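/**
 * Copyright (c) 2009 Juwi MacMillan Group GmbH
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package de.juwimm.cms.safeguard.realmlogin;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.log4j.Logger;

import de.juwimm.cms.authorization.SimpleCallbackHandler;
import de.juwimm.cms.safeguard.model.RealmJaasHbm;
import de.juwimm.cms.safeguard.model.RealmJaasHbmDao;

/**
 * {@link SafeguardLoginManager} that authenticates a user through the JAAS
 * login policy configured for a realm and, optionally, checks that the
 * resulting {@link Subject} carries a required role.
 * <p>
 * Roles are read from a JAAS {@link Group} principal named {@code roles}
 * inside the subject (the convention used by JBoss login modules).
 * <strong>only works properly in JBoss!!!</strong>
 *
 * @author <a href="mailto:michael.meyer@juwimm.com">Michael Meyer</a>
 * @author <a href="mailto:carsten.schalm@juwimm.com">Carsten Schalm</a>
 * company Juwi|MacMillan Group Gmbh, Walsrode, Germany
 * @version $Id$
 */
public class JAASRealmLoginManager implements SafeguardLoginManager {
    private static final Logger log = Logger.getLogger(JAASRealmLoginManager.class);

    /** Name of the JAAS group that carries the subject's roles; compared case-insensitively. */
    private static final String ROLES_GROUP_NAME = "roles";

    private final String userName;
    private final String password;
    private final String roleNeeded;
    private final Integer realmId;
    private final RealmJaasHbmDao realmJaasHbmDao;

    /**
     * @param realmJaasHbmDao DAO used to look up the realm and its JAAS policy name
     * @param realmId id of the realm to authenticate against
     * @param userName login name handed to the JAAS login modules
     * @param password password handed to the JAAS login modules
     * @param roleNeeded role the user must hold to be authorized; {@code null} or
     *        empty means every authenticated user is authorized
     */
    public JAASRealmLoginManager(RealmJaasHbmDao realmJaasHbmDao, Integer realmId, String userName, String password, String roleNeeded) {
        this.password = password;
        this.realmId = realmId;
        this.userName = userName;
        this.roleNeeded = roleNeeded;
        this.realmJaasHbmDao = realmJaasHbmDao;
    }

    /**
     * Authenticates the user against the realm's JAAS policy and, when a role is
     * required, checks the authenticated subject for it.
     * <p>
     * The login context is intentionally <em>not</em> logged out here (unlike in
     * {@link #getRoles()}); NOTE(review): this looks like it relies on the JBoss
     * container keeping the authenticated subject associated with the caller —
     * confirm before adding a {@code logout()}.
     *
     * @return {@link SafeguardLoginManager#LOGIN_SUCCESSFULLY} when authentication
     *         (and, if required, the role check) passed,
     *         {@link SafeguardLoginManager#LOGIN_UNAUTHORIZED} when the user
     *         authenticated but lacks the required role, and
     *         {@link SafeguardLoginManager#LOGIN_UNAUTHENTICATED} when the JAAS
     *         login failed (the failure is logged)
     */
    public byte login() {
        byte login = SafeguardLoginManager.LOGIN_UNAUTHENTICATED;
        try {
            LoginContext lc = createLoginContext();
            lc.login();
            if (isRoleRequired()) {
                login = hasRequiredRole(lc.getSubject())
                        ? SafeguardLoginManager.LOGIN_SUCCESSFULLY
                        : SafeguardLoginManager.LOGIN_UNAUTHORIZED;
            } else {
                login = SafeguardLoginManager.LOGIN_SUCCESSFULLY;
            }
            if (log.isDebugEnabled()) {
                log.debug("user \"" + this.userName + "\" at realm " + this.realmId + " is logedin: " + login);
            }
        } catch (LoginException e) {
            log.error("Error loging in user " + this.userName + " on JaasRealm " + this.realmId + ": " + e.getMessage(), e);
        }
        return login;
    }

    /**
     * Authenticates the user and collects the names of all members of the JAAS
     * {@code roles} group(s) in the resulting subject. The login context is
     * logged out again before returning, also when the role lookup fails
     * part-way through.
     *
     * @return the role names; empty when authentication fails (the failure is logged)
     */
    public Collection<String> getRoles() {
        Set<String> rolesSet = new HashSet<String>();
        LoginContext lc = null;
        boolean loggedIn = false;
        try {
            lc = createLoginContext();
            lc.login();
            loggedIn = true;
            for (Principal principal : lc.getSubject().getPrincipals()) {
                if (!isRolesGroup(principal)) {
                    continue;
                }
                Enumeration<? extends Principal> members = ((Group) principal).members();
                while (members.hasMoreElements()) {
                    rolesSet.add(members.nextElement().getName());
                }
            }
        } catch (LoginException e) {
            log.error("Error getting roles: " + e.getMessage(), e);
        } finally {
            // logout() must only be called on a context whose login() succeeded;
            // calling it on a never-logged-in context throws.
            if (loggedIn) {
                logoutQuietly(lc);
            }
        }
        return rolesSet;
    }

    /** Builds the login context for this realm's JAAS policy with the configured credentials. */
    private LoginContext createLoginContext() throws LoginException {
        RealmJaasHbm realm = realmJaasHbmDao.load(this.realmId);
        return new LoginContext(realm.getJaasPolicyName(), new SimpleCallbackHandler(this.userName, this.password));
    }

    /** Whether a role must be present for {@link #login()} to report success. */
    private boolean isRoleRequired() {
        return this.roleNeeded != null && this.roleNeeded.length() > 0;
    }

    /** Whether the principal is a JAAS {@link Group} named {@value #ROLES_GROUP_NAME} (case-insensitive). */
    private static boolean isRolesGroup(Principal principal) {
        return principal instanceof Group && ROLES_GROUP_NAME.equalsIgnoreCase(principal.getName());
    }

    /**
     * Whether the required role is present in the subject's {@code roles} group(s).
     * <p>
     * Role names are compared case-insensitively, as the original check did; a
     * case-sensitive comparison would be stricter — confirm against what the
     * login modules emit before tightening it. Only principal class and name are
     * logged: {@code Subject.toString()} includes the subject's credentials when
     * they are readable and must not end up in the log.
     *
     * @param user the authenticated subject
     */
    private boolean hasRequiredRole(Subject user) {
        Principal requiredRole = new PrincipalImpl(this.roleNeeded);
        for (Principal principal : user.getPrincipals()) {
            if (log.isDebugEnabled()) {
                log.debug(principal.getClass().getName() + ": " + principal.getName());
            }
            if (!isRolesGroup(principal)) {
                continue;
            }
            Group group = (Group) principal;
            // isMember() depends on PrincipalImpl.equals(); the name loop below also
            // covers group implementations that compare members differently.
            if (group.isMember(requiredRole)) {
                return true;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                String memberName = members.nextElement().getName();
                if (memberName != null && memberName.equalsIgnoreCase(this.roleNeeded)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Logs the context out; a failure to log out is reported but not propagated. */
    private void logoutQuietly(LoginContext lc) {
        try {
            lc.logout();
        } catch (LoginException e) {
            log.warn("Error logging out user " + this.userName + " on JaasRealm " + this.realmId + ": " + e.getMessage(), e);
        }
    }
}

/**
 * Minimal {@link Principal} used to probe a JAAS group for a role by name.
 * Equality and hash code are based on the name so that
 * {@link Group#isMember(Principal)} can match it against the group's own
 * principal objects; without them the probe would only ever match by identity.
 */
final class PrincipalImpl implements Principal {
    private final String name;

    /** @param name the principal (role) name; may be {@code null} */
    public PrincipalImpl(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }

    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (!(other instanceof PrincipalImpl)) {
            return false;
        }
        String otherName = ((PrincipalImpl) other).name;
        return name == null ? otherName == null : name.equals(otherName);
    }

    @Override
    public int hashCode() {
        return name == null ? 0 : name.hashCode();
    }

    @Override
    public String toString() {
        return name;
    }
}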