Posted to commits@jackrabbit.apache.org by fm...@apache.org on 2009/10/14 15:29:06 UTC
svn commit: r825125 -
/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
Author: fmeschbe
Date: Wed Oct 14 13:29:05 2009
New Revision: 825125
URL: http://svn.apache.org/viewvc?rev=825125&view=rev
Log:
JCR-2355 Add support for pre-authenticated repository access
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java?rev=825125&r1=825124&r2=825125&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java Wed Oct 14 13:29:05 2009
@@ -66,12 +66,31 @@
private static final String KEY_CREDENTIALS = "org.apache.jackrabbit.credentials";
private static final String KEY_LOGIN_NAME = "javax.security.auth.login.name";
+ /**
+ * The name of the login module configuration option providing the name
+ * of the SimpleCredentials attribute used to identify a pre-authenticated
+ * login.
+ *
+ * @see #isPreAuthenticated(Credentials)
+ */
+ private static final String PRE_AUTHENTICATED_ATTRIBUTE_OPTION = "trust_credentials_attribute";
+
private String principalProviderClassName;
- private boolean initialized;
+ private boolean initialized;
protected String adminId;
protected String anonymousId;
+ /**
+ * The name of the credentials attribute providing a hint that the
+ * credentials should be taken as is and the user requesting access
+ * has already been authenticated outside of this LoginModule.
+ *
+ * @see #getTrustedCredentialsAttributeName()
+ */
+ private String preAuthAttributeName;
+
+
protected CallbackHandler callbackHandler;
protected Principal principal;
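Review bot: The Javadoc on `preAuthAttributeName` points to `#getTrustedCredentialsAttributeName()`, but the accessor this commit adds is `getPreAuthAttributeName()`, so the `@see` is dangling. The same stale name is used in the `{@link ...}` inside the Javadoc of `isPreAuthenticated` in the last hunk. Both should read `#getPreAuthAttributeName()`, so that readers of this security-relevant field land on the method that actually exposes it.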
@@ -154,6 +173,14 @@
if (anonymousId == null) {
anonymousId = repositoryCb.getAnonymousId();
}
+ // trusted credentials attribute name (may be missing to not
+ // support) (normalized to null aka missing aka unset if an empty
+ // string)
+ preAuthAttributeName = (String) options.get(PRE_AUTHENTICATED_ATTRIBUTE_OPTION);
+ if (preAuthAttributeName != null
+ && preAuthAttributeName.length() == 0) {
+ preAuthAttributeName = null;
+ }
//log config values for debug
if (log.isDebugEnabled()) {
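Review bot: A whitespace-only option value survives this normalisation and becomes the trusted attribute name, because only the empty string is mapped to `null`. Trimming first, e.g. `preAuthAttributeName = preAuthAttributeName.trim();` ahead of the `length() == 0` test, keeps a stray blank in the JAAS configuration from silently enabling pre-authentication. The unchecked `(String)` cast will presumably throw a `ClassCastException` if the option is ever supplied as a non-String, so an `instanceof String` guard would be safer. Since this option decides whether password verification can be skipped, the debug block that starts on the last line of the hunk (and continues outside it) should also report whether the option is set.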
@@ -221,12 +248,15 @@
* be used.<p/>
*
* <b>3) Verfication</b><br>
- * There are two cases, how the User-ID can be verfied:
- * Either the login is the result of an impersonation request (see
- * {@link javax.jcr.Session#impersonate(Credentials)} or of a login to the Repository ({@link
- * javax.jcr.Repository#login(Credentials)}). The concrete implementation
- * of the LoginModule is responsible for both impersonation and login:
+ * There are four cases, how the User-ID can be verfied:
+ * The login is anonymous, preauthenticated or the login is the result of
+ * an impersonation request (see {@link javax.jcr.Session#impersonate(Credentials)}
+ * or of a login to the Repository ({@link javax.jcr.Repository#login(Credentials)}).
+ * The concrete implementation of the LoginModule is responsible for all
+ * four cases:
* <ul>
+ * <li>{@link #isAnonymous(Credentials)}</li>
+ * <li>{@link #isPreAuthenticated(Credentials)}</li>
* <li>{@link #authenticate(Principal, Credentials)}</li>
* <li>{@link #impersonate(Principal, Credentials)}</li>
* </ul>
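Review bot: The revised text lists `isAnonymous` and `isPreAuthenticated` next to `authenticate` and `impersonate` as ways the User-ID is verified, but in this commit the first two are predicates that cause verification to be skipped. The Javadoc should say so, for example `In the anonymous and pre-authenticated cases no credential check is performed by this LoginModule; the caller is trusted to have established the identity.` The comment block starts and ends outside the hunk, so the wording should be checked against the rest of it.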
@@ -276,8 +306,8 @@
return false;
}
boolean authenticated;
- // test for anonymous, impersonation or common authentication.
- if (isAnonymous(creds)) {
+ // test for anonymous, pre-authentication, impersonation or common authentication.
+ if (isAnonymous(creds) || isPreAuthenticated(creds)) {
authenticated = true;
} else if (isImpersonation(creds)) {
authenticated = impersonate(userPrincipal, creds);
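Review bot: Folding `isPreAuthenticated(creds)` into the anonymous branch means credentials carrying the trusted attribute never reach the `isImpersonation` or `authenticate` checks, and a password-less login leaves no trace that distinguishes it from an anonymous one. A separate branch keeps the two cases apart and gives operators something to audit: `} else if (isPreAuthenticated(creds)) {` followed by `log.debug("Login for {} accepted as pre-authenticated", userPrincipal.getName());` and `authenticated = true;`. The enclosing method starts and ends outside the hunk, so whether `userPrincipal` is guaranteed non-null at this point should be confirmed there.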
@@ -705,4 +735,44 @@
public void setPrincipalProvider(String principalProvider) {
this.principalProviderClassName = principalProvider;
}
+
+ /**
+ * The name of the credentials attribute providing a hint that the
+ * credentials should be taken as is and the user requesting access
+ * has already been authenticated outside of this LoginModule.
+ * <p>
+ * This name is configured as the value of the LoginModule configuration
+ * parameter <code>trust_credentials_attribute</code>. If the configuration
+ * parameter is missing (or empty) the name is not set and this method
+ * returns <code>null</code>.
+ *
+ * @see #isPreAuthenticated(Credentials)
+ */
+ protected final String getPreAuthAttributeName() {
+ return preAuthAttributeName;
+ }
+
+ /**
+ * Returns <code>true</code> if the credentials should be considered as
+ * pre-authenticated and a password check is not required.
+ * <p>
+ * This base class implementation returns <code>true</code> if the
+ * <code>creds</code> object is a SimpleCredentials instance and the
+ * configured {@link #getTrustedCredentialsAttributeName() trusted
+ * credentials property} is set to a non-<code>null</code> value in the
+ * credentials attributes.
+ * <p>
+ * Extensions of this class may overwrite this method to apply more or
+ * different checks to the credentials.
+ *
+ * @param creds The Credentials to check
+ *
+ * @see #getPreAuthAttributeName()
+ */
+ protected boolean isPreAuthenticated(final Credentials creds) {
+ final String preAuthAttrName = getPreAuthAttributeName();
+ return preAuthAttrName != null
+ && (creds instanceof SimpleCredentials)
+ && ((SimpleCredentials) creds).getAttribute(preAuthAttrName) != null;
+ }
}
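Review bot: `isPreAuthenticated` accepts any non-null value for the configured attribute, so the only thing separating a caller from a password-less login as an arbitrary user id is knowledge of the attribute name and the ability to pass a `SimpleCredentials` to the repository. The Javadoc should state that precondition explicitly. It should say that `trust_credentials_attribute` must only be configured where every path to `Repository.login` goes through code that has already authenticated the user. It should also say that the attribute name needs the same protection as a shared secret, and that subclasses wanting stronger guarantees should override the method to validate the attribute value. Nothing in the visible code excludes `adminId` from this path; if that is intentional, it should be documented here as well.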