All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.glassfish.security.common.FileRealmHelper Maven / Gradle / Ivy

There is a newer version: 8.0.0-JDK17-M7
Show newest version
/*
 * Copyright (c) 2022 Contributors to the Eclipse Foundation
 * Copyright (c) 2011, 2018 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0, which is available at
 * http://www.eclipse.org/legal/epl-2.0.
 *
 * This Source Code may also be made available under the following Secondary
 * Licenses when the conditions for such availability set forth in the
 * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
 * version 2 with the GNU Classpath Exception, which is available at
 * https://www.gnu.org/software/classpath/license.html.
 *
 * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
 */

package org.glassfish.security.common;

import com.sun.enterprise.util.Utility;
import com.sun.enterprise.util.i18n.StringManager;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;


/**
 * Helper class for implementing file password authentication.
 *
 * 

This class provides administration methods for the file realm. It is * used by the FileRealm class to provide the FileRealm functionality. But * some administration classes that need direct access to the File without * using the security module use this class directly. * *

Format of the keyfile used by this class is one line per user * containing username;password;groups where: *

    *
  • username - Name string. *
  • password - A salted SHA hash (SSHA) of the user password or "RESET" *
  • groups - A comma separated list of group memberships. *
*

If the password is "RESET", then the password must be reset before * that user can authenticate. * *

The file realm needs the following properties in its configuration: *

    *
  • file - Full path to the keyfile to load *
  • jaas-ctx - JAAS context name used to access LoginModule for * authentication. *
* * @author Tom Mueller */ public final class FileRealmHelper { // These are property names which should be in auth-realm in server.xml public static final String PARAM_KEYFILE="file"; // Separators in keyfile (user;pwd-info;group[,group]*) private static final String FIELD_SEP=";"; private static final String GROUP_SEP=","; private static final String COMMENT="#"; // Valid non-alphanumeric/whitespace chars in user/group name public static final String MISC_VALID_CHARS="_-."; // Number of bytes of salt for SSHA private static final int SALT_SIZE=8; // Contains cache of keyfile data private final HashMap userTable = new HashMap<>(); // user=>FileRealmUser private final HashMap groupSizeMap = new HashMap<>(); // maps of groups with value cardinality of group private final File keyfile; private static final String SSHA_TAG = "{SSHA}"; private static final String algoSHA = "SHA"; private static final String algoSHA256 = "SHA-256"; private static final String resetKey = "RESET"; private static final StringManager sm = StringManager.getManager(FileRealmHelper.class); /** * Constructor. * *

The created FileRealmHelper instance is not registered in the * Realm registry. This constructor can be used by admin tools * to create a FileRealmHelper instance which can be edited by adding or * removing users and then saved to disk, without affecting the * installed realm instance. * *

The file provided should always exist. A default (empty) keyfile * is installed with the server so this should always be the case * unless the user has manually deleted this file. If this file * path provided does not point to an existing file this constructor * will first attempt to create it. If this succeeds the constructor * returns normally and an empty keyfile will have been created; otherwise * an exception is thrown. * * @param keyfile Full path to the keyfile to read for user data. * @exception IOException If the configuration parameters * identify a corrupt keyfile */ public FileRealmHelper(String keyfileName) throws IOException { keyfile = new File(keyfileName); // if not existent, try to create if (!keyfile.exists()) { if (keyfile.createNewFile() == false) { throw new IOException(sm.getString("filerealm.badwrite", keyfileName)); } } loadKeyFile(); } /** * Returns names of all the users in this particular realm. * * @return enumeration of user names (strings) */ public Set getUserNames() { return userTable.keySet(); } /** * Returns the information recorded about a particular named user. * * @param name Name of the user whose information is desired. * @return The user object, or null if the user doesn't exist. */ public FileRealmHelper.User getUser(String name) { return userTable.get(name); } /** * Returns names of all the groups in this particular realm. * Note that this will not return assign-groups. * * @return enumeration of group names (strings) */ public Set getGroupNames() { return groupSizeMap.keySet(); } /** * Returns the name of all the groups that this user belongs to. * @param username Name of the user in this realm whose group listing * is needed. * @return Array of group names (strings) or null if the user does * not exist. */ public String[] getGroupNames(String username) { User ud = userTable.get(username); if (ud == null) { return null; } return ud.getGroups(); } /** * Authenticates a user. * *

