use of javax.jcr.SimpleCredentials in project jackrabbit by apache.
the class AbstractLoginModule method login.
/**
* Method to authenticate a <code>Subject</code> (phase 1).
* <p>
* The login is divided into 3 Phases:
* <p>
* <b>1) User-ID resolution</b><br>
* In a first step it is tried to resolve a User-ID for further validation.
* As for JCR the identification is marked with the {@link Credentials}
* interface, credentials are accessed in this phase.<br>
* If no User-ID can be found, anonymous access is granted with the ID of
* the anonymous user (as defined in the security configuration).
* Anonymous access can be switched off removing the configuration entry.
* <br> This implementation uses two helper-methods, which allow for
* customization:
* <ul>
* <li>{@link #getCredentials()} and</li>
* <li>{@link #getUserID(Credentials)}</li>
* </ul>
* <p>
*
* <b>2) User-Principal resolution </b><br>
* In a second step it is tested, if the resolved User-ID belongs to a User
* known to the system, i.e. if the {@link PrincipalProvider} has a principal
* for the given ID and the principal can be found via
* {@link PrincipalProvider#findPrincipals(String)}.<br>
* The provider implementation can be set by the LoginModule configuration.
* If the option is missing, the system default principal provider will
* be used.
* <p>
* <b>3) Verification</b><br>
* There are four cases, how the User-ID can be verified:
* The login is anonymous, pre-authenticated or the login is the result of
* an impersonation request (see {@link javax.jcr.Session#impersonate(Credentials)}
* or of a login to the Repository ({@link javax.jcr.Repository#login(Credentials)}).
* The concrete implementation of the LoginModule is responsible for all
* four cases:
* <ul>
* <li>{@link #isAnonymous(Credentials)}</li>
* <li>{@link #isPreAuthenticated(Credentials)}</li>
* <li>{@link #authenticate(Principal, Credentials)}</li>
* <li>{@link #impersonate(Principal, Credentials)}</li>
* </ul>
*
* Under the following conditions, the login process is aborted and the
* module is marked to be ignored:
* <ul>
* <li>No User-ID could be resolve, and anonymous access is switched off</li>
* <li>No Principal is found for the User-ID resolved</li>
* </ul>
*
* Under the following conditions, the login process is marked to be invalid
* by throwing an LoginException:
* <ul>
* <li>It is an impersonation request, but the impersonator is not allowed
* to impersonate to the requested User-ID</li>
* <li>The user tries to login, but the Credentials can not be verified.</li>
* </ul>
* <p>
* The LoginModule keeps the Credentials and the Principal as instance fields,
* to mark that login has been successful.
*
* @return true if the authentication succeeded, or false if this
* <code>LoginModule</code> should be ignored.
* @throws LoginException if the authentication fails
* @see javax.security.auth.spi.LoginModule#login()
* @see #getCredentials()
* @see #getUserID(Credentials)
* @see #getImpersonatorSubject(Credentials)
*/
public boolean login() throws LoginException {
if (!isInitialized()) {
log.warn("Unable to perform login: initialization not completed.");
return false;
}
// check the availability and validity of Credentials
Credentials creds = getCredentials();
if (creds == null) {
log.debug("No credentials available -> try default (anonymous) authentication.");
} else if (!supportsCredentials(creds)) {
log.debug("Unsupported credentials implementation : " + creds.getClass().getName());
return false;
}
try {
Principal userPrincipal = getPrincipal(creds);
if (userPrincipal == null) {
// unknown or disabled user or a group
log.debug("No valid user -> ignore.");
return false;
}
boolean authenticated;
// test for anonymous, pre-authentication, impersonation or common authentication.
if (isAnonymous(creds) || isPreAuthenticated(creds)) {
authenticated = true;
} else if (isImpersonation(creds)) {
authenticated = impersonate(userPrincipal, creds);
} else {
authenticated = authenticate(userPrincipal, creds);
}
// process authenticated user
if (authenticated) {
if (creds instanceof SimpleCredentials) {
credentials = (SimpleCredentials) creds;
} else {
credentials = new SimpleCredentials(getUserID(creds), new char[0]);
}
principal = userPrincipal;
return true;
}
} catch (RepositoryException e) {
log.error("Login failed:", e);
}
return false;
}
use of javax.jcr.SimpleCredentials in project jackrabbit by apache.
the class AbstractLoginModule method getCredentials.
/**
* Method tries to resolve the {@link Credentials} used for login. It takes
* authentication-extension of an already authenticated {@link Subject} into
* account.
