DelegationLoginModule.java

/*
 * JBoss, Home of Professional Open Source
 * Copyright 2013, Red Hat, Inc. and/or its affiliates, and individual
 * contributors by the @authors tag. See the copyright.txt in the
 * distribution for a full listing of individual contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.jboss.as.quickstarts.ejb_security_interceptors;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.ObjectCallback;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/**
 * Login module to make the decision if one user can ask for the current request to be switched to an alternative specified
 * user.
 * 
 * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
 */
public class DelegationLoginModule extends AbstractServerLoginModule {

    private static final String DELEGATION_PROPERTIES = "delegationProperties";

    private static final String DEFAULT_DELEGATION_PROPERTIES = "delegation-mapping.properties";

    private Properties delegationMappings;

    private Principal identity;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        addValidOptions(new String[] { DELEGATION_PROPERTIES });
        super.initialize(subject, callbackHandler, sharedState, options);

        String propertiesName;
        if (options.containsKey(DELEGATION_PROPERTIES)) {
            propertiesName = (String) options.get(DELEGATION_PROPERTIES);
        } else {
            propertiesName = DEFAULT_DELEGATION_PROPERTIES;
        }
        try {
            delegationMappings = loadProperties(propertiesName);
        } catch (IOException e) {
            throw new IllegalArgumentException(String.format("Unable to load properties '%s'", propertiesName), e);
        }
    }

    @SuppressWarnings("unchecked")
    @Override
    public boolean login() throws LoginException {
        if (super.login() == true) {
            log.debug("super.login()==true");
            return true;
        }

        // Time to see if this is a delegation request.
        NameCallback ncb = new NameCallback("Username:");
        ObjectCallback ocb = new ObjectCallback("Password:");

        try {
            callbackHandler.handle(new Callback[] { ncb, ocb });
        } catch (Exception e) {
            if (e instanceof RuntimeException) {
                throw (RuntimeException) e;
            }
            return false; // If the CallbackHandler can not handle the required callbacks then no chance.
        }

        String name = ncb.getName();
        Object credential = ocb.getCredential();

        if (credential instanceof OuterUserCredential) {
            // This credential type will only be seen for a delegation request, if not seen then the request is not for us.

            if (delegationAcceptable(name, (OuterUserCredential) credential)) {

                identity = new SimplePrincipal(name);
                if (getUseFirstPass()) {
                    String userName = identity.getName();
                    if (log.isDebugEnabled())
                        log.debug("Storing username '" + userName + "' and empty password");
                    // Add the username and an empty password to the shared state map
                    sharedState.put("javax.security.auth.login.name", identity);
                    sharedState.put("javax.security.auth.login.password", "");
                }
                loginOk = true;
                return true;
            }
        }

        return false; // Attempted login but not successful.
    }

    /**
     * Make a trust user to decide if the user switch is acceptable.
     * 
     * The default implementation checks the Properties for the user that opened the connection looking for a match, the
     * property read is then used to check if the connection user can delegate to the user specified.
     * 
     * The following entries will be checked in the Properties in this order: - user@realm - This is an exact match for the user
     * / realm combination of the connection user. user@* - This entry allows a match by username for any realm. *@realm - This
     * entry allows for any user in the realm specified. * - This matches all users.
     * 
     * Once an entry has been found the Properties will not be read again, even if the entry loaded does not allow delegation.
     * 
     * The value for the property is either '*' which means delegation to any user is allowed or a comma separate list of users
     * that can be delegated to.
     * 
     * @param requestedUser - The user this request wants to be authorized as.
     * @param connectionUser - The use of the connection to the server.
     * @return true if a switch is acceptable, false otherwise.
     */
    protected boolean delegationAcceptable(String requestedUser, OuterUserCredential connectionUser) {
        if (delegationMappings == null) {
            return false;
        }

        String[] allowedMappings = loadPropertyValue(connectionUser.getName(), connectionUser.getRealm());
        if (allowedMappings.length == 1 && "*".equals(allowedMappings[1])) {
            // A wild card mapping was found.
            return true;
        }
        for (String current : allowedMappings) {
            if (requestedUser.equals(current)) {
                return true;
            }
        }

        return false;
    }

    private String[] loadPropertyValue(final String userName, final String realm) {
        String value = null;

        value = delegationMappings.getProperty(userName + "@" + realm);
        if (value == null) {
            value = delegationMappings.getProperty(userName + "@*");
        }
        if (value == null) {
            value = delegationMappings.getProperty("*@" + realm);
        }
        if (value == null) {
            value = delegationMappings.getProperty("*");
        }

        if (value == null) {
            return new String[0];
        } else {
            return value.split(",");
        }
    }

    @Override
    protected Principal getIdentity() {
        return identity;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        Group callerPrincipal = new SimpleGroup("CallerPrincipal");
        Group[] groups = { roles, callerPrincipal };
        callerPrincipal.addMember(getIdentity());
        return groups;
    }

    private Properties loadProperties(final String name) throws IOException {
        ClassLoader classLoader = SecurityActions.getContextClassLoader();
        URL url = classLoader.getResource(name);
        InputStream is = url.openStream();
        try {
            Properties props = new Properties();
            props.load(is);
            return props;

        } finally {
            is.close();
        }
    }

}