Search in sources :

Example 56 with SimpleCredentials

use of javax.jcr.SimpleCredentials in project jackrabbit by apache.

the class AbstractLoginModule method login.

/**
     * Method to authenticate a <code>Subject</code> (phase 1).
     * <p>
     * The login is divided into 3 Phases:
     * <p>
     * <b>1) User-ID resolution</b><br>
     * In a first step it is tried to resolve a User-ID for further validation.
     * As for JCR the identification is marked with the {@link Credentials}
     * interface, credentials are accessed in this phase.<br>
     * If no User-ID can be found, anonymous access is granted with the ID of
     * the anonymous user (as defined in the security configuration).
     * Anonymous access can be switched off removing the configuration entry.
     * <br> This implementation uses two helper-methods, which allow for
     * customization:
     * <ul>
     * <li>{@link #getCredentials()} and</li>
     * <li>{@link #getUserID(Credentials)}</li>
     * </ul>
     * <p>
     *
     * <b>2) User-Principal resolution </b><br>
     * In a second step it is tested, if the resolved User-ID belongs to a User
     * known to the system, i.e. if the {@link PrincipalProvider} has a principal
     * for the given ID and the principal can be found via
     * {@link PrincipalProvider#findPrincipals(String)}.<br>
     * The provider implementation can be set by the LoginModule configuration.
     * If the option is missing, the system default principal provider will
     * be used.
     * <p>
     * <b>3) Verification</b><br>
     * There are four cases, how the User-ID can be verified:
     * The login is anonymous, pre-authenticated or the login is the result of
     * an impersonation request (see {@link javax.jcr.Session#impersonate(Credentials)}
     * or of a login to the Repository ({@link javax.jcr.Repository#login(Credentials)}).
     * The concrete implementation of the LoginModule is responsible for all
     * four cases:
     * <ul>
     * <li>{@link #isAnonymous(Credentials)}</li>
     * <li>{@link #isPreAuthenticated(Credentials)}</li>
     * <li>{@link #authenticate(Principal, Credentials)}</li>
     * <li>{@link #impersonate(Principal, Credentials)}</li>
     * </ul>
     *
     * Under the following conditions, the login process is aborted and the
     * module is marked to be ignored:
     * <ul>
     * <li>No User-ID could be resolve, and anonymous access is switched off</li>
     * <li>No Principal is found for the User-ID resolved</li>
     * </ul>
     *
     * Under the following conditions, the login process is marked to be invalid
     * by throwing an LoginException:
     * <ul>
     * <li>It is an impersonation request, but the impersonator is not allowed
     * to impersonate to the requested User-ID</li>
     * <li>The user tries to login, but the Credentials can not be verified.</li>
     * </ul>
     * <p>
     * The LoginModule keeps the Credentials and the Principal as instance fields,
     * to mark that login has been successful.
     *
     * @return true if the authentication succeeded, or false if this
     *         <code>LoginModule</code> should be ignored.
     * @throws LoginException if the authentication fails
     * @see javax.security.auth.spi.LoginModule#login()
     * @see #getCredentials()
     * @see #getUserID(Credentials)
     * @see #getImpersonatorSubject(Credentials)
     */
public boolean login() throws LoginException {
    if (!isInitialized()) {
        log.warn("Unable to perform login: initialization not completed.");
        return false;
    }
    // check the availability and validity of Credentials
    Credentials creds = getCredentials();
    if (creds == null) {
        log.debug("No credentials available -> try default (anonymous) authentication.");
    } else if (!supportsCredentials(creds)) {
        log.debug("Unsupported credentials implementation : " + creds.getClass().getName());
        return false;
    }
    try {
        Principal userPrincipal = getPrincipal(creds);
        if (userPrincipal == null) {
            // unknown or disabled user or a group
            log.debug("No valid user -> ignore.");
            return false;
        }
        boolean authenticated;
        // test for anonymous, pre-authentication, impersonation or common authentication.
        if (isAnonymous(creds) || isPreAuthenticated(creds)) {
            authenticated = true;
        } else if (isImpersonation(creds)) {
            authenticated = impersonate(userPrincipal, creds);
        } else {
            authenticated = authenticate(userPrincipal, creds);
        }
        // process authenticated user
        if (authenticated) {
            if (creds instanceof SimpleCredentials) {
                credentials = (SimpleCredentials) creds;
            } else {
                credentials = new SimpleCredentials(getUserID(creds), new char[0]);
            }
            principal = userPrincipal;
            return true;
        }
    } catch (RepositoryException e) {
        log.error("Login failed:", e);
    }
    return false;
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) RepositoryException(javax.jcr.RepositoryException) GuestCredentials(javax.jcr.GuestCredentials) SimpleCredentials(javax.jcr.SimpleCredentials) Credentials(javax.jcr.Credentials) Principal(java.security.Principal)

