Examples with Credentials javax.jcr.Credentials used on opensource projects

Example 21 with Credentials

use of javax.jcr.Credentials in project jackrabbit by apache.

the class AbstractLoginModule method login.

/**
     * Method to authenticate a <code>Subject</code> (phase 1).
     * <p>
     * The login is divided into 3 Phases:
     * <p>
     * <b>1) User-ID resolution</b><br>
     * In a first step it is tried to resolve a User-ID for further validation.
     * As for JCR the identification is marked with the {@link Credentials}
     * interface, credentials are accessed in this phase.<br>
     * If no User-ID can be found, anonymous access is granted with the ID of
     * the anonymous user (as defined in the security configuration).
     * Anonymous access can be switched off removing the configuration entry.
     * <br> This implementation uses two helper-methods, which allow for
     * customization:
     * <ul>
     * <li>{@link #getCredentials()} and</li>
     * <li>{@link #getUserID(Credentials)}</li>
     * </ul>
     * <p>
     *
     * <b>2) User-Principal resolution </b><br>
     * In a second step it is tested, if the resolved User-ID belongs to a User
     * known to the system, i.e. if the {@link PrincipalProvider} has a principal
     * for the given ID and the principal can be found via
     * {@link PrincipalProvider#findPrincipals(String)}.<br>
     * The provider implementation can be set by the LoginModule configuration.
     * If the option is missing, the system default principal provider will
     * be used.
     * <p>
     * <b>3) Verification</b><br>
     * There are four cases, how the User-ID can be verified:
     * The login is anonymous, pre-authenticated or the login is the result of
     * an impersonation request (see {@link javax.jcr.Session#impersonate(Credentials)}
     * or of a login to the Repository ({@link javax.jcr.Repository#login(Credentials)}).
     * The concrete implementation of the LoginModule is responsible for all
     * four cases:
     * <ul>
     * <li>{@link #isAnonymous(Credentials)}</li>
     * <li>{@link #isPreAuthenticated(Credentials)}</li>
     * <li>{@link #authenticate(Principal, Credentials)}</li>
     * <li>{@link #impersonate(Principal, Credentials)}</li>
     * </ul>
     *
     * Under the following conditions, the login process is aborted and the
     * module is marked to be ignored:
     * <ul>
     * <li>No User-ID could be resolve, and anonymous access is switched off</li>
     * <li>No Principal is found for the User-ID resolved</li>
     * </ul>
     *
     * Under the following conditions, the login process is marked to be invalid
     * by throwing an LoginException:
     * <ul>
     * <li>It is an impersonation request, but the impersonator is not allowed
     * to impersonate to the requested User-ID</li>
     * <li>The user tries to login, but the Credentials can not be verified.</li>
     * </ul>
     * <p>
     * The LoginModule keeps the Credentials and the Principal as instance fields,
     * to mark that login has been successful.
     *
     * @return true if the authentication succeeded, or false if this
     *         <code>LoginModule</code> should be ignored.
     * @throws LoginException if the authentication fails
     * @see javax.security.auth.spi.LoginModule#login()
     * @see #getCredentials()
     * @see #getUserID(Credentials)
     * @see #getImpersonatorSubject(Credentials)
     */
public boolean login() throws LoginException {
    if (!isInitialized()) {
        log.warn("Unable to perform login: initialization not completed.");
        return false;
    }
    // check the availability and validity of Credentials
    Credentials creds = getCredentials();
    if (creds == null) {
        log.debug("No credentials available -> try default (anonymous) authentication.");
    } else if (!supportsCredentials(creds)) {
        log.debug("Unsupported credentials implementation : " + creds.getClass().getName());
        return false;
    }
    try {
        Principal userPrincipal = getPrincipal(creds);
        if (userPrincipal == null) {
            // unknown or disabled user or a group
            log.debug("No valid user -> ignore.");
            return false;
        }
        boolean authenticated;
        // test for anonymous, pre-authentication, impersonation or common authentication.
        if (isAnonymous(creds) || isPreAuthenticated(creds)) {
            authenticated = true;
        } else if (isImpersonation(creds)) {
            authenticated = impersonate(userPrincipal, creds);
        } else {
            authenticated = authenticate(userPrincipal, creds);
        }
        // process authenticated user
        if (authenticated) {
            if (creds instanceof SimpleCredentials) {
                credentials = (SimpleCredentials) creds;
            } else {
                credentials = new SimpleCredentials(getUserID(creds), new char[0]);
            }
            principal = userPrincipal;
            return true;
        }
    } catch (RepositoryException e) {
        log.error("Login failed:", e);
    }
    return false;
}

Example 22 with Credentials

use of javax.jcr.Credentials in project jackrabbit by apache.

the class AbstractLoginModule method getCredentials.

