ServerLoginModule.java

/**
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.brixcms.rmiserver.jackrabbit;

import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.authentication.CredentialsCallback;
import org.brixcms.rmiserver.Role;
import org.brixcms.rmiserver.User;

import javax.jcr.Credentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class ServerLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;

    private final Authorizer authorizer;

    /**
     * local principals that were logged in
     */
    private final Set<Principal> principals = new HashSet<Principal>();

    /**
     * Constructor
     *
     * @param authorizer authorizer
     */
    public ServerLoginModule(Authorizer authorizer) {
        this.authorizer = authorizer;
    }


    /**
     * {@inheritDoc}
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    /**
     * {@inheritDoc}
     */
    public boolean login() throws LoginException {
        try {
            // clear any existing principals
            principals.clear();

            // authorize
            Credentials credentials = getCredentials();
            User user = authorizer.authorize(credentials, Role.WEBDAV, Role.RMI);

            // store authorized principal
            principals.add(new UserPrincipal(user.getLogin()));

            return true;
        } catch (AuthorizationException e) {
            principals.clear();
            throw new FailedLoginException(e.getMessage());
        }
    }

    /**
     * {@inheritDoc}
     */
    public boolean commit() throws LoginException {
        if (principals.isEmpty()) {
            return false;
        } else {
            // add authenticated principals to the subject
            subject.getPrincipals().addAll(principals);
            return true;
        }
    }

    /**
     * {@inheritDoc}
     */
    public boolean abort() throws LoginException {
        if (principals.isEmpty()) {
            return false;
        } else {
            logout();
        }
        return true;
    }

    /**
     * {@inheritDoc}
     */
    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(principals);
        principals.clear();
        return true;
    }

    private Credentials getCredentials() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("Null callback handler");
        }

        CredentialsCallback ccb = new CredentialsCallback();
        try {
            callbackHandler.handle(new Callback[]{ccb});
        } catch (Exception e) {
            throw new LoginException("Failed to retrieve login credentials");
        }
        return ccb.getCredentials();
    }
}