001: /*
002: * JOSSO: Java Open Single Sign-On
003: *
004: * Copyright 2004-2008, Atricore, Inc.
005: *
006: * This is free software; you can redistribute it and/or modify it
007: * under the terms of the GNU Lesser General Public License as
008: * published by the Free Software Foundation; either version 2.1 of
009: * the License, or (at your option) any later version.
010: *
011: * This software is distributed in the hope that it will be useful,
012: * but WITHOUT ANY WARRANTY; without even the implied warranty of
013: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014: * Lesser General Public License for more details.
015: *
016: * You should have received a copy of the GNU Lesser General Public
017: * License along with this software; if not, write to the Free
018: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
019: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
020: */
021:
022: package org.josso.jb32.agent;
023:
024: import org.apache.commons.logging.Log;
025: import org.apache.commons.logging.LogFactory;
026: import org.josso.gateway.identity.SSORole;
027: import org.josso.gateway.identity.SSOUser;
028: import org.josso.gateway.identity.service.BaseRoleImpl;
029: import org.josso.gateway.identity.service.BaseUserImpl;
030: import org.josso.tc50.agent.jaas.SSOGatewayLoginModule;
031:
032: import javax.security.auth.Subject;
033: import javax.security.auth.callback.CallbackHandler;
034: import javax.security.auth.login.LoginException;
035: import java.security.Principal;
036: import java.security.acl.Group;
037: import java.util.Iterator;
038: import java.util.Map;
039: import java.util.Set;
040:
041: /**
042: * SSOGatewayLogin Module for JBoss.
043: * <p>
044: * It specializes the SSOGatewayLoginModule by associating an additional
045: * group called ("Roles") which contains user roles.
046: * The original SSOGatewayLoginModule associates the user and its roles directly
047: * as Subject's Principals. This won't work in JBoss since it obtains user roles
048: * from a special Group that must be called "Roles".
049: * This LoginModule adds this special group, adds the roles as members of it and
050: * associates such group to the Subject as built by the SSOGatewayLoginModule.
051: * <p>
052: * To configure this JAAS Login Module, add to the
053: * $JBOSS_HOME/server/default/conf/login-config.xml file the following entry :
054: * <p>
055: <pre>
056: <policy>
057: <!-- Used by JOSSO Agents for authenticating users against the Gateway -->
058: <application-policy name = "josso">
059: <authentication>
060: <login-module code = "org.josso.jb32.agent.JBossSSOGatewayLoginModule"
061: flag = "required">
062: <module-option name="debug">true</module-option>
063: <module-option name="unauthenticatedIdentity">guest</module-option>
064: </login-module>
065: </authentication>
066: </application-policy>
067: ...
068: </policy>
069: </pre>
070: *
071: * @author <a href="mailto:gbrigand@josso.org">Gianluca Brigandi</a>
072: * @version CVS $Id: JBossSSOGatewayLoginModule.java 508 2008-02-18 13:32:29Z sgonzalez $
073: */
074:
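public class JBossSSOGatewayLoginModule extends SSOGatewayLoginModule {

    private static final Log logger = LogFactory
            .getLog(JBossSSOGatewayLoginModule.class);

    /** Subject handed to initialize(); commit() adds the JBoss "Roles" group to it. */
    private Subject _savedSubject;

    /** the principal to use when user is not authenticated **/
    protected SSOUser _unauthenticatedIdentity;

    /**
     * Initialize this LoginModule.
     * Save the received Subject to change it when commit() gets invoked, and
     * read the optional <code>unauthenticatedIdentity</code> module option.
     *
     * @param subject the Subject to be authenticated.
     *
     * @param callbackHandler a CallbackHandler for communicating
     * with the end user (prompting for user names and
     * passwords, for example).
     *
     * @param sharedState shared LoginModule state.
     *
     * @param options options specified in the login Configuration
     * for this particular LoginModule.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {

        _savedSubject = subject;
        super.initialize(subject, callbackHandler, sharedState, options);

        // Check for unauthenticatedIdentity option.
        String name = (String) options.get("unauthenticatedIdentity");
        if (name != null) {
            try {
                _unauthenticatedIdentity = createIdentity(name);
                logger.debug("Saw unauthenticatedIdentity=" + name);
            } catch (Exception e) {
                // Best effort: a bad option only disables the unauthenticated
                // fallback, it must not prevent the module from initializing.
                logger.warn("Failed to create custom unauthenticatedIdentity", e);
            }
        }
    }

    /**
     * Authenticates the user through the parent module and supports the
     * unauthenticatedIdentity property used by JBoss.
     *
     * @return true if the parent module authenticated the user, or if it did not
     *         but an unauthenticatedIdentity is configured and has been adopted as
     *         the SSO user principal; false if the user is not authenticated and
     *         no fallback identity is configured, so that the LoginContext treats
     *         this module as ignored rather than as succeeded.
     *
     * @throws LoginException if the parent module's login fails.
     */
    public boolean login() throws LoginException {
        boolean authenticated = super.login();
        if (authenticated) {
            return true;
        }

        // Not authenticated: use the configured Principal, if any.
        if (_unauthenticatedIdentity != null) {
            logger.debug("Authenticated as unauthenticatedIdentity : "
                    + _unauthenticatedIdentity);
            _ssoUserPrincipal = _unauthenticatedIdentity;
            _succeeded = true;
            return true;
        }

        // No fallback identity: do not report success for an unauthenticated user.
        return false;
    }

    /**
     * This method is called if the LoginContext's overall authentication succeeded.
     * <p>
     * When the parent module commits successfully, the Subject saved in the previously
     * executed initialize() method is modified by adding a new special Group called
     * "Roles" whose members are the SSO user roles. JBoss will fetch user roles by
     * examining such group. If the parent module's commit fails the Subject is left
     * untouched, as the JAAS contract requires.
     *
     * @exception LoginException if the commit fails.
     *
     * @return true if this LoginModule's own login and commit
     * attempts succeeded, or false otherwise.
     */
    public boolean commit() throws LoginException {
        boolean rc = super.commit();
        if (!rc) {
            // This module did not succeed: adding even an empty "Roles" group here
            // would alter a Subject this module did not authenticate.
            return false;
        }

        Set ssoRolePrincipals = _savedSubject.getPrincipals(SSORole.class);
        Group targetGrp = new BaseRoleImpl("Roles");
        for (Iterator i = ssoRolePrincipals.iterator(); i.hasNext();) {
            targetGrp.addMember((Principal) i.next()); // Add user role to "Roles" group
        }

        // Add the "Roles" group to the Subject so that JBoss can fetch user roles.
        _savedSubject.getPrincipals().add(targetGrp);

        return true;
    }

    /**
     * Builds the SSO user used as the unauthenticated identity.
     *
     * @param username the value of the unauthenticatedIdentity module option.
     * @return a new user principal carrying the given name.
     */
    protected SSOUser createIdentity(String username) {
        return new BaseUserImpl(username);
    }

    /**
     * Returns the user's roles, or no roles at all when the current principal is the
     * configured unauthenticated identity (compared by reference, since it is the very
     * object assigned in login()).
     *
     * @return the roles resolved by the parent module, or an empty array for the
     *         unauthenticated identity.
     *
     * @throws LoginException if the parent module cannot resolve the roles.
     */
    protected SSORole[] getRoleSets() throws LoginException {
        if (_ssoUserPrincipal == _unauthenticatedIdentity) {
            // Using unauthenticatedIdentity ..
            if (logger.isDebugEnabled()) {
                logger.debug("Using unauthenticatedIdentity "
                        + _ssoUserPrincipal + ", returning no roles.");
            }
            return new SSORole[0];
        }
        return super.getRoleSets();
    }
}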
|