Author: tripod
Date: Fri Mar 21 22:57:40 2014
New Revision: 1580079
URL: http://svn.apache.org/r1580079
Log:
OAK-1596 Provide mechanism for pre authenticated shared credentials
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.java
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/package-info.java
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java?rev=1580079&r1=1580078&r2=1580079&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java
(original)
+++
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java
Fri Mar 21 22:57:40 2014
@@ -37,6 +37,7 @@ import org.apache.jackrabbit.oak.spi.sec
import
org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
import
org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
+import
org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin;
import
org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import
org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import
org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProviderManager;
@@ -160,15 +161,21 @@ public class ExternalLoginModule extends
if (idp == null || syncHandler == null) {
return false;
}
-
credentials = getCredentials();
- if (credentials == null) {
+
+ // check if we have a pre authenticated login from a previous login
module
+ final String userId;
+ final PreAuthenticatedLogin preAuthLogin = getSharedPreAuthLogin();
+ if (preAuthLogin != null) {
+ userId = preAuthLogin.getUserId();
+ } else {
+ userId = credentials instanceof SimpleCredentials ?
((SimpleCredentials) credentials).getUserID() : null;
+ }
+ if (userId == null && credentials == null) {
log.debug("No credentials found for external login module.
ignoring.");
return false;
}
- // remember userID as we need this so often
- final String userId = credentials instanceof SimpleCredentials ?
((SimpleCredentials) credentials).getUserID() : null;
try {
SyncedIdentity sId = null;
if (userId != null) {
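Review bot: When a PreAuthenticatedLogin and SimpleCredentials are both present, the new `if (preAuthLogin != null)` branch takes the user id from the shared marker and silently ignores the user id carried in the credentials, so a disagreement between the two is never noticed even though the same `credentials` object is later re-shared under SHARED_KEY_CREDENTIALS and attached to the subject. Comparing the two when both are available and at least logging a mismatch would make that visible: `if (credentials instanceof SimpleCredentials && userId != null && !userId.equals(((SimpleCredentials) credentials).getUserID())) { log.warn("Pre-authenticated user id {} does not match credentials", userId); return false; }`. Whether such a mismatch can legitimately occur depends on which modules precede this one in the JAAS configuration, which is not visible here. The enclosing login() method starts and ends outside the hunk.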
@@ -189,12 +196,19 @@ public class ExternalLoginModule extends
}
}
- externalUser = idp.authenticate(credentials);
+ if (preAuthLogin != null) {
+ externalUser = idp.getUser(preAuthLogin.getUserId());
+ } else {
+ externalUser = idp.authenticate(credentials);
+ }
+
if (externalUser != null) {
log.debug("IDP {} returned valid user {}", idp.getName(),
externalUser);
- //noinspection unchecked
- sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
+ if (credentials != null) {
+ //noinspection unchecked
+ sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
+ }
//noinspection unchecked
sharedState.put(SHARED_KEY_LOGIN_NAME, externalUser.getId());
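Review bot: In the pre-authenticated branch the IDP is only asked for the user via `idp.getUser(preAuthLogin.getUserId())`, yet the `if (credentials != null)` guard below still publishes whatever `credentials` holds under SHARED_KEY_CREDENTIALS, and the matching guard in the last hunk of this file adds the same object to `subject.getPublicCredentials()`. If those credentials came from the shared state they were presumably verified by the module that put them there, but credentials obtained from the callback handler on this path are never checked against the IDP, so a later module or API consumer would see unverified credentials as if they had passed authentication. Limiting both puts to the authenticated path, `if (preAuthLogin == null && credentials != null)`, or a comment explaining why re-sharing is safe here, would make the trust boundary explicit. The enclosing method continues outside the hunk.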
@@ -244,7 +258,9 @@ public class ExternalLoginModule extends
if (!principals.isEmpty()) {
if (!subject.isReadOnly()) {
subject.getPrincipals().addAll(principals);
- subject.getPublicCredentials().add(credentials);
+ if (credentials != null) {
+ subject.getPublicCredentials().add(credentials);
+ }
setAuthInfo(createAuthInfo(externalUser.getId(), principals),
subject);
} else {
log.debug("Could not add information to read only subject {}",
subject);
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java?rev=1580079&r1=1580078&r2=1580079&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
Fri Mar 21 22:57:40 2014
@@ -38,6 +38,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
import
org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
+import
org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.slf4j.Logger;
@@ -111,23 +112,31 @@ public final class LoginModuleImpl exten
@Override
public boolean login() throws LoginException {
+ final boolean success;
credentials = getCredentials();
- userId = getUserId();
- if (credentials == null || userId == null) {
- log.debug("Could not extract userId/credentials");
- return false;
+ // check if we have a pre authenticated login from a previous login
module
+ PreAuthenticatedLogin preAuthLogin = getSharedPreAuthLogin();
+ if (preAuthLogin != null) {
+ userId = preAuthLogin.getUserId();
+ Authentication authentication = new UserAuthentication(userId,
getUserManager());
+ success =
authentication.authenticate(UserAuthentication.PRE_AUTHENTICATED);
+
+ } else {
+ userId = getUserId();
+ Authentication authentication = new UserAuthentication(userId,
getUserManager());
+ success = authentication.authenticate(credentials);
}
- Authentication authentication = new UserAuthentication(userId,
getUserManager());
- boolean success = authentication.authenticate(credentials);
if (success) {
principals = getPrincipals(userId);
log.debug("Adding Credentials to shared state.");
+ //noinspection unchecked
sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
log.debug("Adding login name to shared state.");
+ //noinspection unchecked
sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
}
return success;
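Review bot: In the new pre-authenticated branch `credentials` is never validated (authentication uses `UserAuthentication.PRE_AUTHENTICATED` instead), but the unchanged `sharedState.put(SHARED_KEY_CREDENTIALS, credentials)` below still runs on success, possibly with a null value and possibly with credentials this module did not verify. The ExternalLoginModule change in this same commit guards the equivalent put with a null check; doing the same here keeps the two modules consistent: `if (credentials != null) { sharedState.put(SHARED_KEY_CREDENTIALS, credentials); }`. A one-line comment above the branch saying that the marker is trusted only because the shared state is private to the LoginContext would also help a reader. The closing brace of login() is outside the hunk.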
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.java?rev=1580079&r1=1580078&r2=1580079&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.java
Fri Mar 21 22:57:40 2014
@@ -58,6 +58,8 @@ import org.slf4j.LoggerFactory;
*/
class UserAuthentication implements Authentication {
+ static final Credentials PRE_AUTHENTICATED = new Credentials() { };
+
private static final Logger log =
LoggerFactory.getLogger(UserAuthentication.class);
private final String userId;
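Review bot: `PRE_AUTHENTICATED` is an undocumented sentinel that, as the last hunk of this file shows, lets authenticate() succeed without verifying any credential. A Javadoc stating its contract would prevent misuse, e.g. `/** Marker credentials accepted by {@link #authenticate} without verification. Deliberately package-private so that only LoginModuleImpl can present it, after a preceding login module has already authenticated the user; matched by reference identity. */`.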
@@ -71,7 +73,7 @@ class UserAuthentication implements Auth
//-----------------------------------------------------< Authentication
>---
@Override
public boolean authenticate(Credentials credentials) throws LoginException
{
- if (userId == null || userManager == null) {
+ if (userId == null || userManager == null || credentials == null) {
return false;
}
@@ -105,7 +107,7 @@ class UserAuthentication implements Auth
checkSuccess(success, "Impersonation not allowed.");
} else {
// guest login is allowed if an anonymous user exists in the
content (see get user above)
- success = (credentials instanceof GuestCredentials);
+ success = (credentials instanceof GuestCredentials) ||
credentials == PRE_AUTHENTICATED;
}
} catch (RepositoryException e) {
throw new LoginException(e.getMessage());
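Review bot: The comment above the changed line still reads `// guest login is allowed if an anonymous user exists in the content (see get user above)`, but the condition now also accepts the PRE_AUTHENTICATED marker for any existing user; update it to `// guest login, or a login already verified by a preceding module (PRE_AUTHENTICATED marker), is allowed if the user exists (see get user above)`. The reference comparison `credentials == PRE_AUTHENTICATED` is what keeps a Credentials instance constructed elsewhere from matching, so a short remark that the identity check is intentional would stop a future cleanup from turning it into equals().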
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java?rev=1580079&r1=1580078&r2=1580079&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java
Fri Mar 21 22:57:40 2014
@@ -163,6 +163,12 @@ public abstract class AbstractLoginModul
*/
public static final String SHARED_KEY_ATTRIBUTES =
"javax.security.auth.login.attributes";
+ /**
+ * Key of the sharedState entry referring to pre authenticated login
information that is shared
+ * between multiple login modules.
+ */
+ public static final String SHARED_KEY_PRE_AUTH_LOGIN =
PreAuthenticatedLogin.class.getName();
+
protected Subject subject;
protected CallbackHandler callbackHandler;
protected Map sharedState;
@@ -312,6 +318,20 @@ public abstract class AbstractLoginModul
}
/**
+ * @return The pre authenticated login or {@code null}
+ * @see #SHARED_KEY_PRE_AUTH_LOGIN
+ */
+ @CheckForNull
+ protected PreAuthenticatedLogin getSharedPreAuthLogin() {
+ Object login = sharedState.get(SHARED_KEY_PRE_AUTH_LOGIN);
+ if (login instanceof PreAuthenticatedLogin) {
+ return (PreAuthenticatedLogin) login;
+ } else {
+ return null;
+ }
+ }
+
+ /**
* Tries to obtain the {@code SecurityProvider} object from the callback
* handler using a new SecurityProviderCallback and keeps the value as
* private field. If the callback handler isn't able to handle the
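Review bot: The Javadoc of `getSharedPreAuthLogin()` only names the return value; it should say where the entry comes from and what a caller may assume, e.g. `Returns the {@link PreAuthenticatedLogin} a preceding login module of the same LoginContext placed in the shared state, or {@code null} if the entry is absent or of another type. It is trusted only because the shared state map is reachable solely by the login modules configured for that context.` The silent fall-through for an entry of the wrong type is reasonable but worth a debug log so a misconfigured module is noticed; that assumes a logger is available in this class, which the hunk does not show.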
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.java?rev=1580079&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.java
Fri Mar 21 22:57:40 2014
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+/**
+ * {@code PreAuthenticatedLogin} is used as marker in the shared map of the
login context. it indicates that the
+ * respective user is pre authenticated on an external system. Note that is
class is only used internally by the
+ * login modules and cannot be "abused" from outside.
+ */
+final public class PreAuthenticatedLogin {
+
+ private final String userId;
+
+ public PreAuthenticatedLogin(String userId) {
+ this.userId = userId;
+ }
+
+ public String getUserId() {
+ return userId;
+ }
+}
\ No newline at end of file
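Review bot: `final public class PreAuthenticatedLogin` uses a non-conventional modifier order; `public final class PreAuthenticatedLogin` is the recommended form. The class Javadoc has typos (`it indicates` should be `It indicates`, `Note that is class` should be `Note that this class`), and its claim that the marker `cannot be "abused" from outside` is stronger than the code supports: the class and its constructor are public, so the protection comes from the JAAS shared-state map being reachable only by the login modules of one LoginContext, which the Javadoc should state explicitly. The constructor also accepts a null userId; either `Objects.requireNonNull(userId, "userId")` or a nullability annotation consistent with the rest of the package would pin that contract down.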
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/package-info.java?rev=1580079&r1=1580078&r2=1580079&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/package-info.java
Fri Mar 21 22:57:40 2014
@@ -14,8 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("0.16")
-@Export(optional = "provide:=true")
+@Version("0.17")
package org.apache.jackrabbit.oak.spi.security.authentication;
import aQute.bnd.annotation.Version;