From dwo...@apache.org
Subject svn commit: r558586 - in /geronimo/server/trunk: applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/ modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/
Date Mon, 23 Jul 2007 02:24:30 GMT
Author: dwoods
Date: Sun Jul 22 19:24:27 2007
New Revision: 558586

URL: http://svn.apache.org/viewvc?view=rev&rev=558586
Log:
GERONIMO-1716 Add usage of SimpleEncryption to PropertiesFileLoginModule and Admin Console

Modified:
    geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
    geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java

Modified: geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java?view=diff&rev=558586&r1=558585&r2=558586
==============================================================================
--- geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
(original)
+++ geronimo/server/trunk/applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/PropertiesLoginModuleManager.java
Sun Jul 22 19:24:27 2007
@@ -28,24 +28,31 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Properties;
 import java.util.Set;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.geronimo.common.GeronimoSecurityException;
 import org.apache.geronimo.gbean.GBeanInfo;
 import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
 import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.security.jaas.LoginModuleGBean;
 import org.apache.geronimo.security.jaas.LoginModuleSettings;
 import org.apache.geronimo.system.serverinfo.ServerInfo;
 import org.apache.geronimo.util.encoders.Base64;
 import org.apache.geronimo.util.encoders.HexTranslator;
+import org.apache.geronimo.util.SimpleEncryption;
 
 /**
  * @version $Rev$ $Date$
  */
-public class PropertiesLoginModuleManager {
+public class PropertiesLoginModuleManager implements GBeanLifecycle {
+    private static Log log = LogFactory.getLog(PropertiesLoginModuleManager.class);
 
     private ServerInfo serverInfo;
 
@@ -68,7 +75,7 @@
         this.loginModule = loginModule;
     }
 
-    private void refreshUsers() {
+    private void refreshUsers() throws GeronimoSecurityException {
         users.clear();
         InputStream in = null;
         try {
@@ -106,61 +113,48 @@
         }
     }
 
-    public String[] getUsers() throws GeronimoSecurityException {
+    private void clearAll() {
         users.clear();
-        InputStream in = null;
-        try {
-            in = serverInfo.resolveServer(getUsersURI()).toURL().openStream();
-            users.load(in);
-        } catch (Exception e) {
-            throw new GeronimoSecurityException(e);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException ignored) {
-                    // ignored
-                }
-            }
-        }
+        groups.clear();
+    }
+
+    public void refreshAll() throws GeronimoSecurityException {
+        refreshGroups();
+        refreshUsers();
+    }
+
+    public String[] getUsers() throws GeronimoSecurityException {
+        refreshUsers();
         return (String[]) users.keySet().toArray(new String[0]);
     }
 
     public String[] getGroups() throws GeronimoSecurityException {
-        groups.clear();
-        InputStream in = null;
-        try {
-            in = serverInfo.resolveServer(getGroupsURI()).toURL().openStream();
-            groups.load(in);
-        } catch (Exception e) {
-            throw new GeronimoSecurityException(e);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException ignored) {
-                    // ignored
-                }
-            }
-        }
+        refreshGroups();
         return (String[]) groups.keySet().toArray(new String[0]);
     }
 
     public void addUserPrincipal(Hashtable properties)
             throws GeronimoSecurityException {
-        if (users.getProperty((String) properties.get("UserName")) != null) {
-            throw new GeronimoSecurityException("User principal "
-                    + properties.get("UserName") + " already exists.");
+
+        refreshUsers();
+        String name = (String) properties.get("UserName");
+        if (users.getProperty(name) != null) {
+            log.warn("addUserPrincipal() UserName="+name+" already exists.");
+            throw new GeronimoSecurityException("User principal="+name+" already exists.");
         }
         try {
-            refreshUsers();
-            String digest = getDigest();
-            String user = (String) properties.get("UserName");
-            String password = (String) properties.get("Password");
-            if(digest != null && !digest.equals("")) {
-                password = digestPassword(password, digest, getEncoding());
+            String realPassword = (String) properties.get("Password");
+            if (realPassword != null) {
+                String digest = getDigest();
+                if(digest != null && !digest.equals("")) {
+                    realPassword = digestPassword(realPassword, digest, getEncoding());
+                }
+                if (!(realPassword.startsWith("{Standard}"))) {
+                    // update the password
+                    realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
+                }
             }
-            users.setProperty(user, password);
+            users.setProperty(name, realPassword);
             store(users, serverInfo.resolveServer(getUsersURI()).toURL());
         } catch (Exception e) {
             throw new GeronimoSecurityException("Cannot add user principal: "
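Review bot: The `startsWith("{Standard}")` test near the end of addUserPrincipal is applied to the value the caller just supplied, so a new password that happens to begin with `{Standard}` is written to the file unprotected and is later mis-decrypted by getPassword and by PropertiesFileLoginModule; the marker test belongs where values are read back from the file (encryptAllPasswords), not where fresh input is protected — unless the console deliberately round-trips already-protected values, which nothing in this hunk shows. A missing `Password` entry also reaches `users.setProperty(name, realPassword)` with null, which Hashtable rejects with a NullPointerException that surfaces only as the generic "Cannot add user principal" message. The same digest-then-encrypt block is repeated verbatim in updateUserPrincipal in the next hunk; a private helper used from both keeps the rule in one place, as sketched below. The catch block that ends this hunk continues outside it.
```java
    /**
     * Returns the stored form of a caller-supplied password: digested when a
     * digest is configured, then wrapped with the {Standard} marker.
     */
    private String protectPassword(String password) throws Exception {
        if (password == null) {
            throw new GeronimoSecurityException("Password must not be null");
        }
        String stored = password;
        String digest = getDigest();
        if (digest != null && !digest.equals("")) {
            stored = digestPassword(stored, digest, getEncoding());
        }
        // fresh input is always wrapped; only values read back from the file already carry the marker
        return "{Standard}" + SimpleEncryption.encrypt(stored);
    }
    // … in addUserPrincipal and updateUserPrincipal, inside the existing try:
    users.setProperty(name, protectPassword((String) properties.get("Password")));
```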
@@ -170,8 +164,8 @@
 
     public void removeUserPrincipal(String userPrincipal)
             throws GeronimoSecurityException {
+        refreshUsers();
         try {
-            refreshUsers();
             users.remove(userPrincipal);
             store(users, serverInfo.resolveServer(getUsersURI()).toURL());
         } catch (Exception e) {
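Review bot: removeUserPrincipal now refreshes outside the try, but unlike updateUserPrincipal and getPassword in this same commit it still silently succeeds for a name that is not in the file. For consistency with those methods, after `refreshUsers();` add `if (users.getProperty(userPrincipal) == null) { throw new GeronimoSecurityException("User principal=" + userPrincipal + " does not exist."); }` before the try. The method body continues past the end of this hunk.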
@@ -182,19 +176,28 @@
 
     public void updateUserPrincipal(Hashtable properties)
             throws GeronimoSecurityException {
-        //same as add principal overriding the property
+        refreshUsers();
+        String name = (String) properties.get("UserName");
+        if (users.getProperty(name) == null) {
+            log.warn("updateUserPrincipal() UserName="+name+" does not exist.");
+            throw new GeronimoSecurityException("User principal="+name+" does not exist.");
+        }
         try {
-            refreshUsers();
-            String digest = getDigest();
-            String user = (String) properties.get("UserName");
-            String password = (String) properties.get("Password");
-            if(digest != null && !digest.equals("")) {
-                password = digestPassword(password, digest, getEncoding());
+            String realPassword = (String) properties.get("Password");
+            if (realPassword != null) {
+                String digest = getDigest();
+                if(digest != null && !digest.equals("")) {
+                    realPassword = digestPassword(realPassword, digest, getEncoding());
+                }
+                if (!(realPassword.startsWith("{Standard}"))) {
+                    // update the password
+                    realPassword = "{Standard}"+SimpleEncryption.encrypt(realPassword);
+                }
             }
-            users.setProperty(user, password);
+            users.setProperty(name, realPassword);
             store(users, serverInfo.resolveServer(getUsersURI()).toURL());
         } catch (Exception e) {
-            throw new GeronimoSecurityException("Cannot add user principal: "
+            throw new GeronimoSecurityException("Cannot update user principal: "
                     + e.getMessage(), e);
         }
     }
@@ -202,13 +205,13 @@
     public void addGroupPrincipal(Hashtable properties)
             throws GeronimoSecurityException {
         refreshGroups();
-        if (groups.getProperty((String) properties.get("GroupName")) != null) {
-            throw new GeronimoSecurityException("Group "
-                    + properties.get("GroupName") + " already exists.");
+        String group = (String) properties.get("GroupName");
+        if (groups.getProperty(group) != null) {
+            log.warn("addGroupPrincipal() GroupName="+group+" already exists.");
+            throw new GeronimoSecurityException("Group principal="+group+" already exists.");
         }
         try {
-            groups.setProperty((String) properties.get("GroupName"),
-                    (String) properties.get("Members"));
+            groups.setProperty(group, (String) properties.get("Members"));
             store(groups, serverInfo.resolveServer(getGroupsURI()).toURL());
         } catch (Exception e) {
             throw new GeronimoSecurityException("Cannot add group principal: "
@@ -232,12 +235,16 @@
             throws GeronimoSecurityException {
         //same as add group principal
         refreshGroups();
+        String group = (String) properties.get("GroupName");
+        if (groups.getProperty(group) == null) {
+            log.warn("updateGroupPrincipal() GroupName="+group+" does not exist.");
+            throw new GeronimoSecurityException("Group principal="+group+" does not exist.");
+        }
         try {
-            groups.setProperty((String) properties.get("GroupName"),
-                    (String) properties.get("Members"));
+            groups.setProperty(group, (String) properties.get("Members"));
             store(groups, serverInfo.resolveServer(getGroupsURI()).toURL());
         } catch (Exception e) {
-            throw new GeronimoSecurityException("Cannot add group principal: "
+            throw new GeronimoSecurityException("Cannot update group principal: "
                     + e.getMessage(), e);
         }
     }
@@ -257,19 +264,29 @@
     public String getPassword(String userPrincipal)
             throws GeronimoSecurityException {
         refreshUsers();
-        return users.getProperty(userPrincipal);
+        if (users.getProperty(userPrincipal) == null) {
+            log.warn("getPassword() User="+userPrincipal+" does not exist.");
+            throw new GeronimoSecurityException("User principal="+userPrincipal+" does not
exist.");
+        }
+        String realPassword = users.getProperty(userPrincipal);
+        if (realPassword != null) {
+            if (realPassword.startsWith("{Standard}")) {
+                // decrypt the password
+                realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
+            }
+        }
+        return realPassword;
     }
 
     public Set getGroupMembers(String groupPrincipal)
             throws GeronimoSecurityException {
         Set memberSet = new HashSet();
-        groups.clear();
         refreshGroups();
         if (groups.getProperty(groupPrincipal) == null) {
+            log.warn("getGroupMembers() Group="+groupPrincipal+" does not exist.");
             return memberSet;
         }
-        String[] members = groups.getProperty(groupPrincipal)
-                .split(",");
+        String[] members = ((String)groups.getProperty(groupPrincipal)).split(",");
 
         memberSet.addAll(Arrays.asList(members));
         return memberSet;
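Review bot: `substring(10)` in getPassword silently depends on the length of the literal `"{Standard}"`, which this commit spells out in five places (here, addUserPrincipal, updateUserPrincipal, encryptAllPasswords and PropertiesFileLoginModule); a `private static final String ENCRYPTED_PREFIX = "{Standard}";` used with `ENCRYPTED_PREFIX.length()` keeps the marker and the offset from drifting apart. The `if (realPassword != null)` that follows is dead, because the preceding check has already thrown for a missing user. Since the method now returns the value with the protection removed — the plaintext password whenever no digest is configured — a Javadoc such as `Returns the stored credential with the {Standard} protection stripped; this is the plaintext password unless a digest is configured, so callers must not log or display it.` would make the contract explicit to console code. In getGroupMembers the added `(String)` cast is redundant, as `Properties.getProperty` already returns String.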
@@ -291,8 +308,46 @@
         return (String) loginModule.getOptions().get(encodingKey);
     }
 
+    /**
+     * Allows the GBean at startup to request that all unencrypted passwords
+     * be updated.
+     */
+    private void encryptAllPasswords() throws GeronimoSecurityException {
+        log.debug("Checking passwords to see if any need encrypting");
+        refreshAll();
+        try {
+            String name;
+            boolean bUpdates=false;
+
+            for (Enumeration e=users.keys(); e.hasMoreElements(); ) {
+                name=(String)e.nextElement();
+                String realPassword = users.getProperty(name);
+                // Encrypt the password if needed, so we can compare it with the supplied
one
+                if (realPassword != null) {
+                    if (!(realPassword.startsWith("{Standard}"))) {
+                        // update the password in Properties to be encrypted
+                        users.setProperty(name, "{Standard}"+SimpleEncryption.encrypt(realPassword));
+                        // we have an updated password to save back to the file
+                        bUpdates = true;
+                    }
+                }
+            }
+
+            // rewrite the users.properties file if we had passwords to encrypt
+            if (bUpdates)
+            {
+                log.debug("Found password(s) that needed encrypting");
+                store(users, serverInfo.resolveServer(getUsersURI()).toURL());
+            }
+        } catch (Exception e) {
+            log.error("encryptAllPasswords failed", e);
+            throw new GeronimoSecurityException(e);
+        }
+    }
+
     private void store(Properties props, URL url) throws Exception {
         OutputStream out = null;
+        log.debug("Updating properties file="+url.toExternalForm());
         try {
             try {
                 URLConnection con = url.openConnection();
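Review bot: The comment above the null check in encryptAllPasswords, "so we can compare it with the supplied one", is copied from the login module's decrypt path and does not describe this loop, which has nothing to compare; replace it with `// wrap any entry still stored without the {Standard} marker`. The loop also calls `users.setProperty` while enumerating `users.keys()`; replacing the value of an existing key does not restructure a Hashtable, so it works today, but copying the keys first (`for (Object key : new ArrayList(users.keySet()))`) removes the dependence on that detail. `bUpdates` is Hungarian-style naming; `updated` reads better. The body of store continues outside this hunk.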
@@ -340,6 +395,22 @@
         return "";
     }
 
+    public void doFail() {
+        log.warn("Failed");
+    }
+
+    public void doStart() throws Exception {
+        log.debug("Starting gbean");
+        encryptAllPasswords();
+        log.debug("Started gbean");
+    }
+
+    public void doStop() throws Exception {
+        log.debug("Stopping gbean");
+        clearAll();
+        log.debug("Stopped gbean");
+    }
+
     public static final GBeanInfo GBEAN_INFO;
 
     static {
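Review bot: `doFail()` logs only the word "Failed", which gives an operator nothing to search for; `log.warn("PropertiesLoginModuleManager gbean failed");` at least names the component. Because doStart calls encryptAllPasswords, which rewrites users.properties when any entry lacks the marker, the GBean presumably fails to start when that file is not writable — store's error handling is outside this hunk, so confirm whether a read-only properties file should really prevent the console from starting, and document that in a Javadoc on doStart.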
@@ -350,6 +421,7 @@
         infoFactory.addOperation("updateUserPrincipal", new Class[]{Hashtable.class});
         infoFactory.addOperation("getGroups");
         infoFactory.addOperation("getUsers");
+        infoFactory.addOperation("refreshAll");
 
         infoFactory.addOperation("updateUserPrincipal", new Class[]{Hashtable.class});
 

Modified: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java?view=diff&rev=558586&r1=558585&r2=558586
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
(original)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Sun Jul 22 19:24:27 2007
@@ -24,6 +24,8 @@
 import org.apache.geronimo.system.serverinfo.ServerInfo;
 import org.apache.geronimo.util.encoders.Base64;
 import org.apache.geronimo.util.encoders.HexTranslator;
+import org.apache.geronimo.util.SimpleEncryption;
+
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
@@ -112,6 +114,7 @@
             URI userFile = serverInfo.resolveServer(userURI);
             URI groupFile = serverInfo.resolveServer(groupURI);
             InputStream stream = userFile.toURL().openStream();
+            users.clear();
             users.load(stream);
             stream.close();
 
@@ -161,6 +164,12 @@
             return false;
         }
         String realPassword = users.getProperty(username);
+        // Decrypt the password if needed, so we can compare it with the supplied one
+        if (realPassword != null) {
+            if (realPassword.startsWith("{Standard}")) {
+                realPassword = (String) SimpleEncryption.decrypt(realPassword.substring(10));
+            }
+        }
         char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
         password = entered == null ? null : new String(entered);
         boolean result = (realPassword == null && password == null) ||
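Review bot: The added decrypt block duplicates the `"{Standard}"` literal and the `substring(10)` offset from PropertiesLoginModuleManager; both files should share one constant for the marker. Since `SimpleEncryption.decrypt` yields the original value, the `{Standard}` form is reversible and anyone who can read the file and this code recovers the stored credential, so a comment here should say that the marker only obscures the value and that the digest option remains the protection against disclosure of users.properties, e.g. `// {Standard} is reversible obfuscation, not a hash; the digest option still governs what the file reveals`. If decrypt can fail on a malformed entry, the cast and the comparison that follows would see that failure — the hunk does not show decrypt's error behaviour, so confirm it. The comparison that ends this hunk continues outside it.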


