jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From fmesc...@apache.org
Subject svn commit: r825125 - /jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
Date Wed, 14 Oct 2009 13:29:06 GMT
Author: fmeschbe
Date: Wed Oct 14 13:29:05 2009
New Revision: 825125

URL: http://svn.apache.org/viewvc?rev=825125&view=rev
Log:
JCR-2355 Add support for pre-authenticated repository access

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java?rev=825125&r1=825124&r2=825125&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
Wed Oct 14 13:29:05 2009
@@ -66,12 +66,31 @@
     private static final String KEY_CREDENTIALS = "org.apache.jackrabbit.credentials";
     private static final String KEY_LOGIN_NAME = "javax.security.auth.login.name";
 
+    /**
+     * The name of the login module configuration option providing the name
+     * of the SimpleCredentials attribute used to identify a pre-authenticated
+     * login.
+     *
+     * @see #isPreAuthenticated(Credentials)
+     */
+    private static final String PRE_AUTHENTICATED_ATTRIBUTE_OPTION = "trust_credentials_attribute";
+
     private String principalProviderClassName;
-    private boolean initialized; 
+    private boolean initialized;
 
     protected String adminId;
     protected String anonymousId;
 
+    /**
+     * The name of the credentials attribute providing a hint that the
+     * credentials should be taken as is and the user requesting access
+     * has already been authenticated outside of this LoginModule.
+     *
+     * @see #getTrustedCredentialsAttributeName()
+     */
+    private String preAuthAttributeName;
+
+
     protected CallbackHandler callbackHandler;
 
     protected Principal principal;
@@ -154,6 +173,14 @@
             if (anonymousId == null) {
                 anonymousId = repositoryCb.getAnonymousId();
             }
+            // trusted credentials attribute name (may be missing to not
+            // support) (normalized to null aka missing aka unset if an empty
+            // string)
+            preAuthAttributeName = (String) options.get(PRE_AUTHENTICATED_ATTRIBUTE_OPTION);
+            if (preAuthAttributeName != null
+                && preAuthAttributeName.length() == 0) {
+                preAuthAttributeName = null;
+            }
 
             //log config values for debug
             if (log.isDebugEnabled()) {
@@ -221,12 +248,15 @@
      * be used.<p/>
      *
      * <b>3) Verfication</b><br>
-     * There are two cases, how the User-ID can be verfied:
-     * Either the login is the result of an impersonation request (see
-     * {@link javax.jcr.Session#impersonate(Credentials)} or of a login to the Repository
({@link
-     * javax.jcr.Repository#login(Credentials)}). The concrete implementation
-     * of the LoginModule is responsible for both impersonation and login:
+     * There are four cases, how the User-ID can be verfied:
+     * The login is anonymous, preauthenticated or the login is the result of
+     * an impersonation request (see {@link javax.jcr.Session#impersonate(Credentials)}
+     * or of a login to the Repository ({@link javax.jcr.Repository#login(Credentials)}).
+     * The concrete implementation of the LoginModule is responsible for all
+     * four cases:
      * <ul>
+     * <li>{@link #isAnonymous(Credentials)}</li>
+     * <li>{@link #isPreAuthenticated(Credentials)}</li>
      * <li>{@link #authenticate(Principal, Credentials)}</li>
      * <li>{@link #impersonate(Principal, Credentials)}</li>
      * </ul>
@@ -276,8 +306,8 @@
                 return false;
             }
             boolean authenticated;
-            // test for anonymous, impersonation or common authentication.
-            if (isAnonymous(creds)) {
+            // test for anonymous, pre-authentication, impersonation or common authentication.
+            if (isAnonymous(creds) || isPreAuthenticated(creds)) {
                 authenticated = true;
             } else if (isImpersonation(creds)) {
                 authenticated = impersonate(userPrincipal, creds);
@@ -705,4 +735,44 @@
     public void setPrincipalProvider(String principalProvider) {
         this.principalProviderClassName = principalProvider;
     }
+
+    /**
+     * The name of the credentials attribute providing a hint that the
+     * credentials should be taken as is and the user requesting access
+     * has already been authenticated outside of this LoginModule.
+     * <p>
+     * This name is configured as the value of the LoginModule configuration
+     * parameter <code>trust_credentials_attribute</code>. If the configuration
+     * parameter is missing (or empty) the name is not set and this method
+     * returns <code>null</code>.
+     *
+     * @see #isPreAuthenticated(Credentials)
+     */
+    protected final String getPreAuthAttributeName() {
+        return preAuthAttributeName;
+    }
+
+    /**
+     * Returns <code>true</code> if the credentials should be considered as
+     * pre-authenticated and a password check is not required.
+     * <p>
+     * This base class implementation returns <code>true</code> if the
+     * <code>creds</code> object is a SimpleCredentials instance and the
+     * configured {@link #getTrustedCredentialsAttributeName() trusted
+     * credentials property} is set to a non-<code>null</code> value in the
+     * credentials attributes.
+     * <p>
+     * Extensions of this class may overwrite this method to apply more or
+     * different checks to the credentials.
+     *
+     * @param creds The Credentials to check
+     *
+     * @see #getPreAuthAttributeName()
+     */
+    protected boolean isPreAuthenticated(final Credentials creds) {
+        final String preAuthAttrName = getPreAuthAttributeName();
+        return preAuthAttrName != null
+            && (creds instanceof SimpleCredentials)
+            && ((SimpleCredentials) creds).getAttribute(preAuthAttrName) != null;
+    }
 }



Mime
View raw message