Example 57 with SimpleCredentials

use of javax.jcr.SimpleCredentials in project jackrabbit by apache.

the class AbstractLoginModule method getCredentials.

/**
     * Method tries to resolve the {@link Credentials} used for login. It takes
     * authentication-extension of an already authenticated {@link Subject} into
     * account.
     * <p>
     * Therefore the credentials are retrieved as follows:
     * <ol>
     * <li>Test if the shared state contains credentials.</li>
     * <li>Ask CallbackHandler for Credentials with using a {@link
     * CredentialsCallback}. Expects {@link CredentialsCallback#getCredentials}
     * to return an instance of {@link Credentials}.</li>
     * <li>Ask the Subject for its public <code>SimpleCredentials</code> see
     * {@link Subject#getPublicCredentials(Class)}, thus enabling to
     * pre-authenticate the Subject.</li>
     * </ol>
     *
     * @return Credentials or null if not found
     * @see #login()
     */
protected Credentials getCredentials() {
    Credentials credentials = null;
    if (sharedState.containsKey(KEY_CREDENTIALS)) {
        credentials = (Credentials) sharedState.get(KEY_CREDENTIALS);
    } else {
        try {
            CredentialsCallback callback = new CredentialsCallback();
            callbackHandler.handle(new Callback[] { callback });
            credentials = callback.getCredentials();
            if (credentials != null && supportsCredentials(credentials)) {
                sharedState.put(KEY_CREDENTIALS, credentials);
            }
        } catch (UnsupportedCallbackException e) {
            log.warn("Credentials-Callback not supported try Name-Callback");
        } catch (IOException e) {
            log.error("Credentials-Callback failed: " + e.getMessage() + ": try Name-Callback");
        }
    }
    // if still no credentials -> try to retrieve them from the subject.
    if (null == credentials) {
        // try if subject contains SimpleCredentials
        Set<SimpleCredentials> preAuthCreds = subject.getPublicCredentials(SimpleCredentials.class);
        if (!preAuthCreds.isEmpty()) {
            credentials = preAuthCreds.iterator().next();
        }
    }
    if (null == credentials) {
        // try if subject contains GuestCredentials
        Set<GuestCredentials> preAuthCreds = subject.getPublicCredentials(GuestCredentials.class);
        if (!preAuthCreds.isEmpty()) {
            credentials = preAuthCreds.iterator().next();
        }
    }
    return credentials;
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) IOException(java.io.IOException) GuestCredentials(javax.jcr.GuestCredentials) SimpleCredentials(javax.jcr.SimpleCredentials) Credentials(javax.jcr.Credentials) GuestCredentials(javax.jcr.GuestCredentials)

Example 58 with SimpleCredentials

use of javax.jcr.SimpleCredentials in project jackrabbit by apache.

the class CallbackHandlerImpl method handle.