This method is invoked by the FileLoginModule in order to * authenticate a user in the file realm. The authentication decision * is kept within the realm class implementation in order to keep * the password cache in a single location with no public accessors, * to simplify future improvements. * * @param user Name of user to authenticate. * @param password Password provided by client. * @returns Array of group names the user belongs to, or null if * authentication fails. */ public String[] authenticate(String user, char[] password) { User ud = userTable.get(user); if (ud == null) { return null; } if (resetKey.equals(ud.getAlgo())) { return null; } boolean ok = false; try { ok = SSHA.verify(ud.getSalt(), ud.getHash(), Utility.convertCharArrayToByteArray(password, Charset.defaultCharset().displayName()), ud.getAlgo()); } catch (Exception e) { return null; } if (!ok) { return null; } return ud.getGroups(); } /* * Test whether their is a user in the FileRealm that has a password that * has been set, i.e., something other than the resetKey. */ public boolean hasAuthenticatableUser() { for (User ud : userTable.values()) { if (!resetKey.equals(ud.getAlgo())) { return true; } } return false; } //--------------------------------------------------------------------- // File realm maintenance methods for admin. /** * Return false if any char of the string is not alphanumeric or space * or other permitted character. * For a username it will allow an @ symbol. To allow for the case of type * [email protected]. It will not allow the same symbol for a group name * @param String the name to be validated * @param boolean true if the string is a username, false if it is * a group name * */ private static boolean isValid(String s, boolean userName) { for (int i=0; iThis method throws an exception if the provided value is not * valid. The message of the exception provides a reason why it is * not valid. This is used internally by add/modify User to * validate the client-provided values. It is not necessary for * the client to call these methods first. However, these are * provided as public methods for convenience in case some client * (e.g. GUI client) wants to provide independent field validation * prior to calling add/modify user. * * @param name User name to validate. * @throws IllegalArgumentException Thrown if the value is not valid. * */ public static void validateUserName(String name) throws IllegalArgumentException { if (name == null || name.length() == 0) { String msg = sm.getString("filerealm.noname"); throw new IllegalArgumentException(msg); } if (!isValid(name, true)) { String msg = sm.getString("filerealm.badname", name); throw new IllegalArgumentException(msg); } if (!name.equals(name.trim())) { String msg = sm.getString("filerealm.badspaces", name); throw new IllegalArgumentException(msg); } } /** * Validates syntax of a password. * *

This method throws an exception if the provided value is not * valid. The message of the exception provides a reason why it is * not valid. This is used internally by add/modify User to * validate the client-provided values. It is not necessary for * the client to call these methods first. However, these are * provided as public methods for convenience in case some client * (e.g. GUI client) wants to provide independent field validation * prior to calling add/modify user. * * @param pwd Password to validate. * @throws IllegalArgumentException Thrown if the value is not valid. * */ public static void validatePassword(char[] pwd) throws IllegalArgumentException { if (Arrays.equals(null, pwd)) { String msg = sm.getString("filerealm.emptypwd"); throw new IllegalArgumentException(msg); } for(char c:pwd) { if (Character.isSpaceChar(c)) { String msg = sm.getString("filerealm.badspacespwd"); throw new IllegalArgumentException(msg); } } } /** * Validates syntax of a group name. * *

This method throws an exception if the provided value is not * valid. The message of the exception provides a reason why it is * not valid. This is used internally by add/modify User to * validate the client-provided values. It is not necessary for * the client to call these methods first. However, these are * provided as public methods for convenience in case some client * (e.g. GUI client) wants to provide independent field validation * prior to calling add/modify user. * * @param group Group name to validate. * @throws IllegalArgumentException Thrown if the value is not valid. * */ public static void validateGroupName(String group) throws IllegalArgumentException { if (group == null || group.length() == 0) { String msg = sm.getString("filerealm.nogroup"); throw new IllegalArgumentException(msg); } if (!isValid(group, false)) { String msg = sm.getString("filerealm.badchars", group); throw new IllegalArgumentException(msg); } if (!group.equals(group.trim())) { String msg = sm.getString("filerealm.badspaces", group); throw new IllegalArgumentException(msg); } } /** * Validates syntax of a list of group names. * *

