@Override
public String toString() {
- return name.toString() + ", implied by " + causes;
+ return name.toString() + " implied by " + causes;
}
}
import java.nio.charset.Charset;
import java.security.Principal;
import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.argeo.cms.CmsException;
import org.argeo.cms.KernelHeader;
import org.argeo.cms.internal.kernel.Activator;
private CallbackHandler callbackHandler;
private boolean isAnonymous = false;
- private final static LdapName ROLE_USER_NAME, ROLE_ANONYMOUS_NAME;
+ private final static LdapName ROLE_ADMIN_NAME, ROLE_USER_NAME,
+ ROLE_ANONYMOUS_NAME;
+ private final static List<LdapName> RESERVED_ROLES;
private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
static {
try {
+ ROLE_ADMIN_NAME = new LdapName(KernelHeader.ROLE_ADMIN);
ROLE_USER_NAME = new LdapName(KernelHeader.ROLE_USER);
ROLE_ANONYMOUS_NAME = new LdapName(KernelHeader.ROLE_ANONYMOUS);
+ RESERVED_ROLES = Collections.unmodifiableList(Arrays
+ .asList(new LdapName[] { ROLE_ANONYMOUS_NAME,
+ ROLE_USER_NAME, ROLE_ADMIN_NAME,
+ new LdapName(KernelHeader.ROLE_GROUP_ADMIN),
+ new LdapName(KernelHeader.ROLE_USER_ADMIN) }));
ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(
ROLE_ANONYMOUS_NAME.toString());
} catch (InvalidNameException e) {
try {
String authName = authorization.getName();
- // determine user'S principal
+ // determine user's principal
final LdapName name;
final Principal userPrincipal;
if (authName == null) {
name = ROLE_ANONYMOUS_NAME;
userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
principals.add(userPrincipal);
+ principals.add(new AnonymousPrincipal());
} else {
name = new LdapName(authName);
+ checkUserName(name);
userPrincipal = new X500Principal(name.toString());
principals.add(userPrincipal);
principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
// Add roles provided by authorization
for (String role : authorization.getRoles()) {
LdapName roleName = new LdapName(role);
- if (ROLE_USER_NAME.equals(roleName))
- throw new CmsException(ROLE_USER_NAME
- + " cannot be listed as role");
- if (ROLE_ANONYMOUS_NAME.equals(roleName))
- throw new CmsException(ROLE_ANONYMOUS_NAME
- + " cannot be listed as role");
if (roleName.equals(name)) {
// skip
} else {
+ checkImpliedPrincipalName(roleName);
principals.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal));
+ if (roleName.equals(ROLE_ADMIN_NAME))
+ principals.add(new AdminPrincipal(
+ SecurityConstants.ADMIN_ID));
}
}
subject = null;
authorization = null;
}
+
+ private void checkUserName(LdapName name) {
+ if (RESERVED_ROLES.contains(name))
+ throw new CmsException(name + " is a reserved name");
+ }
+
+ private void checkImpliedPrincipalName(LdapName roleName) {
+ if (ROLE_USER_NAME.equals(roleName)
+ || ROLE_ANONYMOUS_NAME.equals(roleName))
+ throw new CmsException(roleName + " cannot be listed as role");
+ }
}
import java.util.UUID;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.argeo.security.SystemAuthentication;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
* access to kernel information for the rest of the bundle (and only it)
*/
public class Activator implements BundleActivator {
+ private final Log log = LogFactory.getLog(Activator.class);
+
private final static String systemKey;
static {
systemKey = UUID.randomUUID().toString();
assert bundleContext == null;
assert kernel == null;
bundleContext = context;
- kernel = new Kernel();
- kernel.init();
+ try {
+ kernel = new Kernel();
+ kernel.init();
+ } catch (Exception e) {
+ log.error("Cannot boot kernel", e);
+ }
}
@Override
import java.lang.management.ManagementFactory;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Repository;
import javax.jcr.RepositoryFactory;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.util.TransientFileFactory;
import org.argeo.ArgeoException;
import org.argeo.cms.CmsException;
+import org.argeo.cms.KernelHeader;
import org.argeo.jackrabbit.OsgiJackrabbitRepositoryFactory;
import org.argeo.jcr.ArgeoJcrConstants;
import org.argeo.security.core.InternalAuthentication;
NodeHttp nodeHttp;
private KernelThread kernelThread;
- void init() {
+ private final Subject kernelSubject = new Subject();
+
+ public Kernel() {
URL url = getClass().getClassLoader().getResource(
KernelConstants.JAAS_CONFIG);
System.setProperty("java.security.auth.login.config",
url.toExternalForm());
+ try {
+ LoginContext kernelLc = new LoginContext(
+ KernelHeader.LOGIN_CONTEXT_SYSTEM, kernelSubject);
+ kernelLc.login();
+ } catch (LoginException e) {
+ throw new CmsException("Cannot log in kernel", e);
+ }
+ }
+
+ final void init() {
+ Subject.doAs(kernelSubject, new PrivilegedAction<Void>() {
+
+ @Override
+ public Void run() {
+ doInit();
+ return null;
+ }
+
+ });
+ }
+ private void doInit() {
ClassLoader currentContextCl = Thread.currentThread()
.getContextClassLoader();
Thread.currentThread().setContextClassLoader(
// Clean hanging threads from Jackrabbit
TransientFileFactory.shutdown();
+ try {
+ LoginContext kernelLc = new LoginContext(
+ KernelHeader.LOGIN_CONTEXT_SYSTEM, kernelSubject);
+ kernelLc.logout();
+ } catch (LoginException e) {
+ throw new CmsException("Cannot log in kernel", e);
+ }
+
long duration = System.currentTimeMillis() - begin;
log.info("## ARGEO CMS DOWN in " + (duration / 1000) + "."
