
Example 1 with AuthContext

use of org.apache.jackrabbit.core.security.authentication.AuthContext in project jackrabbit by apache.

the class RepositoryImpl method login.

//-----------------------------------------------------------< Repository >
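/**
 * {@inheritDoc}
 * <p>
 * Implementation notes:
 * <ul>
 * <li>A {@code null} workspace name is replaced by the configured default
 *     workspace, and the workspace is looked up before any authentication
 *     is attempted.</li>
 * <li>With {@code null} credentials the method first tries
 *     {@code extendAuthentication}; a non-null result is returned without
 *     running the credential-based login below. If that yields nothing,
 *     the {@code null} credentials are handed to the auth context as-is,
 *     so the outcome depends on the configured login modules.</li>
 * <li>Attributes of the supplied {@link SimpleCredentials} and of the first
 *     {@link TokenCredentials} among the Subject's public credentials are
 *     copied onto the session, except those for which
 *     {@code TokenBasedAuthentication.isMandatoryAttribute} returns true.</li>
 * </ul>
 *
 * @param credentials   credentials to authenticate with, may be {@code null}
 * @param workspaceName workspace to log in to, or {@code null} for the default
 * @return the session created for the authenticated subject
 * @throws LoginException if authentication fails, authentication
 *         information cannot be accessed, or access to the workspace is denied
 * @throws NoSuchWorkspaceException if the workspace lookup fails
 * @throws RepositoryException if the login lock cannot be acquired or
 *         another repository error occurs
 */
public Session login(Credentials credentials, String workspaceName) throws LoginException, NoSuchWorkspaceException, RepositoryException {
    try {
        shutdownLock.readLock().acquire();
    } catch (InterruptedException e) {
        // Restore the interrupt status so callers further up the stack can
        // still observe that this thread was asked to stop.
        Thread.currentThread().interrupt();
        throw new RepositoryException("Login lock could not be acquired", e);
    }
    try {
        // check sanity of this instance
        sanityCheck();
        if (workspaceName == null) {
            workspaceName = repConfig.getDefaultWorkspaceName();
        }
        // check if workspace exists (will throw NoSuchWorkspaceException if not)
        getWorkspaceInfo(workspaceName);
        if (credentials == null) {
            // try to obtain the identity of the already authenticated
            // subject from access control context
            Session session = extendAuthentication(workspaceName);
            if (session != null) {
                // successful extended authentication; no credential check
                // is performed on this path
                return session;
            } else {
                log.debug("Attempt to login without Credentials and Subject -> try login with null credentials.");
            }
        }
        // not preauthenticated -> try login with credentials.
        // A fresh, empty Subject is used so nothing carries over from the caller.
        AuthContext authCtx = context.getSecurityManager().getAuthContext(credentials, new Subject(), workspaceName);
        authCtx.login();
        // create session, and add SimpleCredentials attributes (JCR-1932)
        SessionImpl session = createSession(authCtx, workspaceName);
        if (credentials instanceof SimpleCredentials) {
            SimpleCredentials sc = (SimpleCredentials) credentials;
            for (String name : sc.getAttributeNames()) {
                // NOTE(review): "mandatory" attributes are presumably
                // token-internal values that must not become readable
                // session attributes - confirm against TokenBasedAuthentication.
                if (!TokenBasedAuthentication.isMandatoryAttribute(name)) {
                    session.setAttribute(name, sc.getAttribute(name));
                }
            }
        }
        // Token credentials published on the Subject are treated the same way;
        // only the first one returned by the set's iterator is consulted.
        Set<TokenCredentials> tokenCreds = session.getSubject().getPublicCredentials(TokenCredentials.class);
        if (!tokenCreds.isEmpty()) {
            TokenCredentials tc = tokenCreds.iterator().next();
            for (String name : tc.getAttributeNames()) {
                if (!TokenBasedAuthentication.isMandatoryAttribute(name)) {
                    session.setAttribute(name, tc.getAttribute(name));
                }
            }
        }
        log.debug("User {} logged in to workspace {}", session.getUserID(), workspaceName);
        return session;
    } catch (SecurityException se) {
        throw new LoginException("Unable to access authentication information", se);
    } catch (javax.security.auth.login.LoginException le) {
        // NOTE(review): the JAAS message reaches the caller verbatim, so
        // login modules should keep failure messages generic (no hint whether
        // the user id or the password was wrong).
        throw new LoginException(le.getMessage(), le);
    } catch (AccessDeniedException ade) {
        // authenticated subject is not authorized for the specified workspace
        throw new LoginException("Workspace access denied", ade);
    } finally {
        // always give the read lock back, on success and on every failure path
        shutdownLock.readLock().release();
    }
}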
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) AuthContext(org.apache.jackrabbit.core.security.authentication.AuthContext) RepositoryException(javax.jcr.RepositoryException) Subject(javax.security.auth.Subject) SimpleCredentials(javax.jcr.SimpleCredentials) LoginException(javax.jcr.LoginException) Session(javax.jcr.Session) TokenCredentials(org.apache.jackrabbit.api.security.authentication.token.TokenCredentials)

Example 2 with AuthContext

use of org.apache.jackrabbit.core.security.authentication.AuthContext in project jackrabbit by apache.

the class RepositoryImpl method extendAuthentication.

/**
 * Builds a session for a Subject that is already bound to the current
 * {@link AccessControlContext}, without checking any credentials.
 * <p>
 * If a Subject is found and it is modifiable, the auth context is invoked
 * with {@code null} credentials so that login modules can extend the
 * preauthenticated Subject. In contrast to a login with Credentials, a
 * Session is created even if that login fails: when the Subject is read-only,
 * or when extending it fails, the Session is built for the unchanged Subject.
 * <p>
 * Security note: this path relies entirely on whoever bound the Subject to
 * the access control context having authenticated it; the repository's
 * login modules cannot reject it here.
 *
 * @param workspaceName must not be null
 * @return a Session for the preauthenticated Subject, or {@code null} if
 *         no Subject is present or the context could not be inspected
 * @throws RepositoryException declared by this method; raised by the
 *         calls it makes (not visible here)
 * @throws AccessDeniedException declared by this method; raised by the
 *         calls it makes (not visible here)
 */
private Session extendAuthentication(String workspaceName) throws RepositoryException, AccessDeniedException {
    Subject preAuthenticated = null;
    try {
        preAuthenticated = Subject.getSubject(AccessController.getContext());
    } catch (SecurityException e) {
        // not allowed to inspect the context: treated like "no Subject"
        log.warn("Can't check for preauthentication. Reason: {}", e.getMessage());
    }

    if (preAuthenticated == null) {
        log.debug("No preauthenticated subject found -> return null.");
        return null;
    }

    if (preAuthenticated.isReadOnly()) {
        // a read-only Subject cannot be extended, use it as it is
        log.debug("Preauthenticated Subject is read-only -> create Session");
        return createSession(preAuthenticated, workspaceName);
    }

    log.debug("Found preauthenticated Subject, try to extend authentication");
    // login either using JAAS or custom LoginModule
    AuthContext authCtx = context.getSecurityManager().getAuthContext(null, preAuthenticated, workspaceName);
    try {
        authCtx.login();
        return createSession(authCtx, workspaceName);
    } catch (javax.security.auth.login.LoginException e) {
        // subject could not be extended: fall back to the Subject as found
        log.debug("Preauthentication could not be extended");
        return createSession(preAuthenticated, workspaceName);
    }
}
Also used : AccessControlContext(java.security.AccessControlContext) AuthContext(org.apache.jackrabbit.core.security.authentication.AuthContext) Subject(javax.security.auth.Subject) Session(javax.jcr.Session)

Aggregations

Session (javax.jcr.Session)2 Subject (javax.security.auth.Subject)2 AuthContext (org.apache.jackrabbit.core.security.authentication.AuthContext)2 AccessControlContext (java.security.AccessControlContext)1 AccessDeniedException (javax.jcr.AccessDeniedException)1 LoginException (javax.jcr.LoginException)1 RepositoryException (javax.jcr.RepositoryException)1 SimpleCredentials (javax.jcr.SimpleCredentials)1 TokenCredentials (org.apache.jackrabbit.api.security.authentication.token.TokenCredentials)1