This is equivalent to calling validateGroupName on every element * of the groupList. * * @param groupList Array of group names to validate. * @throws IASSecurityException Thrown if the value is not valid. * * */ public static void validateGroupList(String[] groupList) throws IllegalArgumentException { if (groupList == null || groupList.length == 0) { return; // empty list is ok } for (String element : groupList) { validateGroupName(element); } } /** * Adds new user to file realm. User cannot exist already. * * @param name User name. * @param password Cleartext password for the user. * @param groupList List of groups to which user belongs. * @throws IllegalArgumentException If there are problems adding user. * */ public synchronized void addUser(String name, char[] password, String[] groupList) throws IllegalArgumentException { validateUserName(name); validatePassword(password); validateGroupList(groupList); if (userTable.containsKey(name)) { String msg = sm.getString("filerealm.dupuser", name); throw new IllegalArgumentException(msg); } addGroupNames(groupList); User ud = createNewUser(name, password, groupList); userTable.put(name, ud); } /** * Remove user from file realm. User must exist. * * @param name User name. * @throws IllegalArgumentException If user does not exist. * */ public synchronized void removeUser(String name) throws IllegalArgumentException { if (!userTable.containsKey(name)) { String msg = sm.getString("filerealm.nouser", name); throw new IllegalArgumentException(msg); } User oldUser = userTable.get(name); userTable.remove(name); reduceGroups(oldUser.getGroups()); } /** * Update data for an existing user. User must exist. * * @param name Current name of the user to update. * @param newName New name to give this user. It can be the same as * the original name. Otherwise it must be a new user name which * does not already exist as a user. * @param password Cleartext password for the user. If non-null the user * password is changed to this value. If null, the original password * is retained. * @param groupList List of groups to which user belongs. * @throws IllegalArgumentException If there are problems adding user. */ public synchronized void updateUser(String name, String newName, char[] password, String[] groups) throws IllegalArgumentException { // user to modify must exist first validateUserName(name); if (!userTable.containsKey(name)) { String msg = sm.getString("filerealm.nouser", name); throw new IllegalArgumentException(msg); } // do general validation validateUserName(newName); validateGroupList(groups); if (password != null) { // null here means re-use previous so is ok validatePassword(password); } // can't duplicate unless modifying itself if (!name.equals(newName) && userTable.containsKey(newName)) { String msg = sm.getString("filerealm.dupuser", name); throw new IllegalArgumentException(msg); } User oldUser = userTable.get(name); assert (oldUser != null); // create user using new name User newUser = new User(newName); // set groups as provided by parameter // use old groups if no new groups given if (groups != null) { changeGroups(oldUser.getGroups(), groups); newUser.setGroups(groups); } else { newUser.setGroups(oldUser.getGroups()); } // use old password if no new pwd given if (password==null) { newUser.setSalt(oldUser.getSalt()); newUser.setHash(oldUser.getHash()); //If the original algo was RESET, change it to //the default - SHA-256 if(oldUser.getAlgo().equals(resetKey)) { newUser.setAlgo(algoSHA256); } else { newUser.setAlgo(oldUser.getAlgo()); } } else { setPassword(newUser, password); //ALways update passwords with SHA-256 algo newUser.setAlgo(algoSHA256); } userTable.remove(name); userTable.put(newName, newUser); } /** * Write keyfile data out to disk. The file generation is sychronized * within this class only, caller is responsible for any other * file locking or revision management as deemed necessary. * @throws IOException if there is a failure */ public void persist() throws IOException { synchronized (FileRealmHelper.class) { FileOutputStream out = null; try { out = new FileOutputStream(keyfile); for (Map.Entry uval : userTable.entrySet()) { String algo = uval.getValue().getAlgo(); String entry = encodeUser(uval.getKey(), uval.getValue(),algo); out.write(entry.getBytes()); } } catch (IOException e) { throw e; } catch (Exception e) { String msg = sm.getString("filerealm.badwrite", e.toString()); throw new IOException(msg); } finally { if (out != null) { out.close(); } } } } //--------------------------------------------------------------------- // Private methods. /** * Add group names to the groups table. It is assumed all entries are * valid group names. * */ private void addGroupNames(String[] groupList) { if (groupList != null) { for (String element : groupList) { Integer groupSize = groupSizeMap.get(element); groupSizeMap.put(element,Integer.valueOf((groupSize != null) ? (groupSize.intValue() + 1): 1)); } } } /** * This method reduces the group size by 1 and remove group name from * internal group list if resulting group size is 0. */ private void reduceGroups(String[] groupList) { if (groupList != null) { for (String element : groupList) { Integer groupSize = groupSizeMap.get(element); if (groupSize != null) { int gpSize = groupSize.intValue() - 1; if (gpSize > 0) { groupSizeMap.put(element, Integer.valueOf(gpSize)); } else { groupSizeMap.remove(element); } } } } } /** * This method update the internal group list. */ private void changeGroups(String[] oldGroupList, String[] newGroupList) { addGroupNames(newGroupList); reduceGroups(oldGroupList); } /** * Load keyfile from config and populate internal cache. * */ private void loadKeyFile() throws IOException { BufferedReader input = null; try { input = new BufferedReader(new FileReader(keyfile)); while (input.ready()) { String line = input.readLine(); if (line != null && !line.startsWith(COMMENT) && line.indexOf(FIELD_SEP) >= 0) { User ud = decodeUser(line, groupSizeMap); userTable.put(ud.getName(), ud); } } } catch (Exception e) { throw new IOException(e.toString()); } finally { if (input != null) { try { input.close(); } catch(Exception ex) { } } } } /** * Encodes one user entry containing info stored in FileRealmUser object. * * @param name User name. * @param ud User object containing info. * @returns String containing a line with encoded user data. * @throws IASSecurityException Thrown on failure. * */ private static String encodeUser(String name, User ud, String algo) { StringBuilder sb = new StringBuilder(); sb.append(name); sb.append(FIELD_SEP); if (resetKey.equals(algo)) { sb.append(resetKey); } else { String ssha = SSHA.encode(ud.getSalt(), ud.getHash(), algo); sb.append(ssha); } sb.append(FIELD_SEP); String[] groups = ud.getGroups(); if (groups != null) { for (int grp = 0; grp < groups.length; grp++) { if (grp > 0) { sb.append(GROUP_SEP); } sb.append(groups[grp]); } } sb.append("\n"); return sb.toString(); } /** * Decodes a line from the keyfile. * * @param encodedLine A line from the keyfile containing user data. * @param newGroupSizeMap Groups found in the encodedLine are added to * this map. * @returns FileRealmUser Representing the loaded user. * @throws IllegalArgumentException Thrown on failure. * */ private static User decodeUser(String encodedLine, Map newGroupSizeMap) throws IllegalArgumentException { StringTokenizer st = new StringTokenizer(encodedLine, FIELD_SEP); String algo = algoSHA256; String user = null; String pwdInfo = null; String groupList = null; try { // these must be present user = st.nextToken(); pwdInfo = st.nextToken(); } catch (Exception e) { String msg = sm.getString("filerealm.syntaxerror", encodedLine); throw new IllegalArgumentException(msg); } if (st.hasMoreTokens()) { // groups are optional groupList = st.nextToken(); } User ud = new User(user); if (resetKey.equals(pwdInfo)) { ud.setAlgo(resetKey); } else { if(encodedLine.contains(SSHA_TAG)) { algo = algoSHA; } int resultLength = 32; if (algoSHA.equals(algo)) { resultLength = 20; } byte[] hash = new byte[resultLength]; byte[] salt = SSHA.decode(pwdInfo, hash, algo); ud.setHash(hash); ud.setSalt(salt); ud.setAlgo(algo); } List membership = new ArrayList<>(); if (groupList != null) { StringTokenizer gst = new StringTokenizer(groupList, GROUP_SEP); while (gst.hasMoreTokens()) { String g = gst.nextToken(); membership.add(g); Integer