+ (duration % 1000) + "s ##");
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
+// throw new UnsupportedOperationException(
+// "Authentication manager is deprectaed and should not be used.");
Authentication auth = null;
if (authentication instanceof InternalAuthentication)
auth = internalAuth.authenticate(authentication);
};
SYSTEM {
- org.argeo.cms.internal.auth.SystemLoginModule requisite;
- org.springframework.security.authentication.jaas.SecurityContextLoginModule requisite;
- org.argeo.security.jackrabbit.SystemJackrabbitLoginModule requisite;
+ org.argeo.security.core.SystemLoginModule requisite;
};
OLD_SYSTEM {
--- /dev/null
+package org.argeo.security;
+
+import java.security.Principal;
+
+public final class SystemAuth implements Principal {
+ private final String name = "init";
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public int hashCode() {
+ return name.hashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ return this == obj;
+ }
+
+ @Override
+ public String toString() {
+ return name.toString();
+ }
+
+}
*/
package org.argeo.security.core;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.ArgeoException;
-import org.argeo.security.SystemAuthentication;
import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
/** Provides base method for executing code with system authorization. */
public abstract class AbstractSystemExecution {
- static {
- // Forces Spring Security to use inheritable strategy
- // FIXME find a better place for forcing spring security mode
- // doesn't work for the time being
- // if (System.getProperty(SecurityContextHolder.SYSTEM_PROPERTY) ==
- // null)
- // SecurityContextHolder
- // .setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
- }
-
private final static Log log = LogFactory
.getLog(AbstractSystemExecution.class);
- private AuthenticationManager authenticationManager;
- private String systemAuthenticationKey;
+ // private AuthenticationManager authenticationManager;
+ private final Subject subject = new Subject();
+ // private String systemAuthenticationKey;
+
+ private final String loginModule = "SYSTEM";
/** Whether the current thread was authenticated by this component. */
- private ThreadLocal<Boolean> authenticatedBySelf = new ThreadLocal<Boolean>() {
- protected Boolean initialValue() {
- return false;
- }
- };
+ // private ThreadLocal<Boolean> authenticatedBySelf = new
+ // ThreadLocal<Boolean>() {
+ // protected Boolean initialValue() {
+ // return false;
+ // }
+ // };
/**
* Authenticate the calling thread to the underlying
* {@link AuthenticationManager}
*/
protected void authenticateAsSystem() {
- if (authenticatedBySelf.get())
- return;
- SecurityContext securityContext = SecurityContextHolder.getContext();
- Authentication currentAuth = securityContext.getAuthentication();
- if (currentAuth != null) {
- if (!(currentAuth instanceof SystemAuthentication))
- throw new ArgeoException(
- "System execution on an already authenticated thread: "
- + currentAuth + ", THREAD="
- + Thread.currentThread().getId());
- return;
+ try {
+ LoginContext lc = new LoginContext(loginModule, subject);
+ lc.login();
+ } catch (LoginException e) {
+ throw new ArgeoException("Cannot login as system", e);
}
- // Subject subject = Subject.getSubject(AccessController.getContext());
- // if (subject != null
- // && !subject.getPrincipals(Authentication.class).isEmpty())
+ // if (authenticatedBySelf.get())
+ // return;
+ // SecurityContext securityContext = SecurityContextHolder.getContext();
+ // Authentication currentAuth = securityContext.getAuthentication();
+ // if (currentAuth != null) {
+ // if (!(currentAuth instanceof SystemAuthentication))
// throw new ArgeoException(
- // "There is already an authenticated subject: " + subject);
-
- String key = systemAuthenticationKey != null ? systemAuthenticationKey
- : System.getProperty(
- SystemAuthentication.SYSTEM_KEY_PROPERTY,
- InternalAuthentication.SYSTEM_KEY_DEFAULT);
- if (key == null)
- throw new ArgeoException("No system key defined");
- if (authenticationManager == null)
- throw new ArgeoException("Authentication manager cannot be null.");
- Authentication auth = authenticationManager
- .authenticate(new InternalAuthentication(key));
- securityContext.setAuthentication(auth);
-
- authenticatedBySelf.set(true);
+ // "System execution on an already authenticated thread: "
+ // + currentAuth + ", THREAD="
+ // + Thread.currentThread().getId());
+ // return;
+ // }
+ //
+ // String key = systemAuthenticationKey != null ?