/**
     * Method tries to resolve the {@link Credentials} used for login. It takes
     * authentication-extension of an already authenticated {@link Subject} into
     * account.
     * <p>
     * Therefore the credentials are retrieved as follows:
     * <ol>
     * <li>Test if the shared state contains credentials.</li>
     * <li>Ask CallbackHandler for Credentials with using a {@link
     * CredentialsCallback}. Expects {@link CredentialsCallback#getCredentials}
     * to return an instance of {@link Credentials}.</li>
     * <li>Ask the Subject for its public <code>SimpleCredentials</code> see
     * {@link Subject#getPublicCredentials(Class)}, thus enabling to
     * pre-authenticate the Subject.</li>
     * </ol>
     *
     * @return Credentials or null if not found
     * @see #login()
     */
protected Credentials getCredentials() {
    Credentials credentials = null;
    if (sharedState.containsKey(KEY_CREDENTIALS)) {
        credentials = (Credentials) sharedState.get(KEY_CREDENTIALS);
    } else {
        try {
            CredentialsCallback callback = new CredentialsCallback();
            callbackHandler.handle(new Callback[] { callback });
            credentials = callback.getCredentials();
            if (credentials != null && supportsCredentials(credentials)) {
                sharedState.put(KEY_CREDENTIALS, credentials);
            }
        } catch (UnsupportedCallbackException e) {
            log.warn("Credentials-Callback not supported try Name-Callback");
        } catch (IOException e) {
            log.error("Credentials-Callback failed: " + e.getMessage() + ": try Name-Callback");
        }
    }
    // if still no credentials -> try to retrieve them from the subject.
    if (null == credentials) {
        // try if subject contains SimpleCredentials
        Set<SimpleCredentials> preAuthCreds = subject.getPublicCredentials(SimpleCredentials.class);
        if (!preAuthCreds.isEmpty()) {
            credentials = preAuthCreds.iterator().next();
        }
    }
    if (null == credentials) {
        // try if subject contains GuestCredentials
        Set<GuestCredentials> preAuthCreds = subject.getPublicCredentials(GuestCredentials.class);
        if (!preAuthCreds.isEmpty()) {
            credentials = preAuthCreds.iterator().next();
        }
    }
    return credentials;
}

Example 23 with Credentials

use of javax.jcr.Credentials in project jackrabbit by apache.

the class UserImplTest method testCredentials.

public void testCredentials() throws RepositoryException, NoSuchAlgorithmException, UnsupportedEncodingException {
    User u = (User) userMgr.getAuthorizable(uID);
    Credentials uc = u.getCredentials();
    assertTrue(uc instanceof CryptedSimpleCredentials);
    assertTrue(((CryptedSimpleCredentials) uc).matches((SimpleCredentials) creds));
}

Example 24 with Credentials

use of javax.jcr.Credentials in project jackrabbit-oak by apache.

the class PreAuthLoginModule method login.

@Override
public boolean login() {
    Credentials credentials = getCredentials();
    if (credentials instanceof PreAuthCredentials) {
        PreAuthCredentials pac = (PreAuthCredentials) credentials;
        String userId = pac.getUserId();
        if (userId == null) {
            pac.setMessage(PreAuthCredentials.PRE_AUTH_FAIL);
        } else {
            sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
            sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId, new char[0]));
            sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
            pac.setMessage(PreAuthCredentials.PRE_AUTH_DONE);
        }
    }
    return false;
}

Example 25 with Credentials

use of javax.jcr.Credentials in project jackrabbit-oak by apache.

the class UserAuthentication method authenticate.

//-----------------------------------------------------< Authentication >---
@Override
public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
    if (credentials == null || loginId == null) {
        return false;
    }
    boolean success = false;
    try {
        UserManager userManager = config.getUserManager(root, NamePathMapper.DEFAULT);
        Authorizable authorizable = userManager.getAuthorizable(loginId);
        if (authorizable == null) {
            return false;
        }
        if (authorizable.isGroup()) {
            throw new AccountNotFoundException("Not a user " + loginId);
        }
        User user = (User) authorizable;
        if (user.isDisabled()) {
            throw new AccountLockedException("User with ID " + loginId + " has been disabled: " + user.getDisabledReason());
        }
        if (credentials instanceof SimpleCredentials) {
            SimpleCredentials creds = (SimpleCredentials) credentials;
            Credentials userCreds = user.getCredentials();
            if (loginId.equals(creds.getUserID()) && userCreds instanceof CredentialsImpl) {
                success = PasswordUtil.isSame(((CredentialsImpl) userCreds).getPasswordHash(), creds.getPassword());
            }
            checkSuccess(success, "UserId/Password mismatch.");
            if (isPasswordExpired(user)) {
                // UserConstants.CREDENTIALS_ATTRIBUTE_NEWPASSWORD attribute set
                if (!changePassword(user, creds)) {
                    throw new CredentialExpiredException("User password has expired");
                }
            }
        } else if (credentials instanceof ImpersonationCredentials) {
            ImpersonationCredentials ipCreds = (ImpersonationCredentials) credentials;
            AuthInfo info = ipCreds.getImpersonatorInfo();
            success = equalUserId(ipCreds, loginId) && impersonate(info, user);
            checkSuccess(success, "Impersonation not allowed.");
        } else {
            // guest login is allowed if an anonymous user exists in the content (see get user above)
            success = (credentials instanceof GuestCredentials) || credentials == PreAuthenticatedLogin.PRE_AUTHENTICATED;
        }
        userId = user.getID();
        principal = user.getPrincipal();
    } catch (RepositoryException e) {
        throw new LoginException(e.getMessage());
    }
    return success;
}