added support for JACC authetnication to allow delegation to applicat…

…ion server security mechanism
AppFormer · Apr 10, 2013 · a389801 · a389801
1 parent add5192
commit a389801
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 13 deletions.
diff --git a/pom.xml b/pom.xml
@@ -60,7 +60,7 @@
     <gwt-dnd.version>3.1.2</gwt-dnd.version>
     <hamcrest.version>1.3</hamcrest.version>
     <jasypt.version>1.9.0</jasypt.version>
-    <jacc.version>1.4.0</jacc.version>
+    <jacc.version>1.4</jacc.version>
   </properties>
 
   <scm>
@@ -725,6 +725,13 @@
         <version>${jasypt.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>javax.security.jacc</groupId>
+        <artifactId>javax.security.jacc-api</artifactId>
+        <version>${jacc.version}</version>
+        <scope>provided</scope>
+      </dependency>
+
     </dependencies>
   </dependencyManagement>
 

diff --git a/...erfire-security-api/src/main/java/org/uberfire/security/impl/auth/UserNameCredential.java b/...erfire-security-api/src/main/java/org/uberfire/security/impl/auth/UserNameCredential.java
@@ -0,0 +1,15 @@
+package org.uberfire.security.impl.auth;
+
+import org.uberfire.security.auth.Credential;
+
+public class UserNameCredential implements Credential {
+    private final String userName;
+
+    public UserNameCredential(final String userName) {
+        this.userName = userName;
+    }
+
+    public String getUserName() {
+        return userName;
+    }
+}
diff --git a/...ecurity-api/src/main/java/org/uberfire/security/impl/auth/UsernamePasswordCredential.java b/...ecurity-api/src/main/java/org/uberfire/security/impl/auth/UsernamePasswordCredential.java
@@ -18,20 +18,15 @@
 
 import org.uberfire.security.auth.Credential;
 
-public class UsernamePasswordCredential implements Credential {
+public class UsernamePasswordCredential extends UserNameCredential {
 
-    private final String userName;
     private final Object passwd;
 
     public UsernamePasswordCredential(final String userName, final Object passwd) {
-        this.userName = userName;
+        super(userName);
         this.passwd = passwd;
     }
 
-    public String getUserName() {
-        return userName;
-    }
-
     public Object getPassword() {
         return passwd;
     }

diff --git a/uberfire-security/uberfire-security-server/pom.xml b/uberfire-security/uberfire-security-server/pom.xml
@@ -69,6 +69,11 @@
       <artifactId>slf4j-api</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>javax.security.jacc</groupId>
+      <artifactId>javax.security.jacc-api</artifactId>
+    </dependency>
+
   </dependencies>
 
 </project>
diff --git a/...berfire-security-server/src/main/java/org/uberfire/security/server/SecurityConstants.java b/...berfire-security-server/src/main/java/org/uberfire/security/server/SecurityConstants.java
@@ -57,4 +57,7 @@ public interface SecurityConstants {
     final String LOGOUT_URI = "/uf_logout";
 
     final String SUBJECT_ON_SESSION_KEY = "org.uf.subject";
+
+    final String ROLES_IN_CONTEXT_KEY = "org.uf.context.roles";
+
 }
diff --git a/...re-security-server/src/main/java/org/uberfire/security/server/UberFireSecurityFilter.java b/...re-security-server/src/main/java/org/uberfire/security/server/UberFireSecurityFilter.java
@@ -188,15 +188,18 @@ private AuthenticationManager getAuthenticationManager( final Map<String, String
 
     private AuthenticationScheme getAuthenticationScheme( final Map<String, String> options ) {
         final String authScheme = options.get( AUTH_SCHEME_KEY );
+        AuthenticationScheme scheme = null;
         if ( authScheme == null || authScheme.isEmpty() ) {
             return new FormAuthenticationScheme();
+        }  else {
+            scheme =  loadConfigClazz( authScheme, AuthenticationScheme.class );
         }
 
-        if ( authScheme.equalsIgnoreCase( FORM ) ) {
+        if ( scheme == null && authScheme.equalsIgnoreCase( FORM ) ) {
             return new FormAuthenticationScheme();
         }
 
-        return null;
+        return scheme;
     }
 
     @Override
@@ -296,7 +299,7 @@ private <T> T loadConfigClazz( final String clazzName,
         try {
             final Class<?> clazz = Class.forName( clazzName );
 
-            if ( !clazz.isAssignableFrom( typeOf ) ) {
+            if ( !typeOf.isAssignableFrom( clazz ) ) {
                 LOG.error( "Invalid class type '" + typeOf.getName() + "'" );
                 return null;
             }

diff --git a/...server/src/main/java/org/uberfire/security/server/auth/DefaultAuthenticationProvider.java b/...server/src/main/java/org/uberfire/security/server/auth/DefaultAuthenticationProvider.java
@@ -27,6 +27,7 @@
 import org.uberfire.security.auth.AuthenticationStatus;
 import org.uberfire.security.auth.Credential;
 import org.uberfire.security.auth.Principal;
+import org.uberfire.security.impl.auth.UserNameCredential;
 import org.uberfire.security.impl.auth.UsernamePasswordCredential;
 
 import static java.util.Collections.*;
@@ -74,7 +75,7 @@ public Principal getPrincipal() {
             };
         }
 
