/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.karaf.jaas.modules.properties;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Field;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.felix.utils.properties.Properties;
import org.apache.karaf.jaas.boot.principal.GroupPrincipal;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.jaas.boot.principal.UserPrincipal;
import org.apache.karaf.jaas.modules.AbstractKarafLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* JAAS Login module for user / password, based on two properties files.
*/
public class DigestPasswordLoginModule extends AbstractKarafLoginModule {
private static final transient Logger LOGGER = LoggerFactory.getLogger(DigestPasswordLoginModule.class);
static final String USER_FILE = "users";
private MessageDigest digest;
private String usersFile;
public void initialize(Subject sub, CallbackHandler handler, Map sharedState, Map options) {
super.initialize(sub,handler,options);
usersFile = (String) options.get(USER_FILE);
if (debug) {
LOGGER.debug("Initialized debug={} usersFile={}", debug, usersFile);
}
}
public String doPasswordDigest(String nonce, String created, String password) {
String passwdDigest = null;
try {
passwdDigest = doPasswordDigest(nonce, created, password.getBytes("UTF-8"));
} catch (Exception e) {
LOGGER.debug(e.getMessage(), e);
}
return passwdDigest;
}
public String doPasswordDigest(String nonce, String created, byte[] password) {
String passwdDigest = null;
try {
byte[] b1 = nonce != null ? new Base64().decode(nonce) : new byte[0];
byte[] b2 = created != null ? created.getBytes("UTF-8") : new byte[0];
byte[] b3 = password;
byte[] b4 = new byte[b1.length + b2.length + b3.length];
int offset = 0;
System.arraycopy(b1, 0, b4, offset, b1.length);
offset += b1.length;
System.arraycopy(b2, 0, b4, offset, b2.length);
offset += b2.length;
System.arraycopy(b3, 0, b4, offset, b3.length);
byte[] digestBytes = generateDigest(b4);
passwdDigest = new String(new Base64().encodeBase64(digestBytes));
} catch (Exception e) {
LOGGER.debug(e.getMessage(), e);
}
return passwdDigest;
}
/**
* Generate a (SHA1) digest of the input bytes. The MessageDigest instance that backs this
* method is cached for efficiency.
* @param inputBytes the bytes to digest
* @return the digest of the input bytes
* @throws WSSecurityException
*/
public synchronized byte[] generateDigest(byte[] inputBytes) {
try {
if (digest == null) {
digest = MessageDigest.getInstance("SHA-1");
}
return digest.digest(inputBytes);
} catch (Exception e) {
throw new RuntimeException("Error in generating digest", e);
}
}
public boolean login() throws LoginException {
if (usersFile == null) {
throw new LoginException("The property users may not be null");
}
File f = new File(usersFile);
if (!f.exists()) {
throw new LoginException("Users file not found at " + f);
}
Properties users;
try {
users = new Properties(f);
} catch (IOException ioe) {
throw new LoginException("Unable to load user properties file " + f);
}
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("Username: ");
callbacks[1] = new PasswordCallback("Password: ", false);
if (callbackHandler != null) {
try {
callbackHandler.handle(callbacks);
} catch (IOException ioe) {
throw new LoginException(ioe.getMessage());
} catch (UnsupportedCallbackException uce) {
throw new LoginException(uce.getMessage() + " not available to obtain information from user");
}
}
// user callback get value
if (((NameCallback) callbacks[0]).getName() == null) {
throw new LoginException("Username can not be null");
}
user = ((NameCallback) callbacks[0]).getName();
if (user.startsWith(PropertiesBackingEngine.GROUP_PREFIX)) {
// you can't log in under a group name
throw new FailedLoginException("login failed");
}
// password callback get value
if (((PasswordCallback) callbacks[1]).getPassword() == null) {
throw new LoginException("Password can not be null");
}
String password = new String(((PasswordCallback) callbacks[1]).getPassword());
// user infos container read from the users properties file
String userInfos = null;
try {
userInfos = (String) users.get(user);
} catch (NullPointerException e) {
//error handled in the next statement
}
if (userInfos == null) {
if (!this.detailedLoginExcepion) {
throw new FailedLoginException("login failed");
} else {
throw new FailedLoginException("User " + user + " does not exist");
}
}
// the password is in the first position
String[] infos = userInfos.split(",");
String storedPassword = infos[0];
CallbackHandler myCallbackHandler = null;
try {
Field field = callbackHandler.getClass().getDeclaredField("ch");
field.setAccessible(true);
myCallbackHandler = (CallbackHandler) field.get(callbackHandler);
} catch (Exception e) {
throw new LoginException("Unable to load underlying callback handler");
}
if (myCallbackHandler instanceof NameDigestPasswordCallbackHandler) {
NameDigestPasswordCallbackHandler digestCallbackHandler = (NameDigestPasswordCallbackHandler)myCallbackHandler;
storedPassword = doPasswordDigest(digestCallbackHandler.getNonce(),
digestCallbackHandler.getCreatedTime(),
storedPassword);
}
// check the provided password
if (!checkPassword(password, storedPassword)) {
if (!this.detailedLoginExcepion) {
throw new FailedLoginException("login failed");
} else {
throw new FailedLoginException("Password for " + user + " does not match");
}
}
principals = new HashSet<Principal>();
principals.add(new UserPrincipal(user));
for (int i = 1; i < infos.length; i++) {
if (infos[i].trim().startsWith(PropertiesBackingEngine.GROUP_PREFIX)) {
// it's a group reference
principals.add(new GroupPrincipal(infos[i].trim().substring(PropertiesBackingEngine.GROUP_PREFIX.length())));
String groupInfo = (String) users.get(infos[i].trim());
if (groupInfo != null) {
String[] roles = groupInfo.split(",");
for (int j = 1; j < roles.length; j++) {
principals.add(new RolePrincipal(roles[j].trim()));
}
}
} else {
// it's an user reference
principals.add(new RolePrincipal(infos[i].trim()));
}
}
users.clear();
if (debug) {
LOGGER.debug("Successfully logged in {}", user);
}
return true;
}
public boolean abort() throws LoginException {
clear();
if (debug) {
LOGGER.debug("abort");
}
return true;
}
public boolean logout() throws LoginException {
subject.getPrincipals().removeAll(principals);
principals.clear();
if (debug) {
LOGGER.debug("logout");
}
return true;
}
}