAuthenticator"
+		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
+		<constructor-arg ref="contextSource" />
+		<property name="userDnPatterns">
+			<list>
+				<value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value>
+			</list>
+		</property>
+		<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
+		<property name="passwordEncoder" ref="passwordEncoder" />
+	</bean>
+
+	<!-- Bind authenticator doesn't work with Apache DS 1.0 -->
+	<!-- <bean id="ldapAuthenticator" -->
+	<!-- class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> -->
+	<!-- <constructor-arg ref="contextSource" /> -->
+	<!-- <property name="userDnPatterns"> -->
+	<!-- <list> -->
+	<!-- <value><![CDATA[${argeo.ldap.usernameAttribute}={0},${argeo.ldap.userBase}]]></value> -->
+	<!-- </list> -->
+	<!-- </property> -->
+	<!-- </bean> -->
+
+	<!-- USER DETAILS -->
+	<bean id="ldapUserDetailsService"
+		class="org.springframework.security.userdetails.ldap.LdapUserDetailsService">
+		<constructor-arg ref="ldapUserSearch" />
+		<constructor-arg ref="authoritiesPopulator" />
+		<property name="userDetailsMapper" ref="jcrLdapSynchronizer" />
+	</bean>
+
+	<bean id="ldapUserSearch"
+		class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
+		<!-- search base -->
+		<constructor-arg value="${argeo.ldap.userBase}" />
+		<!-- search filter -->
+		<constructor-arg value="(${argeo.ldap.usernameAttribute}={0})" />
+		<!-- context source -->
+		<constructor-arg ref="contextSource" />
+	</bean>
+
+	<bean id="usernameMapper"
+		class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
+		<constructor-arg value="${argeo.ldap.userBase}" />
+		<constructor-arg value="${argeo.ldap.usernameAttribute}" />
+	</bean>
+
+	<bean id="authoritiesPopulator"
+		class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
+		<constructor-arg ref="contextSource" />
+		<constructor-arg value="${argeo.ldap.groupBase}" />
+		<property name="groupSearchFilter" value="${argeo.ldap.groupMemberAttribute}={0}" />
+		<property name="defaultRole" value="${argeo.security.defaultRole}" />
+		<property name="rolePrefix" value="${argeo.security.rolePrefix}" />
+	</bean>
+
+	<!-- LDAP LOW LEVEL -->
+	<bean id="contextSource"
+		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
+		<constructor-arg
+			value="${argeo.ldap.protocol}://${argeo.ldap.host}:${argeo.ldap.port}/${argeo.ldap.rootdn}" />
+		<property name="userDn" value="${argeo.ldap.manager.userdn}" />
+		<property name="password" value="${argeo.ldap.manager.password}" />
+	</bean>
+
+	<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
+		<constructor-arg ref="contextSource" />
+	</bean>
+
+	<bean id="rawLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
+		<description><![CDATA[LDAP template returning raw dir contexts, see http://forum.springsource.org/showthread.php?55955-Persistent-search-with-spring-ldap]]></description>
+		<constructor-arg>
+			<bean parent="contextSource">
+				<property name="dirObjectFactory">
+					<null />
+				</property>
+			</bean>
+		</constructor-arg>
+	</bean>
+
+	<bean id="passwordEncoder" class="org.argeo.security.ldap.ArgeoLdapShaPasswordEncoder">
+		<property name="useSalt" value="${argeo.ldap.password.useSalt}" />
+	</bean>
+</beans>
diff --git a/security/modules/org.argeo.security.manager/META-INF/spring/auth-osgi.xml b/security/modules/org.argeo.security.manager/META-INF/spring/auth-osgi.xml
new file mode 100644
index 000000000..d0bcd6222
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/spring/auth-osgi.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans:beans xmlns="http://www.springframework.org/schema/osgi"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
+	xsi:schemaLocation="http://www.springframework.org/schema/osgi  
+       http://www.springframework.org/schema/osgi/spring-osgi-1.1.xsd
+       http://www.springframework.org/schema/beans   
+       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+	<!-- REFERENCES -->
+	<reference id="nodeRepository" interface="javax.jcr.Repository"
+		filter="(argeo.jcr.repository.alias=node)" />
+
+	<!-- SERVICES -->
+	<service ref="systemExecutionService" interface="org.argeo.security.SystemExecutionService" />
+	<service ref="authenticationManager"
+		interface="org.springframework.security.AuthenticationManager"
+		context-class-loader="service-provider" />
+
+	<service ref="ldapUserDetailsService"
+		interface="org.springframework.security.userdetails.UserDetailsService"
+		context-class-loader="service-provider" />
+</beans:beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.manager/META-INF/spring/auth-services.xml b/security/modules/org.argeo.security.manager/META-INF/spring/auth-services.xml
new file mode 100644
index 000000000..158b18fb4
