InternalAuthenticationProvider.java

/**
 * NOTE: This copyright does *not* cover user programs that use HQ
 * program services by normal system calls through the application
 * program interfaces provided as part of the Hyperic Plug-in Development
 * Kit or the Hyperic Client Development Kit - this is merely considered
 * normal use of the program, and does *not* fall under the heading of
 *  "derived work".
 *
 *  Copyright (C) [2009-2010], VMware, Inc.
 *  This file is part of HQ.
 *
 *  HQ is free software; you can redistribute it and/or modify
 *  it under the terms version 2 of the GNU General Public License as
 *  published by the Free Software Foundation. This program is distributed
 *  in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 *  even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 *  PARTICULAR PURPOSE. See the GNU General Public License for more
 *  details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 *  USA.
 *
 */

package org.hyperic.hq.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.hyperic.hq.authz.server.session.AuthzSubject;
import org.hyperic.hq.authz.shared.AuthzConstants;
import org.hyperic.hq.authz.shared.AuthzSubjectManager;
import org.hyperic.hq.common.shared.ServerConfigManager;
import org.hyperic.util.ConfigPropertyException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

/**
 * This class is responsible for authenticating a user using HQ's internal user
 * store. It can also be configured to enable guest user access as well as
 * override the guest username.
 */
public class InternalAuthenticationProvider implements AuthenticationProvider {

    private final AuthzSubjectManager authzSubjectManager;
    private final Set<HQAuthenticationProvider> hqAuthenticationProviders;
    private final ServerConfigManager serverConfigManager;

    public InternalAuthenticationProvider(AuthzSubjectManager authzSubjectManager,
                                          Set<HQAuthenticationProvider> hqAuthenticationProviders, ServerConfigManager serverConfigManager) {
        this.authzSubjectManager = authzSubjectManager;
        this.hqAuthenticationProviders = hqAuthenticationProviders;
        this.serverConfigManager = serverConfigManager;
    }

    public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        // Check if we're dealing with a guest user...
        AuthzSubject guestUser = authzSubjectManager.getSubjectById(AuthzConstants.guestId);

        if (guestUser == null || !guestUser.getActive() ||
            !guestUser.getName().equalsIgnoreCase(username)) {
            // ...we're not dealing with a guest authentication...
            AuthenticationException lastException = null;
            Authentication result = null;
            Properties serverConfig;
            try {
                serverConfig = serverConfigManager.getConfig();
            } catch (ConfigPropertyException e) {
                throw new AuthenticationServiceException(
                    "Unable to read server configuration to determine authentication type", e);
            }
            for (HQAuthenticationProvider authProvider : hqAuthenticationProviders) {
                if (authProvider.supports(serverConfig, authentication.getDetails())) {
                    try {
                        result = authProvider.authenticate(username, password);
                    }catch (UserDisabledException e) {
                    	throw e;
                    }catch (AuthenticationException e) {
                        lastException = e;
                    } catch (Exception e) {
						lastException = new AuthenticationException(e.getMessage(), e) {
						};
					}
                    if (result != null) {
                        return result;
                    }
                }
            }
            if (lastException != null) {
                throw lastException;
            }
        }
       //Return a token for guest user
        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        // ...TODO right now, every user is given the "ROLE HQ USER" grant authority, once we fully integrate with
        // spring security this should be updated with a better approach...
        grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_HQ_USER"));
        return new UsernamePasswordAuthenticationToken(username, password, grantedAuthorities);
    }

    public boolean supports(Class<? extends Object> authentication) {
        // ...for now, we only support objects that implement Authentication if
        // we find that we need more information
        // we can add some interfaces to make sure we get that information and
        // check for it here...
        return Authentication.class.getClass().isInstance(authentication);
    }
}