Author: djencks
Date: Sat Aug 1 23:13:12 2009
New Revision: 799958
URL: http://svn.apache.org/viewvc?rev=799958&view=rev
Log:
GERONIMO-4779 Implement a name-only login module that just adds principals for known users,
does not check passwords. Useful for client-cert and e.g. openid authentication
Added:
geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
- copied, changed from r799520, geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
Copied: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
(from r799520, geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java)
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java?p2=geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java&p1=geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java&r1=799520&r2=799958&rev=799958&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
Sat Aug 1 23:13:12 2009
@@ -49,41 +49,36 @@
import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
import org.apache.geronimo.security.jaas.WrappingLoginModule;
import org.apache.geronimo.system.serverinfo.ServerInfo;
-import org.apache.geronimo.crypto.SimpleEncryption;
import org.apache.geronimo.crypto.EncryptionManager;
import org.apache.geronimo.crypto.encoders.Base64;
import org.apache.geronimo.crypto.encoders.HexTranslator;
/**
- * A LoginModule that reads a list of credentials and group from files on disk. The
- * files should be formatted using standard Java properties syntax. Expects
+ * This login module should only be used if the user is already authenticated, such as from
client cert or openid,
+ * and the only remaining task is to add group information.
+ *
+ * A LoginModule that reads groups from a file on disk. The
+ * file should be formatted using standard Java properties syntax. Expects
* to be run by a GenericSecurityRealm (doesn't work on its own).
* <p/>
- * This login module checks security credentials so the lifecycle methods must return true
to indicate success
- * or throw LoginException to indicate failure.
+ * This login module does not check security credentials so the lifecycle methods must return
true to indicate success
+ * or throw a LoginException if the user is not known or supplied in the callback.
*
* @version $Rev$ $Date$
*/
-public class PropertiesFileLoginModule implements LoginModule {
- public final static String USERS_URI = "usersURI";
+public class PropertiesFileNoPasswordLoginModule implements LoginModule {
public final static String GROUPS_URI = "groupsURI";
- public final static String DIGEST = "digest";
- public final static String ENCODING = "encoding";
- public final static List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(USERS_URI,
GROUPS_URI, DIGEST, ENCODING));
-
- private static final Logger log = LoggerFactory.getLogger(PropertiesFileLoginModule.class);
-
- final Properties users = new Properties();
+ public final static List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(GROUPS_URI));
+
+ private static final Logger log = LoggerFactory.getLogger(PropertiesFileNoPasswordLoginModule.class);
+
final Map<String, Set<String>> groups = new HashMap<String, Set<String>>();
- private String digest;
- private String encoding;
private boolean loginSucceeded;
private Subject subject;
private CallbackHandler handler;
private String username;
- private String password;
private final Set<Principal> allPrincipals = new HashSet<Principal>();
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
Map options) {
@@ -97,32 +92,9 @@
}
try {
ServerInfo serverInfo = (ServerInfo) options.get(JaasLoginModuleUse.SERVERINFO_LM_OPTION);
- final String users = (String) options.get(USERS_URI);
final String groups = (String) options.get(GROUPS_URI);
- digest = (String) options.get(DIGEST);
- encoding = (String) options.get(ENCODING);
-
- if (digest != null && !digest.equals("")) {
- // Check if the digest algorithm is available
- try {
- MessageDigest.getInstance(digest);
- } catch (NoSuchAlgorithmException e) {
- log.error("Initialization failed. Digest algorithm " + digest + " is
not available.", e);
- throw new IllegalArgumentException(
- "Unable to configure properties file login module: " + e.getMessage(),
e);
- }
- if (encoding != null && !"hex".equalsIgnoreCase(encoding) &&
!"base64".equalsIgnoreCase(encoding)) {
- log.error("Initialization failed. Digest Encoding " + encoding + " is
not supported.");
- throw new IllegalArgumentException(
- "Unable to configure properties file login module. Digest Encoding
" + encoding + " not supported.");
- }
- }
- if (users == null || groups == null) {