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/META-INF/spring/auth-services.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="
+       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+	<!-- COMMON -->
+	<bean
+		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+		<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
+		<property name="locations">
+			<value>osgibundle:auth.properties</value>
+		</property>
+	</bean>
+
+	<!-- SERVICES -->
+	<bean id="systemExecutionService" class="org.argeo.security.core.KeyBasedSystemExecutionService">
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="systemAuthenticationKey" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
+		<property name="providers">
+			<list>
+				<ref bean="anonymousAuthenticationProvider" />
+				<ref bean="authByAdapterProvider" />
+				<ref bean="ldapAuthenticationProvider" />
+			</list>
+		</property>
+	</bean>
+
+	<!-- Authentication provider -->
+	<bean id="authByAdapterProvider"
+		class="org.springframework.security.adapters.AuthByAdapterProvider">
+		<description><![CDATA[System authentication]]></description>
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<bean id="anonymousAuthenticationProvider"
+		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
+		<description><![CDATA[Anonymous authentication]]></description>
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+	<!-- Internal authentication, used by during the general authentication 
+		initialization himself, in order to prevent the following dependency cycle: 
+		Repository.login() <= AuthenticationManager <= LdapAuthenticationProvider 
+		<= Repository.login() in init() -->
+	<bean id="internalAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
+		<property name="providers">
+			<list>
+				<ref bean="authByAdapterProvider" />
+			</list>
+		</property>
+	</bean>
+
+	<bean
+		class="org.argeo.security.core.AuthenticatedApplicationContextInitialization">
+		<description><![CDATA[Executes initialization with a system authentication]]></description>
+		<property name="authenticationManager" ref="internalAuthenticationManager" />
+	</bean>
+</beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.manager/auth.properties b/security/modules/org.argeo.security.manager/auth.properties
new file mode 100644
index 000000000..b00b5261f
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/auth.properties
@@ -0,0 +1,33 @@
+argeo.node.repo.securityWorkspace=security
+
+argeo.security.defaultRole=ROLE_USER
+argeo.security.rolePrefix=ROLE_
+
+argeo.security.systemKey=argeo
+
+argeo.ldap.rootdn=dc=demo,dc=argeo,dc=org
+argeo.ldap.protocol=ldap
+argeo.ldap.host=localhost
+# default are for Apache Directory Server
+argeo.ldap.port=10389
+argeo.ldap.manager.userdn=uid=admin,ou=system
+argeo.ldap.manager.password=secret
+
+# USER
+argeo.ldap.userClass=inetOrgPerson
+argeo.ldap.osUserClass=posixAccount
+argeo.ldap.userBase=ou=People
+argeo.ldap.usernameAttribute=uid
+argeo.ldap.passwordAttribute=userPassword
+# ROLES
+argeo.ldap.groupClass=groupOfNames
+argeo.ldap.groupBase=ou=Roles
+argeo.ldap.groupRoleAttribute=cn
+argeo.ldap.groupMemberAttribute=member
+# OS GROUPS
+argeo.ldap.osGroupClass=posixGroup
+argeo.ldap.osGroupBase=ou=Group
+argeo.ldap.osGroupNameAttribute=cn
+argeo.ldap.osGroupMemberAttribute=memberUid
+
+argeo.ldap.password.useSalt=false
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.manager/build.properties b/security/modules/org.argeo.security.manager/build.properties
new file mode 100644
index 000000000..5fc538bc8
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/build.properties
@@ -0,0 +1,4 @@
+source.. = src/main/java/
+output.. = target/classes/
+bin.includes = META-INF/,\
+               .
diff --git a/security/modules/org.argeo.security.manager/pom.xml b/security/modules/org.argeo.security.manager/pom.xml
new file mode 100644
index 000000000..c95067c65
--- /dev/null
+++ b/security/modules/org.argeo.security.manager/pom.xml
@@ -0,0 +1,31 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.argeo.commons.security</groupId>
+		<version>0.3.4-SNAPSHOT</version>
+		<artifactId>modules</artifactId>
+		<relativePath>..</relativePath>
+	</parent>
+	<artifactId>org.argeo.security.auth</artifactId>
+	<name>Commons Security Default Authentication</name>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.felix</groupId>
+				<artifactId>maven-bundle-plugin</artifactId>
+				<configuration>
+					<instructions>
+						<Import-Package>
+							*,
+							org.argeo.jcr,
+							com.sun.jndi.ldap;resolution:=optional,
+							org.springframework.ldap.core.support,
+							org.springframework.security
+						</Import-Package>
+					</instructions>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>
\ No newline at end of file