groupSize = (Integer)newGroupSizeMap.get(g); newGroupSizeMap.put(g, Integer.valueOf((groupSize != null) ? (groupSize.intValue() + 1) : 1)); } } ud.setGroups(membership.toArray(new String[membership.size()])); return ud; } /** * Produce a user with given data. * * @param name User name. * @param pwd Cleartext password. * @param groups Group membership. * @returns FileRealmUser Representing the created user. * */ private static User createNewUser(String name, char[] pwd, String[] groups) { User ud = new User(name); if (groups == null) { groups = new String[0]; } ud.setGroups(groups); //Always create new users with SHA-256 ud.setAlgo(algoSHA256); setPassword(ud, pwd); return ud; } /** * Sets the password in a user object. Of course the password is not * really stored so a salt is generated, hash computed, and these two * values are stored in the user object provided. * */ private static void setPassword(User user, char[] pwd) throws IllegalArgumentException { assert (user != null); //Copy the password to another reference before storing it to the //instance field. byte[] pwdBytes = null; try { pwdBytes = Utility.convertCharArrayToByteArray(pwd, Charset.defaultCharset().displayName()); } catch(Exception ex) { throw new IllegalArgumentException(ex); } SecureRandom rng = SharedSecureRandomImpl.get(); byte[] salt=new byte[SALT_SIZE]; rng.nextBytes(salt); user.setSalt(salt); String algo = user.getAlgo(); if(algo == null) { algo = algoSHA256; } byte[] hash = SSHA.compute(salt, pwdBytes, algo); user.setHash(hash); } /** * Represents a FileRealm user. */ public static class User implements UserPrincipal { private static final long serialVersionUID = 1L; private final String name; private String[] groups; private String realm; private byte[] salt; private byte[] hash; private String algo; /** * Constructor. */ public User(String name) { this.name = name; } /** * Constructor. * * @param name User name. * @param groups Group memerships. * @param realm Realm. * @param salt SSHA salt. * @param hash SSHA password hash. */ public User(String name, String[] groups, String realm, byte[] salt, byte[] hash, String algo) { this.name = name; this.groups = groups; this.realm = realm; this.hash = hash; this.salt = salt; this.algo = algo; } /** * Gets the name of the Principal as a java.lang.String * * @return the name of the principal. */ @Override public String getName() { return name; } /** * Returns salt value. */ public byte[] getSalt() { return salt; } /** * Set salt value. */ public void setSalt(byte[] salt) { this.salt = salt; } /** * Get hash value. */ public byte[] getHash() { return hash; } /** * Set hash value. */ public void setHash(byte[] hash) { this.hash = hash; } /** * Return the names of the groups this user belongs to. * * @return String[] List of group memberships. */ public String[] getGroups() { return groups; } /** * Set group membership. */ public void setGroups(String[] grp) { this.groups = grp; } /** * @return the algo */ public String getAlgo() { return algo; } /** * @param algo the algo to set */ public void setAlgo(String algo) { this.algo = algo; } @Override public boolean equals(Object obj) { if (obj == null) { return false; } if (getClass() != obj.getClass()) { return false; } final User other = (User) obj; if (!Arrays.deepEquals(this.groups, other.groups)) { return false; } if ((this.realm == null) ? (other.realm != null) : !this.realm.equals(other.realm)) { return false; } if (!Arrays.equals(this.salt, other.salt)) { return false; } if (!Arrays.equals(this.hash, other.hash)) { return false; } if ((this.algo == null) ? (other.algo != null) : !this.algo.equals(other.algo)) { return false; } return super.equals(obj); } @Override public int hashCode() { int hc = 5; hc = 17 * hc + Arrays.deepHashCode(this.groups); hc = 17 * hc + (this.realm == null ? 0 : this.realm.hashCode()); hc = 17 * hc + Arrays.hashCode(this.salt); hc = 17 * hc + Arrays.hashCode(this.hash); hc = 17 * hc + (this.algo == null ? 0 : this.algo.hashCode()); hc = 17 * super.hashCode(); return hc; } /** * @return same as {@link #getName()} */ @Override public String toString() { return getName(); } } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy