jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1071241 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authentication/ test/java/org/apache/jackrabbit/core/integration/ test/java/org/apache/jackrabbit/core/security/authentication/ test/java/org...
Date Wed, 16 Feb 2011 13:35:59 GMT
Author: angela
Date: Wed Feb 16 13:35:58 2011
New Revision: 1071241

URL: http://svn.apache.org/viewvc?rev=1071241&view=rev
Log:
JCR-2851 - Authentication Mechanism Based on Login Token
JCR-2894 - AbstractLoginModule#logout() : credentials will not be clared as Subject.getPublicCredentials(Class)
isn't backed by the subject internal set

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/integration/SessionImplTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModuleTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/token/TokenBasedLoginTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java?rev=1071241&r1=1071240&r2=1071241&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
Wed Feb 16 13:35:58 2011
@@ -415,14 +415,14 @@ public abstract class AbstractLoginModul
      * @see javax.security.auth.spi.LoginModule#logout()
      */
     public boolean logout() throws LoginException {
-        Set<Principal> thisPrincipals = subject.getPrincipals();
-        Set<SimpleCredentials> thisCredentials = subject.getPublicCredentials(SimpleCredentials.class);
-        if (thisPrincipals == null || thisCredentials == null
-                || thisPrincipals.isEmpty() || thisCredentials.isEmpty()) {
+        if (subject.getPrincipals().isEmpty() || subject.getPublicCredentials(Credentials.class).isEmpty())
{
             return false;
         } else {
-            thisPrincipals.clear();
-            thisCredentials.clear();
+            // clear subject if not readonly
+            if (!subject.isReadOnly()) {
+                subject.getPrincipals().clear();
+                subject.getPublicCredentials().clear();
+            }
             return true;
         }
     }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.java?rev=1071241&r1=1071240&r2=1071241&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.java
Wed Feb 16 13:35:58 2011
@@ -79,10 +79,9 @@ public class DefaultLoginModule extends 
     private UserManager userManager;
 
     /**
-     * The login token extracted from TokenCredentials or null in case of
-     * another credentials.
+     * The TokenCredentials or null in case of another credentials.
      */
-    private String loginToken;
+    private TokenCredentials tokenCredentials;
 
     //--------------------------------------------------------< LoginModule >---
     /**
@@ -91,27 +90,31 @@ public class DefaultLoginModule extends 
     @Override
     public boolean commit() throws LoginException {
         boolean success = super.commit();
-        if (success && !disableTokenAuth && TokenBasedAuthentication.doCreateToken(credentials))
{
-            Session s = null;
-            try {
-                /*
-                use a different session instance to create the token
-                node in order to prevent concurrent modifications with
-                the shared system session.
-                */
-                s = session.createSession(session.getWorkspace().getName());
-                Credentials tc = TokenBasedAuthentication.createToken(user, credentials,
tokenExpiration, s);
-                if (tc != null) {
-                    subject.getPublicCredentials().add(tc);
-                }
-            } catch (RepositoryException e) {
-                LoginException le = new LoginException("Failed to commit: " + e.getMessage());
-                le.initCause(e);
-                throw le;
-            } finally {
-                if (s != null) {
-                    s.logout();
+        if (success && !disableTokenAuth) {
+            if (TokenBasedAuthentication.doCreateToken(credentials)) {
+                Session s = null;
+                try {
+                    /*
+                    use a different session instance to create the token
+                    node in order to prevent concurrent modifications with
+                    the shared system session.
+                    */
+                    s = session.createSession(session.getWorkspace().getName());
+                    Credentials tc = TokenBasedAuthentication.createToken(user, credentials,
tokenExpiration, s);
+                    if (tc != null) {
+                        subject.getPublicCredentials().add(tc);
+                    }
+                } catch (RepositoryException e) {
+                    LoginException le = new LoginException("Failed to commit: " + e.getMessage());
+                    le.initCause(e);
+                    throw le;
+                } finally {
+                    if (s != null) {
+                        s.logout();
+                    }
                 }
+            } else if (tokenCredentials != null) {
+                subject.getPublicCredentials().add(tokenCredentials);
             }
         }
         return success;
@@ -200,9 +203,9 @@ public class DefaultLoginModule extends 
         // handle TokenCredentials
         if (!disableTokenAuth && TokenBasedAuthentication.isTokenBasedLogin(credentials))
{
             // special token based login
-            loginToken = ((TokenCredentials) credentials).getToken();
+            tokenCredentials = ((TokenCredentials) credentials);
             try {
-                Node n = session.getNodeByIdentifier(loginToken);
+                Node n = session.getNodeByIdentifier(tokenCredentials.getToken());
                 final NodeImpl userNode = (NodeImpl) n.getParent().getParent();
                 final String principalName = userNode.getProperty(UserImpl.P_PRINCIPAL_NAME).getString();
                 if (userNode.isNodeType(UserImpl.NT_REP_USER)) {
@@ -236,8 +239,8 @@ public class DefaultLoginModule extends 
      */
     @Override
     protected Authentication getAuthentication(Principal principal, Credentials creds) throws
RepositoryException {
-        if (!disableTokenAuth && loginToken != null) {
-            Authentication authentication = new TokenBasedAuthentication(loginToken, tokenExpiration,
session);
+        if (!disableTokenAuth && tokenCredentials != null) {
+            Authentication authentication = new TokenBasedAuthentication(tokenCredentials.getToken(),
tokenExpiration, session);
             if (authentication.canHandle(creds)) {
                 return authentication;
             }

