View Javadoc

1   /**
2    * This file Copyright (c) 2003-2012 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.jaas.sp.jcr;
35  
36  import info.magnolia.cms.beans.config.ContentRepository;
37  import info.magnolia.cms.security.PrincipalUtil;
38  import info.magnolia.cms.security.User;
39  import info.magnolia.cms.security.UserManager;
40  import info.magnolia.context.Context;
41  import info.magnolia.context.MgnlContext;
42  import info.magnolia.init.MagnoliaConfigurationProperties;
43  import info.magnolia.objectfactory.Components;
44  
45  import java.io.IOException;
46  import java.io.Serializable;
47  import java.util.Arrays;
48  import java.util.Map;
49  
50  import javax.security.auth.Subject;
51  import javax.security.auth.callback.Callback;
52  import javax.security.auth.callback.CallbackHandler;
53  import javax.security.auth.callback.NameCallback;
54  import javax.security.auth.callback.PasswordCallback;
55  import javax.security.auth.callback.UnsupportedCallbackException;
56  import javax.security.auth.login.FailedLoginException;
57  import javax.security.auth.login.LoginException;
58  import javax.security.auth.spi.LoginModule;
59  
60  import org.apache.jackrabbit.core.security.UserPrincipal;
61  import org.slf4j.Logger;
62  import org.slf4j.LoggerFactory;
63  
64  /**
65   * Login module for internal Jackrabbit authentication, validates the JackRabbit 'admin' user and uses the Subject
66   * provided by the magnolia context.
67   *
68   * Note that Jackrabbit requires the login module to be serializable.
69   *
70   * @version $Id$
71   */
72  public class JackrabbitAuthenticationModule implements LoginModule, Serializable {
73  
74      private static final Logger log = LoggerFactory.getLogger(JackrabbitAuthenticationModule.class);
75  
76      private Subject subject;
77      private CallbackHandler callbackHandler;
78      private String name;
79  
80      @Override
81      public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
82          this.subject = subject;
83          this.callbackHandler = callbackHandler;
84      }
85  
86      @Override
87      public boolean login() throws LoginException {
88  
89          if (this.callbackHandler == null) {
90              throw new LoginException("Error: no CallbackHandler available");
91          }
92  
93          Callback[] callbacks = new Callback[2];
94          callbacks[0] = new NameCallback("name");
95          callbacks[1] = new PasswordCallback("pswd", false);
96  
97          char[] password;
98          try {
99              this.callbackHandler.handle(callbacks);
100             this.name = ((NameCallback) callbacks[0]).getName();
101             password = ((PasswordCallback) callbacks[1]).getPassword();
102         } catch (IOException ioe) {
103             throw new LoginException(ioe.toString());
104         } catch (UnsupportedCallbackException ce) {
105             throw new LoginException(ce.getCallback().toString() + " not available");
106         }
107 
108         // When we log in to register workspaces and node types we do it as 'admin', we do this in SystemContext but we
109         // can't use the context here because it's bound to the system user which is configured in the repository and
110         // attempting to access it would fail. More specifically calling MgnlContext.getSubject() fails as a result of
111         // trying to use SecuritySupport.
112 
113         if (getAdminUser().equals(this.name)) {
114             if (!Arrays.equals(password, getAdminPassword().toCharArray())) {
115                 throw new FailedLoginException();
116             }
117             compileAdminPrincipals();
118             return true;
119         }
120 
121         Context context = MgnlContext.hasInstance() ? MgnlContext.getInstance() : null;
122         if (context == null) {
123             throw new FailedLoginException("Cannot login, magnolia context is not set");
124         }
125 
126         Subject magnoliaSubject = context.getSubject();
127         if (magnoliaSubject == null) {
128             throw new FailedLoginException("Cannot login, invalid setup or deserialization error");
129         }
130 
131         if (isSuperuser(magnoliaSubject)) {
132             compileAdminPrincipals();
133             return true;
134         }
135 
136         compileUserPrincipals(magnoliaSubject);
137         return true;
138     }
139 
140     @Override
141     public boolean commit() throws LoginException {
142         return true;
143     }
144 
145     @Override
146     public boolean abort() throws LoginException {
147         return false;
148     }
149 
150     @Override
151     public boolean logout() throws LoginException {
152         callbackHandler = null;
153         name = null;
154         return true;
155     }
156 
157     private void compileUserPrincipals(Subject magnoliaSubject) {
158         subject.getPrincipals().addAll(magnoliaSubject.getPrincipals());
159         subject.getPrincipals().add(new UserPrincipal(name));
160     }
161 
162     private void compileAdminPrincipals() {
163         this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(getAdminUser()));
164     }
165 
166     protected String getAdminUser() {
167         String user = ContentRepository.REPOSITORY_USER;
168         if (user == null) {
169             MagnoliaConfigurationProperties mcp = Components.getSingleton(MagnoliaConfigurationProperties.class);
170             user = mcp.getProperty("magnolia.connection.jcr.userId");
171         }
172         if (user == null) {
173             user = System.getProperty("magnolia.connection.jcr.userId");
174         }
175         return user;
176     }
177 
178     protected String getAdminPassword() {
179         String user = ContentRepository.REPOSITORY_PSWD;
180         if (user == null) {
181             MagnoliaConfigurationProperties mcp = Components.getSingleton(MagnoliaConfigurationProperties.class);
182             user = mcp.getProperty("magnolia.connection.jcr.password");
183         }
184         if (user == null) {
185             user = System.getProperty("magnolia.connection.jcr.password");
186         }
187         return user;
188     }
189 
190     /**
191      * Returns true if the subject has a principal that represents the magnolia superuser.
192      */
193     private boolean isSuperuser(Subject magnoliaSubject) {
194         User user = PrincipalUtil.findPrincipal(magnoliaSubject, User.class);
195         return user != null && UserManager.SYSTEM_USER.equals(user.getName());
196     }
197 }