jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1397042 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authentication/ security/authentication/token/ spi/security/authentication/
Date Thu, 11 Oct 2012 13:31:44 GMT
Author: angela
Date: Thu Oct 11 13:31:43 2012
New Revision: 1397042

URL: http://svn.apache.org/viewvc?rev=1397042&view=rev
Log:
 OAK-91 - Implement Authentication Support (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
Thu Oct 11 13:31:43 2012
@@ -22,6 +22,7 @@ import javax.jcr.GuestCredentials;
 import javax.jcr.RepositoryException;
 import javax.jcr.SimpleCredentials;
 import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
 
 import org.apache.jackrabbit.oak.api.AuthInfo;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -52,32 +53,39 @@ public class AuthenticationImpl implemen
     }
 
     @Override
-    public boolean authenticate(Credentials credentials) {
-        Tree userTree = getUserTree();
-        if (userTree == null || userProvider.isDisabled(userTree)) {
+    public boolean authenticate(Credentials credentials) throws LoginException {
+        if (userId == null || userProvider == null) {
             return false;
         }
 
+        Tree userTree = userProvider.getAuthorizable(userId, AuthorizableType.USER);
+        if (userTree == null) {
+            throw new LoginException("Unknown user " + userId);
+        }
+        if (userProvider.isDisabled(userTree)) {
+            throw new LoginException("User with ID " + userId + " has been disabled.");
+        }
+
         boolean success;
         if (credentials instanceof SimpleCredentials) {
             SimpleCredentials creds = (SimpleCredentials) credentials;
             success = PasswordUtility.isSame(userProvider.getPasswordHash(userTree), creds.getPassword());
+            checkSuccess(success, "UserId/Password mismatch.");
         } else if (credentials instanceof ImpersonationCredentials) {
             AuthInfo info = ((ImpersonationCredentials) credentials).getImpersonatorInfo();
             success = impersonate(info, userTree);
+            checkSuccess(success, "Impersonation not allowed.");
         } else {
-            // guest login is allowed if an anonymous user exists in the content (see getUserTree
above)
+            // guest login is allowed if an anonymous user exists in the content (see get
user above)
             success = (credentials instanceof GuestCredentials);
         }
         return success;
     }
 
     //--------------------------------------------------------------------------
-    private Tree getUserTree() {
-        if (userProvider == null || userId == null) {
-            return null;
-        } else {
-            return userProvider.getAuthorizable(userId, AuthorizableType.USER);
+    private static void checkSuccess(boolean success, String msg) throws LoginException {
+        if (!success) {
+            throw new LoginException(msg);
         }
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
Thu Oct 11 13:31:43 2012
@@ -88,7 +88,7 @@ import org.slf4j.LoggerFactory;
  *
  *
  */
-public class LoginModuleImpl extends AbstractLoginModule {
+public final class LoginModuleImpl extends AbstractLoginModule {
 
     private static final Logger log = LoggerFactory.getLogger(LoginModuleImpl.class);
 
@@ -114,15 +114,20 @@ public class LoginModuleImpl extends Abs
         credentials = getCredentials();
         userID = getUserID();
 
+        if (credentials == null || userID == null) {
+            log.debug("Could not extract userId/credentials");
+            return false;
+        }
+
         Authentication authentication = new AuthenticationImpl(userID, getUserProvider(),
getPrincipalProvider());
         boolean success = authentication.authenticate(credentials);
         if (success) {
             principals = getPrincipals(userID);
 
-            log.debug("Login: adding Credentials to shared state.");
+            log.debug("Adding Credentials to shared state.");
             sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
 
-            log.debug("Login: adding login name to shared state.");
+            log.debug("Adding login name to shared state.");
             sharedState.put(SHARED_KEY_LOGIN_NAME, userID);
         }
         return success;
@@ -131,6 +136,7 @@ public class LoginModuleImpl extends Abs
     @Override
     public boolean commit() throws LoginException {
         if (credentials == null || principals.isEmpty()) {
+            clearState();
             return false;
         } else {
             if (!subject.isReadOnly()) {
@@ -144,19 +150,21 @@ public class LoginModuleImpl extends Abs
         }
     }
 
