View Javadoc
1   /**
2    * This file Copyright (c) 2003-2015 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.jaas.sp.jcr;
35  
36  import info.magnolia.cms.beans.config.ContentRepository;
37  import info.magnolia.cms.security.PrincipalUtil;
38  import info.magnolia.cms.security.User;
39  import info.magnolia.cms.security.UserManager;
40  import info.magnolia.context.Context;
41  import info.magnolia.context.MgnlContext;
42  import info.magnolia.init.MagnoliaConfigurationProperties;
43  import info.magnolia.objectfactory.Components;
44  
45  import java.io.IOException;
46  import java.io.Serializable;
47  import java.util.Arrays;
48  import java.util.Map;
49  
50  import javax.security.auth.Subject;
51  import javax.security.auth.callback.Callback;
52  import javax.security.auth.callback.CallbackHandler;
53  import javax.security.auth.callback.NameCallback;
54  import javax.security.auth.callback.PasswordCallback;
55  import javax.security.auth.callback.UnsupportedCallbackException;
56  import javax.security.auth.login.FailedLoginException;
57  import javax.security.auth.login.LoginException;
58  import javax.security.auth.spi.LoginModule;
59  
60  import org.apache.jackrabbit.core.security.UserPrincipal;
61  import org.slf4j.Logger;
62  import org.slf4j.LoggerFactory;
63  
64  /**
65   * Login module for internal Jackrabbit authentication, validates the JackRabbit 'admin' user and uses the Subject
66   * provided by the magnolia context.
67   *
68   * Note that Jackrabbit requires the login module to be serializable.
69   */
70  public class JackrabbitAuthenticationModule implements LoginModule, Serializable {
71  
72      private static final Logger log = LoggerFactory.getLogger(JackrabbitAuthenticationModule.class);
73  
74      private Subject subject;
75      private CallbackHandler callbackHandler;
76      private String name;
77  
78      @Override
79      public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
80          this.subject = subject;
81          this.callbackHandler = callbackHandler;
82      }
83  
84      @Override
85      public boolean login() throws LoginException {
86  
87          if (this.callbackHandler == null) {
88              throw new LoginException("Error: no CallbackHandler available");
89          }
90  
91          Callback[] callbacks = new Callback[2];
92          callbacks[0] = new NameCallback("name");
93          callbacks[1] = new PasswordCallback("pswd", false);
94  
95          char[] password;
96          try {
97              this.callbackHandler.handle(callbacks);
98              this.name = ((NameCallback) callbacks[0]).getName();
99              password = ((PasswordCallback) callbacks[1]).getPassword();
100         } catch (IOException ioe) {
101             throw new LoginException(ioe.toString());
102         } catch (UnsupportedCallbackException ce) {
103             throw new LoginException(ce.getCallback().toString() + " not available");
104         }
105 
106         // When we log in to register workspaces and node types we do it as 'admin', we do this in SystemContext but we
107         // can't use the context here because it's bound to the system user which is configured in the repository and
108         // attempting to access it would fail. More specifically calling MgnlContext.getSubject() fails as a result of
109         // trying to use SecuritySupport.
110 
111         if (getAdminUser().equals(this.name)) {
112             if (!Arrays.equals(password, getAdminPassword().toCharArray())) {
113                 throw new FailedLoginException();
114             }
115             compileAdminPrincipals();
116             return true;
117         }
118 
119         Context context = MgnlContext.hasInstance() ? MgnlContext.getInstance() : null;
120         if (context == null) {
121             throw new FailedLoginException("Cannot login, magnolia context is not set");
122         }
123 
124         Subject magnoliaSubject = context.getSubject();
125         if (magnoliaSubject == null) {
126             throw new FailedLoginException("Cannot login, invalid setup or deserialization error");
127         }
128 
129         if (isSuperuser(magnoliaSubject)) {
130             compileAdminPrincipals();
131             return true;
132         }
133 
134         compileUserPrincipals(magnoliaSubject);
135         return true;
136     }
137 
138     @Override
139     public boolean commit() throws LoginException {
140         return true;
141     }
142 
143     @Override
144     public boolean abort() throws LoginException {
145         return false;
146     }
147 
148     @Override
149     public boolean logout() throws LoginException {
150         callbackHandler = null;
151         name = null;
152         return true;
153     }
154 
155     private void compileUserPrincipals(Subject magnoliaSubject) {
156         subject.getPrincipals().addAll(magnoliaSubject.getPrincipals());
157         subject.getPrincipals().add(new UserPrincipal(name));
158     }
159 
160     private void compileAdminPrincipals() {
161         this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(getAdminUser()));
162     }
163 
164     protected String getAdminUser() {
165         String user = ContentRepository.REPOSITORY_USER;
166         if (user == null) {
167             MagnoliaConfigurationProperties mcp = Components.getSingleton(MagnoliaConfigurationProperties.class);
168             user = mcp.getProperty("magnolia.connection.jcr.userId");
169         }
170         if (user == null) {
171             user = System.getProperty("magnolia.connection.jcr.userId");
172         }
173         return user;
174     }
175 
176     protected String getAdminPassword() {
177         String user = ContentRepository.REPOSITORY_PSWD;
178         if (user == null) {
179             MagnoliaConfigurationProperties mcp = Components.getSingleton(MagnoliaConfigurationProperties.class);
180             user = mcp.getProperty("magnolia.connection.jcr.password");
181         }
182         if (user == null) {
183             user = System.getProperty("magnolia.connection.jcr.password");
184         }
185         return user;
186     }
187 
188     /**
189      * Returns true if the subject has a principal that represents the magnolia superuser.
190      */
191     private boolean isSuperuser(Subject magnoliaSubject) {
192         User user = PrincipalUtil.findPrincipal(magnoliaSubject, User.class);
193         return user != null && UserManager.SYSTEM_USER.equals(user.getName());
194     }
195 }