Author: fmeschbe
Date: Sun Feb  8 20:24:50 2009
New Revision: 742157

URL: http://svn.apache.org/viewvc?rev=742157&view=rev
Log:
SLING-839 Apply patch by Rory Douglas (thanks)

Added:
    
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
   (with props)
    
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
   (with props)
Modified:
    incubator/sling/trunk/extensions/openidauth/pom.xml
    
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/OpenIDUserUtil.java
    
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.java
    
incubator/sling/trunk/extensions/openidauth/src/main/resources/OSGI-INF/metatype/metatype.properties
    
incubator/sling/trunk/extensions/openidauth/src/main/resources/SLING-INF/content/apps/openid/auth/login/html.jsp

Modified: incubator/sling/trunk/extensions/openidauth/pom.xml
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/pom.xml?rev=742157&r1=742156&r2=742157&view=diff
==============================================================================
--- incubator/sling/trunk/extensions/openidauth/pom.xml (original)
+++ incubator/sling/trunk/extensions/openidauth/pom.xml Sun Feb  8 20:24:50 2009
@@ -157,5 +157,10 @@
                <artifactId>jetty-util</artifactId>
                <version>7.0.0.pre5</version>
            </dependency>
+           <dependency>
+               <groupId>org.apache.sling</groupId>
+               <artifactId>org.apache.sling.jcr.jackrabbit.server</artifactId>
+               <version>2.0.3-incubator-SNAPSHOT</version>
+           </dependency>
     </dependencies>
 </project>

Modified: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/OpenIDUserUtil.java
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/OpenIDUserUtil.java?rev=742157&r1=742156&r2=742157&view=diff
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/OpenIDUserUtil.java
 (original)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/OpenIDUserUtil.java
 Sun Feb  8 20:24:50 2009
@@ -19,7 +19,7 @@
 package org.apache.sling.openidauth;
 
 public class OpenIDUserUtil {
-       public static String getPrinicpalName(String openIdIdentifier) {
+       public static String getPrincipalName(String openIdIdentifier) {
                if(openIdIdentifier.endsWith("/")) {
                        openIdIdentifier = 
openIdIdentifier.substring(0,openIdIdentifier.length()-1);
                }

Modified: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.java?rev=742157&r1=742156&r2=742157&view=diff
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.java
 (original)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.java
 Sun Feb  8 20:24:50 2009
@@ -19,16 +19,25 @@
 package org.apache.sling.openidauth.impl;
 
 import java.io.IOException;
+import java.security.Principal;
+import java.util.Map;
 import java.util.Properties;
 
 import javax.jcr.Credentials;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
 import javax.jcr.SimpleCredentials;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.FailedLoginException;
+import javax.security.auth.login.LoginException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.sling.commons.osgi.OsgiUtil;
 import org.apache.sling.engine.auth.AuthenticationHandler;
 import org.apache.sling.engine.auth.AuthenticationInfo;
+import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
+import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;
 import org.apache.sling.openidauth.OpenIDConstants;
 import org.apache.sling.openidauth.OpenIDUserUtil;
 import org.apache.sling.openidauth.OpenIDConstants.OpenIDFailure;
@@ -50,11 +59,11 @@
  *                description="%auth.openid.description"
  * @scr.property name="service.description" value="Apache Sling OpenID 
Authentication Handler"
  * @scr.property name="service.vendor" value="The Apache Software Foundation"
- * @scr.property nameRef="AuthenticationHandler.PATH_PROPERTY" values.0="/" 
+ * @scr.property nameRef="AuthenticationHandler.PATH_PROPERTY" values.0="/"
  * @scr.service
  */
 public class OpenIDAuthenticationHandler implements
-        AuthenticationHandler {
+        AuthenticationHandler, LoginModulePlugin {
 
     /** default log */
     private final Logger log = LoggerFactory.getLogger(getClass());
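Review bot: The class now implements `LoginModulePlugin` as well as `AuthenticationHandler`, but the class Javadoc (its start lies above the hunk) and the `service.description` property still describe it only as an authentication handler. A sentence such as `Also acts as a repository LoginModulePlugin that accepts only the credentials it issued itself (tagged with an OpenIdUser attribute), so no shared repository password is needed.` would explain the dual role to readers of the class. Presumably `@scr.service` without an explicit interface registers the component under both interfaces; stating that in the comment would save the next maintainer from having to check.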
@@ -174,7 +183,6 @@
     static final String SLASH = "/";
     
     private ComponentContext context;
-    private String openIdUserPassword;
     
     private String loginForm;
     private String authSuccessUrl;
@@ -269,11 +277,21 @@
         // if the response is already committed, we have a problem !!
         if (!response.isCommitted()) {
                
+               // If we're here & we have a valid authenticated user
+               // probably we failed the repository login (no repo user
+               // configured for the authenticated principal)
+               OpenIdUser user = 
(OpenIdUser)request.getAttribute(OpenIDConstants.OPEN_ID_USER_ATTRIBUTE);
+               if(user != null && user.isAuthenticated()) {
+                       request.getSession().setAttribute(
+                                       
OpenIDConstants.OPENID_FAILURE_REASON_ATTRIBUTE, 
+                                       
OpenIDConstants.OpenIDFailure.REPOSITORY);
+               }
+
                // requestAuthentication is only called after a failed 
authentication
                // so it makes sense to remove any existing login
-               // original URL is set only if it doesn't already exist
                relyingParty.invalidate(request, response);
-               
+
+               // original URL is set only if it doesn't already exist         
                
if(request.getSession().getAttribute(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE) == 
null) {
                        String originalUrl = request.getRequestURI() +
                                (request.getQueryString() != null ? "?" + 
request.getQueryString() : "");
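Review bot: The user lookup on the `OpenIDConstants.OPEN_ID_USER_ATTRIBUTE` request attribute is keyed differently from the store in `authenticate`, which uses `request.setAttribute(OpenIdUser.ATTR_NAME, user)` in a later hunk; if those two constants are not the same string the new branch never fires and the REPOSITORY failure reason is never recorded, so either confirm they are equal or use one constant in both places. The comment's "probably we failed the repository login" is an inference: no login result is observable here, so a failed repository login and any other reason for re-challenging an already authenticated user are reported identically, which is worth stating, e.g. `// no login result is available here; an authenticated OpenID user being challenged again is treated as a repository login failure`. Note also that `request.getSession()` creates a session when none exists yet. The enclosing `requestAuthentication` starts and ends outside the hunk.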
@@ -328,10 +346,6 @@
     protected void activate(ComponentContext componentContext) {
        context = componentContext;
        
-       openIdUserPassword = OsgiUtil.toString(
-                       
context.getProperties().get(PROP_OPENID_USERS_PASSWORD), 
-                       DEFAULT_OPENID_USERS_PASSWORD);
-       
        loginForm = OsgiUtil.toString(
                        context.getProperties().get(PROP_LOGIN_FORM), 
                        DEFAULT_LOGIN_FORM);
@@ -478,7 +492,7 @@
                    if(user.isAuthenticated()) {
                        // user already authenticated
                        request.setAttribute(OpenIdUser.ATTR_NAME, user);
-                       return getAuthInfoFromIdentifier(user.getIdentity());
+                       return getAuthInfoFromUser(user);
                    } else if(user.isAssociated()) {
                        if(RelyingParty.isAuthResponse(request)) {
                                if(relyingParty.verifyAuth(user, request, 
response)) {
@@ -558,11 +572,49 @@
                return attr;
     }
     
-    private AuthenticationInfo getAuthInfoFromIdentifier(String id) {
-       String jcrId = OpenIDUserUtil.getPrinicpalName(id);
+    private AuthenticationInfo getAuthInfoFromUser(OpenIdUser user) {
+       String jcrId = OpenIDUserUtil.getPrincipalName(user.getIdentity());
 
-       Credentials creds = new 
SimpleCredentials(jcrId,openIdUserPassword.toCharArray());
+       SimpleCredentials creds = new SimpleCredentials(jcrId,new char[0]);
+       creds.setAttribute(getClass().getName(), user);
         return new AuthenticationInfo(OpenIDConstants.OPEN_ID_AUTH_TYPE, 
creds);
     }
 
+       public boolean canHandle(Credentials credentials) {
+               if(credentials != null && credentials instanceof 
SimpleCredentials) {
+                       SimpleCredentials sc = (SimpleCredentials)credentials;
+                       OpenIdUser user = 
(OpenIdUser)sc.getAttribute(getClass().getName());
+                       if(user != null) {
+                               return user.isAssociated();
+                       }
+               }
+               return false;
+       }
+
+       public void doInit(CallbackHandler callbackHandler, Session session,
+                       Map options) throws LoginException {
+               return;
+       }
+
+       public AuthenticationPlugin getAuthentication(Principal principal,
+                       Credentials creds) throws RepositoryException {
+               return new OpenIDAuthenticationPlugin(principal);
+       }
+
+       public Principal getPrincipal(Credentials credentials) {
+               if(credentials != null && credentials instanceof 
SimpleCredentials) {
+                       SimpleCredentials sc = (SimpleCredentials)credentials;
+                       OpenIdUser user = 
(OpenIdUser)sc.getAttribute(getClass().getName());
+                       if(user != null) {
+                               return new OpenIDPrincipal(user);
+                       }
+               }
+               return null;
+       }
+
+       public int impersonate(Principal principal, Credentials credentials)
+                       throws RepositoryException, FailedLoginException {
+               return LoginModulePlugin.IMPERSONATION_DEFAULT;
+       }
+
 }
\ No newline at end of file
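Review bot: `canHandle` and `getPrincipal` accept any credentials whose attribute carries an associated `OpenIdUser`, while the plugin returned by `getAuthentication` only succeeds for `user.isAuthenticated()`; that asymmetry looks deliberate (claiming every OpenID-tagged credential so it never reaches a password-based login module with the empty `char[0]` password set in `getAuthInfoFromUser`), but nothing says so — a comment on `canHandle` such as `// claim any OpenID-tagged credentials, even if not yet authenticated, so they never fall through to a password login module` would make the intent explicit. The attribute extraction and cast are duplicated between `canHandle` and `getPrincipal`; a private helper removes the repetition and the redundant `credentials != null` test, since `instanceof` is already null-safe. `doInit`'s bare `return;` in a void method can be dropped, and the five new public methods have no Javadoc.

```java
	/** Returns the OpenIdUser attached to the credentials by getAuthInfoFromUser, or null when absent. */
	private OpenIdUser openIdUserFrom(Credentials credentials) {
		if (credentials instanceof SimpleCredentials) {
			return (OpenIdUser) ((SimpleCredentials) credentials).getAttribute(getClass().getName());
		}
		return null;
	}

	public boolean canHandle(Credentials credentials) {
		OpenIdUser user = openIdUserFrom(credentials);
		return user != null && user.isAssociated();
	}

	// … unchanged: doInit, getAuthentication …

	public Principal getPrincipal(Credentials credentials) {
		OpenIdUser user = openIdUserFrom(credentials);
		return user != null ? new OpenIDPrincipal(user) : null;
	}

	// … unchanged: impersonate …
```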

Added: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java?rev=742157&view=auto
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
 (added)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
 Sun Feb  8 20:24:50 2009
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.openidauth.impl;
+
+import java.security.Principal;
+
+import javax.jcr.Credentials;
+import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
+
+import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
+import org.apache.sling.openidauth.OpenIDUserUtil;
+
+import com.dyuproject.openid.OpenIdUser;
+
+public class OpenIDAuthenticationPlugin implements AuthenticationPlugin {
+
+       private Principal principal;
+       
+       public OpenIDAuthenticationPlugin(Principal p) {
+               this.principal = p;
+       }
+       
+       public boolean authenticate(Credentials credentials)
+                       throws RepositoryException {
+               if(credentials instanceof SimpleCredentials) {
+                       OpenIdUser user = 
(OpenIdUser)((SimpleCredentials)credentials)
+                               
.getAttribute(OpenIDAuthenticationHandler.class.getName());
+                       if(user != null) {
+                               return principal.getName().equals(
+                                               OpenIDUserUtil.getPrincipalName(
+                                                               
user.getIdentity())) && 
+                                               user.isAuthenticated();
+                       }
+               }
+               throw new RepositoryException("Can't authenticate credentials 
of type: " + credentials.getClass());
+       }
+
+}
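Review bot: `authenticate` dereferences `credentials` in the exception message after the `instanceof` test has already handled the null case, so a null argument ends in a NullPointerException instead of the intended RepositoryException; `throw new RepositoryException("Can't authenticate credentials of type: " + (credentials == null ? "null" : credentials.getClass()));` keeps the message unchanged for non-null input. The same exception is also raised for `SimpleCredentials` that merely lack the OpenIdUser attribute, which the type-based wording hides; either mention the attribute in the message or document in the Javadoc that the handler's `canHandle` is expected to have filtered those credentials out. `principal` is never reassigned and can be `final`, and the class and constructor have no Javadoc stating the contract that the principal name must equal the name derived from the OpenID identity and that the user must be authenticated.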

Propchange: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDAuthenticationPlugin.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision Rev Url

Added: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java?rev=742157&view=auto
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
 (added)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
 Sun Feb  8 20:24:50 2009
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.openidauth.impl;
+
+import java.security.Principal;
+
+import org.apache.sling.openidauth.OpenIDUserUtil;
+
+import com.dyuproject.openid.OpenIdUser;
+
+public class OpenIDPrincipal implements Principal {
+
+       private String name;
+       private OpenIdUser user;
+       
+       public OpenIDPrincipal(OpenIdUser user) {
+               this.user = user;
+               this.name = this.user != null ? 
OpenIDUserUtil.getPrincipalName(user.getIdentity()) : "";
+       }
+       
+       public String getName() {
+               return name;
+       }
+
+       public OpenIdUser getUser() {
+               return user;
+       }
+}
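Review bot: `OpenIDPrincipal` does not override `equals`, `hashCode` or `toString`, so two instances built from the same OpenID identity compare unequal; `Principal` implementations are commonly held in sets and compared by the access-control layer, so identity should be by `name`. Both fields are assigned only in the constructor and can be `final`. The `""` name used when `user` is null yields a nameless principal, which should presumably be rejected in the constructor instead — confirm against the callers, which in this commit only pass non-null users.

```java
public class OpenIDPrincipal implements Principal {

	private final String name;
	private final OpenIdUser user;

	// … unchanged: constructor, getName, getUser …

	@Override
	public boolean equals(Object obj) {
		if (this == obj) {
			return true;
		}
		if (!(obj instanceof OpenIDPrincipal)) {
			return false;
		}
		return name.equals(((OpenIDPrincipal) obj).name);
	}

	@Override
	public int hashCode() {
		return name.hashCode();
	}

	@Override
	public String toString() {
		return "OpenIDPrincipal[" + name + "]";
	}
}
```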

Propchange: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: 
incubator/sling/trunk/extensions/openidauth/src/main/java/org/apache/sling/openidauth/impl/OpenIDPrincipal.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision Rev Url

Modified: 
incubator/sling/trunk/extensions/openidauth/src/main/resources/OSGI-INF/metatype/metatype.properties
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/resources/OSGI-INF/metatype/metatype.properties?rev=742157&r1=742156&r2=742157&view=diff
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/resources/OSGI-INF/metatype/metatype.properties
 (original)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/resources/OSGI-INF/metatype/metatype.properties
 Sun Feb  8 20:24:50 2009
@@ -38,12 +38,6 @@
 path is configured, it is regarded as inactive. If the handler should be \
 used for all requests, the path should be '/'.
 
-auth.priority.name = Authentication priority
-auth.priority.description = This handler's priority for attempting to 
authenticate a request
-
-request.auth.priority.name = Authentication Challenge priority
-request.auth.priority.description = This handler's priority for issuing an 
authentication challenge
-
 openid.use.cookie.name = Use cookie 
 openid.use.cookie.description = Use a cookie to persist the authentication.  
If this is \
 false, uses an HTTP session attribute.
@@ -113,13 +107,6 @@
 are sent to the Provider as form parameters.  If this is empty, the URLs are 
generated \
 using the hostname found in the original request.
 
-openid.users.password.name = OpenID users repository password 
-openid.users.password.description = The password for an OpenID user repository 
\
-login.  Since OpenID Providers do not share the user's password with \
-the Relaying Party, all OpenID-authenticated users must use a configured \
-repository password.  This pasword is currently stored in the bundle config \
-so is as secure the repository admin password (!).
-
 openid.anon.auth.resources.name = Access auth resources anonymously
 openid.anon.auth.resources.description = Causes the authenticator to 
authenticate the \
 request as the anonymous user for the local login, auth failure & logout 
pages. \

Modified: 
incubator/sling/trunk/extensions/openidauth/src/main/resources/SLING-INF/content/apps/openid/auth/login/html.jsp
URL: 
http://svn.apache.org/viewvc/incubator/sling/trunk/extensions/openidauth/src/main/resources/SLING-INF/content/apps/openid/auth/login/html.jsp?rev=742157&r1=742156&r2=742157&view=diff
==============================================================================
--- 
incubator/sling/trunk/extensions/openidauth/src/main/resources/SLING-INF/content/apps/openid/auth/login/html.jsp
 (original)
+++ 
incubator/sling/trunk/extensions/openidauth/src/main/resources/SLING-INF/content/apps/openid/auth/login/html.jsp
 Sun Feb  8 20:24:50 2009
@@ -29,6 +29,8 @@
                failureMessage = "Unable to find OpenID provider";
        } else if (failureReason == OpenIDConstants.OpenIDFailure.ASSOCIATION) {
                failureMessage = "Unable to associate with OpenID provider";
+       } else if (failureReason == OpenIDConstants.OpenIDFailure.REPOSITORY) {
+               failureMessage = "No matching repository user found";
        } else if (failureReason != null) {
                failureMessage = "Unknown login error";
        }
@@ -105,7 +107,8 @@
                        <div class="login-status">
                                <% if (failureReason != null) { %>
                                        <div class="error"><%= failureMessage 
%></div>
-                               <% } else if(currentLogin != null) { %>
+                               <% } %>
+                               <% if(currentLogin != null) { %>
                                Currently logged in as: 
                                <span class="username"><%= currentLogin 
%></span>
                    <% } %>

