uid: demo
userpassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+dn: uid=root,ou=users,dc=demo,dc=argeo,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: top
+cn: demo User
+description: Superuser
+givenname: Root
+mail: root@localhost
+sn: Root
+uid: root
+userpassword:: e1NIQX1pZVNWNTVRYytlUU9hWURSU2hhL0Fqek5USkU9
+
dn: uid=frodo,ou=users,dc=demo,dc=argeo,dc=org
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: admin
uniquemember: uid=gandalf,ou=users,dc=demo,dc=argeo,dc=org
+uniquemember: uid=root,ou=users,dc=demo,dc=argeo,dc=org
******************
USERS
******************
+getCredentials.security
+> return : userDetails <json> of the logged user
+
getUsersList.security
> param : getNatures <true|false>
> return : users[] <json> : containing username and roles, and depending on the value of getNatures, the natures.
userExists.security
> param : userName <string>
-deleteUser.security
+deleteUser.security (ADMIN only)
> param : userName <string>
getUserDetails.security
> param : userName <string>
> return : userDetails <json> : full details (roles, natures, etc).
-createUser.security
+createUser.security (ADMIN only)
> params : userName <string>, password <string>
-updateUserPassword.security
-> param : userName <string>, password <string>, [oldpassword <string>] (depends on the admin being logged in or not)
+updateUserPassword.security (ADMIN only)
+> param : userName <string>, password <string>
+
+updatePassword.security
+> param : password <string>, oldpassword <string>
******************
> param : aucun
> return : roles[] <json>
-getUsersForRole.security
+#getUsersForRole.security
> param : roleName <string>, getNatures <true|false>
> return : users[] <json> (username and eventually natures)
-createRole.security
+createRole.security (ADMIN only)
> param : roleName <string>
-deleteRole.security
+deleteRole.security (ADMIN only)
> param : roleName <string>
-updateUserRoleLink.security
+#updateUserRoleLink.security
> params : <string> roleName, <string> username, <string> action="set|unset"
LINKS & NATURES
************************
-createUserNature.security
+#createUserNature.security
> params : natureObject <json>, userName <string>
-deleteUserNature.security
+#deleteUserNature.security
> params : natureObject <json>, userName <string>
-updateUserNature.security
+#updateUserNature.security
> params : natureObject <json>, userName <string>
\ No newline at end of file
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
- <bean id="securityDao" class="org.argeo.security.ldap.SecurityDaoLdap">
+ <bean id="securityDao" class="org.argeo.security.ldap.ArgeoSecurityDaoLdap">
<constructor-arg ref="contextSource" />
<property name="userDetailsManager" ref="userDetailsManager" />
<property name="authoritiesPopulator" ref="authoritiesPopulator" />
public void delete(String username);
+ public void createRole(String role, String superuserName);
+
public void deleteRole(String role);
public void updatePassword(String oldPassword, String newPassword);
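Review bot: The new `createRole(String role, String superuserName)` on line 85 has no Javadoc, and the same applies to `updateUserPassword(String username, String password)` added to ArgeoSecurityService in the next hunk; both names are later turned into LDAP DNs, so the expected input and the side effect deserve stating. Suggested for line 85: `/** Creates the group backing {@code role}; {@code superuserName} becomes its first member because an empty group cannot be bound. */`. The interface continues outside this hunk.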
package org.argeo.security;
-
public interface ArgeoSecurityService {
public void newUser(ArgeoUser argeoUser);
+
+ public void updateUserPassword(String username, String password);
+
public void newRole(String role);
+
public ArgeoSecurityDao getSecurityDao();
}
public BasicArgeoUser(ArgeoUser argeoUser) {
username = argeoUser.getUsername();
+ password = argeoUser.getPassword();
userNatures = new ArrayList<UserNature>(argeoUser.getUserNatures());
roles = new ArrayList<String>(argeoUser.getRoles());
}
}
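Review bot: Copying the password into BasicArgeoUser on line 102 means the objects handed out by the DAO now carry it: createBasicArgeoUser (changed in the next hunk, lines 121-122) returns `new BasicArgeoUser((ArgeoUser) userDetails)`, and the new ArgeoSecurityDaoLdap uses that helper in both getUser and listUsers, which back the `getUserDetails.security` and `getUsersList.security` endpoints that return user JSON. Whether the password field actually reaches the JSON view is not visible in this diff, but nothing here strips it. If the copy is needed only for the updateUserPassword round-trip, consider clearing it on the read paths, e.g. `argeoUser.setPassword(null);` in the controller before returning, and add a comment on line 102 saying why the password is copied.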
public ArgeoUserDetails(ArgeoUser argeoUser) {
- this(argeoUser.getUsername(), argeoUser.getUserNatures(), argeoUser.getPassword(),
- rolesToAuthorities(argeoUser.getRoles()));
+ this(argeoUser.getUsername(), argeoUser.getUserNatures(), argeoUser
+ .getPassword(), rolesToAuthorities(argeoUser.getRoles()));
}
public List<UserNature> getUserNatures() {
}
public static BasicArgeoUser createBasicArgeoUser(UserDetails userDetails) {
- BasicArgeoUser argeoUser = new BasicArgeoUser();
- argeoUser.setUsername(userDetails.getUsername());
- addAuthoritiesToRoles(userDetails.getAuthorities(), argeoUser
- .getRoles());
- return argeoUser;
+ if (userDetails instanceof ArgeoUser) {
+ return new BasicArgeoUser((ArgeoUser) userDetails);
+ } else {
+ BasicArgeoUser argeoUser = new BasicArgeoUser();
+ argeoUser.setUsername(userDetails.getUsername());
+ addAuthoritiesToRoles(userDetails.getAuthorities(), argeoUser
+ .getRoles());
+ return argeoUser;
+ }
}
public static ArgeoUser asArgeoUser(Authentication authentication) {
import org.argeo.security.ArgeoSecurityDao;
import org.argeo.security.ArgeoSecurityService;
import org.argeo.security.ArgeoUser;
+import org.argeo.security.BasicArgeoUser;
public class DefaultSecurityService implements ArgeoSecurityService {
private ArgeoSecurity argeoSecurity = new DefaultArgeoSecurity();
}
public void newRole(String role) {
- ArgeoUser superUser = securityDao.getUser(argeoSecurity.getSuperUsername());
- superUser.getRoles().add(role);
- securityDao.update(superUser);
+ securityDao.createRole(role, argeoSecurity.getSuperUsername());
+ }
+
+ public void updateUserPassword(String username, String password) {
+ BasicArgeoUser user = new BasicArgeoUser(securityDao.getUser(username));
+ user.setPassword(password);
+ securityDao.update(user);
}
public void newUser(ArgeoUser user) {
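Review bot: `updateUserPassword` on lines 146-149 passes the caller-supplied `password` straight through `user.setPassword` and `securityDao.update`, and the DAO's update wraps it in `new ArgeoUserDetails(user)` before calling `userDetailsManager.updateUser`; no encoding step is visible anywhere in this diff, so unless the LdapUserDetailsManager mapper hashes it, the directory will receive the plaintext value. The documentation hunk labels this operation "ADMIN only", but neither this method nor the controller hunk below shows an authorization check, so that restriction presumably lives in Spring Security configuration not shown here — worth confirming. `securityDao.getUser(username)` is also dereferenced by the BasicArgeoUser copy constructor with no guard; if the lookup throws for unknown users that is fine, but a comment such as `// getUser throws for unknown users; no null check needed` would make the assumption explicit. The enclosing class continues outside this hunk.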
--- /dev/null
+package org.argeo.security.ldap;
+
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.ldap.core.DistinguishedName;
+import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
+
+public class ArgeoLdapUserDetailsManager extends LdapUserDetailsManager {
+
+ public ArgeoLdapUserDetailsManager(ContextSource contextSource) {
+ super(contextSource);
+ }
+
+ @Override
+ protected DistinguishedName buildGroupDn(String group) {
+ // TODO Auto-generated method stub
+ return super.buildGroupDn(group);
+ }
+
+}
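Review bot: The `buildGroupDn` override on lines 165-169 only calls `super.buildGroupDn(group)` and still carries the IDE's `// TODO Auto-generated method stub` comment, so it changes nothing and reads as unfinished. Either drop the override until there is a group-DN policy to implement, or replace the stub comment with one stating the intent, e.g. `// Hook for Argeo-specific group DN layout; currently defers to the default.`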
--- /dev/null
+package org.argeo.security.ldap;
+
+import static org.argeo.security.core.ArgeoUserDetails.createBasicArgeoUser;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.naming.Name;
+import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
+
+import org.argeo.security.ArgeoSecurityDao;
+import org.argeo.security.ArgeoUser;
+import org.argeo.security.core.ArgeoUserDetails;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.ldap.core.ContextExecutor;
+import org.springframework.ldap.core.ContextMapper;
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.ldap.core.DirContextAdapter;
+import org.springframework.ldap.core.DistinguishedName;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper;
+import org.springframework.security.ldap.LdapUsernameToDnMapper;
+import org.springframework.security.ldap.LdapUtils;
+import org.springframework.security.userdetails.UserDetails;
+import org.springframework.security.userdetails.UserDetailsManager;
+
+public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean {
+ // private final static Log log = LogFactory.getLog(UserDaoLdap.class);
+
+ private UserDetailsManager userDetailsManager;
+ private ArgeoLdapAuthoritiesPopulator authoritiesPopulator;
+ private String userBase = "ou=users";
+ private String usernameAttribute = "uid";
+
+ private final LdapTemplate ldapTemplate;
+
+ /* TODO: factorize with user details manager */
+ private LdapUsernameToDnMapper usernameMapper = null;
+
+ public void afterPropertiesSet() throws Exception {
+ if (usernameMapper == null)
+ usernameMapper = new DefaultLdapUsernameToDnMapper(userBase,
+ usernameAttribute);
+ }
+
+ public ArgeoSecurityDaoLdap(ContextSource contextSource) {
+ ldapTemplate = new LdapTemplate(contextSource);
+ }
+
+ public void create(ArgeoUser user) {
+ userDetailsManager.createUser(new ArgeoUserDetails(user));
+ }
+
+ public ArgeoUser getUser(String uname) {
+ return createBasicArgeoUser(getDetails(uname));
+ }
+
+ @SuppressWarnings("unchecked")
+ public List<ArgeoUser> listUsers() {
+ List<String> usernames = (List<String>) ldapTemplate.listBindings(
+ new DistinguishedName(userBase), new ContextMapper() {
+ public Object mapFromContext(Object ctxArg) {
+ DirContextAdapter ctx = (DirContextAdapter) ctxArg;
+ return ctx.getStringAttribute(usernameAttribute);
+ }
+ });
+
+ List<ArgeoUser> lst = new ArrayList<ArgeoUser>();
+ for (String username : usernames) {
+ lst.add(createBasicArgeoUser(getDetails(username)));
+ }
+ return lst;
+ }
+
+ @SuppressWarnings("unchecked")
+ public List<String> listEditableRoles() {
+ return (List<String>) ldapTemplate.listBindings(authoritiesPopulator
+ .getGroupSearchBase(), new ContextMapper() {
+ public Object mapFromContext(Object ctxArg) {
+ String groupName = ((DirContextAdapter) ctxArg)
+ .getStringAttribute(authoritiesPopulator
+ .getGroupRoleAttribute());
+ String roleName = authoritiesPopulator
+ .convertGroupToRole(groupName);
+ return roleName;
+ }
+ });
+ }
+
+ public void update(ArgeoUser user) {
+ userDetailsManager.updateUser(new ArgeoUserDetails(user));
+ }
+
+ public void delete(String username) {
+ userDetailsManager.deleteUser(username);
+ }
+
+ public void updatePassword(String oldPassword, String newPassword) {
+ userDetailsManager.changePassword(oldPassword, newPassword);
+ }
+
+ public Boolean userExists(String username) {
+ return userDetailsManager.userExists(username);
+ }
+
+ public void createRole(String role, final String superuserName) {
+ String group = convertRoleToGroup(role);
+ DistinguishedName superuserDn = (DistinguishedName) ldapTemplate
+ .executeReadWrite(new ContextExecutor() {
+ public Object executeWithContext(DirContext ctx)
+ throws NamingException {
+ return LdapUtils.getFullDn(usernameMapper
+ .buildDn(superuserName), ctx);
+ }
+ });
+
+ Name groupDn = buildGroupDn(group);
+ DirContextAdapter context = new DirContextAdapter();
+ context.setAttributeValues("objectClass", new String[] { "top",
+ "groupOfUniqueNames" });
+ context.setAttributeValue("cn", group);
+
+ // Add superuser because cannot create empty group
+ context.setAttributeValue("uniqueMember", superuserDn.toString());
+
+ ldapTemplate.bind(groupDn, context, null);
+ }
+
+ public void deleteRole(String role) {
+ String group = convertRoleToGroup(role);
+ Name dn = buildGroupDn(group);
+ ldapTemplate.unbind(dn);
+ }
+
+ protected String convertRoleToGroup(String role) {
+ // FIXME: factorize with spring security
+ String group = role;
+ if (group.startsWith("ROLE_")) {
+ group = group.substring("ROLE_".length());
+ group = group.toLowerCase();
+ }
+ return group;
+ }
+
+ protected Name buildGroupDn(String name) {
+ return new DistinguishedName("cn=" + name + ","
+ + authoritiesPopulator.getGroupSearchBase());
+ }
+
+ public void setUserDetailsManager(UserDetailsManager userDetailsManager) {
+ this.userDetailsManager = userDetailsManager;
+ }
+
+ public void setUserBase(String userBase) {
+ this.userBase = userBase;
+ }
+
+ public void setUsernameAttribute(String usernameAttribute) {
+ this.usernameAttribute = usernameAttribute;
+ }
+
+ public void setAuthoritiesPopulator(
+ ArgeoLdapAuthoritiesPopulator authoritiesPopulator) {
+ this.authoritiesPopulator = authoritiesPopulator;
+ }
+
+ protected UserDetails getDetails(String username) {
+ return userDetailsManager.loadUserByUsername(username);
+ }
+}
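Review bot: `buildGroupDn` on lines 318-321 builds the DN by string concatenation, `"cn=" + name + "," + base`, and `createRole`/`deleteRole` feed it a group name derived from the `roleName` request parameter; a name containing DN special characters (`,`, `+`, `=`, `"`, `\`) would then be parsed as additional RDNs rather than as a literal cn, and `deleteRole` would unbind whatever that resolves to. Build it with the escaping API instead: `DistinguishedName dn = new DistinguishedName(authoritiesPopulator.getGroupSearchBase());` / `dn.add("cn", name);` / `return dn;`. Two smaller points: the superuser DN lookup in `createRole` (lines 281-288) only reads, so `executeReadOnly` would fit better than `executeReadWrite`, and `usernameMapper` is only initialised in `afterPropertiesSet`, so `createRole` throws NullPointerException if the bean is ever constructed outside a Spring lifecycle — a comment on line 211 noting that dependency would help.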
+++ /dev/null
-package org.argeo.security.ldap;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.naming.Name;
-
-import org.argeo.security.ArgeoSecurityDao;
-import org.argeo.security.ArgeoUser;
-import org.argeo.security.core.ArgeoUserDetails;
-import org.springframework.ldap.core.ContextMapper;
-import org.springframework.ldap.core.ContextSource;
-import org.springframework.ldap.core.DirContextAdapter;
-import org.springframework.ldap.core.DistinguishedName;
-import org.springframework.ldap.core.LdapTemplate;
-import org.springframework.security.userdetails.UserDetails;
-import org.springframework.security.userdetails.UserDetailsManager;
-
-public class SecurityDaoLdap implements ArgeoSecurityDao {
- // private final static Log log = LogFactory.getLog(UserDaoLdap.class);
-
- private UserDetailsManager userDetailsManager;
- private ArgeoLdapAuthoritiesPopulator authoritiesPopulator;
- private String userBase = "ou=users";
- private String usernameAttribute = "uid";
-
- private final LdapTemplate ldapTemplate;
-
- public SecurityDaoLdap(ContextSource contextSource) {
- ldapTemplate = new LdapTemplate(contextSource);
- }
-
- public void create(ArgeoUser user) {
- userDetailsManager.createUser(new ArgeoUserDetails(user));
- }
-
- public ArgeoUser getUser(String uname) {
- return (ArgeoUser) userDetailsManager.loadUserByUsername(uname);
- }
-
- @SuppressWarnings("unchecked")
- public List<ArgeoUser> listUsers() {
- List<String> usernames = (List<String>) ldapTemplate.listBindings(
- new DistinguishedName(userBase), new ContextMapper() {
- public Object mapFromContext(Object ctxArg) {
- DirContextAdapter ctx = (DirContextAdapter) ctxArg;
- return ctx.getStringAttribute(usernameAttribute);
- }
- });
-
- List<ArgeoUser> lst = new ArrayList<ArgeoUser>();
- for (String username : usernames) {
- UserDetails userDetails = userDetailsManager
- .loadUserByUsername(username);
- lst.add((ArgeoUser) userDetails);
- }
- return lst;
- }
-
- @SuppressWarnings("unchecked")
- public List<String> listEditableRoles() {
- return (List<String>) ldapTemplate.listBindings(authoritiesPopulator
- .getGroupSearchBase(), new ContextMapper() {
- public Object mapFromContext(Object ctxArg) {
- String groupName = ((DirContextAdapter) ctxArg)
- .getStringAttribute(authoritiesPopulator
- .getGroupRoleAttribute());
- String roleName = authoritiesPopulator
- .convertGroupToRole(groupName);
- return roleName;
- }
- });
- }
-
- public void update(ArgeoUser user) {
- userDetailsManager.updateUser(new ArgeoUserDetails(user));
- }
-
- public void delete(String username) {
- userDetailsManager.deleteUser(username);
- }
-
- public void updatePassword(String oldPassword, String newPassword) {
- userDetailsManager.changePassword(oldPassword, newPassword);
- }
-
- public Boolean userExists(String username) {
- return userDetailsManager.userExists(username);
- }
-
- public void deleteRole(String role) {
- if(true)
- throw new UnsupportedOperationException();
-
- Name dn = buildRoleDn(role);
- DirContextAdapter context = new DirContextAdapter();
- context.setAttributeValues("objectClass", new String[] { "top",
- "groupOfUniqueNames" });
- context.setAttributeValue("cn", role);
- ldapTemplate.bind(dn, context, null);
- }
-
- protected Name buildRoleDn(String name) {
- return new DistinguishedName("cn=" + name + ","
- + authoritiesPopulator.getGroupSearchBase());
- }
-
-
- public void setUserDetailsManager(UserDetailsManager userDetailsManager) {
- this.userDetailsManager = userDetailsManager;
- }
-
- public void setUserBase(String userBase) {
- this.userBase = userBase;
- }
-
- public void setUsernameAttribute(String usernameAttribute) {
- this.usernameAttribute = usernameAttribute;
- }
-
- public void setAuthoritiesPopulator(
- ArgeoLdapAuthoritiesPopulator authoritiesPopulator) {
- this.authoritiesPopulator = authoritiesPopulator;
- }
-}
@ModelAttribute(ANSWER_MODEL_KEY)
public ServerAnswer deleteRole(@RequestParam("role") String role) {
securityService.getSecurityDao().deleteRole(role);
- return ServerAnswer.ok("Role " + role + " created");
+ return ServerAnswer.ok("Role " + role + " deleted");
+ }
+
+ @RequestMapping("/updateUserPassword.security")
+ @ModelAttribute(ANSWER_MODEL_KEY)
+ public ServerAnswer updateUserPassword(
+ @RequestParam("username") String username,
+ @RequestParam("password") String password) {
+ securityService.updateUserPassword(username, password);
+ return ServerAnswer.ok("Password updated for user " + username);
+ }
+
+ @RequestMapping("/updatePassword.security")
+ @ModelAttribute(ANSWER_MODEL_KEY)
+ public ServerAnswer updatePassword(
+ @RequestParam("password") String password,
+ @RequestParam("oldPassword") String oldPassword) {
+ securityService.getSecurityDao().updatePassword(oldPassword, password);
+ return ServerAnswer.ok("Password updated");
}
protected void cleanUserBeforeCreate(ArgeoUser user) {
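Review bot: The `updatePassword` handler on lines 488-492 binds `@RequestParam("oldPassword")`, while the documentation hunk earlier in this commit lists the parameter as `oldpassword` (line 49); one of the two should change, otherwise clients following the docs get a missing-parameter error. Both new handlers also use `@RequestMapping` without a method restriction, so passwords can be submitted in the query string of a GET and end up in access logs and browser history; restricting them is a one-line change per handler, e.g. `@RequestMapping(value = "/updatePassword.security", method = RequestMethod.POST)` (with the matching import). As in the service hunk, no authorization check is visible for `updateUserPassword` despite the "ADMIN only" note in the docs, so that presumably relies on security configuration outside this diff. The enclosing controller class starts before and continues after this hunk.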