jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1337087 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: core/ security/authentication/ spi/security/authentication/
Date Fri, 11 May 2012 09:43:05 GMT
Author: angela
Date: Fri May 11 09:43:05 2012
New Revision: 1337087

URL: http://svn.apache.org/viewvc?rev=1337087&view=rev
Log:
 OAK-91 - Implement Authentication Support (WIP)
 
 - add initial draft of provider for login context
 - add GuestLoginModule for backwards compatibility with jr2 null-login handling

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java?rev=1337087&r1=1337086&r2=1337087&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
Fri May 11 09:43:05 2012
@@ -24,12 +24,10 @@ import org.apache.jackrabbit.oak.api.Con
 import org.apache.jackrabbit.oak.api.QueryEngine;
 import org.apache.jackrabbit.oak.kernel.KernelNodeStore;
 import org.apache.jackrabbit.oak.query.QueryEngineImpl;
-import org.apache.jackrabbit.oak.security.authentication.CallbackHandlerImpl;
-import org.apache.jackrabbit.oak.security.authentication.ConfigurationImpl;
-import org.apache.jackrabbit.oak.security.principal.KernelPrincipalProvider;
+import org.apache.jackrabbit.oak.security.authentication.LoginContextProviderImpl;
 import org.apache.jackrabbit.oak.spi.QueryIndexProvider;
 import org.apache.jackrabbit.oak.spi.commit.EmptyCommitHook;
-import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.oak.spi.state.NodeStore;
 import org.slf4j.Logger;
@@ -37,7 +35,6 @@ import org.slf4j.LoggerFactory;
 
 import javax.jcr.Credentials;
 import javax.jcr.NoSuchWorkspaceException;
-import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 
@@ -53,14 +50,11 @@ public class ContentRepositoryImpl imple
     // TODO: retrieve default wsp-name from configuration
     private static final String DEFAULT_WORKSPACE_NAME = "default";
 
-    private static final String APP_NAME = "jackrabbit.oak";
+    private final LoginContextProvider loginContextProvider;
 
     private final QueryEngine queryEngine;
     private final NodeStore nodeStore;
 
-    private final Configuration authConfig;
-    private final PrincipalProvider principalProvider;
-
     /**
      * Utility constructor that creates a new in-memory repository with default
      * query index provider. This constructor is intended to be used within
@@ -82,9 +76,8 @@ public class ContentRepositoryImpl imple
         QueryIndexProvider qip = (indexProvider == null) ? getDefaultIndexProvider(microKernel)
: indexProvider;
         queryEngine = new QueryEngineImpl(nodeStore, microKernel, qip);
 
-        // TODO: use configurable authentication config and principal provider
-        authConfig = new ConfigurationImpl();
-        principalProvider = new KernelPrincipalProvider();
+        // TODO: use configurable context provider
+        loginContextProvider = new LoginContextProviderImpl(this);
 
         // FIXME: workspace setup must be done elsewhere...
         NodeState root = nodeStore.getRoot();
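Review bot: `new LoginContextProviderImpl(this)` passes the repository out of its own constructor before the workspace setup that follows in this hunk has run. The `LoginContextProviderImpl` constructor added in this commit does not use the argument, so nothing breaks today, but a later provider that reads repository state during construction would see a partially initialised object. I would either create the provider as the last statement of the constructor or add a comment such as `// 'this' is not fully initialised here; the provider must not call back into the repository from its constructor`. The constructor starts and ends outside the hunk.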
@@ -111,17 +104,14 @@ public class ContentRepositoryImpl imple
             workspaceName = DEFAULT_WORKSPACE_NAME;
         }
 
-        // TODO: add proper implementation
-        // TODO  - authentication against configurable spi-authentication
-        // TODO  - validation of workspace name (including access rights for the given 'user')
-        LoginContext loginContext = new LoginContext(APP_NAME, null, new CallbackHandlerImpl(credentials,
principalProvider), authConfig);
-        loginContext.login();
-
         NodeState wspRoot = nodeStore.getRoot().getChildNode(workspaceName);
         if (wspRoot == null) {
             throw new NoSuchWorkspaceException(workspaceName);
         }
 
+        LoginContext loginContext = loginContextProvider.getLoginContext(credentials, workspaceName);
+        loginContext.login();
+
         return new ContentSessionImpl(loginContext, workspaceName, nodeStore, queryEngine);
     }
 }
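Review bot: The workspace lookup now runs before `loginContext.login()`, so `NoSuchWorkspaceException` is thrown for callers whose credentials have not been checked yet. A caller without valid credentials can therefore tell existing workspace names from non-existing ones by the exception type, which the previous ordering did not allow. If the reordering is only meant to hand a resolved name to the provider, consider calling `loginContext.login()` first and resolving `wspRoot` afterwards, or record the trade-off with a comment such as `// NOTE: workspace existence is revealed before authentication`. The method signature is outside the hunk.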

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java?rev=1337087&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java
Fri May 11 09:43:05 2012
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.Credentials;
+import javax.jcr.GuestCredentials;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * The {@code GuestLoginModule} is intended to provide backwards compatibility
+ * with the login handling present in the JCR reference implementation located
+ * in jackrabbit-core. While the specification claims that {@link javax.jcr.Repository#login}
+ * with {@code null} Credentials implies that the authentication process is
+ * handled externally, the default implementation jackrabbit-core treated it
+ * as 'anonymous' login such as covered by using {@link GuestCredentials}.<p/>
+ *
+ * This {@code LoginModule} implementation performs the following tasks upon
+ * {@link #login()}.
+ *
+ * <ol>
+ *     <li>Try to retrieve JCR credentials from the {@link CallbackHandler} using
+ *     the {@link CredentialsCallback}</li>
+ *     <li>In case no credentials could be obtained it pushes a new instance of
+ *     {@link GuestCredentials} to the shared stated. Subsequent login module
+ *     in the authentication process may retrieve the {@link GuestCredentials}
+ *     instead of failing to obtain any credentials.</li>
+ * </ol>
+ *
+ * Note however that this implementation does not populate the subject during
+ * {@link #commit() phase 2} of the authentication process. This responsibility
+ * is delegated to a subsequent login module implementation that may or may not
+ * use the {@code GuestCredentials} this module added to the share state.<p/>
+ *
+ * The authentication configuration using this {@code LoginModule} could for
+ * example look as follows:
+ *
+ * <pre>
+ *
+ *    jackrabbit.oak {
+ *            org.apache.jackrabbit.oak.security.authentication.GuestLoginModule  optional;
+ *            org.apache.jackrabbit.oak.security.authentication.LoginModuleImpl required;
+ *    };
+ *
+ * </pre>
+ *
+ * In this case calling {@link javax.jcr.Repository#login()} would be equivalent
+ * to {@link javax.jcr.Repository#login(javax.jcr.Credentials) repository.login(new GuestCredentials()}.
+ */
+public class GuestLoginModule implements LoginModule {
+
+    private static final Logger log = LoggerFactory.getLogger(GuestLoginModule.class);
+
+    private CallbackHandler callbackHandler;
+    private Map sharedState;
+
+    //--------------------------------------------------------< LoginModule >---
+    @Override
+    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,
?> sharedState, Map<String, ?> options) {
+        this.callbackHandler = callbackHandler;
+        this.sharedState = sharedState;
+    }
+
+    @Override
+    public boolean login() throws LoginException {
+        if (callbackHandler != null) {
+            CredentialsCallback ccb = new CredentialsCallback();
+            try {
+                callbackHandler.handle(new Callback[] {ccb});
+                Credentials credentials = ccb.getCredentials();
+                if (credentials == null) {
+                    Set<Credentials> sharedCredentials;
+                    Object sharedObj = sharedState.get(LoginModuleImpl.SHARED_KEY_CREDENTIALS);
+                    if (sharedObj == null || !(sharedObj instanceof Set)) {
+                        sharedCredentials = new HashSet<Credentials>();
+                    } else {
+                        sharedCredentials = (Set) sharedObj;
+                    }
+                    sharedCredentials.add(new GuestCredentials());
+                    sharedState.put(LoginModuleImpl.SHARED_KEY_CREDENTIALS, sharedCredentials);
+                    return true;
+                }
+            } catch (IOException e) {
+                log.debug("Login: Failed to retrieve Credentials from CallbackHandler", e);
+            } catch (UnsupportedCallbackException e) {
+                log.debug("Login: Failed to retrieve Credentials from CallbackHandler", e);
+            }
+        }
+
+        // ignore this login module
+        return false;
+    }
+
+    @Override
+    public boolean commit() throws LoginException {
+        // not populating the subject as this login module delegates this
+        // responsibility to a subsequent login module.
+        return true;
+    }
+
+    @Override
+    public boolean abort() throws LoginException {
+        // nothing to do
+        return true;
+    }
+
+    @Override
+    public boolean logout() throws LoginException {
+        // nothing to do.
+        return true;
+    }
+}
\ No newline at end of file
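Review bot: `commit()` returns `true` unconditionally, even when `login()` returned `false` because credentials were present or the callback failed; the `LoginModule` contract expects `false` from `commit()` when the module is to be ignored. With the `optional` flag shown in the Javadoc this is harmless, but under `sufficient` a `true` result from a module that never populates the Subject could, as far as I can tell, end the phase before the module that adds principals runs. I would record the outcome in a field (`private boolean guestAdded;`, set just before `return true;` in `login()`) and `return guestAdded;` from `commit()`. The class Javadoc should also state that the module must be followed by one that populates the Subject and must not be configured as `sufficient` or as the only module.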

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java?rev=1337087&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
Fri May 11 09:43:05 2012
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication;
+
+import org.apache.jackrabbit.oak.api.ContentRepository;
+import org.apache.jackrabbit.oak.security.principal.KernelPrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+
+import javax.jcr.Credentials;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+/**
+ * LoginContextProviderImpl...
+ */
+public class LoginContextProviderImpl implements LoginContextProvider {
+
+    private static final String APP_NAME = "jackrabbit.oak";
+
+    private final Configuration authConfig;
+    private final PrincipalProvider principalProvider;
+
+    public LoginContextProviderImpl(ContentRepository repository) {
+        // TODO: use configurable authentication config and principal provider
+        authConfig = new ConfigurationImpl();
+        principalProvider = new KernelPrincipalProvider();
+    }
+
+    @Override
+    public LoginContext getLoginContext(Credentials credentials, String workspaceName) throws
LoginException {
+        // TODO: add proper implementation
+        // TODO  - authentication against configurable spi-authentication
+        // TODO  - validation of workspace name (including access rights for the given 'user')
+        return new LoginContext(APP_NAME, null, new CallbackHandlerImpl(credentials, principalProvider),
authConfig);
+    }
+}
\ No newline at end of file
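Review bot: The class Javadoc is the placeholder `LoginContextProviderImpl...` and says nothing about what the provider currently guarantees. Both the `repository` constructor argument and the `workspaceName` argument of `getLoginContext` are unused in this hunk, so a successful `login()` on the returned context implies no check that the user may access that workspace. I would replace the placeholder with a short description saying that this is a draft that always uses `ConfigurationImpl` and `KernelPrincipalProvider`, and add `@param workspaceName currently ignored; no workspace access check is performed` to the method.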

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt?rev=1337087&r1=1337086&r2=1337087&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt
Fri May 11 09:43:05 2012
@@ -1,4 +1,5 @@
 differences regarding jackrabbit 2.x implementation
 ================================================================================
 
-- null credential login is no longer treated equivalent to GuestCredentials.
\ No newline at end of file
+- null credential login is no longer treated equivalent to GuestCredentials
+  -> GuestLoginModule for those cases that backwards compatibility
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java?rev=1337087&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
Fri May 11 09:43:05 2012
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+import javax.jcr.Credentials;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+/**
+ * Configurable provider taking care of building a {@code LoginContext} for
+ * the desired authentication mechanism.<p/>
+ *
+ * This provider defines a single method {@link #getLoginContext(javax.jcr.Credentials, String)}
+ * that takes the {@link Credentials credentials} and the workspace name such
+ * as passed to {@link org.apache.jackrabbit.oak.api.ContentRepository#login(javax.jcr.Credentials,
String)}.
+ */
+public interface LoginContextProvider {
+
+    /**
+     * Returns a new instance of {@link LoginContext} that handles authentication.
+     *
+     * @param credentials The {@link Credentials} such as passed to the
+     * {@link org.apache.jackrabbit.oak.api.ContentRepository#login(javax.jcr.Credentials,
String) login}
+     * method of the repository.
+     * @param workspaceName The name of the workspace that is being accessed by
+     * the login called.
+     * @return A new {@code LoginContext}
+     * @throws LoginException If an error occurs while creating a new context.
+     */
+    LoginContext getLoginContext(Credentials credentials, String workspaceName) throws LoginException;
+}
\ No newline at end of file
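Review bot: The `@param credentials` text does not say whether `null` is allowed, although this commit adds `GuestLoginModule` specifically to handle the null-credentials case. Implementations and callers need that stated in the contract; I would add a sentence such as `May be {@code null}; how null credentials are treated is determined by the configured login modules.` The `@param workspaceName` description also reads more clearly as `the login call` than `the login called`.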