-        final UsernamePasswordCredential realCredential = UsernamePasswordCredential.class.cast(credential);
+        final UserNameCredential realCredential = UserNameCredential.class.cast(credential);
 
         if (!authenticationSource.authenticate(realCredential)) {
             return new AuthenticationResult() {

diff --git a/...ity-server/src/main/java/org/uberfire/security/server/auth/HttpAuthenticationManager.java b/...ity-server/src/main/java/org/uberfire/security/server/auth/HttpAuthenticationManager.java
@@ -163,7 +163,7 @@ public String getName() {
         }
 
         final String originalRequest = requestCache.remove(httpContext.getRequest().getSession().getId());
-        if (originalRequest != null && !originalRequest.isEmpty()) {
+        if (originalRequest != null && !originalRequest.isEmpty() && !httpContext.getResponse().isCommitted()) {
             try {
                 httpContext.getResponse().sendRedirect(originalRequest);
             } catch (IOException e) {
@@ -179,5 +179,7 @@ public void logout(final SecurityContext context) throws AuthenticationException
         for (final AuthenticatedStorageProvider storeProvider : authStorageProviders) {
             storeProvider.cleanup(context);
         }
+        final HttpSecurityContext httpContext = checkInstanceOf("context", context, HttpSecurityContext.class);
+        httpContext.getRequest().getSession().invalidate();
     }
 }
diff --git a/...rity-server/src/main/java/org/uberfire/security/server/auth/JACCAuthenticationScheme.java b/...rity-server/src/main/java/org/uberfire/security/server/auth/JACCAuthenticationScheme.java
@@ -0,0 +1,26 @@
+package org.uberfire.security.server.auth;
+
+import org.uberfire.security.SecurityContext;
+import org.uberfire.security.auth.AuthenticationScheme;
+import org.uberfire.security.auth.Credential;
+import org.uberfire.security.impl.auth.UserNameCredential;
+import org.uberfire.security.server.HttpSecurityContext;
+
+import static org.kie.commons.validation.Preconditions.checkInstanceOf;
+
+public class JACCAuthenticationScheme extends FormAuthenticationScheme implements AuthenticationScheme {
+
+    @Override
+    public void challengeClient(SecurityContext context) {
+
+    }
+
+    @Override
+    public Credential buildCredential(SecurityContext context) {
+
+        final HttpSecurityContext httpSecurityContext = checkInstanceOf("context", context, HttpSecurityContext.class);
+
+        final String userName = httpSecurityContext.getRequest().getUserPrincipal().getName();
+        return new UserNameCredential(userName);
+    }
+}
diff --git a/...rver/src/main/java/org/uberfire/security/server/auth/source/JACCAuthenticationSource.java b/...rver/src/main/java/org/uberfire/security/server/auth/source/JACCAuthenticationSource.java
@@ -0,0 +1,100 @@
+package org.uberfire.security.server.auth.source;
+
+import java.security.acl.Group;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.security.auth.Subject;
+import javax.security.jacc.PolicyContext;
+
+import org.uberfire.security.Role;
+import org.uberfire.security.auth.AuthenticationSource;
+import org.uberfire.security.auth.Credential;
+import org.uberfire.security.auth.Principal;
+import org.uberfire.security.auth.RoleProvider;
+import org.uberfire.security.impl.auth.UserNameCredential;
+
+import static org.kie.commons.validation.Preconditions.checkInstanceOf;
+import static org.uberfire.security.server.SecurityConstants.*;
+
+public class JACCAuthenticationSource implements AuthenticationSource, RoleProvider{
+
+    public static final String DEFAULT_ROLE_PRINCIPLE_NAME = "Roles";
+    private String rolePrincipleName = DEFAULT_ROLE_PRINCIPLE_NAME;
+
+    @Override
+    public void initialize(Map<String, ?> options) {
+        if (options.containsKey(ROLES_IN_CONTEXT_KEY)) {
+            rolePrincipleName = (String) options.get(ROLES_IN_CONTEXT_KEY);
+        }
+    }
+
+    @Override public boolean supportsCredential(Credential credential) {
+        if (credential == null) {
+            return false;
+        }
+        return credential instanceof UserNameCredential;
+    }
+
+    @Override public boolean authenticate(Credential credential) {
+        final UserNameCredential userNameCredential = checkInstanceOf("credential", credential, UserNameCredential.class);
+        try {
+            Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
+
+            if (subject != null) {
+                Set<java.security.Principal> principals = subject.getPrincipals();
+
+                if (principals != null) {
+                    for (java.security.Principal p : principals) {
+                        if (p.getName().equals(userNameCredential.getUserName())) {
+                            return true;
+                        }
+                    }
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    @Override
+    public List<Role> loadRoles(Principal principal) {
+        List<Role> roles = null;
+        try {
+            Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
+
+            if (subject != null) {
+                Set<java.security.Principal> principals = subject.getPrincipals();
+
+                if (principals != null) {
+                    roles = new ArrayList<Role>();
+                    for (java.security.Principal p : principals) {
+                        if (p instanceof Group && rolePrincipleName.equalsIgnoreCase(p.getName())) {
+                            Enumeration<? extends java.security.Principal> groups = ((Group) p).members();
+
+                            while (groups.hasMoreElements()) {
+                                final java.security.Principal groupPrincipal = (java.security.Principal) groups.nextElement();
+                                roles.add(new Role() {
+                                    @Override
+                                    public String getName() {
+                                        return groupPrincipal.getName();
+                                    }
+                                });
+
+                            }
+                            break;
+
+                        }
+
+                    }
+                }
+            }
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+        return roles;
+    }
+}