Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/02/26 15:30:45 UTC

svn commit: r1450186 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authentication/ main/java/org/apache/jackrabbit/oak/security/authentication/token/ main/java/org/apache/jackrabbit/oak/security/authentication/us...

Author: angela
Date: Tue Feb 26 14:30:45 2013
New Revision: 1450186

URL: http://svn.apache.org/r1450186
Log:
OAK-91 : Implement Authentication Support (wip)

- add support for pre-authenticated subjects and compliant handling of null-credentials login

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java
      - copied, changed from r1450105, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java Tue Feb 26 14:30:45 2013
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.security.authentication;
 
 import java.security.AccessController;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.jcr.Credentials;
 import javax.security.auth.Subject;
@@ -30,6 +31,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authentication.JaasLoginContext;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginContext;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.PreAuthContext;
 import org.apache.jackrabbit.oak.spi.state.NodeStore;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -64,11 +66,20 @@ public class LoginContextProviderImpl im
     public LoginContext getLoginContext(Credentials credentials, String workspaceName)
             throws LoginException {
         Subject subject = getSubject();
+        if (subject != null && credentials == null) {
+            log.debug("Found pre-authenticated subject: No further login actions required.");
+            return new PreAuthContext(subject);
+        }
+
+        if (subject == null) {
+            subject = new Subject();
+        }
         CallbackHandler handler = getCallbackHandler(credentials, workspaceName);
         return new JaasLoginContext(appName, subject, handler, configuration);
     }
 
     //------------------------------------------------------------< private >---
+    @CheckForNull
     private static Subject getSubject() {
         Subject subject = null;
         try {
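Review bot: The pre-authentication branch added at the top of getLoginContext returns a PreAuthContext for whatever Subject is bound to the current access control context as soon as `credentials` is null, without looking at the subject's principals or credentials, so no LoginModule runs for that session; PreAuthTest.testValidSubject in this commit shows a subject carrying only a test principal obtaining a ContentSession with AuthInfo.EMPTY. That trust boundary is not stated anywhere, and the method Javadoc should carry it, e.g. `If a Subject is bound to the current AccessControlContext and {@code credentials} is {@code null}, the subject is treated as pre-authenticated and returned as-is: no login module is consulted, so only trusted code may wrap the login in Subject.doAs.` The `@CheckForNull` on getSubject matches the new null handling, but getSubject's body continues outside this hunk.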
@@ -76,12 +87,10 @@ public class LoginContextProviderImpl im
         } catch (SecurityException e) {
             log.debug("Can't check for pre-authentication. Reason:", e.getMessage());
         }
-        if (subject == null) {
-            subject = new Subject();
-        }
         return subject;
     }
 
+    @Nonnull
     private CallbackHandler getCallbackHandler(Credentials credentials, String workspaceName) {
         return new CallbackHandlerImpl(credentials, workspaceName, nodeStore, commitHook, indexProvider, securityProvider);
     }
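Review bot: The debug statement at the top of this hunk has no `{}` placeholder, so the SecurityException reason passed as the second argument is silently dropped by SLF4J; it should read `log.debug("Can't check for pre-authentication. Reason: {}", e.getMessage());`. This is a context line, but the hunk now makes getSubject return null in exactly that case, so the dropped reason is the only trace of why the pre-authentication check was skipped and the login fell through to JAAS. getSubject's try block begins outside this hunk.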

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java Tue Feb 26 14:30:45 2013
@@ -32,7 +32,7 @@ import javax.security.auth.login.LoginEx
 import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
 import org.apache.jackrabbit.oak.api.AuthInfo;
 import org.apache.jackrabbit.oak.api.Root;
-import org.apache.jackrabbit.oak.security.authentication.AuthInfoImpl;
+import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
 import org.apache.jackrabbit.oak.spi.security.authentication.callback.TokenProviderCallback;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java Tue Feb 26 14:30:45 2013
@@ -32,7 +32,7 @@ import javax.security.auth.callback.Unsu
 import javax.security.auth.login.LoginException;
 
 import org.apache.jackrabbit.oak.api.AuthInfo;
-import org.apache.jackrabbit.oak.security.authentication.AuthInfoImpl;
+import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java (from r1450105, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java&r1=1450105&r2=1450186&rev=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java Tue Feb 26 14:30:45 2013
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.security.authentication;
+package org.apache.jackrabbit.oak.spi.security.authentication;
 
 import java.security.Principal;
 import java.util.Collections;
@@ -27,7 +27,7 @@ import org.apache.jackrabbit.oak.api.Aut
 /**
  * Default implementation of the AuthInfo interface.
  */
-public class AuthInfoImpl implements AuthInfo {
+public final class AuthInfoImpl implements AuthInfo {
 
     private final String userID;
     private final Map<String,?> attributes;

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java?rev=1450186&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java Tue Feb 26 14:30:45 2013
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+import javax.security.auth.Subject;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * LoginContext for pre-authenticated subjects that don't require further
+ * validation nor additional login/logout steps.
+ */
+public final class PreAuthContext implements LoginContext {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(PreAuthContext.class);
+
+    private final Subject subject;
+
+    public PreAuthContext(Subject subject) {
+        this.subject = subject;
+    }
+
+    @Override
+    public Subject getSubject() {
+        return subject;
+    }
+
+    @Override
+    public void login() {
+        // nothing to do
+    }
+
+    @Override
+    public void logout() {
+        // nothing to do
+    }
+}
\ No newline at end of file
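Review bot: The static Logger field `log` is never used anywhere in PreAuthContext, and the constructor stores `subject` without a null check although getSubject() is the only thing this context provides; either drop the field or use it, and guard the constructor with `this.subject = Objects.requireNonNull(subject, "subject");` (adding `import java.util.Objects;`). The class Javadoc should also make the contract explicit, since login() and logout() are no-ops: `The subject handed to the constructor is trusted as-is; no LoginModule is consulted, so the caller is responsible for having authenticated it.` Whether `LoginContext.login()` declares a checked exception is not visible here, so the no-op signatures are assumed to match the interface.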

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java?rev=1450186&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java Tue Feb 26 14:30:45 2013
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.util.Collections;
+import java.util.Set;
+import javax.jcr.GuestCredentials;
+import javax.jcr.SimpleCredentials;
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginException;
+
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.AuthInfo;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.junit.Test;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.fail;
+
+public class PreAuthTest extends AbstractSecurityTest {
+
+    @Override
+    protected Configuration getConfiguration() {
+        return new Configuration() {
+
+            @Override
+            public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
+                return new AppConfigurationEntry[0];
+            }
+        };
+    }
+
+    @Test
+    public void testValidSubject() throws Exception {
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()), Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>() {
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidSubjectWithCredentials() throws Exception {
+        Set<SimpleCredentials> publicCreds = Collections.singleton(new SimpleCredentials("testUserId", new char[0]));
+        final Subject subject = new Subject(false, Collections.singleton(new TestPrincipal()), publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>() {
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidReadSubjectWithCredentials() throws Exception {
+        Set<SimpleCredentials> publicCreds = Collections.singleton(new SimpleCredentials("testUserId", new char[0]));
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()), publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>() {
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidSubjectWithAuthInfo() throws Exception {
+        AuthInfo info = new AuthInfoImpl("testUserId", Collections.<String, Object>emptyMap(), Collections.<Principal>emptySet());
+        Set<AuthInfo> publicCreds = Collections.singleton(info);
+        final Subject subject = new Subject(false, Collections.singleton(new TestPrincipal()), publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>() {
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(info, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testSubjectAndCredentials() throws Exception {
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()), Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>() {
+            @Override
+            public ContentSession run() {
+                ContentSession cs;
+                try {
+                    cs = login(new GuestCredentials());
+                    return cs;
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        assertNull("Login should have failed.", cs);
+    }
+
+    @Test
+    public void testNullLogin() throws Exception {
+        ContentSession cs = null;
+        try {
+            cs = login(null);
+            fail("Null login without pre-auth subject should fail");
+        } catch (LoginException e) {
+            // success
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    private class TestPrincipal implements Principal {
+
+        @Override
+        public String getName() {
+            return "test";
+        }
+    }
+}
\ No newline at end of file
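Review bot: Each PrivilegedAction in the testValid* methods catches `Exception` and returns `null`, so a failed login surfaces as a NullPointerException at `cs.getAuthInfo()` rather than as a readable failure; rethrow instead, e.g. `throw new RuntimeException(e);`, or move the `cs != null` guard ahead of the assertion. The four doAsPrivileged blocks differ only in the Subject passed in and would be clearer as one private helper such as `loginAs(Subject subject)`. testValidSubjectWithCredentials and testValidReadSubjectWithCredentials differ only in the read-only flag of the Subject, which is worth a one-line comment in each stating what that variation is meant to show.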