geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From djen...@apache.org
Subject svn commit: r799958 - /geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
Date Sat, 01 Aug 2009 23:13:12 GMT
Author: djencks
Date: Sat Aug  1 23:13:12 2009
New Revision: 799958

URL: http://svn.apache.org/viewvc?rev=799958&view=rev
Log:
GERONIMO-4779 Implement a name-only login module that just adds principals for known users,
does not check passwords.  Useful for client-cert and e.g. openid authentication

Added:
    geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
      - copied, changed from r799520, geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java

Copied: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
(from r799520, geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java)
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java?p2=geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java&p1=geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java&r1=799520&r2=799958&rev=799958&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileLoginModule.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java
Sat Aug  1 23:13:12 2009
@@ -49,41 +49,36 @@
 import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
 import org.apache.geronimo.security.jaas.WrappingLoginModule;
 import org.apache.geronimo.system.serverinfo.ServerInfo;
-import org.apache.geronimo.crypto.SimpleEncryption;
 import org.apache.geronimo.crypto.EncryptionManager;
 import org.apache.geronimo.crypto.encoders.Base64;
 import org.apache.geronimo.crypto.encoders.HexTranslator;
 
 
 /**
- * A LoginModule that reads a list of credentials and group from files on disk.  The
- * files should be formatted using standard Java properties syntax.  Expects
+ * This login module should only be used if the user is already authenticated, such as from
client cert or openid,
+ * and the only remaining task is to add group information.
+ *
+ * A LoginModule that reads groups from a file on disk.  The
+ * file should be formatted using standard Java properties syntax.  Expects
  * to be run by a GenericSecurityRealm (doesn't work on its own).
  * <p/>
- * This login module checks security credentials so the lifecycle methods must return true
to indicate success
- * or throw LoginException to indicate failure.
+ * This login module does not check security credentials so the lifecycle methods must return
true to indicate success
+ * or throw a LoginException if the user is not known or supplied in the callback.
  *
  * @version $Rev$ $Date$
  */
-public class PropertiesFileLoginModule implements LoginModule {
-    public final static String USERS_URI = "usersURI";
+public class PropertiesFileNoPasswordLoginModule implements LoginModule {
     public final static String GROUPS_URI = "groupsURI";
-    public final static String DIGEST = "digest";
-    public final static String ENCODING = "encoding";
-    public final static List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(USERS_URI,
GROUPS_URI, DIGEST, ENCODING));
-
-    private static final Logger log = LoggerFactory.getLogger(PropertiesFileLoginModule.class);
-    
-    final Properties users = new Properties();
+    public final static List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(GROUPS_URI));
+
+    private static final Logger log = LoggerFactory.getLogger(PropertiesFileNoPasswordLoginModule.class);
+
     final Map<String, Set<String>> groups = new HashMap<String, Set<String>>();
-    private String digest;
-    private String encoding;
 
     private boolean loginSucceeded;
     private Subject subject;
     private CallbackHandler handler;
     private String username;
-    private String password;
     private final Set<Principal> allPrincipals = new HashSet<Principal>();
 
     public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
Map options) {
@@ -97,32 +92,9 @@
         }
         try {
             ServerInfo serverInfo = (ServerInfo) options.get(JaasLoginModuleUse.SERVERINFO_LM_OPTION);
-            final String users = (String) options.get(USERS_URI);
             final String groups = (String) options.get(GROUPS_URI);
-            digest = (String) options.get(DIGEST);
-            encoding = (String) options.get(ENCODING);
-
-            if (digest != null && !digest.equals("")) {
-                // Check if the digest algorithm is available
-                try {
-                    MessageDigest.getInstance(digest);
-                } catch (NoSuchAlgorithmException e) {
-                    log.error("Initialization failed. Digest algorithm " + digest + " is
not available.", e);
-                    throw new IllegalArgumentException(
-                            "Unable to configure properties file login module: " + e.getMessage(),
e);
-                }
-                if (encoding != null && !"hex".equalsIgnoreCase(encoding) &&
!"base64".equalsIgnoreCase(encoding)) {
-                    log.error("Initialization failed. Digest Encoding " + encoding + " is
not supported.");
-                    throw new IllegalArgumentException(
-                            "Unable to configure properties file login module. Digest Encoding
" + encoding + " not supported.");
-                }
-            }
-            if (users == null || groups == null) {
-                throw new IllegalArgumentException("Both " + USERS_URI + " and " + GROUPS_URI
+ " must be provided!");
-            }
-            URI usersURI = new URI(users);
             URI groupsURI = new URI(groups);
-            loadProperties(serverInfo, usersURI, groupsURI);
+            loadProperties(serverInfo, groupsURI);
         } catch (Exception e) {
             log.error("Initialization failed", e);
             throw new IllegalArgumentException("Unable to configure properties file login
module: " + e.getMessage(),
@@ -130,17 +102,12 @@
         }
     }
 
-    public void loadProperties(ServerInfo serverInfo, URI userURI, URI groupURI) throws GeronimoSecurityException
{
+    public void loadProperties(ServerInfo serverInfo, URI groupURI) throws GeronimoSecurityException
{
         try {
-            URI userFile = serverInfo.resolveServer(userURI);
             URI groupFile = serverInfo.resolveServer(groupURI);
-            InputStream stream = userFile.toURL().openStream();
-            users.clear();
-            users.load(stream);
-            stream.close();
 
             Properties temp = new Properties();
-            stream = groupFile.toURL().openStream();
+            InputStream stream = groupFile.toURL().openStream();
             temp.load(stream);
             stream.close();
 
@@ -154,9 +121,7 @@
                     userset = new HashSet<String>();
                     groups.put(groupName, userset);
                 }
-                for (String user : userList) {
-                    userset.add(user);
-                }
+                userset.addAll(Arrays.asList(userList));
             }
 
         } catch (Exception e) {
@@ -173,36 +138,21 @@
      */
     public boolean login() throws LoginException {
         loginSucceeded = false;
-        Callback[] callbacks = new Callback[2];
+        Callback[] callbacks = new Callback[1];
 
         callbacks[0] = new NameCallback("User name");
-        callbacks[1] = new PasswordCallback("Password", false);
         try {
             handler.handle(callbacks);
         } catch (IOException ioe) {
             throw (LoginException) new LoginException().initCause(ioe);
         } catch (UnsupportedCallbackException uce) {
-            throw (LoginException) new LoginException().initCause(uce);
+            return false;
         }
         assert callbacks.length == 2;
         username = ((NameCallback) callbacks[0]).getName();
         if (username == null || username.equals("")) {
             // Clear out the private state
             username = null;
-            password = null;
-            throw new FailedLoginException();
-        }
-        String realPassword = users.getProperty(username);
-        // Decrypt the password if needed, so we can compare it with the supplied one
-        if (realPassword != null) {
-            realPassword = (String) EncryptionManager.decrypt(realPassword);
-        }
-        char[] entered = ((PasswordCallback) callbacks[1]).getPassword();
-        password = entered == null ? null : new String(entered);
-        if (!checkPassword(realPassword, password)) {
-            // Clear out the private state
-            username = null;
-            password = null;
             throw new FailedLoginException();
         }
 
@@ -234,7 +184,6 @@
         }
         // Clear out the private state
         username = null;
-        password = null;
 
         return loginSucceeded;
     }
@@ -243,7 +192,6 @@
         if(loginSucceeded) {
             // Clear out the private state
             username = null;
-            password = null;
             allPrincipals.clear();
         }
         return loginSucceeded;
@@ -253,7 +201,6 @@
         // Clear out the private state
         loginSucceeded = false;
         username = null;
-        password = null;
         if(!subject.isReadOnly()) {
             // Remove principals added by this LoginModule
             subject.getPrincipals().removeAll(allPrincipals);
@@ -262,44 +209,4 @@
         return true;
     }
 
-    /**
-     * This method checks if the provided password is correct.  The original password may
have been digested.
-     *
-     * @param real     Original password in digested form if applicable
-     * @param provided User provided password in clear text
-     * @return true     If the password is correct
-     */
-    private boolean checkPassword(String real, String provided) {
-        if (real == null && provided == null) {
-            return true;
-        }
-        if (real == null || provided == null) {
-            return false;
-        }
-
-        //both non-null
-        if (digest == null || digest.equals("")) {
-            // No digest algorithm is used
-            return real.equals(provided);
-        }
-        try {
-            // Digest the user provided password
-            MessageDigest md = MessageDigest.getInstance(digest);
-            byte[] data = md.digest(provided.getBytes());
-            if (encoding == null || "hex".equalsIgnoreCase(encoding)) {
-                // Convert bytes to hex digits
-                byte[] hexData = new byte[data.length * 2];
-                HexTranslator ht = new HexTranslator();
-                ht.encode(data, 0, data.length, hexData, 0);
-                // Compare the digested provided password with the actual one
-                return real.equalsIgnoreCase(new String(hexData));
-            } else if ("base64".equalsIgnoreCase(encoding)) {
-                return real.equals(new String(Base64.encode(data)));
-            }
-        } catch (NoSuchAlgorithmException e) {
-            // Should not occur.  Availability of algorithm has been checked at initialization
-            log.error("Should not occur.  Availability of algorithm has been checked at initialization.",
e);
-        }
-        return false;
-    }
-}
+}
\ No newline at end of file



Mime
View raw message