Author: angela Date: Wed May 16 11:58:06 2012 New Revision: 1339127 URL: http://svn.apache.org/viewvc?rev=1339127&view=rev Log: OAK-91 - Implement Authentication Support (WIP) Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/Authentication.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java - copied, changed from r1339118, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCredentials.java Removed: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCallback.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCredentials.java Modified: jackrabbit/oak/trunk/oak-core/pom.xml jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/api/AuthInfo.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Modified: jackrabbit/oak/trunk/oak-core/pom.xml URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/pom.xml?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/pom.xml (original) +++ jackrabbit/oak/trunk/oak-core/pom.xml Wed May 16 11:58:06 2012 @@ -44,7 +44,7 @@ org.apache.jackrabbit.oak.util, org.apache.jackrabbit.oak.namepath, org.apache.jackrabbit.oak.plugins.name, - org.apache.jackrabbit.oak.security.principal, + org.apache.jackrabbit.oak.spi.security.authentication, org.apache.jackrabbit.oak.spi.security.principal Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/api/AuthInfo.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/api/AuthInfo.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/api/AuthInfo.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/api/AuthInfo.java Wed May 16 11:58:06 2012 @@ -23,6 +23,23 @@ package org.apache.jackrabbit.oak.api; */ public interface AuthInfo { + AuthInfo EMPTY = new AuthInfo() { + @Override + public String getUserID() { + return null; + } + + @Override + public String[] getAttributeNames() { + return new String[0]; + } + + @Override + public Object getAttribute(String attributeName) { + return null; + } + }; + /** * Return the user ID to be exposed on the JCR Session object. It refers * to the ID of the user associated with the Credentials passed to the 
@@ -48,5 +65,4 @@ public interface AuthInfo { * @return The attribute or {@code null}. */ Object getAttribute(String attributeName); - } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java Wed May 16 11:58:06 2012 @@ -25,7 +25,6 @@ import org.apache.jackrabbit.oak.spi.sta import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.jcr.SimpleCredentials; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import java.io.IOException; @@ -36,7 +35,6 @@ import java.util.Set; */ class ContentSessionImpl implements ContentSession { - /** Logger instance */ private static final Logger log = LoggerFactory.getLogger(ContentSessionImpl.class); private final LoginContext loginContext; 
@@ -54,25 +52,12 @@ class ContentSessionImpl implements Cont @Override public AuthInfo getAuthInfo() { - // todo implement properly with extension point or pass it with the constructor... - Set creds = loginContext.getSubject().getPublicCredentials(SimpleCredentials.class); - final SimpleCredentials sc = (creds.isEmpty()) ? new SimpleCredentials(null, new char[0]) : creds.iterator().next(); - return new AuthInfo() { - @Override - public String getUserID() { - return sc.getUserID(); - } - - @Override - public String[] getAttributeNames() { - return sc.getAttributeNames(); - } - - @Override - public Object getAttribute(String attributeName) { - return sc.getAttribute(attributeName); - } - }; + Set infoSet = loginContext.getSubject().getPublicCredentials(AuthInfo.class); + if (infoSet.isEmpty()) { + return AuthInfo.EMPTY; + } else { + return infoSet.iterator().next(); + } } @Override Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java?rev=1339127&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java Wed May 16 11:58:06 2012 
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication;
+
+import org.apache.jackrabbit.oak.api.AuthInfo;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * AuthInfoImpl... TODO
+ */
+public class AuthInfoImpl implements AuthInfo {
+
+ private final String userID;
+ private final Map attributes;
+ private final Set principals;
+
+ public AuthInfoImpl(String userID, Map attributes, Set principals) {
+ this.userID = userID;
+ this.attributes = (attributes == null) ? Collections.emptyMap() : attributes;
+ this.principals = principals;
+ }
+
+ Set getPrincipals() {
+ return principals;
+ }
+
+ //-----------------------------------------------------------< AuthInfo >---
+ @Override
+ public String getUserID() {
+ return userID;
+ }
+
+ @Override
+ public String[] getAttributeNames() {
+ return attributes.keySet().toArray(new String[attributes.size()]);
+ }
+
+ @Override
+ public Object getAttribute(String attributeName) {
+ return attributes.get(attributeName);
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/Authentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/Authentication.java?rev=1339127&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/Authentication.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/Authentication.java Wed May 16 11:58:06 2012
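Review bot: The AuthInfoImpl constructor keeps the caller's `attributes` map and `principals` set by reference, and `getPrincipals()` hands the same set back, so any code still holding those collections can change what this AuthInfo reports after login. Elsewhere in this commit the object is added to the Subject's public credentials and its principals feed the impersonation check in LoginModuleImpl, so a snapshot is safer: `this.principals = Collections.unmodifiableSet(new HashSet<Principal>(principals));` (needs a `java.util.HashSet` import), with an unmodifiable copy of the map as well. `principals` has no null handling although `attributes` does. The class Javadoc is still `AuthInfoImpl... TODO`; one sentence saying it is the login module's snapshot of user ID, attributes and principals would be enough.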
@@ -0,0 +1,63 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authentication; + +import javax.jcr.Credentials; +import java.security.Principal; +import java.util.Set; + +/** + * The {@code Authentication} interface defines methods to validate + * {@link javax.jcr.Credentials Credentials} during the + * {@link javax.security.auth.spi.LoginModule#login() login step} of the + * authentication process. The validation depends on the authentication + * mechanism in place.

+ * + * A given implementation may only handle certain types of {@code Credentials} + * as the authentication process is tightly coupled to the semantics of the + * {@code Credentials}.

+ * + * For example a implementation may only be able to validate UserID/password + * pairs such as passed with {@link javax.jcr.SimpleCredentials}, while another + * might be responsible for validating login token issued by the repository or + * an external access token generation mechanism. + */ +public interface Authentication { + + // TODO: evaluate if that should part of SPI package. + + /** + * Validates the specified {@code Credentials} and returns {@code true} if + * the validation was successful. + * + * @param credentials to verify + * @return {@code true} if the validation was successful; {@code false} + * if the specified credentials are not supported or if validation failed. + */ + boolean authenticate(Credentials credentials); + + /** + * Test if the given subject (i.e. any of the principals it contains) is + * allowed to impersonate. + * + * @param principals a set of principals to test. + * @return true if this {@code Impersonation} allows the specified + * set of principals to impersonate. + */ + boolean impersonate(Set principals); + +} \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java?rev=1339127&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java Wed May 16 11:58:06 2012 
@@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authentication; + +import javax.jcr.Credentials; +import javax.jcr.GuestCredentials; +import javax.jcr.SimpleCredentials; +import java.security.Principal; +import java.util.Set; + +/** + * AuthenticationImpl... 
+ */ +public class AuthenticationImpl implements Authentication { + + private final String userID; + + public AuthenticationImpl(String userID) { + this.userID = userID; + } + + @Override + public boolean authenticate(Credentials credentials) { + if (credentials instanceof SimpleCredentials) { + // TODO + return true; + } else if (credentials instanceof GuestCredentials) { + // TODO + return true; + } else { + return false; + } + } + + @Override + public boolean impersonate(Set principals) { + // TODO + return true; + } +} \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java Wed May 16 11:58:06 2012 @@ -24,7 +24,6 @@ import org.slf4j.LoggerFactory; import javax.jcr.Credentials; import javax.jcr.SimpleCredentials; -import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; @@ -40,7 +39,6 @@ import java.io.IOException; *
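Review bot: Both stubs in AuthenticationImpl fail open: `authenticate` returns `true` for any SimpleCredentials or GuestCredentials without looking at the password or at `userID`, and `impersonate` returns `true` for every principal set. LoginModuleImpl.login() in this commit falls back to `impersonate(authentication)` when `authenticate` fails, and SessionImpl.impersonate() is now wired to a real login, so as far as the code on this page shows an impersonation login is accepted for any target user while these TODOs stand. Until the checks exist I would have `impersonate` end in `return false;` and spell out what is missing in the comments, e.g. `// TODO: verify the password against the user identified by userID`. The `userID` field is assigned in the constructor but never read in this class.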

  • {@link CredentialsCallback}
  • *
  • {@link NameCallback}
  • *
  • {@link PasswordCallback}
  • - *
  • {@link ImpersonationCallback}
  • *
  • {@link PrincipalProviderCallback}
  • * */ @@ -69,8 +67,6 @@ public class CallbackHandlerImpl impleme ((NameCallback) callback).setName(getName()); } else if (callback instanceof PasswordCallback) { ((PasswordCallback) callback).setPassword(getPassword()); - } else if (callback instanceof ImpersonationCallback) { - ((ImpersonationCallback) callback).setImpersonator(getImpersonationSubject()); } else if (callback instanceof PrincipalProviderCallback) { ((PrincipalProviderCallback) callback).setPrincipalProvider(principalProvider); } else { @@ -96,17 +92,4 @@ public class CallbackHandlerImpl impleme return null; } } - - private Subject getImpersonationSubject() { - if (credentials instanceof ImpersonationCredentials) { - return ((ImpersonationCredentials) credentials).getImpersonatingSubject(); - } else if (credentials instanceof SimpleCredentials) { - Object attr = ((SimpleCredentials) credentials).getAttribute(ImpersonationCredentials.IMPERSONATOR_ATTRIBUTE); - if (attr instanceof Subject) { - return (Subject) attr; - } - } - - return null; - } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/GuestLoginModule.java Wed May 16 11:58:06 2012 
@@ -17,6 +17,7 @@ package org.apache.jackrabbit.oak.security.authentication; import org.apache.jackrabbit.oak.spi.security.authentication.CredentialsCallback; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -77,12 +78,16 @@ public class GuestLoginModule implements private static final Logger log = LoggerFactory.getLogger(GuestLoginModule.class); + private Subject subject; private CallbackHandler callbackHandler; private Map sharedState; + private GuestCredentials guestCredentials; + //--------------------------------------------------------< LoginModule >--- @Override public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { + this.subject = subject; this.callbackHandler = callbackHandler; this.sharedState = sharedState; } @@ -102,7 +107,8 @@ public class GuestLoginModule implements } else { sharedCredentials = (Set) sharedObj; } - sharedCredentials.add(new GuestCredentials()); + guestCredentials = new GuestCredentials(); + sharedCredentials.add(guestCredentials); sharedState.put(LoginModuleImpl.SHARED_KEY_CREDENTIALS, sharedCredentials); return true; } 
@@ -119,8 +125,10 @@ public class GuestLoginModule implements @Override public boolean commit() throws LoginException { - // not populating the subject as this login module delegates this - // responsibility to a subsequent login module. + if (guestCredentials != null) { + subject.getPublicCredentials().add(guestCredentials); + subject.getPrincipals().add(EveryonePrincipal.getInstance()); + } return true; } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java Wed May 16 11:58:06 2012 @@ -17,7 +17,9 @@ package org.apache.jackrabbit.oak.security.authentication; import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials; +import org.apache.jackrabbit.oak.api.AuthInfo; import org.apache.jackrabbit.oak.spi.security.authentication.CredentialsCallback; +import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.apache.jackrabbit.oak.spi.security.authentication.PrincipalProviderCallback; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; import org.slf4j.Logger; @@ -34,6 +36,7 @@ import javax.security.auth.login.LoginEx import javax.security.auth.spi.LoginModule; import java.io.IOException; import java.security.Principal; +import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; @@ -68,6 +71,7 @@ import java.util.Set; *
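Review bot: GuestLoginModule.commit() now writes to the Subject without the `subject.isReadOnly()` guard that LoginModuleImpl.commit() uses, so with a read-only Subject the two `add` calls throw IllegalStateException instead of being skipped. Using `if (guestCredentials != null && !subject.isReadOnly()) {` keeps the two modules consistent. The new `guestCredentials` field should also be reset in abort() and logout(), which are outside this hunk, so a reused module instance does not carry guest state into a later login. The class Javadoc, not visible here, may still say that populating the Subject is left to a subsequent module and would need the same update as the comment removed in this hunk.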
  • {@link SimpleCredentials}
  • *
  • {@link GuestCredentials}
  • *
  • {@link TokenCredentials}
  • + *
  • {@link ImpersonationCredentials}
  • * * * The {@link Credentials} obtained during the {@link #login()} are added to @@ -105,12 +109,11 @@ public class LoginModuleImpl implements */ public static final String SHARED_KEY_CREDENTIALS = "org.apache.jackrabbit.oak.credentials"; - //public static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name"; - protected static final Set SUPPORTED_CREDENTIALS = new HashSet(2); static { SUPPORTED_CREDENTIALS.add(SimpleCredentials.class); SUPPORTED_CREDENTIALS.add(GuestCredentials.class); + SUPPORTED_CREDENTIALS.add(ImpersonationCredentials.class); SUPPORTED_CREDENTIALS.add(TokenCredentials.class); } @@ -120,6 +123,7 @@ public class LoginModuleImpl implements private Set credentials; private Set principals; + private String userID; //--------------------------------------------------------< LoginModule >--- @Override @@ -135,12 +139,15 @@ public class LoginModuleImpl implements public boolean login() throws LoginException { // TODO credentials = getCredentials(); - if (supportsCredentials()) { - principals = getPrincipals(); - return true; - } else { - return false; + principals = getPrincipals(); + userID = getUserID(); + + Authentication authentication = new AuthenticationImpl(userID); + boolean success = authenticate(authentication); + if (!success) { + success = impersonate(authentication); } + return success; } @Override @@ -150,6 +157,7 @@ public class LoginModuleImpl implements if (!subject.isReadOnly()) { subject.getPrincipals().addAll(principals); subject.getPublicCredentials().addAll(credentials); + subject.getPublicCredentials().add(getAuthInfo()); } else { log.debug("Could not add information to read only subject {}", subject); } 
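Review bot: In login(), `principals` and `userID` are now assigned before any credentials have been validated, and they stay set when both `authenticate` and `impersonate` return false. JAAS calls commit() on every configured module once the overall login succeeds, including modules whose own login() returned false, so whether this module then adds those principals and the new AuthInfo to the Subject depends on a guard at the top of commit(), which lies outside the visible hunks. Resetting the state on failure removes that dependency: `if (!success) { credentials = null; principals = null; userID = null; }` placed before `return success;`. `SUPPORTED_CREDENTIALS` is extended in this commit although the only readers visible in this diff, `supportsCredentials()` and `isSupportedCredentials()`, are removed further down.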
@@ -237,30 +245,23 @@ public class LoginModuleImpl implements return sharedCredentials; } - private boolean supportsCredentials() { - for (Credentials creds : credentials) { - if (isSupportedCredentials(creds)) { - return true; + private java.util.Set getCredentials(java.lang.Class credentialsClass) { + Set cds = new HashSet(); + for (Credentials c : credentials) { + if (credentialsClass.isAssignableFrom(c.getClass())) { + cds.add((T) c); } } - return false; - } - - private static boolean isSupportedCredentials(Credentials credentials) { - return SUPPORTED_CREDENTIALS.contains(credentials.getClass()); + return cds; } private static Principal getPrincipal(Credentials credentials, PrincipalProvider principalProvider) { Principal principal = null; - if (isSupportedCredentials(credentials)) { - if (credentials instanceof SimpleCredentials) { - String userID = ((SimpleCredentials) credentials).getUserID(); - principal = principalProvider.getPrincipal(userID); // FIXME - } else if (credentials instanceof GuestCredentials) { - principal = principalProvider.getPrincipal("anonymous"); // FIXME - } else if (credentials instanceof TokenCredentials) { - // TODO - } + if (credentials instanceof SimpleCredentials) { + String userID = ((SimpleCredentials) credentials).getUserID(); + principal = principalProvider.getPrincipal(userID); // FIXME + } else if (credentials instanceof GuestCredentials) { + principal = principalProvider.getPrincipal("anonymous"); // FIXME } return principal; 
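Review bot: `getPrincipal` resolves a principal only for SimpleCredentials and GuestCredentials, while the new `getUserID()` further down unwraps ImpersonationCredentials to the base credentials' user ID, so an impersonation login would carry the impersonated user's ID with no matching principal from this method (unless `getPrincipals()`, not visible here, supplies it another way). Unwrapping first keeps the two consistent: `if (credentials instanceof ImpersonationCredentials) { credentials = ((ImpersonationCredentials) credentials).getBaseCredentials(); }`. In the new `getCredentials(Class)` helper, `credentialsClass.isInstance(c)` together with `credentialsClass.cast(c)` avoids the unchecked `(T) c` cast. The literal `"anonymous"` now appears both here and in `getUserID()` and would be better as one constant.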
@@ -301,4 +302,52 @@ public class LoginModuleImpl implements } return principalProvider; } + + private String getUserID() { + // TODO add proper implementation + String userID = null; + Credentials c = credentials.iterator().next(); + if (c instanceof SimpleCredentials) { + userID = ((SimpleCredentials) c).getUserID(); + } else if (c instanceof GuestCredentials) { + userID = "anonymous"; + } else if (c instanceof ImpersonationCredentials) { + Credentials bc = ((ImpersonationCredentials) c).getBaseCredentials(); + if (bc instanceof SimpleCredentials) { + userID = ((SimpleCredentials) bc).getUserID(); + } + } + return userID; + } + + private boolean impersonate(Authentication authentication) { + for (ImpersonationCredentials ic : getCredentials(ImpersonationCredentials.class)) { + AuthInfo info = ic.getImpersonatorInfo(); + if (info instanceof AuthInfoImpl) { + if (authentication.impersonate(((AuthInfoImpl) info).getPrincipals())) { + return true; + } + } + } + return false; + } + + private boolean authenticate(Authentication authentication) { + for (Credentials creds : credentials) { + if (authentication.authenticate(creds)) { + return true; + } + } + return false; + } + + private AuthInfo getAuthInfo() { + Map attributes = new HashMap(); + for (SimpleCredentials sc : getCredentials(SimpleCredentials.class)) { + for (String attrName : sc.getAttributeNames()) { + attributes.put(attrName, sc.getAttribute(attrName)); + } + } + return new AuthInfoImpl(userID, attributes, principals); + } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- 
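Review bot: `getUserID()` reads `credentials.iterator().next()`, which throws NoSuchElementException on an empty set and otherwise returns whichever element the Set happens to iterate first, and the shared set can hold more than one entry since GuestLoginModule adds GuestCredentials to it. The user ID stored in AuthInfoImpl can therefore differ from the credentials that `authenticate` or `impersonate` actually accepted; deriving it from the accepted credentials object would tie the two together. `impersonate` also silently skips any impersonator AuthInfo that is not an AuthInfoImpl, which includes `AuthInfo.EMPTY`, so a `log.debug` in that branch would make a rejected impersonation diagnosable. A one-line comment on each new private method stating what it returns when nothing matches (`null` or `false`) would help while the TODOs remain.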
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/diff.txt Wed May 16 11:58:06 2012 @@ -2,4 +2,6 @@ differences regarding jackrabbit 2.x imp ================================================================================ - null credential login is no longer treated equivalent to GuestCredentials - -> GuestLoginModule for those cases that backwards compatibility \ No newline at end of file + -> GuestLoginModule for those cases that backwards compatibility + +- impersonation no longer uses simple credentials to transport the subject \ No newline at end of file Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java (from r1339118, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCredentials.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCredentials.java&r1=1339118&r2=1339127&rev=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ImpersonationCredentials.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java Wed May 16 11:58:06 2012 
@@ -14,49 +14,32 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.jackrabbit.oak.security.authentication; +package org.apache.jackrabbit.oak.spi.security.authentication; +import org.apache.jackrabbit.oak.api.AuthInfo; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.security.auth.Subject; +import javax.jcr.Credentials; /** * ImpersonationCredentials... TODO */ -public class ImpersonationCredentials { +public class ImpersonationCredentials implements Credentials { - /** - * logger instance - */ - private static final Logger log = LoggerFactory.getLogger(ImpersonationCredentials.class); - - /** - * Constant for backwards compatibility with jackrabbit 2.x. - * It defines the name of the {@code SimpleCredentials} attribute where - * the {@code Subject} of the impersonating {@code Session} - * is stored. - * - * @see javax.jcr.Session#impersonate(javax.jcr.Credentials) - */ - public static final String IMPERSONATOR_ATTRIBUTE = "org.apache.jackrabbit.core.security.impersonator"; + private final Credentials baseCredentials; + private final AuthInfo authInfo; - private final String userID; - private Subject impersonatingSubject; - - public ImpersonationCredentials(String userID) { - this.userID = userID; - } - - public String getUserID() { - return userID; + public ImpersonationCredentials(Credentials baseCredentials, AuthInfo authInfo) { + this.baseCredentials = baseCredentials; + this.authInfo = authInfo; } - public Subject getImpersonatingSubject() { - return impersonatingSubject; + public Credentials getBaseCredentials() { + return baseCredentials; } - public void setImpersonatingSubject(Subject impersonatingSubject) { - this.impersonatingSubject = impersonatingSubject; + public AuthInfo getImpersonatorInfo() { + return authInfo; } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java URL: 
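Review bot: ImpersonationCredentials is now a public SPI type whose public constructor accepts any `AuthInfo`, and LoginModuleImpl.impersonate() reads the impersonator's principals straight from `getImpersonatorInfo()`, so as far as this diff shows the impersonator identity is whatever the code calling Repository.login() supplies. AuthInfoImpl also has a public constructor taking an arbitrary principal set, so the `instanceof AuthInfoImpl` test in the login module does not establish that the info came from an authenticated session. The login module needs a way to verify the origin of that info, for example by accepting only instances the repository itself created, and the constructor should reject null arguments with something like `if (baseCredentials == null || authInfo == null) throw new IllegalArgumentException("baseCredentials and authInfo are required");`. The slf4j `Logger` and `LoggerFactory` imports remain as context lines although the `log` field is removed, and the class Javadoc is still `ImpersonationCredentials... TODO`.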
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1339127&r1=1339126&r2=1339127&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original) +++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Wed May 16 11:58:06 2012 @@ -20,6 +20,7 @@ import org.apache.jackrabbit.api.Jackrab import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.commons.AbstractSession; +import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.xml.sax.ContentHandler; @@ -96,8 +97,8 @@ public class SessionImpl extends Abstrac public Session impersonate(Credentials credentials) throws RepositoryException { ensureIsAlive(); - // TODO - throw new UnsupportedRepositoryOperationException("TODO: Session.impersonate"); + ImpersonationCredentials impCreds = new ImpersonationCredentials(credentials, dlg.getAuthInfo()); + return getRepository().login(impCreds, dlg.getWorkspaceName()); } @Override