/*
 * HSM Proxy Project.
 * Copyright (C) 2013 FedICT.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License version
 * 3.0 as published by the Free Software Foundation.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, see
 * http://www.gnu.org/licenses/.
 */

package be.fedict.hsm.model.security;

import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Application JAAS Login Module. Besides assigning a role (RBAC), this login
 * module also maps from the credential towards a specific application
 * identifier (implies a form of discretionary access control).
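 *
 * <p>
 * Lifecycle as driven by the JAAS {@code LoginContext}: {@link #login()}
 * collects a username and password through the {@link CallbackHandler} and
 * resolves them to an application identifier via
 * {@link ApplicationSecurityBean#getAuthenticatedApplication(String, char[])};
 * {@link #commit()} then adds that identifier as a {@link SimplePrincipal}
 * plus the {@link ApplicationRoles#APPLICATION} role (wrapped in a
 * {@link JBossRolesGroup}) to the subject. The password is wiped from memory
 * as soon as the security bean has evaluated it.
 * </p>
 *
 * <p>
 * NOTE(review): {@link #logout()} (and through it {@link #abort()}) clears
 * <em>all</em> principals of the subject, not only the ones this module
 * added. That is fine for a single-module configuration; in a stacked JAAS
 * configuration it would also discard principals of sibling modules - confirm
 * before stacking.
 * </p>
 *
 * @author Frank Cornelis
 */
public class ApplicationLoginModule implements LoginModule {

    private static final Log LOG = LogFactory.getLog(ApplicationLoginModule.class);

    private Subject subject;

    private CallbackHandler callbackHandler;

    private ApplicationSecurityBean applicationSecurityBean;

    // Application identifier resolved by login(); null until login succeeded,
    // and set back to null by reset() once commit/logout has consumed it.
    private String authenticatedApplication;

    public ApplicationLoginModule() {
        super();
        LOG.debug("constructor");
    }

    /**
     * Stores the subject and callback handler handed over by the
     * {@code LoginContext} and looks up the application security bean.
     *
     * @param subject         the subject to populate on {@link #commit()}.
     * @param callbackHandler used by {@link #login()} to obtain username and
     *                        password; may be {@code null}, in which case
     *                        {@link #login()} fails with a
     *                        {@link LoginException}.
     * @param sharedState     unused by this module.
     * @param options         unused by this module.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        LOG.debug("initialize");
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.applicationSecurityBean = ApplicationSecurityBean.getInstance();
    }

    /**
     * Authenticates the caller: obtains username and password through the
     * callback handler and asks the application security bean which
     * application they belong to.
     *
     * @return {@code true} when an application could be resolved.
     * @throws LoginException when no callback handler is available, when the
     *                        handler fails, when username or password are
     *                        missing, or when the credential does not map to
     *                        an application.
     */
    @Override
    public boolean login() throws LoginException {
        LOG.debug("login");
        // The JAAS contract asks for a LoginException here rather than an NPE.
        if (null == this.callbackHandler) {
            throw new LoginException("no CallbackHandler available");
        }
        NameCallback nameCallback = new NameCallback("username");
        PasswordCallback passwordCallback = new PasswordCallback("password", false);
        Callback[] callbacks = new Callback[] { nameCallback, passwordCallback };
        try {
            this.callbackHandler.handle(callbacks);
        } catch (Exception e) {
            // Broad catch kept on purpose so every handler failure surfaces as
            // a LoginException; the original exception is preserved as cause
            // instead of being flattened to its message.
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
        String username = nameCallback.getName();
        // getPassword() returns a copy; the callback keeps its own, which we
        // clear right away so the secret lives in exactly one array.
        char[] credential = passwordCallback.getPassword();
        passwordCallback.clearPassword();
        try {
            if (null == username || null == credential) {
                throw new LoginException("missing username or password");
            }
            String application = this.applicationSecurityBean
                    .getAuthenticatedApplication(username, credential);
            if (null == application) {
                throw new LoginException("invalid application: " + username);
            }
            this.authenticatedApplication = application;
            return true;
        } finally {
            // Wipe the password regardless of outcome so it is not left for
            // heap dumps or GC to find.
            if (null != credential) {
                Arrays.fill(credential, '\0');
            }
        }
    }

    /**
     * Populates the subject when {@link #login()} succeeded: the application
     * identifier becomes a {@link SimplePrincipal} and the
     * {@link ApplicationRoles#APPLICATION} role is added inside a
     * {@link JBossRolesGroup}. Does nothing when no application was
     * authenticated.
     *
     * @return always {@code true}, also when nothing was added (the module
     *         never asks to be ignored).
     */
    @Override
    public boolean commit() throws LoginException {
        if (null != this.authenticatedApplication) {
            LOG.debug("commit");
            Set<Principal> principals = this.subject.getPrincipals();
            principals.add(new SimplePrincipal(this.authenticatedApplication));
            JBossRolesGroup rolesGroup = new JBossRolesGroup();
            rolesGroup.addMember(new SimplePrincipal(ApplicationRoles.APPLICATION));
            principals.add(rolesGroup);
            // The identifier is now carried by the subject; drop our copy.
            reset();
        }
        return true;
    }

    /**
     * Undoes a failed overall login by delegating to {@link #logout()}.
     *
     * @return always {@code true}.
     */
    @Override
    public boolean abort() throws LoginException {
        LOG.debug("abort");
        logout();
        return true;
    }

    /**
     * Forgets the authenticated application and removes every principal from
     * the subject.
     *
     * @return always {@code true}.
     */
    @Override
    public boolean logout() throws LoginException {
        reset();
        this.subject.getPrincipals().clear();
        return true;
    }

    // Clears the per-login state so a later login() starts from scratch.
    private void reset() {
        this.authenticatedApplication = null;
    }
}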