-    @Override
-    public boolean abort() throws LoginException {
-        credentials = null;
-        principals = null;
-        return true;
-    }
-
     //------------------------------------------------< AbstractLoginModule >---
     @Override
     protected Set<Class> getSupportedCredentials() {
         return SUPPORTED_CREDENTIALS;
     }
 
+    @Override
+    protected void clearState() {
+        super.clearState();
+
+        credentials = null;
+        principals = null;
+        userID = null;
+    }
+
     //--------------------------------------------------------------------------
     @CheckForNull
     private String getUserID() {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
Thu Oct 11 13:31:43 2012
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.securi
 import java.util.Date;
 import javax.annotation.Nonnull;
 import javax.jcr.Credentials;
+import javax.security.auth.login.LoginException;
 
 import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
@@ -48,13 +49,15 @@ class TokenAuthentication implements Aut
 
     //-----------------------------------------------------< Authentication >---
     @Override
-    public boolean authenticate(Credentials credentials) {
-        boolean success = false;
-        if (credentials instanceof TokenCredentials) {
+    public boolean authenticate(Credentials credentials) throws LoginException {
+        if (tokenProvider != null && credentials instanceof TokenCredentials) {
             TokenCredentials tc = (TokenCredentials) credentials;
-            success = validateCredentials(tc);
+            if (!validateCredentials(tc)) {
+                throw new LoginException("Invalid token credentials.");
+            }
         }
-        return success;
+        // no tokenProvider or other credentials implementation -> not handled here.
+        return false;
     }
 
     //-----------------------------------------------------------< internal >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
Thu Oct 11 13:31:43 2012
@@ -43,7 +43,7 @@ import org.slf4j.LoggerFactory;
  * {@code LoginModule} implementation that is able to handle login request
  * based on {@link TokenCredentials}.
  */
-public class TokenLoginModule extends AbstractLoginModule {
+public final class TokenLoginModule extends AbstractLoginModule {
 
     /**
      * logger instance

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
Thu Oct 11 13:31:43 2012
@@ -66,7 +66,6 @@ public abstract class AbstractLoginModul
      */
     public static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
 
-
     protected Subject subject;
     protected CallbackHandler callbackHandler;
     protected Map sharedState;
@@ -86,16 +85,23 @@ public abstract class AbstractLoginModul
 
     @Override
     public boolean logout() throws LoginException {
-        if (subject.getPrincipals().isEmpty() || subject.getPublicCredentials(Credentials.class).isEmpty())
{
-            return false;
-        } else {
+        boolean success = false;
+        if (!subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty())
{
             // clear subject if not readonly
             if (!subject.isReadOnly()) {
                 subject.getPrincipals().clear();
                 subject.getPublicCredentials().clear();
             }
-            return true;
+            success = true;
         }
+        // TODO: check if state should be cleared
+        return success;
+    }
+
+    @Override
+    public boolean abort() throws LoginException {
+        clearState();
+        return true;
     }
 
     //--------------------------------------------------------------------------
@@ -240,4 +246,12 @@ public abstract class AbstractLoginModul
         }
         return root;
     }
+
+    /**
+     * Clear state information that has been created during {@link #login()}.
+     */
+    protected void clearState() {
+        securityProvider = null;
+        root = null;
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
Thu Oct 11 13:31:43 2012
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.spi.security.authentication;
 
 import javax.jcr.Credentials;
+import javax.security.auth.login.LoginException;
 
 /**
  * The {@code Authentication} interface defines methods to validate
@@ -42,7 +43,9 @@ public interface Authentication {
      *
      * @param credentials to verify
      * @return {@code true} if the validation was successful; {@code false}
-     * if the specified credentials are not supported or if validation failed.
+     * if the specified credentials are not supported and this authentication
+     * implementation cannot verify their validity.
+     * @throws LoginException if the authentication failed.
      */
-    boolean authenticate(Credentials credentials);
+    boolean authenticate(Credentials credentials) throws LoginException;
 }
\ No newline at end of file



Mime
View raw message