All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.modeshape.jcr.security.JaasProvider Maven / Gradle / Ivy

There is a newer version: 5.4.1.Final
Show newest version
/*
 * ModeShape (http://www.modeshape.org)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.modeshape.jcr.security;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.modeshape.common.logging.Logger;
import org.modeshape.common.util.CheckArg;
import org.modeshape.jcr.ExecutionContext;
import org.modeshape.jcr.JcrI18n;
import org.modeshape.jcr.api.JaasCredentials;

/**
 * An implementation of {@link AuthenticationProvider} that uses a supplied JAAS policy to perform all authentication and
 * role-based authorization.
 */
public class JaasProvider implements AuthenticationProvider {

    private final String policyName;
    private final SubjectResolver subjectResolver;

    /**
     * Create a JAAS provider for authentication and authorization, using the supplied name for the login configuration.
     * 
     * @param policyName the name that will be used for the login context
     * @exception LoginException if the caller-specified name does not appear in the Configuration and
     *            there is no Configuration entry for "other", or if the
     *            auth.login.defaultCallbackHandler security property was set, but the implementation class could not be
     *            loaded.
     *            

*/ public JaasProvider( String policyName ) throws LoginException { CheckArg.isNotNull(policyName, "policyName"); this.policyName = policyName; // verify that the login context is valid ... new LoginContext(policyName); // Per MODE-1270, see if the JACC API is available (if so, we're running in an J2EE container // and need to provide a way to properly resolve the JAAS Subject)... JaasProvider.SubjectResolver subjectResolver = null; try { // Try to find the JACC PolicyContext class, which is entirely optional and provided only in J2EE containers ... getClass().getClassLoader().loadClass("javax.security.jacc.PolicyContext"); subjectResolver = new JaccSubjectResolver(); Logger.getLogger(getClass()) .debug("Enabling optional JACC approach for resolving the JAAS Subject (typically in J2EE containers)"); } catch (ClassNotFoundException cnfe) { // Must not be able to load the class ... Logger.getLogger(getClass()) .debug("Failed to find 'javax.security.jacc.PolicyContext', so assuming not in a J2EE container."); } this.subjectResolver = subjectResolver; } @Override public ExecutionContext authenticate( final Credentials credentials, String repositoryName, String workspaceName, ExecutionContext repositoryContext, Map sessionAttributes ) { try { if (credentials == null) { // There are no credentials, so see if there is an authenticated Subject ... Subject subject = Subject.getSubject(AccessController.getContext()); if (subject != null) { // There is, so use this subject ... return repositoryContext.with(new JaasSecurityContext(subject)); } if (subjectResolver != null) { // The Subject is still null (see MODE-1270), so try to resolve it ... subject = subjectResolver.resolveSubject(); if (subject != null) { return repositoryContext.with(new JaasSecurityContext(subject)); } } // There is no authenticated JAAS Subject and no credentials, so we can do nothing ... return null; } if (credentials instanceof SimpleCredentials) { SimpleCredentials simple = (SimpleCredentials)credentials; String[] attributeNames = simple.getAttributeNames(); if (attributeNames != null && attributeNames.length != 0) { sessionAttributes = new HashMap(); for (String attributeName : simple.getAttributeNames()) { Object attributeValue = simple.getAttribute(attributeName); sessionAttributes.put(attributeName, attributeValue); } } return repositoryContext.with(new JaasSecurityContext(policyName, simple.getUserID(), simple.getPassword())); } LoginContext loginContext = null; if (credentials instanceof JaasCredentials) { // Call directly ... loginContext = ((JaasCredentials)credentials).getLoginContext(); } else { // Look for a getter method ... try { final Method method = credentials.getClass().getMethod("getLoginContext"); Object result = AccessController.doPrivileged(new PrivilegedExceptionAction() { @Override public Object run() throws Exception { return method.invoke(credentials); } }); if (result instanceof LoginContext) { loginContext = (LoginContext)result; } else { Logger.getLogger(JaasProvider.class).error(JcrI18n.credentialsMustReturnLoginContext, credentials.getClass().getName()); } } catch (NoClassDefFoundError error) { // Not an implementation of Credentials that we know what to do with ... } catch (NoSuchMethodException error) { // Not an implementation of Credentials that we know what to do with ... } catch (PrivilegedActionException e) { // Not an implementation of Credentials that we can call ... Logger.getLogger(JaasProvider.class).warn(JcrI18n.noPrivilegeToGetLoginContextFromCredentials, credentials.getClass().getName()); } } if (loginContext != null) { Subject subject = loginContext.getSubject(); if (subject == null) { // Try authenticate first ... loginContext.login(); // Authentication succeeded ... subject = loginContext.getSubject(); if (subject == null && this.subjectResolver != null) { // The Subject is still null (see MODE-1270), so try to resolve it ... subject = this.subjectResolver.resolveSubject(); if (subject != null) { return repositoryContext.with(new JaasSecurityContext(subject)); } } if (subject == null) { // Still null; we don't know what to do about this, so fail ... return null; } } return repositoryContext.with(new JaasSecurityContext(loginContext)); } } catch (javax.security.auth.login.LoginException error) { // We've already verified that the JAAS policy name exists, so this error can only mean no authentication // so we can just continue ... } return null; } /** * An extension point for the JaasProvider class that allows for custom logic for finding the current JAAS Subject, if not * already available via the {@code Subject.getSubject(AccessController.getContext())} method. That method returns null in * J2EE applications. * * @see JaccSubjectResolver */ public static interface SubjectResolver { /** * Get the current JAAS Subject. * * @return the subject, or null if the Subject could not be resolved */ Subject resolveSubject(); } }