+ // systemAuthenticationKey
+ // : System.getProperty(
+ // SystemAuthentication.SYSTEM_KEY_PROPERTY,
+ // InternalAuthentication.SYSTEM_KEY_DEFAULT);
+ // if (key == null)
+ // throw new ArgeoException("No system key defined");
+ // if (authenticationManager == null)
+ // throw new ArgeoException("Authentication manager cannot be null.");
+ // Authentication auth = authenticationManager
+ // .authenticate(new InternalAuthentication(key));
+ // securityContext.setAuthentication(auth);
+ //
+ // authenticatedBySelf.set(true);
if (log.isTraceEnabled())
log.trace("System authenticated");
}
- // /** Removes the authentication from the calling thread. */
- // protected void deauthenticateAsSystem() {
- // // remove the authentication
- // // SecurityContext securityContext = SecurityContextHolder.getContext();
- // // securityContext.setAuthentication(null);
- // // authenticatedBySelf.set(false);
- // if (log.isTraceEnabled()) {
- // log.trace("System deauthenticated");
- // // Thread.dumpStack();
- // }
- // }
+ protected void deauthenticateAsSystem() {
+ try {
+ LoginContext lc = new LoginContext(loginModule, subject);
+ lc.logout();
+ } catch (LoginException e) {
+ throw new ArgeoException("Cannot logout as system", e);
+ }
+ }
- /**
- * Whether the current thread was authenticated by this component or a
- * parent thread.
- */
- protected Boolean isAuthenticatedBySelf() {
- return authenticatedBySelf.get();
+ protected Subject getSubject() {
+ return subject;
}
+ // /**
+ // * Whether the current thread was authenticated by this component or a
+ // * parent thread.
+ // */
+ // protected Boolean isAuthenticatedBySelf() {
+ // return authenticatedBySelf.get();
+ // }
+ //
public void setAuthenticationManager(
AuthenticationManager authenticationManager) {
- this.authenticationManager = authenticationManager;
+ log.warn("Use of authenticationManager is deprecated, remove this property from the configuration.");
}
public void setSystemAuthenticationKey(String systemAuthenticationKey) {
- this.systemAuthenticationKey = systemAuthenticationKey;
+ log.warn("Use of systemAuthenticationKey is deprecated, remove this property from the configuration.");
+ // this.systemAuthenticationKey = systemAuthenticationKey;
}
}
package org.argeo.security.core;
import java.beans.PropertyDescriptor;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.List;
+import javax.security.auth.Subject;
+
+import org.eclipse.gemini.blueprint.context.DependencyInitializationAwareBeanPostProcessor;
import org.springframework.beans.BeansException;
import org.springframework.beans.PropertyValues;
-import org.springframework.beans.factory.config.InstantiationAwareBeanPostProcessor;
+import org.springframework.beans.factory.support.AbstractBeanFactory;
+import org.springframework.beans.factory.support.SecurityContextProvider;
+import org.springframework.beans.factory.support.SimpleSecurityContextProvider;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
* methods of the application context where it has been defined.
*/
public class AuthenticatedApplicationContextInitialization extends
- AbstractSystemExecution implements InstantiationAwareBeanPostProcessor,
- ApplicationListener<ApplicationEvent> {
+ AbstractSystemExecution implements DependencyInitializationAwareBeanPostProcessor,
+ ApplicationListener<ApplicationEvent>, ApplicationContextAware {
// private Log log = LogFactory
// .getLog(AuthenticatedApplicationContextInitialization.class);
/** If non empty, restricts to these beans */
private List<String> beanNames = new ArrayList<String>();
- @SuppressWarnings("rawtypes")
- public Object postProcessBeforeInstantiation(Class beanClass,
- String beanName) throws BeansException {
- // we authenticate when any bean is instantiated
- // we will deauthenticate only when the application context has been
- // refreshed in order to be able to deal with factory beans has well
- if (!isAuthenticatedBySelf()) {
- if (beanNames.size() == 0)
- authenticateAsSystem();
- else if (beanNames.contains(beanName))
- authenticateAsSystem();
- }
- return null;
- }
-
- public boolean postProcessAfterInstantiation(Object bean, String beanName)
- throws BeansException {
- return true;
- }
-
- public PropertyValues postProcessPropertyValues(PropertyValues pvs,
- PropertyDescriptor[] pds, Object bean, String beanName)
- throws BeansException {
- return pvs;
- }
+// @SuppressWarnings("rawtypes")
+// public Object postProcessBeforeInstantiation(Class beanClass,
+// String beanName) throws BeansException {
+// // we authenticate when any bean is instantiated
+// // we will deauthenticate only when the application context has been
+// // refreshed in order to be able to deal with factory beans has well
+// // if (!isAuthenticatedBySelf()) {
+// // if (beanNames.size() == 0)
+// // authenticateAsSystem();
+// // else if (beanNames.contains(beanName))
+// // authenticateAsSystem();
+// // }
+// return null;
+// }
+//
+// public boolean postProcessAfterInstantiation(Object bean, String beanName)
+// throws BeansException {
+// return true;
+// }
+//
+// public PropertyValues postProcessPropertyValues(PropertyValues pvs,
+// PropertyDescriptor[] pds, Object bean, String beanName)
+// throws BeansException {
+// return pvs;
+// }
public Object postProcessBeforeInitialization(Object bean, String beanName)
throws BeansException {
+ if (beanNames.size() == 0 || beanNames.contains(beanName))
+ authenticateAsSystem();
+ // try {
+ // if (beanNames.size() == 0 || beanNames.contains(beanName)) {
+ // LoginContext lc = new LoginContext("INIT", subject);
+ // lc.login();
+ // }
+ // } catch (LoginException e) {
+ // throw new ArgeoException("Cannot login as initialization", e);
+ // }
return bean;
}
// we expect the underlying thread to die and thus the system
// authentication to be lost. We have currently no way to catch the
// exception and perform the deauthentication by ourselves.
- // deauthenticateAsSystem();
+ if (beanNames.size() == 0 || beanNames.contains(beanName))
+ deauthenticateAsSystem();
+ // try {
+ // if (beanNames.size() == 0 || beanNames.contains(beanName)) {
+ // LoginContext lc = new LoginContext("INIT", subject);
+ // lc.logout();
+ // }
+ // } catch (LoginException e) {
+ // // TODO Auto-generated catch block
+ // e.printStackTrace();
+ // }
return bean;
}
this.beanNames = beanNames;
}
+ @Override
+ public void setApplicationContext(ApplicationContext applicationContext)
+ throws BeansException {
+ if (applicationContext.getAutowireCapableBeanFactory() instanceof AbstractBeanFactory) {
+ final AbstractBeanFactory beanFactory = ((AbstractBeanFactory) applicationContext
+ .getAutowireCapableBeanFactory());
+ // retrieve subject's access control context
+ // and set it as the bean factory security context
+ Subject.doAs(getSubject(), new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ SecurityContextProvider scp = new SimpleSecurityContextProvider(
+ AccessController.getContext());
+ beanFactory.setSecurityContextProvider(scp);
+ return null;
+ }
+ });
+ }
+ }
}
--- /dev/null
+package org.argeo.security.core;
+
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+import org.argeo.security.SystemAuth;
+
+public class SystemLoginModule implements LoginModule {
+ private Subject subject;
+
+ @Override
+ public void initialize(Subject subject, CallbackHandler callbackHandler,
+ Map<String, ?> sharedState, Map<String, ?> options) {
+ this.subject = subject;
+ }
+
+ @Override
+ public boolean login() throws LoginException {
+ // TODO check permission?
+ return true;
+ }
+
+ @Override
+ public boolean commit() throws LoginException {
+ subject.getPrincipals().add(new SystemAuth());
+ return true;
+ }
+
+ @Override
+ public boolean abort() throws LoginException {
+ return true;
+ }
+
+ @Override
+ public boolean logout() throws LoginException {
+ // remove ALL credentials (e.g. additional Jackrabbit credentials)
+ subject.getPrincipals().clear();
+ return true;
+ }
+
+}
package org.argeo.security.jackrabbit;
import java.net.URL;
+import java.security.PrivilegedExceptionAction;
import javax.jcr.Repository;
import javax.jcr.Session;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
private final Log log = LogFactory.getLog(JackrabbitAuthTest.class);
public void testLogin() throws Exception {
- // Subject subject = new Subject();
- // LoginContext loginContext = new LoginContext("UNIX",subject);
- // loginContext.login();
-
- Repository repository = getRepository();
- Session session = repository.login();
- log.debug(session.getUserID());
+ Subject subject = new Subject();
+ LoginContext loginContext = new LoginContext("SYSTEM", subject);
+ loginContext.login();
+ Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
+
+ @Override
+ public Void run() throws Exception {
+ Repository repository = getRepository();
+ Session session = repository.login();
+ log.debug(session.getUserID());
+ return null;
+ }
+ });
}
@Override
+SYSTEM {
+ org.argeo.security.core.SystemLoginModule requisite;
+};
+
Jackrabbit {
org.argeo.security.jackrabbit.SystemJackrabbitLoginModule requisite;
};
package org.argeo.security.jackrabbit;
-import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
+import org.argeo.security.SystemAuth;
public class SystemJackrabbitLoginModule implements LoginModule {
@Override
public boolean commit() throws LoginException {
- Set<Principal> principals = subject.getPrincipals();
- if (principals.isEmpty()) {// system
- subject.getPrincipals().add(new AdminPrincipal("admin"));
+ Set<SystemAuth> initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals().add(
+ new AdminPrincipal(SecurityConstants.ADMIN_ID));
return true;
}
- boolean isAdmin = false;
- boolean isAnonymous = false;
- // FIXME make it more generic
- for (Principal principal : principals) {
- if (principal.getName().equalsIgnoreCase(
- "cn=admin,ou=roles,ou=node"))
- isAdmin = true;
- else if (principal.getName().equalsIgnoreCase(
- "cn=anonymous,ou=roles,ou=node"))
- isAnonymous = true;
- }
- if (isAnonymous && isAdmin)
- throw new LoginException("Cannot be admin and anonymous");
+ Set<X500Principal> userPrincipal = subject
+ .getPrincipals(X500Principal.class);
+ if (userPrincipal.isEmpty())
+ throw new LoginException("Subject must be pre-authenticated");
+ if (userPrincipal.size() > 1)
+ throw new LoginException("Multiple user principals "
+ + userPrincipal);
- // Add special Jackrabbit roles
- if (isAdmin)
- principals.add(new AdminPrincipal("admin"));
- if (isAnonymous)// anonymous
- principals.add(new AnonymousPrincipal());
return true;
+
+ // Set<Principal> principals = subject.getPrincipals();
+ // if (principals.isEmpty()) {// system
+ // throw new LoginException("Subject must be pre-authenticated");
+ // // subject.getPrincipals().add(new AdminPrincipal("admin"));
+ // // return true;
+ // }
+ // boolean isAdmin = false;
+ // boolean isAnonymous = false;
+ // // FIXME make it more generic
+ // for (Principal principal : principals) {
+ // if (principal.getName().equalsIgnoreCase(
+ // "cn=admin,ou=roles,ou=node"))
+ // isAdmin = true;
+ // else if (principal.getName().equalsIgnoreCase(
+ // "cn=anonymous,ou=roles,ou=node"))
+ // isAnonymous = true;
+ // }
+ //
+ // if (isAnonymous && isAdmin)
+ // throw new LoginException("Cannot be admin and anonymous");
+ //
+ // // Add special Jackrabbit roles
+ // if (isAdmin)
+ // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
+ // if (isAnonymous)// anonymous
+ // principals.add(new AnonymousPrincipal());
+ // return true;
}
@Override
@Override
public boolean logout() throws LoginException {
- subject.getPrincipals().removeAll(
- subject.getPrincipals(AdminPrincipal.class));
+ Set<SystemAuth> initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals(AdminPrincipal.class);
+ return true;
+ }
+ // subject.getPrincipals().removeAll(
+ // subject.getPrincipals(AdminPrincipal.class));
return true;
}
-
}