/**
     * @param callbacks
     * @throws IOException
     * @throws UnsupportedCallbackException
     * @see CallbackHandler#handle(Callback[])
     */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (callback instanceof CredentialsCallback) {
            ((CredentialsCallback) callback).setCredentials(credentials);
        } else if (callback instanceof RepositoryCallback) {
            /*
                if callback handler has been created with null session or
                null principalProviderRegistry this handler cannot properly
                deal with RepositoryCallback
                */
            if (session == null || principalProviderRegistry == null) {
                throw new UnsupportedCallbackException(callback);
            }
            RepositoryCallback rcb = (RepositoryCallback) callback;
            rcb.setSession(session);
            rcb.setPrincipalProviderRegistry(principalProviderRegistry);
            rcb.setAdminId(adminId);
            rcb.setAnonymousId(anonymousId);
        } else if (credentials != null && credentials instanceof SimpleCredentials) {
            SimpleCredentials simpleCreds = (SimpleCredentials) credentials;
            if (callback instanceof NameCallback) {
                String userId = simpleCreds.getUserID();
                ((NameCallback) callback).setName(userId);
            } else if (callback instanceof PasswordCallback) {
                char[] pw = simpleCreds.getPassword();
                ((PasswordCallback) callback).setPassword(pw);
            } else if (callback instanceof ImpersonationCallback) {
                Object impersAttr = simpleCreds.getAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE);
                ((ImpersonationCallback) callback).setImpersonator(impersAttr);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        } else {
            throw new UnsupportedCallbackException(callback);
        }
    }
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) PasswordCallback(javax.security.auth.callback.PasswordCallback) NameCallback(javax.security.auth.callback.NameCallback) Callback(javax.security.auth.callback.Callback) NameCallback(javax.security.auth.callback.NameCallback) PasswordCallback(javax.security.auth.callback.PasswordCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)

Example 59 with SimpleCredentials

use of javax.jcr.SimpleCredentials in project jackrabbit by apache.

the class FailUpdateOnJournalExceptionTest method testFailedWrite.

// JCR-3783
public void testFailedWrite() throws Exception {
    Session s = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
    Node root = s.getRootNode();
    root.addNode("foo");
    s.save();
    root.addNode("bar");
    TestJournal.failRecordWrite = true;
    try {
        s.save();
        fail("Session.save() must fail with RepositoryException when Journal write fails.");
    } catch (RepositoryException e) {
    // expected
    } finally {
        TestJournal.failRecordWrite = false;
    }
    // must succeed after refresh
    s.refresh(false);
    root.addNode("bar");
    s.save();
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) Node(javax.jcr.Node) RepositoryException(javax.jcr.RepositoryException) Session(javax.jcr.Session)

Example 60 with SimpleCredentials

use of javax.jcr.SimpleCredentials in project jackrabbit by apache.

the class NotUserAdministratorTest method setUp.

protected void setUp() throws Exception {
    super.setUp();
    // create a first user and retrieve the UserManager from the session
    // created for that new user.
    Principal p = getTestPrincipal();
    String pw = buildPassword(p);
    UserImpl u = (UserImpl) userMgr.createUser(p.getName(), pw);
    save(superuser);
    uID = u.getID();
    // create a session for the other user.
    uSession = getHelper().getRepository().login(new SimpleCredentials(uID, pw.toCharArray()));
    uMgr = getUserManager(uSession);
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) Principal(java.security.Principal)

Aggregations

SimpleCredentials (javax.jcr.SimpleCredentials)289 Test (org.junit.Test)142 Session (javax.jcr.Session)83 ContentSession (org.apache.jackrabbit.oak.api.ContentSession)60 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)53 User (org.apache.jackrabbit.api.security.user.User)41 Credentials (javax.jcr.Credentials)39 JackrabbitSession (org.apache.jackrabbit.api.JackrabbitSession)35 UserManager (org.apache.jackrabbit.api.security.user.UserManager)34 LoginException (javax.security.auth.login.LoginException)30 Node (javax.jcr.Node)28 RepositoryException (javax.jcr.RepositoryException)25 Principal (java.security.Principal)22 Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)21 GuestCredentials (javax.jcr.GuestCredentials)20 LoginException (javax.jcr.LoginException)19 TokenCredentials (org.apache.jackrabbit.api.security.authentication.token.TokenCredentials)19 AuthInfo (org.apache.jackrabbit.oak.api.AuthInfo)18 Before (org.junit.Before)18 ImpersonationCredentials (org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials)17