001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.resource.security;
023:
024: import java.security.acl.Group;
025: import java.security.Principal;
026: import java.security.PrivilegedExceptionAction;
027: import java.security.AccessController;
028: import java.security.PrivilegedActionException;
029: import java.util.Map;
030: import javax.resource.spi.security.PasswordCredential;
031: import javax.security.auth.Subject;
032: import javax.security.auth.callback.CallbackHandler;
033: import javax.security.auth.login.LoginException;
034: import javax.management.ObjectName;
035: import javax.management.MBeanServer;
036:
037: import org.jboss.security.SimplePrincipal;
038: import org.jboss.logging.Logger;
039:
040: /** A login module for statically defining a data source username and password
041: that uses a password that has been ecrypted by a JaasSecurityDomain. The
042: base64 format of the data source password may be generated using the PBEUtils
043: command:
044:
045: java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils salt count
046: domain-password data-source-password
047:
048: salt : the Salt attribute from the JaasSecurityDomain
049: count : the IterationCount attribute from the JaasSecurityDomain
050: domain-password : the plaintext password that maps to the KeyStorePass
051: attribute from the JaasSecurityDomain
052: data-source-password : the plaintext password for the data source that
053: should be encrypted with the JaasSecurityDomain password
054:
055: for example:
056:
057: java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master ''
058: Encoded password: E5gtGMKcXPP
059:
060: A sample login-config.xml configuration entry would be:
061:
062: <application-policy name = "EncryptedHsqlDbRealm">
063: <authentication>
064: <login-module code = "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
065: flag = "required">
066: <module-option name = "userName">sa</module-option>
067: <module-option name = "password">E5gtGMKcXPP</module-option>
068: <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
069: <module-option name = "jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
070: </login-module>
071: </authentication>
072: </application-policy>
073:
074:
075: @author Scott.Stark@jboss.org
076: @author <a href="mailto:noel.rocher@jboss.org">Noel Rocher</a> 29, june 2004 username & userName issue
077: @version $Revision: 57189 $
078: */
079: public class JaasSecurityDomainIdentityLoginModule extends
080: AbstractPasswordCredentialLoginModule {
081: private static final Logger log = Logger
082: .getLogger(JaasSecurityDomainIdentityLoginModule.class);
083:
084: private String username;
085: private String password;
086: private ObjectName jaasSecurityDomain;
087:
088: public void initialize(Subject subject, CallbackHandler handler,
089: Map sharedState, Map options) {
090: super .initialize(subject, handler, sharedState, options);
091: // NR : we keep this username for compatibility
092: username = (String) options.get("username");
093: if (username == null) {
094: // NR : try with userName
095: username = (String) options.get("userName");
096: if (username == null) {
097: throw new IllegalArgumentException(
098: "The user name is a required option");
099: }
100: }
101:
102: password = (String) options.get("password");
103: if (password == null) {
104: throw new IllegalArgumentException(
105: "The password is a required option");
106: }
107:
108: String name = (String) options.get("jaasSecurityDomain");
109: if (name == null) {
110: throw new IllegalArgumentException(
111: "The jaasSecurityDomain is a required option");
112: }
113:
114: try {
115: jaasSecurityDomain = new ObjectName(name);
116: } catch (Exception e) {
117: throw new IllegalArgumentException(
118: "Invalid jaasSecurityDomain: " + e.getMessage());
119: }
120: }
121:
122: public boolean login() throws LoginException {
123: log.trace("login called");
124: if (super .login() == true)
125: return true;
126:
127: super .loginOk = true;
128: return true;
129: }
130:
131: public boolean commit() throws LoginException {
132: Principal principal = new SimplePrincipal(username);
133: SubjectActions.addPrincipals(subject, principal);
134: sharedState.put("javax.security.auth.login.name", username);
135: // Decode the encrypted password
136: try {
137: char[] decodedPassword = DecodeAction.decode(password,
138: jaasSecurityDomain, getServer());
139: PasswordCredential cred = new PasswordCredential(username,
140: decodedPassword);
141: cred.setManagedConnectionFactory(getMcf());
142: SubjectActions.addCredentials(subject, cred);
143: } catch (Exception e) {
144: log.debug("Failed to decode password", e);
145: throw new LoginException("Failed to decode password: "
146: + e.getMessage());
147: }
148: return true;
149: }
150:
151: public boolean abort() {
152: username = null;
153: password = null;
154: return true;
155: }
156:
157: protected Principal getIdentity() {
158: log.trace("getIdentity called, username=" + username);
159: Principal principal = new SimplePrincipal(username);
160: return principal;
161: }
162:
163: protected Group[] getRoleSets() throws LoginException {
164: Group[] empty = new Group[0];
165: return empty;
166: }
167:
168: private static class DecodeAction implements
169: PrivilegedExceptionAction {
170: String password;
171: ObjectName jaasSecurityDomain;
172: MBeanServer server;
173:
174: DecodeAction(String password, ObjectName jaasSecurityDomain,
175: MBeanServer server) {
176: this .password = password;
177: this .jaasSecurityDomain = jaasSecurityDomain;
178: this .server = server;
179: }
180:
181: /**
182: *
183: * @return
184: * @throws Exception
185: */
186: public Object run() throws Exception {
187: // Invoke the jaasSecurityDomain.decodeb64 op
188: Object[] args = { password };
189: String[] sig = { String.class.getName() };
190: byte[] secret = (byte[]) server.invoke(jaasSecurityDomain,
191: "decode64", args, sig);
192: // Convert to UTF-8 base char array
193: String secretPassword = new String(secret, "UTF-8");
194: return secretPassword.toCharArray();
195: }
196:
197: static char[] decode(String password,
198: ObjectName jaasSecurityDomain, MBeanServer server)
199: throws Exception {
200: DecodeAction action = new DecodeAction(password,
201: jaasSecurityDomain, server);
202: try {
203: char[] decode = (char[]) AccessController
204: .doPrivileged(action);
205: return decode;
206: } catch (PrivilegedActionException e) {
207: throw e.getException();
208: }
209: }
210: }
211: }
|