Posted to oak-commits@jackrabbit.apache.org by ju...@apache.org on 2012/10/02 19:12:21 UTC
svn commit: r1393038 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
core/ plugins/type/ security/authentication/ spi/security/authentication/
Author: jukka
Date: Tue Oct 2 17:12:21 2012
New Revision: 1393038
URL: http://svn.apache.org/viewvc?rev=1393038&view=rev
Log:
OAK-91: Implement Authentication Support
Add a new OakLoginContext interface that allows simple
authentication components like the new OpenLoginContextProvider
to avoid the somewhat complex JAAS configuration and class
loading bits.
The related JaasLoginContext class acts as a bridge between the
JAAS LoginContext class and the OakLoginContext interface.
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/JaasLoginContext.java
- copied, changed from r1393009, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OakLoginContext.java
- copied, changed from r1393009, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java
Removed:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/type/InitialContent.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginContextProvider.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java Tue Oct 2 17:12:21 2012
@@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.core;
import javax.annotation.Nonnull;
import javax.jcr.Credentials;
import javax.jcr.NoSuchWorkspaceException;
-import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.mk.api.MicroKernel;
@@ -41,6 +40,7 @@ import org.apache.jackrabbit.oak.spi.que
import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.OakLoginContext;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -164,7 +164,8 @@ public class ContentRepositoryImpl imple
throw new NoSuchWorkspaceException(workspaceName);
}
- LoginContext loginContext = loginContextProvider.getLoginContext(credentials, workspaceName);
+ OakLoginContext loginContext =
+ loginContextProvider.getLoginContext(credentials, workspaceName);
loginContext.login();
return new ContentSessionImpl(loginContext, accProvider, workspaceName,
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java Tue Oct 2 17:12:21 2012
@@ -20,7 +20,6 @@ import java.io.IOException;
import java.util.Set;
import javax.annotation.Nonnull;
-import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.oak.api.AuthInfo;
@@ -29,6 +28,7 @@ import org.apache.jackrabbit.oak.api.Cor
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.spi.commit.ConflictHandlerProvider;
import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.OakLoginContext;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.oak.spi.state.NodeStore;
import org.slf4j.Logger;
@@ -41,14 +41,14 @@ class ContentSessionImpl implements Cont
private static final Logger log = LoggerFactory.getLogger(ContentSessionImpl.class);
- private final LoginContext loginContext;
+ private final OakLoginContext loginContext;
private final AccessControlProvider accProvider;
private final String workspaceName;
private final NodeStore store;
private final ConflictHandlerProvider conflictHandlerProvider;
private final QueryIndexProvider indexProvider;
- public ContentSessionImpl(LoginContext loginContext,
+ public ContentSessionImpl(OakLoginContext loginContext,
AccessControlProvider accProvider, String workspaceName,
NodeStore store, ConflictHandlerProvider conflictHandlerProvider,
QueryIndexProvider indexProvider) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/type/InitialContent.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/type/InitialContent.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/type/InitialContent.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/type/InitialContent.java Tue Oct 2 17:12:21 2012
@@ -110,19 +110,11 @@ public class InitialContent extends Defa
};
Oak oak = new Oak(mk);
- oak.with(securityProvider);
-
- // TODO: The context class loader hack below shouldn't be needed
- // with a properly OSGi-compatible JAAS implementation
- Thread thread = Thread.currentThread();
- ClassLoader loader = thread.getContextClassLoader();
+ oak.with(securityProvider); // TODO: this shouldn't be needed
try {
- thread.setContextClassLoader(Oak.class.getClassLoader());
return oak.createContentRepository().login(null, null).getLatestRoot();
} catch (Exception e) {
throw new IllegalStateException("Unable to create a Root", e);
- } finally {
- thread.setContextClassLoader(loader);
}
}
}
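Review bot: Removing the context-class-loader swap around `login(null, null)` is only safe if the login context reached through `securityProvider` no longer relies on JAAS to load login modules, and the provider in use is not visible from this hunk. If a `JaasLoginContext` can still be returned on this path, the class-loading problem described in the removed TODO would presumably come back under OSGi. The replacement comment `// TODO: this shouldn't be needed` no longer says what is unneeded or why. If the intent is what it appears to be, `// TODO: creating the initial Root should not require a SecurityProvider` would be clearer. The enclosing method starts outside the hunk.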
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java Tue Oct 2 17:12:21 2012
@@ -17,15 +17,18 @@
package org.apache.jackrabbit.oak.security.authentication;
import org.apache.jackrabbit.oak.security.principal.TmpPrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.JaasLoginContext;
import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.OakLoginContext;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.annotation.Nonnull;
import javax.jcr.Credentials;
import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.AccessController;
@@ -47,13 +50,17 @@ public class LoginContextProviderImpl im
principalProvider = new TmpPrincipalProvider();
}
- @Override
- public LoginContext getLoginContext(Credentials credentials, String workspaceName) throws LoginException {
+ @Override @Nonnull
+ public OakLoginContext getLoginContext(
+ Credentials credentials, String workspaceName)
+ throws LoginException {
// TODO: add proper implementation
// TODO - authentication against configurable spi-authentication
// TODO - validation of workspace name (including access rights for the given 'user')
Subject subject = getSubject();
- return new LoginContext(APP_NAME, subject, new CallbackHandlerImpl(credentials, principalProvider), authConfig);
+ CallbackHandler handler =
+ new CallbackHandlerImpl(credentials, principalProvider);
+ return new JaasLoginContext(APP_NAME, subject, handler, authConfig);
}
//-------------------------------------------------===--------< private >---
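Review bot: `credentials` can be null on this path, yet it is passed straight into `new CallbackHandlerImpl(credentials, principalProvider)` with no guard or annotation. `InitialContent` calls `login(null, null)` in this same commit, and `OpenLoginContextProvider` explicitly checks `credentials != null`. Whether `CallbackHandlerImpl` tolerates null is not visible here. Since the return value is now marked `@Nonnull`, the parameters should carry matching nullability, e.g. `@Nullable Credentials credentials, @Nullable String workspaceName`, on the `LoginContextProvider` interface hunk and on both implementations. The Javadoc `@param` text on the interface should then say what a null value means.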
Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/JaasLoginContext.java (from r1393009, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/JaasLoginContext.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/JaasLoginContext.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java&r1=1393009&r2=1393038&rev=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/JaasLoginContext.java Tue Oct 2 17:12:21 2012
@@ -16,40 +16,42 @@
*/
package org.apache.jackrabbit.oak.spi.security.authentication;
-import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
/**
- * This class implements a {@link LoginModule} which allows any authenticating
- * Subject to login.
+ * Bridge class that connects the JAAS {@link LoginContext} class with the
+ * {@link OakLoginContext} interface used by Oak.
*/
-public class OpenLoginModule implements LoginModule {
+public class JaasLoginContext extends LoginContext implements OakLoginContext {
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> stringMap, Map<String, ?> stringMap1) {
- // nothing to do
+ public JaasLoginContext(String name) throws LoginException {
+ super(name);
}
- @Override
- public boolean login() throws LoginException {
- return true;
+ public JaasLoginContext(String name, Subject subject)
+ throws LoginException {
+ super(name, subject);
}
- @Override
- public boolean commit() throws LoginException {
- return true;
+ public JaasLoginContext(String name, CallbackHandler handler)
+ throws LoginException {
+ super(name, handler);
}
- @Override
- public boolean abort() throws LoginException {
- return true;
+ public JaasLoginContext(
+ String name, Subject subject, CallbackHandler handler)
+ throws LoginException {
+ super(name, subject, handler);
}
- @Override
- public boolean logout() throws LoginException {
- return true;
+ public JaasLoginContext(
+ String name, Subject subject, CallbackHandler handler,
+ Configuration configuration) throws LoginException {
+ super(name, subject, handler, configuration);
}
+
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java Tue Oct 2 17:12:21 2012
@@ -16,14 +16,14 @@
*/
package org.apache.jackrabbit.oak.spi.security.authentication;
+import javax.annotation.Nonnull;
import javax.jcr.Credentials;
-import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
/**
- * Configurable provider taking care of building a {@code LoginContext} for
- * the desired authentication mechanism.<p/>
- *
+ * Configurable provider taking care of building login contexts for
+ * the desired authentication mechanism.
+ * <p>
* This provider defines a single method {@link #getLoginContext(javax.jcr.Credentials, String)}
* that takes the {@link Credentials credentials} and the workspace name such
* as passed to {@link org.apache.jackrabbit.oak.api.ContentRepository#login(javax.jcr.Credentials, String)}.
@@ -31,15 +31,19 @@ import javax.security.auth.login.LoginEx
public interface LoginContextProvider {
/**
- * Returns a new instance of {@link LoginContext} that handles authentication.
+ * Returns a new login context instance for handling authentication.
*
* @param credentials The {@link Credentials} such as passed to the
* {@link org.apache.jackrabbit.oak.api.ContentRepository#login(javax.jcr.Credentials, String) login}
* method of the repository.
* @param workspaceName The name of the workspace that is being accessed by
* the login called.
- * @return A new {@code LoginContext}
+ * @return a new login context
* @throws LoginException If an error occurs while creating a new context.
*/
- LoginContext getLoginContext(Credentials credentials, String workspaceName) throws LoginException;
+ @Nonnull
+ OakLoginContext getLoginContext(
+ Credentials credentials, String workspaceName)
+ throws LoginException;
+
}
\ No newline at end of file
Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OakLoginContext.java (from r1393009, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OakLoginContext.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OakLoginContext.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java&r1=1393009&r2=1393038&rev=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginModule.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OakLoginContext.java Tue Oct 2 17:12:21 2012
@@ -16,40 +16,23 @@
*/
package org.apache.jackrabbit.oak.spi.security.authentication;
-import java.util.Map;
import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
/**
- * This class implements a {@link LoginModule} which allows any authenticating
- * Subject to login.
+ * Interface version of the JAAS {@link LoginContext} class. Used by Oak to
+ * make it easier to integrate non-JAAS authentication components while still
+ * retaining full JAAS support. The {@link JaasLoginContext} class acts as a
+ * bridge that connects the JAAS {@link LoginContext} class with this
+ * interface.
*/
-public class OpenLoginModule implements LoginModule {
+public interface OakLoginContext {
+
+ Subject getSubject();
+
+ void login() throws LoginException;
+
+ void logout() throws LoginException;
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> stringMap, Map<String, ?> stringMap1) {
- // nothing to do
- }
-
- @Override
- public boolean login() throws LoginException {
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- return true;
- }
-
- @Override
- public boolean abort() throws LoginException {
- return true;
- }
-
- @Override
- public boolean logout() throws LoginException {
- return true;
- }
}
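Review bot: The three interface methods have no Javadoc, so the contract for `getSubject()` before a successful `login()` is left undefined. Through the `JaasLoginContext` bridge it inherits the JAAS behaviour: it returns the caller-supplied subject regardless of login state, or null if none was supplied and login has not succeeded. `OpenLoginContextProvider` always returns a populated subject. Callers such as `ContentSessionImpl` need to know which of these to expect. I would add `/** Returns the subject of this context; only meaningful after {@link #login()} has returned normally, may be {@code null} before that. */` on `getSubject()`, plus one-line comments on `login()` and `logout()` stating that `login()` throws on failed authentication.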
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginContextProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginContextProvider.java?rev=1393038&r1=1393037&r2=1393038&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginContextProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenLoginContextProvider.java Tue Oct 2 17:12:21 2012
@@ -16,43 +16,41 @@
*/
package org.apache.jackrabbit.oak.spi.security.authentication;
-import java.util.Collections;
-
+import javax.annotation.Nonnull;
import javax.jcr.Credentials;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
+import javax.security.auth.Subject;
+
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
/**
- * This class implements a {@link LoginContextProvider} which accepts any given
- * credentials using an {@link OpenLoginModule}.
+ * This class provides login contexts that accept any credentials.
*/
public class OpenLoginContextProvider implements LoginContextProvider {
- @Override
- public LoginContext getLoginContext(Credentials credentials,
- String workspaceName)
- throws LoginException {
- return new OpenLoginContext();
- }
-
- private static class OpenLoginContext extends LoginContext {
-
- private static final String APP_NAME = OpenLoginContext.class.getName();
-
- public OpenLoginContext() throws LoginException {
- super(APP_NAME, null, null, new Configuration() {
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry(OpenLoginModule.class.getName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- Collections.<String, Object>emptyMap())
- };
- }
- });
+ @Override @Nonnull
+ public OakLoginContext getLoginContext(
+ Credentials credentials, String workspaceName) {
+ final Subject subject = new Subject();
+ if (credentials != null) {
+ subject.getPrivateCredentials().add(credentials);
}
+ subject.getPrincipals().add(EveryonePrincipal.getInstance());
+ subject.setReadOnly();
+
+ return new OakLoginContext() {
+ @Override
+ public Subject getSubject() {
+ return subject;
+ }
+ @Override
+ public void login() {
+ // do nothing
+ }
+ @Override
+ public void logout() {
+ // do nothing
+ }
+ };
}
}
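Review bot: The unverified `Credentials` object is added to the subject's private credentials and the subject is then made read-only, so the no-op `logout()` can never release it. A credentials object that carries a password would stay reachable for as long as the subject is referenced. Consider not storing the credentials at all in this provider, or leaving the subject writable and clearing the private credentials in `logout()`. The class Javadoc should also state plainly that `login()` performs no check and that every caller receives `EveryonePrincipal`. If that matches the intent, `* No authentication is performed; do not use where callers are untrusted.` would do.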