Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2012/10/11 15:31:44 UTC
svn commit: r1397042 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
security/authentication/ security/authentication/token/
spi/security/authentication/
Author: angela
Date: Thu Oct 11 13:31:43 2012
New Revision: 1397042
URL: http://svn.apache.org/viewvc?rev=1397042&view=rev
Log:
OAK-91 - Implement Authentication Support (WIP)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java Thu Oct 11 13:31:43 2012
@@ -22,6 +22,7 @@ import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.Tree;
@@ -52,32 +53,39 @@ public class AuthenticationImpl implemen
}
@Override
- public boolean authenticate(Credentials credentials) {
- Tree userTree = getUserTree();
- if (userTree == null || userProvider.isDisabled(userTree)) {
+ public boolean authenticate(Credentials credentials) throws LoginException {
+ if (userId == null || userProvider == null) {
return false;
}
+ Tree userTree = userProvider.getAuthorizable(userId, AuthorizableType.USER);
+ if (userTree == null) {
+ throw new LoginException("Unknown user " + userId);
+ }
+ if (userProvider.isDisabled(userTree)) {
+ throw new LoginException("User with ID " + userId + " has been disabled.");
+ }
+
boolean success;
if (credentials instanceof SimpleCredentials) {
SimpleCredentials creds = (SimpleCredentials) credentials;
success = PasswordUtility.isSame(userProvider.getPasswordHash(userTree), creds.getPassword());
+ checkSuccess(success, "UserId/Password mismatch.");
} else if (credentials instanceof ImpersonationCredentials) {
AuthInfo info = ((ImpersonationCredentials) credentials).getImpersonatorInfo();
success = impersonate(info, userTree);
+ checkSuccess(success, "Impersonation not allowed.");
} else {
- // guest login is allowed if an anonymous user exists in the content (see getUserTree above)
+ // guest login is allowed if an anonymous user exists in the content (see get user above)
success = (credentials instanceof GuestCredentials);
}
return success;
}
//--------------------------------------------------------------------------
- private Tree getUserTree() {
- if (userProvider == null || userId == null) {
- return null;
- } else {
- return userProvider.getAuthorizable(userId, AuthorizableType.USER);
+ private static void checkSuccess(boolean success, String msg) throws LoginException {
+ if (!success) {
+ throw new LoginException(msg);
}
}
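Review bot: The three distinct LoginException messages introduced here (`"Unknown user " + userId`, `"User with ID " + userId + " has been disabled."`, `"UserId/Password mismatch."`) let any caller that sees the exception text tell a non-existent account from a wrong password, and the disabled check fires before any credential is verified, so account status leaks as well. Use one uniform message for all three failure paths, e.g. `throw new LoginException("Authentication failed.");`, and keep the specific reason in a debug-level log if the class has a logger (none is visible in this hunk). The `userId == null || userProvider == null` early return correctly maps to the "not handled" meaning the interface change in Authentication.java documents, so only the thrown messages need to change.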
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java Thu Oct 11 13:31:43 2012
@@ -88,7 +88,7 @@ import org.slf4j.LoggerFactory;
*
*
*/
-public class LoginModuleImpl extends AbstractLoginModule {
+public final class LoginModuleImpl extends AbstractLoginModule {
private static final Logger log = LoggerFactory.getLogger(LoginModuleImpl.class);
@@ -114,15 +114,20 @@ public class LoginModuleImpl extends Abs
credentials = getCredentials();
userID = getUserID();
+ if (credentials == null || userID == null) {
+ log.debug("Could not extract userId/credentials");
+ return false;
+ }
+
Authentication authentication = new AuthenticationImpl(userID, getUserProvider(), getPrincipalProvider());
boolean success = authentication.authenticate(credentials);
if (success) {
principals = getPrincipals(userID);
- log.debug("Login: adding Credentials to shared state.");
+ log.debug("Adding Credentials to shared state.");
sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
- log.debug("Login: adding login name to shared state.");
+ log.debug("Adding login name to shared state.");
sharedState.put(SHARED_KEY_LOGIN_NAME, userID);
}
return success;
@@ -131,6 +136,7 @@ public class LoginModuleImpl extends Abs
@Override
public boolean commit() throws LoginException {
if (credentials == null || principals.isEmpty()) {
+ clearState();
return false;
} else {
if (!subject.isReadOnly()) {
@@ -144,19 +150,21 @@ public class LoginModuleImpl extends Abs
}
}
- @Override
- public boolean abort() throws LoginException {
- credentials = null;
- principals = null;
- return true;
- }
-
//------------------------------------------------< AbstractLoginModule >---
@Override
protected Set<Class> getSupportedCredentials() {
return SUPPORTED_CREDENTIALS;
}
+ @Override
+ protected void clearState() {
+ super.clearState();
+
+ credentials = null;
+ principals = null;
+ userID = null;
+ }
+
//--------------------------------------------------------------------------
@CheckForNull
private String getUserID() {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java Thu Oct 11 13:31:43 2012
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.securi
import java.util.Date;
import javax.annotation.Nonnull;
import javax.jcr.Credentials;
+import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
@@ -48,13 +49,15 @@ class TokenAuthentication implements Aut
//-----------------------------------------------------< Authentication >---
@Override
- public boolean authenticate(Credentials credentials) {
- boolean success = false;
- if (credentials instanceof TokenCredentials) {
+ public boolean authenticate(Credentials credentials) throws LoginException {
+ if (tokenProvider != null && credentials instanceof TokenCredentials) {
TokenCredentials tc = (TokenCredentials) credentials;
- success = validateCredentials(tc);
+ if (!validateCredentials(tc)) {
+ throw new LoginException("Invalid token credentials.");
+ }
}
- return success;
+ // no tokenProvider or other credentials implementation -> not handled here.
+ return false;
}
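Review bot: A valid token now yields `false`: when `validateCredentials(tc)` succeeds at the `if (!validateCredentials(tc))` line, control falls out of the outer `if` to the unconditional `return false;`, whereas the removed code returned `success`. Add `return true;` inside the `if (tokenProvider != null && credentials instanceof TokenCredentials)` block after the validation check, so the trailing `return false;` covers only the not-handled case named in the comment above it. As written, TokenLoginModule would never treat a token login as successful.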
//-----------------------------------------------------------< internal >---
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java Thu Oct 11 13:31:43 2012
@@ -43,7 +43,7 @@ import org.slf4j.LoggerFactory;
* {@code LoginModule} implementation that is able to handle login request
* based on {@link TokenCredentials}.
*/
-public class TokenLoginModule extends AbstractLoginModule {
+public final class TokenLoginModule extends AbstractLoginModule {
/**
* logger instance
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java Thu Oct 11 13:31:43 2012
@@ -66,7 +66,6 @@ public abstract class AbstractLoginModul
*/
public static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
-
protected Subject subject;
protected CallbackHandler callbackHandler;
protected Map sharedState;
@@ -86,16 +85,23 @@ public abstract class AbstractLoginModul
@Override
public boolean logout() throws LoginException {
- if (subject.getPrincipals().isEmpty() || subject.getPublicCredentials(Credentials.class).isEmpty()) {
- return false;
- } else {
+ boolean success = false;
+ if (!subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()) {
// clear subject if not readonly
if (!subject.isReadOnly()) {
subject.getPrincipals().clear();
subject.getPublicCredentials().clear();
}
- return true;
+ success = true;
}
+ // TODO: check if state should be cleared
+ return success;
+ }
+
+ @Override
+ public boolean abort() throws LoginException {
+ clearState();
+ return true;
}
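Review bot: The `// TODO: check if state should be cleared` left in logout() points at a real gap: abort() now calls clearState(), but logout() returns with `securityProvider` and `root` still referenced, so whatever `root` holds (not visible here) outlives the session it was obtained for. Call `clearState();` just before `return success;` so both exit paths of the module release that state. Separately, the retained `subject.getPublicCredentials().clear()` removes every public credential on the subject, not only the `Credentials.class` entries the guard at the top tests for; if other modules store their own public credentials this wipes them too, so consider `subject.getPublicCredentials(Credentials.class)` when clearing.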
//--------------------------------------------------------------------------
@@ -240,4 +246,12 @@ public abstract class AbstractLoginModul
}
return root;
}
+
+ /**
+ * Clear state information that has been created during {@link #login()}.
+ */
+ protected void clearState() {
+ securityProvider = null;
+ root = null;
+ }
}
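Review bot: The Javadoc on the new `clearState()` does not say that overriders must chain to the base implementation, which the LoginModuleImpl override in this commit relies on, nor that abort() is the caller. Extend it with `Invoked from {@link #abort()}. Subclasses overriding this method must call {@code super.clearState()}.` so a future override that adds fields does not silently leave `securityProvider` and `root` set.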
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java?rev=1397042&r1=1397041&r2=1397042&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java Thu Oct 11 13:31:43 2012
@@ -17,6 +17,7 @@
package org.apache.jackrabbit.oak.spi.security.authentication;
import javax.jcr.Credentials;
+import javax.security.auth.login.LoginException;
/**
* The {@code Authentication} interface defines methods to validate
@@ -42,7 +43,9 @@ public interface Authentication {
*
* @param credentials to verify
* @return {@code true} if the validation was successful; {@code false}
- * if the specified credentials are not supported or if validation failed.
+ * if the specified credentials are not supported and this authentication
+ * implementation cannot verify their validity.
+ * @throws LoginException if the authentication failed.
*/
- boolean authenticate(Credentials credentials);
+ boolean authenticate(Credentials credentials) throws LoginException;
}
\ No newline at end of file