- throw new IllegalArgumentException("Both " + USERS_URI + " and " + GROUPS_URI
+ " must be provided!");
- }
- URI usersURI = new URI(users);
URI groupsURI = new URI(groups);
- loadProperties(serverInfo, usersURI, groupsURI);
+ loadProperties(serverInfo, groupsURI);
} catch (Exception e) {
log.error("Initialization failed", e);
throw new IllegalArgumentException("Unable to configure properties file login
module: " + e.getMessage(),
@@ -130,17 +102,12 @@
}
}
- public void loadProperties(ServerInfo serverInfo, URI userURI, URI groupURI) throws GeronimoSecurityException
{
+ public void loadProperties(ServerInfo serverInfo, URI groupURI) throws GeronimoSecurityException
{
try {
- URI userFile = serverInfo.resolveServer(userURI);
URI groupFile = serverInfo.resolveServer(groupURI);
- InputStream stream = userFile.toURL().openStream();
- users.clear();
- users.load(stream);
- stream.close();
Properties temp = new Properties();
- stream = groupFile.toURL().openStream();
+ InputStream stream = groupFile.toURL().openStream();
temp.load(stream);
stream.close();
@@ -154,9 +121,7 @@
userset = new HashSet<String>();
groups.put(groupName, userset);
}
- for (String user : userList) {
- userset.add(user);
- }
+ userset.addAll(Arrays.asList(userList));
}
} catch (Exception e) {
@@ -173,36 +138,21 @@
*/
public boolean login() throws LoginException {
loginSucceeded = false;
- Callback[] callbacks = new Callback[2];
+ Callback[] callbacks = new Callback[1];
callbacks[0] = new NameCallback("User name");
- callbacks[1] = new PasswordCallback("Password", false);
try {
handler.handle(callbacks);
} catch (IOException ioe) {
throw (LoginException) new LoginException().initCause(ioe);
} catch (UnsupportedCallbackException uce) {
- throw (LoginException) new LoginException().initCause(uce);
+ return false;
}
assert callbacks.length == 2;
username = ((NameCallback) callbacks[0]).getName();
if (username == null || username.equals("")) {
// Clear out the private state
username = null;
- password = null;
- throw new FailedLoginException();
- }
- String realPassword = users.getProperty(username);
- // Decrypt the password if needed, so we can compare it with the supplied one
- if (realPassword != null) {
- realPassword = (String) EncryptionManager.decrypt(realPassword);
- }
- char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
- password = entered == null ? null : new String(entered);
- if (!checkPassword(realPassword, password)) {
- // Clear out the private state
- username = null;
- password = null;
throw new FailedLoginException();
}
@@ -234,7 +184,6 @@
}
// Clear out the private state
username = null;
- password = null;
return loginSucceeded;
}
@@ -243,7 +192,6 @@
if(loginSucceeded) {
// Clear out the private state
username = null;
- password = null;
allPrincipals.clear();
}
return loginSucceeded;
@@ -253,7 +201,6 @@
// Clear out the private state
loginSucceeded = false;
username = null;
- password = null;
if(!subject.isReadOnly()) {
// Remove principals added by this LoginModule
subject.getPrincipals().removeAll(allPrincipals);
@@ -262,44 +209,4 @@
return true;
}
- /**
- * This method checks if the provided password is correct. The original password may
have been digested.
- *
- * @param real Original password in digested form if applicable
- * @param provided User provided password in clear text
- * @return true If the password is correct
- */
- private boolean checkPassword(String real, String provided) {
- if (real == null && provided == null) {
- return true;
- }
- if (real == null || provided == null) {
- return false;
- }
-
- //both non-null
- if (digest == null || digest.equals("")) {
- // No digest algorithm is used
- return real.equals(provided);
- }
- try {
- // Digest the user provided password
- MessageDigest md = MessageDigest.getInstance(digest);
- byte[] data = md.digest(provided.getBytes());
- if (encoding == null || "hex".equalsIgnoreCase(encoding)) {
- // Convert bytes to hex digits
- byte[] hexData = new byte[data.length * 2];
- HexTranslator ht = new HexTranslator();
- ht.encode(data, 0, data.length, hexData, 0);
- // Compare the digested provided password with the actual one
- return real.equalsIgnoreCase(new String(hexData));
- } else if ("base64".equalsIgnoreCase(encoding)) {
- return real.equals(new String(Base64.encode(data)));
- }
- } catch (NoSuchAlgorithmException e) {
- // Should not occur. Availability of algorithm has been checked at initialization
- log.error("Should not occur. Availability of algorithm has been checked at initialization.",
e);
- }
- return false;
- }
-}
+}
\ No newline at end of file
|