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/integration/SessionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/integration/SessionImplTest.java?rev=1071241&r1=1071240&r2=1071241&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/integration/SessionImplTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/integration/SessionImplTest.java
Wed Feb 16 13:35:58 2011
@@ -105,6 +105,7 @@ public class SessionImplTest extends Abs
         } finally {
             s1.logout();
             assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
         }
 
 
@@ -117,6 +118,7 @@ public class SessionImplTest extends Abs
         } finally {
             s2.logout();
             assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
         }
 
         Session s3 = sImpl.createSession(null);
@@ -128,6 +130,7 @@ public class SessionImplTest extends Abs
         } finally {
             s3.logout();
             assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
         }
     }
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModuleTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModuleTest.java?rev=1071241&r1=1071240&r2=1071241&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModuleTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/DefaultLoginModuleTest.java
Wed Feb 16 13:35:58 2011
@@ -69,6 +69,9 @@ public class DefaultLoginModuleTest exte
             "   <param name=\"disableTokenAuth\" value=\"true\"/>\n" +
             "</LoginModule>" +
             "</Security>";
+    
+    private SimpleCredentials simpleCredentials = new SimpleCredentials("admin", "admin".toCharArray());
+    private Session securitySession;
 
     @Override
     protected void setUp() throws Exception {
@@ -90,16 +93,89 @@ public class DefaultLoginModuleTest exte
         super.cleanUp();
     }
 
-    private SimpleCredentials simpleCredentials = new SimpleCredentials("admin", "admin".toCharArray());
-    private Session securitySession;
-
     public void testSimpleCredentialsLogin() throws Exception {
         AuthContext ac = getAuthContext(simpleCredentials, DEFAULT_CONFIG);
         ac.login();
         ac.logout();
     }
 
-    public void testTokenCredentials() throws Exception {
+    public void testSimpleCredentialsLoginLogout() throws Exception {
+        AuthContext ac = getAuthContext(simpleCredentials, DEFAULT_CONFIG);
+        ac.login();
+
+        Subject subject = ac.getSubject();
+        assertFalse(subject.getPrincipals().isEmpty());
+        assertFalse(subject.getPublicCredentials().isEmpty());
+        assertFalse(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+
+        ac.logout();
+        assertTrue(subject.getPrincipals().isEmpty());
+        assertTrue(subject.getPublicCredentials().isEmpty());
+        assertTrue(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+    }
+
+    public void testTokenCredentialsLoginLogout() throws Exception {
+        simpleCredentials.setAttribute(TokenBasedAuthentication.TOKEN_ATTRIBUTE, "");
+        try {
+            // login with simple credentials forcing token creation.
+            AuthContext ac = getAuthContext(simpleCredentials, DEFAULT_CONFIG);
+            ac.login();
+
+            Subject subject = ac.getSubject();
+
+            assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
+            assertFalse(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+            assertFalse(subject.getPublicCredentials(TokenCredentials.class).isEmpty());
+            assertEquals(2, subject.getPublicCredentials(Credentials.class).size());
+
+            TokenCredentials tokenCredentials = subject.getPublicCredentials(TokenCredentials.class).iterator().next();
+
+            ac.logout();
+
+            // second login with token credentials
+            ac = getAuthContext(tokenCredentials, DEFAULT_CONFIG);
+            ac.login();
+
+            subject = ac.getSubject();
+
+            assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
+            assertFalse(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+            assertFalse(subject.getPublicCredentials(TokenCredentials.class).isEmpty());
+            assertEquals(2, subject.getPublicCredentials(Credentials.class).size());
+
+            ac.logout();
+            assertTrue(subject.getPrincipals().isEmpty());            
+            assertTrue(subject.getPublicCredentials().isEmpty());
+            assertTrue(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+            assertTrue(subject.getPublicCredentials(TokenCredentials.class).isEmpty());
+        } finally {
+            simpleCredentials.removeAttribute(TokenBasedAuthentication.TOKEN_ATTRIBUTE);
+        }
+    }
+
+    public void testDisabledTokenCredentials() throws Exception {
+        simpleCredentials.setAttribute(TokenBasedAuthentication.TOKEN_ATTRIBUTE, "");
+        try {
+            AuthContext ac = getAuthContext(simpleCredentials, DISABLE_TOKEN_CONFIG);
+            ac.login();
+
+            Subject subject = ac.getSubject();
+
+            assertFalse(subject.getPrincipals().isEmpty());
+            assertFalse(subject.getPublicCredentials().isEmpty());
+            assertFalse(subject.getPublicCredentials(SimpleCredentials.class).isEmpty());
+            assertTrue(subject.getPublicCredentials(TokenCredentials.class).isEmpty());
+            assertEquals(1, subject.getPublicCredentials(Credentials.class).size());
+
+            ac.logout();
+        } finally {
+            simpleCredentials.removeAttribute(TokenBasedAuthentication.TOKEN_ATTRIBUTE);
+        }
+    }
+
+    public void testDisabledTokenCredentials2() throws Exception {
         simpleCredentials.setAttribute(TokenBasedAuthentication.TOKEN_ATTRIBUTE, "");
         try {
             AuthContext ac = getAuthContext(simpleCredentials, DEFAULT_CONFIG);

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/token/TokenBasedLoginTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/token/TokenBasedLoginTest.java?rev=1071241&r1=1071240&r2=1071241&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/token/TokenBasedLoginTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/token/TokenBasedLoginTest.java
Wed Feb 16 13:35:58 2011
@@ -67,9 +67,6 @@ public class TokenBasedLoginTest extends
             Principal p = testuser.getPrincipal();
             if (p instanceof ItemBasedPrincipal) {
                 testuserPath = ((ItemBasedPrincipal) p).getPath();
-                if (!superuser.nodeExists(testuserPath)) {
-                    throw new NotExecutableException();
-                }
             } else {
                 throw new NotExecutableException();
             }
@@ -117,29 +114,35 @@ public class TokenBasedLoginTest extends
             Set<TokenCredentials> tokenCreds = ((SessionImpl) s).getSubject().getPublicCredentials(TokenCredentials.class);
             assertFalse(tokenCreds.isEmpty());
             assertEquals(1, tokenCreds.size());
-            TokenCredentials tc = tokenCreds.iterator().next();
-            assertEquals(tc.getToken(), s.getAttribute(TOKEN_ATTRIBUTE));
+
+            TokenCredentials tc = tokenCreds.iterator().next();          
+            token = tc.getToken();
+
+            assertEquals(token, s.getAttribute(TOKEN_ATTRIBUTE));
             for (String attrName : tc.getAttributeNames()) {
                 assertEquals(tc.getAttribute(attrName), s.getAttribute(attrName));
             }
-            assertEquals(tc.getToken(), s.getAttribute(TOKEN_ATTRIBUTE));
 
-            Node userNode = superuser.getNode(testuserPath);
+            // only test node characteristics if user-node resided within the same
+            // workspace as 'superuser' has been created for.
+            if (superuser.nodeExists(testuserPath)) {
+                Node userNode = superuser.getNode(testuserPath);
 
-            assertTrue(userNode.hasNode(TOKENS_NAME));
+                assertTrue(userNode.hasNode(TOKENS_NAME));
 
-            Node tNode = userNode.getNode(TOKENS_NAME);
-            assertTrue(tNode.hasNodes());
+                Node tNode = userNode.getNode(TOKENS_NAME);
+                assertTrue(tNode.hasNodes());
 
-            Node ttNode = tNode.getNodes().nextNode();
-            assertTrue(ttNode.hasProperty("attr"));
-            assertEquals("attr", ttNode.getProperty("attr").getString());
+                Node ttNode = tNode.getNodes().nextNode();
+                assertTrue(ttNode.hasProperty("attr"));
+                assertEquals("attr", ttNode.getProperty("attr").getString());
 
-            assertTrue(ttNode.hasProperty(TOKEN_ATTRIBUTE + ".any"));
-            assertEquals("any", ttNode.getProperty(TOKEN_ATTRIBUTE + ".any").getString());
+                assertTrue(ttNode.hasProperty(TOKEN_ATTRIBUTE + ".any"));
+                assertEquals("any", ttNode.getProperty(TOKEN_ATTRIBUTE + ".any").getString());
 
-            token = ttNode.getIdentifier();
-            assertEquals(token, tc.getToken());
+                String id = ttNode.getIdentifier();
+                assertEquals(token, id);
+            }
 
         } finally {
             s.logout();
@@ -152,6 +155,19 @@ public class TokenBasedLoginTest extends
         s = repo.login(tokenOnly);
         try {
             assertEquals(creds.getUserID(), s.getUserID());
+
+            Set<TokenCredentials> tokenCreds = ((SessionImpl) s).getSubject().getPublicCredentials(TokenCredentials.class);
+            assertFalse(tokenCreds.isEmpty());
+            assertEquals(1, tokenCreds.size());
+
+            TokenCredentials tc = tokenCreds.iterator().next();
+            token = tc.getToken();
+
+            assertEquals(token, s.getAttribute(TOKEN_ATTRIBUTE));
+            for (String attrName : tc.getAttributeNames()) {
+                assertEquals(tc.getAttribute(attrName), s.getAttribute(attrName));
+            }
+
         } finally {
             s.logout();
         }



Mime
View raw message