* <p>
* Therefore the credentials are retrieved as follows:
* <ol>
* <li>Test if the shared state contains credentials.</li>
* <li>Ask CallbackHandler for Credentials with using a {@link
* CredentialsCallback}. Expects {@link CredentialsCallback#getCredentials}
* to return an instance of {@link Credentials}.</li>
* <li>Ask the Subject for its public <code>SimpleCredentials</code> see
* {@link Subject#getPublicCredentials(Class)}, thus enabling to
* pre-authenticate the Subject.</li>
* </ol>
*
* @return Credentials or null if not found
* @see #login()
*/
protected Credentials getCredentials() {
Credentials credentials = null;
if (sharedState.containsKey(KEY_CREDENTIALS)) {
credentials = (Credentials) sharedState.get(KEY_CREDENTIALS);
} else {
try {
CredentialsCallback callback = new CredentialsCallback();
callbackHandler.handle(new Callback[] { callback });
credentials = callback.getCredentials();
if (credentials != null && supportsCredentials(credentials)) {
sharedState.put(KEY_CREDENTIALS, credentials);
}
} catch (UnsupportedCallbackException e) {
log.warn("Credentials-Callback not supported try Name-Callback");
} catch (IOException e) {
log.error("Credentials-Callback failed: " + e.getMessage() + ": try Name-Callback");
}
}
// if still no credentials -> try to retrieve them from the subject.
if (null == credentials) {
// try if subject contains SimpleCredentials
Set<SimpleCredentials> preAuthCreds = subject.getPublicCredentials(SimpleCredentials.class);
if (!preAuthCreds.isEmpty()) {
credentials = preAuthCreds.iterator().next();
}
}
if (null == credentials) {
// try if subject contains GuestCredentials
Set<GuestCredentials> preAuthCreds = subject.getPublicCredentials(GuestCredentials.class);
if (!preAuthCreds.isEmpty()) {
credentials = preAuthCreds.iterator().next();
}
}
return credentials;
}
use of javax.jcr.SimpleCredentials in project jackrabbit by apache.
the class CallbackHandlerImpl method handle.
/**
* @param callbacks
* @throws IOException
* @throws UnsupportedCallbackException
* @see CallbackHandler#handle(Callback[])
*/
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof CredentialsCallback) {
((CredentialsCallback) callback).setCredentials(credentials);
} else if (callback instanceof RepositoryCallback) {
/*
if callback handler has been created with null session or
null principalProviderRegistry this handler cannot properly
deal with RepositoryCallback
*/
if (session == null || principalProviderRegistry == null) {
throw new UnsupportedCallbackException(callback);
}
RepositoryCallback rcb = (RepositoryCallback) callback;
rcb.setSession(session);
rcb.setPrincipalProviderRegistry(principalProviderRegistry);
rcb.setAdminId(adminId);
rcb.setAnonymousId(anonymousId);
} else if (credentials != null && credentials instanceof SimpleCredentials) {
SimpleCredentials simpleCreds = (SimpleCredentials) credentials;
if (callback instanceof NameCallback) {
String userId = simpleCreds.getUserID();
((NameCallback) callback).setName(userId);
} else if (callback instanceof PasswordCallback) {
char[] pw = simpleCreds.getPassword();
((PasswordCallback) callback).setPassword(pw);
} else if (callback instanceof ImpersonationCallback) {
Object impersAttr = simpleCreds.getAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE);
((ImpersonationCallback) callback).setImpersonator(impersAttr);
} else {
throw new UnsupportedCallbackException(callback);
}
} else {
throw new UnsupportedCallbackException(callback);
}
}
}
use of javax.jcr.SimpleCredentials in project jackrabbit by apache.
the class FailUpdateOnJournalExceptionTest method testFailedWrite.
// JCR-3783
public void testFailedWrite() throws Exception {
Session s = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
Node root = s.getRootNode();
root.addNode("foo");
s.save();
root.addNode("bar");
TestJournal.failRecordWrite = true;
try {
s.save();
fail("Session.save() must fail with RepositoryException when Journal write fails.");
} catch (RepositoryException e) {
// expected
} finally {
TestJournal.failRecordWrite = false;
}
// must succeed after refresh
s.refresh(false);
root.addNode("bar");
s.save();
}
use of javax.jcr.SimpleCredentials in project jackrabbit by apache.
the class NotUserAdministratorTest method setUp.
protected void setUp() throws Exception {
super.setUp();
// create a first user and retrieve the UserManager from the session
// created for that new user.
Principal p = getTestPrincipal();
String pw = buildPassword(p);
UserImpl u = (UserImpl) userMgr.createUser(p.getName(), pw);
save(superuser);
uID = u.getID();
// create a session for the other user.
uSession = getHelper().getRepository().login(new SimpleCredentials(uID, pw.toCharArray()));
uMgr = getUserManager(uSession);
}
Aggregations