34 package info.magnolia.jaas.sp.jcr;
35
import info.magnolia.cms.security.MgnlUser;
import info.magnolia.cms.security.MgnlUserManager;
import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.User;
import info.magnolia.cms.security.UserManager;
import info.magnolia.jaas.sp.AbstractLoginModule;
import info.magnolia.jaas.sp.UserAwareLoginModule;

import java.io.Serializable;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
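/**
 * JAAS login module that resolves a Magnolia user from the realm's user manager,
 * checks its password and status, and exposes the result to Jackrabbit as principals.
 * <p>
 * Security properties visible in this class:
 * <ul>
 * <li>The login name {@code "admin"} is never looked up in the store. {@link #initUser()}
 * builds that user in memory with a constant password property (base64 of {@code "admin"}).
 * This is a hard-coded credential; what a caller must actually present depends on
 * {@code MgnlUser#getPassword()}, which is not part of this file. Confirm the module is only
 * reachable from trusted, in-process callers.</li>
 * <li>{@link #matchPassword()} compares the stored password with the supplied one as
 * plaintext; nothing here hashes or salts passwords.</li>
 * <li>{@link #validateUser()} throws a different {@link LoginException} subclass for
 * "unknown account", "wrong password" and "disabled account". A caller that surfaces the
 * exception type or message to an end user reveals account existence and lock state.</li>
 * <li>{@link #isAdmin()} and the {@code "superuser"} branch in {@link #setEntity()} decide
 * on the login name alone; the realm is not consulted.</li>
 * </ul>
 * Instances hold per-login state ({@code name}, {@code pswd}, {@code realm},
 * {@code subject}, inherited from {@link AbstractLoginModule}) and are not thread-safe.
 */
public class MagnoliaAuthenticationModule extends AbstractLoginModule implements UserAwareLoginModule, Serializable {

    /** When {@code false}, debug output is suppressed for the {@code "admin"} login name. */
    private static final boolean logAdmin = false;

    /**
     * Fixed charset for the password byte comparison. Both sides must be encoded the same,
     * losslessly; the platform default could fold unrepresentable characters and create
     * false matches.
     */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** User resolved by {@link #initUser()}; {@code null} before that and when the account does not exist. */
    protected User user;

    /**
     * Principal marking a repository-level administrator for Jackrabbit.
     * <p>
     * NOTE(review): this is a non-static inner class, so every instance carries a hidden
     * reference to its enclosing login module, and being {@link Serializable} it drags that
     * module's serializable state along. Making it {@code static} would remove this but
     * changes the serialized form and the qualified-new syntax, so it is left as declared.
     */
    public class MagnoliaJRAdminPrincipal extends AdminPrincipal implements Principal, Serializable {
        public MagnoliaJRAdminPrincipal(String name) {
            super(name);
        }
    }

    /**
     * Resolves the user, then verifies password and account status.
     *
     * @throws AccountNotFoundException if no user with the login name exists in the realm
     * @throws FailedLoginException if the account has an empty password, no password was
     *         supplied, or the passwords differ
     * @throws AccountLockedException if the password matches but the account is disabled
     * @throws LoginException propagated from the user lookup
     */
    @Override
    public void validateUser() throws LoginException {
        initUser();

        if (this.user == null) {
            throw new AccountNotFoundException("User account " + this.name + " not found.");
        }

        // Password is verified before the enabled flag, so a disabled account still answers
        // "wrong password" and "locked" differently.
        matchPassword();

        if (!this.user.isEnabled()) {
            throw new AccountLockedException("User account " + this.name + " is locked.");
        }

        // Neither the anonymous user nor the synthetic admin identity gets a last-access update.
        if (!UserManager.ANONYMOUS_USER.equals(this.user.getName()) && !isAdmin()) {
            getUserManager().updateLastAccessTimestamp(this.user);
        }
    }

    /**
     * Returns the user manager of this login's realm.
     */
    private UserManager getUserManager() {
        if (isDebugLoggingAllowed()) {
            log.debug("getting user manager for realm {}", realm.getName());
        }
        return SecuritySupport.Factory.getInstance().getUserManager(realm.getName());
    }

    /**
     * Debug logging is suppressed for the {@code "admin"} login name unless {@link #logAdmin}
     * is set.
     */
    private boolean isDebugLoggingAllowed() {
        return logAdmin || !isAdmin();
    }

    /**
     * Populates {@link #user}: a synthetic in-memory user for the {@code "admin"} name, the
     * realm's stored user for every other name ({@code null} when it does not exist).
     *
     * @throws LoginException propagated from the user manager lookup
     */
    protected void initUser() throws LoginException {
        if (isDebugLoggingAllowed()) {
            log.debug("initializing user {}", name);
        }

        if (isAdmin()) {
            // Hard-coded credential: the repository admin is never read from the store and
            // always carries this constant password property (see class Javadoc).
            Map<String, String> props = new HashMap<String, String>();
            byte[] encoded = Base64.encodeBase64("admin".getBytes(UTF8));
            props.put(MgnlUserManager.PROPERTY_PASSWORD, new String(encoded, UTF8));
            this.user = new MgnlUser(name, null, Collections.<String>emptyList(),
                    Collections.<String>emptyList(), props);
            return;
        }

        long start = System.currentTimeMillis();
        this.user = getUserManager().getUser(name);
        if (isDebugLoggingAllowed()) {
            log.debug("initialized user {} in {}ms", name, (System.currentTimeMillis() - start));
        }
    }

    /**
     * Compares the stored password with the one supplied to the login.
     * <p>
     * Both values are compared as plaintext. The byte comparison does not stop at the first
     * differing position, so the time taken does not reveal how many leading characters were
     * right; a length mismatch still returns early, as {@link MessageDigest#isEqual} does.
     *
     * @throws FailedLoginException if the account has an empty password, no password was
     *         supplied, or the passwords differ
     */
    protected void matchPassword() throws LoginException {
        String serverPassword = user.getPassword();

        if (StringUtils.isEmpty(serverPassword)) {
            throw new FailedLoginException("we do not allow users with no password");
        }

        // A missing password used to surface as a NullPointerException from new String(null);
        // treat it as an ordinary failed login instead.
        if (this.pswd == null) {
            throw new FailedLoginException("passwords do not match");
        }

        byte[] expected = serverPassword.getBytes(UTF8);
        byte[] supplied = new String(this.pswd).getBytes(UTF8);
        if (!MessageDigest.isEqual(expected, supplied)) {
            throw new FailedLoginException("passwords do not match");
        }
    }

    /**
     * Adds the principals for the authenticated identity to the subject.
     * <ul>
     * <li>{@code "admin"}: only a {@link MagnoliaJRAdminPrincipal}; user and realm principals
     * and the group/role collection are skipped.</li>
     * <li>{@code "superuser"}: a {@link MagnoliaJRAdminPrincipal} plus the common
     * principals below.</li>
     * <li>anyone else: a {@link UserPrincipal} plus the common principals below.</li>
     * </ul>
     * Common principals: the resolved {@link User}, the realm, then every group and role name.
     * The branch is chosen by login name alone.
     */
    @Override
    public void setEntity() {
        if (isAdmin()) {
            this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(name));
            return;
        }

        if ("superuser".equals(name)) {
            this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(name));
        } else {
            this.subject.getPrincipals().add(new UserPrincipal(name));
        }

        this.subject.getPrincipals().add(this.user);
        this.subject.getPrincipals().add(this.realm);

        collectGroupNames();
        collectRoleNames();
    }

    /**
     * {@code true} when the login name is exactly {@code "admin"}; the realm is not consulted.
     */
    private boolean isAdmin() {
        return "admin".equals(this.name);
    }

    /**
     * This module assigns no ACLs.
     */
    @Override
    public void setACL() {
    }

    /**
     * Registers every role of the resolved user via {@code addRoleName}.
     */
    public void collectRoleNames() {
        for (String role : this.user.getAllRoles()) {
            addRoleName(role);
        }
    }

    /**
     * Registers every group of the resolved user via {@code addGroupName}.
     */
    public void collectGroupNames() {
        for (String group : this.user.getAllGroups()) {
            addGroupName(group);
        }
    }

    /**
     * @return the user resolved by {@link #initUser()}, or {@code null} if not yet resolved
     */
    @Override
    public User getUser() {
        return user;
    }
}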