JaasSecurityDomainIdentityLoginModule


1   /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10  * the License, or (at your option) any later version.
11  *
12  * This software is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this software; if not, write to the Free
19  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21  */
22  package org.jboss.resource.security;
23  
24  import java.security.acl.Group  ;
25  import java.security.Principal  ;
26  import java.security.PrivilegedExceptionAction  ;
27  import java.security.AccessController  ;
28  import java.security.PrivilegedActionException  ;
29  import java.util.Map  ;
30  import javax.resource.spi.security.PasswordCredential  ;
31  import javax.security.auth.Subject  ;
32  import javax.security.auth.callback.CallbackHandler  ;
33  import javax.security.auth.login.LoginException  ;
34  import javax.management.ObjectName  ;
35  import javax.management.MBeanServer  ;
36  
37  import org.jboss.security.SimplePrincipal;
38  import org.jboss.logging.Logger;
39  
40  /** A login module for statically defining a data source username and password
41   that uses a password that has been ecrypted by a JaasSecurityDomain. The
42   base64 format of the data source password may be generated using the PBEUtils
43   command:
44   
45   java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils salt count
46     domain-password data-source-password
47  
48   salt : the Salt attribute from the JaasSecurityDomain
49   count : the IterationCount attribute from the JaasSecurityDomain
50   domain-password : the plaintext password that maps to the KeyStorePass
51     attribute from the JaasSecurityDomain
52   data-source-password : the plaintext password for the data source that
53     should be encrypted with the JaasSecurityDomain password
54  
55   for example:
56  
57   java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master ''
58   Encoded password: E5gtGMKcXPP
59  
60   A sample login-config.xml configuration entry would be:
61   
62   <application-policy name = "EncryptedHsqlDbRealm">
63      <authentication>
64         <login-module code = "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
65         flag = "required">
66            <module-option name = "userName">sa</module-option>
67            <module-option name = "password">E5gtGMKcXPP</module-option>
68            <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
69            <module-option name = "jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
70         </login-module>
71      </authentication>
72   </application-policy>
73  
74  
75   @author Scott.Stark@jboss.org
76   @author <a HREF="mailto:noel.rocher@jboss.org">Noel Rocher</a> 29, june 2004 username & userName issue
77   @version $Revision: 37459 $
78   */
79  public class JaasSecurityDomainIdentityLoginModule
80     extends AbstractPasswordCredentialLoginModule
81  {
82     private static final Logger log = Logger.getLogger(JaasSecurityDomainIdentityLoginModule.class);
83  
84     private String   username;
85     private String   password;
86     private ObjectName   jaasSecurityDomain;
87  
88     public void initialize(Subject   subject, CallbackHandler   handler,
89        Map   sharedState, Map   options)
90     {
91        super.initialize(subject, handler, sharedState, options);
92        // NR : we keep this username for compatibility
93        username = (String  ) options.get("username");
94        if( username == null )
95        {
96          // NR : try with userName
97          username = (String  ) options.get("userName");        
98          if( username == null )
99          {
100          throw new IllegalArgumentException  ("The user name is a required option");
101         }
102      }
103 
104       password = (String  ) options.get("password");
105       if( password == null )
106       {
107          throw new IllegalArgumentException  ("The password is a required option");
108       }
109 
110       String   name = (String  ) options.get("jaasSecurityDomain");
111       if( name == null )
112       {
113          throw new IllegalArgumentException  ("The jaasSecurityDomain is a required option");
114       }
115 
116       try
117       {
118          jaasSecurityDomain = new ObjectName  (name);
119       }
120       catch(Exception   e)
121       {
122          throw new IllegalArgumentException  ("Invalid jaasSecurityDomain: " + e.getMessage());
123       }
124    }
125 
126    public boolean login() throws LoginException  
127    {
128       log.trace("login called");
129       if( super.login() == true )
130          return true;
131 
132       super.loginOk = true;
133       return true;
134    }
135 
136    public boolean commit() throws LoginException  
137    {
138       Principal   principal = new SimplePrincipal(username);
139       SubjectActions.addPrincipals(subject, principal);
140       sharedState.put("javax.security.auth.login.name", username);
141       // Decode the encrypted password
142       try
143       {
144          char[] decodedPassword = DecodeAction.decode(password,
145             jaasSecurityDomain, getServer());
146          PasswordCredential   cred = new PasswordCredential  (username, decodedPassword);
147          cred.setManagedConnectionFactory(getMcf());
148          SubjectActions.addCredentials(subject, cred);
149       }
150       catch(Exception   e)
151       {
152          log.debug("Failed to decode password", e);
153          throw new LoginException  ("Failed to decode password: " + e.getMessage());
154       }
155       return true;
156    }
157 
158    public boolean abort()
159    {
160       username = null;
161       password = null;
162       return true;
163    }
164 
165    protected Principal   getIdentity()
166    {
167       log.trace("getIdentity called, username=" + username);
168       Principal   principal = new SimplePrincipal(username);
169       return principal;
170    }
171 
172    protected Group  [] getRoleSets() throws LoginException  
173    {
174       Group  [] empty = new Group  [0];
175       return empty;
176    }
177 
178    private static class DecodeAction implements PrivilegedExceptionAction  
179    {
180       String   password;
181       ObjectName   jaasSecurityDomain;
182       MBeanServer   server;
183       
184       DecodeAction(String   password, ObjectName   jaasSecurityDomain,
185          MBeanServer   server)
186       {
187          this.password = password;
188          this.jaasSecurityDomain = jaasSecurityDomain;
189          this.server = server;
190       }
191 
192       /**
193        * 
194        * @return
195        * @throws Exception
196        */ 
197       public Object   run() throws Exception  
198       {
199          // Invoke the jaasSecurityDomain.decodeb64 op
200          Object  [] args = {password};
201          String  [] sig = {String  .class.getName()};
202          byte[] secret = (byte[]) server.invoke(jaasSecurityDomain,
203             "decode64", args, sig);
204          // Convert to UTF-8 base char array
205          String   secretPassword = new String  (secret, "UTF-8");
206          return secretPassword.toCharArray();
207       }
208       static char[] decode(String   password, ObjectName   jaasSecurityDomain,
209          MBeanServer   server)
210          throws Exception  
211       {
212          DecodeAction action = new DecodeAction(password, jaasSecurityDomain, server);
213          try
214          {
215             char[] decode = (char[]) AccessController.doPrivileged(action);
216             return decode;
217          }
218          catch(PrivilegedActionException   e)
219          {
220             throw e.getException();
221          }
222       }
223    }
224 }
225
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags