001: /*
002: * JOSSO: Java Open Single Sign-On
003: *
004: * Copyright 2004-2008, Atricore, Inc.
005: *
006: * This is free software; you can redistribute it and/or modify it
007: * under the terms of the GNU Lesser General Public License as
008: * published by the Free Software Foundation; either version 2.1 of
009: * the License, or (at your option) any later version.
010: *
011: * This software is distributed in the hope that it will be useful,
012: * but WITHOUT ANY WARRANTY; without even the implied warranty of
013: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014: * Lesser General Public License for more details.
015: *
016: * You should have received a copy of the GNU Lesser General Public
017: * License along with this software; if not, write to the Free
018: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
019: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
020: */
021:
022: package org.josso.tc50.agent.jaas;
023:
024: import org.apache.commons.logging.Log;
025: import org.apache.commons.logging.LogFactory;
026: import org.josso.Lookup;
027: import org.josso.gateway.identity.SSORole;
028: import org.josso.gateway.identity.SSOUser;
029: import org.josso.gateway.identity.exceptions.SSOIdentityException;
030: import org.josso.gateway.identity.service.SSOIdentityManager;
031:
032: import javax.security.auth.Subject;
033: import javax.security.auth.callback.*;
034: import javax.security.auth.login.FailedLoginException;
035: import javax.security.auth.login.LoginException;
036: import javax.security.auth.spi.LoginModule;
037: import java.util.Map;
038:
039: /**
040: * SSO Gateway JAAS Login Module.
041: *
042: * This Login Module authenticates an SSO Session against the Single Sign-on Gateway
043: * by getting the associated user and roles and filling it to the provided Subject.
044: * This way clients can obtain the authenticated identity associated with the session and use it
045: * to protect resources (ie: web, etc.).
046: *
047: * @author <a href="mailto:gbrigand@josso.org">Gianluca Brigandi</a>
048: * @version CVS $Id: SSOGatewayLoginModule.java 508 2008-02-18 13:32:29Z sgonzalez $
049: */
050: public class SSOGatewayLoginModule implements LoginModule {
051:
052: private static final Log logger = LogFactory
053: .getLog(SSOGatewayLoginModule.class);
054:
055: // initial state
056: private Subject _subject;
057: private CallbackHandler _callbackHandler;
058:
059: // the authentication status
060: protected boolean _succeeded;
061: protected boolean commitSucceeded;
062:
063: // the logged user and his roles.
064: protected SSOUser _ssoUserPrincipal;
065: protected SSORole[] _ssoRolePrincipals;
066:
067: /**
068: * Initialize this LoginModule
069: *
070: * @param subject the Subject to be authenticated.
071: *
072: * @param callbackHandler a CallbackHandler for communicating
073: * with the end user (prompting for user names and
074: * passwords, for example).
075: *
076: * @param sharedState shared LoginModule state.
077: *
078: * @param options options specified in the login Configuration
079: * for this particular LoginModule.
080: */
081: public void initialize(Subject subject,
082: CallbackHandler callbackHandler, Map sharedState,
083: Map options) {
084:
085: this ._subject = subject;
086: this ._callbackHandler = callbackHandler;
087: }
088:
089: /**
090: * Authenticate the user by prompting for the SSO Session Identifier assigned by the SSO Gateway on logon.
091: *
092: * This method obtains from the gateway, using the provided session identifier, the user associated with
093: * such session identifier.
094: * Only the NameCallBack is used, since its not a user/password pair but only one value containing the session
095: * identifier. Any other callback type is ignored.
096: *
097: * @return true in all cases since this LoginModule
098: * should not be ignored.
099: *
100: * @exception javax.security.auth.login.FailedLoginException if the authentication fails.
101: *
102: * @exception javax.security.auth.login.LoginException if this LoginModule
103: * is unable to perform the authentication.
104: */
105: public boolean login() throws LoginException {
106:
107: if (_callbackHandler == null)
108: throw new LoginException(
109: "Error: no CallbackHandler available "
110: + "to garner authentication information from the user");
111:
112: Callback[] callbacks = new Callback[2];
113:
114: // Just ask for the session identifier
115: callbacks[0] = new NameCallback("JOSSO Session Identifier");
116: callbacks[1] = new PasswordCallback("password", false);
117:
118: String ssoSessionId;
119: String ssoSessionId2 = null;
120: try {
121: _callbackHandler.handle(callbacks);
122: ssoSessionId = ((NameCallback) callbacks[0]).getName();
123: if (((PasswordCallback) callbacks[1]).getPassword() != null)
124: ssoSessionId2 = String
125: .valueOf(((PasswordCallback) callbacks[1])
126: .getPassword());
127: } catch (java.io.IOException ioe) {
128: throw new LoginException(ioe.toString());
129: } catch (UnsupportedCallbackException uce) {
130: throw new LoginException(
131: "Error: "
132: + uce.getCallback().toString()
133: + " not available to garner authentication information "
134: + "from the user");
135: }
136:
137: logger.debug("Session requested authentication to gateway : "
138: + ssoSessionId + "/" + ssoSessionId2);
139:
140: try {
141:
142: if (ssoSessionId2 != null
143: && !ssoSessionId2.equals(ssoSessionId))
144: ssoSessionId = ssoSessionId2;
145:
146: // If no session is found, ignore this module.
147: if (ssoSessionId == null) {
148: logger.debug("Session authentication failed : "
149: + ssoSessionId);
150: _succeeded = false;
151: return false;
152: }
153:
154: SSOIdentityManager im = Lookup.getInstance()
155: .lookupSSOAgent().getSSOIdentityManager();
156: SSOUser ssoUser = im.findUserInSession(ssoSessionId);
157:
158: logger.debug("Session authentication succeeded : "
159: + ssoSessionId);
160: _ssoUserPrincipal = ssoUser;
161: _succeeded = true;
162:
163: } catch (SSOIdentityException e) {
164: // Ignore this ... (user does not exist for this session)
165: //if ( logger.isDebugEnabled())
166: logger.debug(e.getMessage());
167: _succeeded = false;
168: return false;
169:
170: } catch (Exception e) {
171: // logger.error("Session authentication failed : " + ssoSessionId, e);
172: _succeeded = false;
173: clearCredentials();
174: throw new FailedLoginException(
175: "Fatal error authenticating session : " + e);
176: }
177:
178: return true;
179: }
180:
181: /**
182: * This method is called if the LoginContext's overall authentication succeeded.
183: *
184: * Using the SSO user name, saved by the previosuly executed login() operation, obtains from the gateway
185: * the roles associated with the user and fills the Subject with the user and role principals.
186: * If this LoginModule's own authentication attempted failed, then this method removes any state that was
187: * originally saved.
188: *
189: * @exception LoginException if the commit fails.
190: *
191: * @return true if this LoginModule's own login and commit
192: * attempts succeeded, or false otherwise.
193: */
194: public boolean commit() throws LoginException {
195: if (_succeeded == false) {
196: return false;
197: } else {
198:
199: try {
200:
201: // Add the SSOUser as a Principal
202: if (!_subject.getPrincipals().contains(
203: _ssoUserPrincipal)) {
204: _subject.getPrincipals().add(_ssoUserPrincipal);
205: }
206:
207: logger
208: .debug("Added SSOUser Principal to the Subject : "
209: + _ssoUserPrincipal);
210:
211: _ssoRolePrincipals = getRoleSets();
212:
213: // Add to the Subject the SSORoles associated with the SSOUser .
214: for (int i = 0; i < _ssoRolePrincipals.length; i++) {
215: if (_subject.getPrincipals().contains(
216: _ssoRolePrincipals[i]))
217: continue;
218:
219: _subject.getPrincipals().add(_ssoRolePrincipals[i]);
220: logger
221: .debug("Added SSORole Principal to the Subject : "
222: + _ssoRolePrincipals[i]);
223: }
224:
225: commitSucceeded = true;
226: return true;
227: } catch (Exception e) {
228: // logger.error("Session login failed for Principal : " + _ssoUserPrincipal, e);
229: throw new LoginException(
230: "Session login failed for Principal : "
231: + _ssoUserPrincipal);
232: } finally {
233: // in any case, clean out state
234: clearCredentials();
235: }
236:
237: }
238: }
239:
240: /**
241: * This method is called if the LoginContext's
242: * overall authentication failed.
243: *
244: * @exception LoginException if the abort fails.
245: *
246: * @return false if this LoginModule's own login and/or commit attempts
247: * failed, and true otherwise.
248: */
249: public boolean abort() throws LoginException {
250: if (_succeeded == false) {
251: return false;
252: } else if (_succeeded == true && commitSucceeded == false) {
253: // login _succeeded but overall authentication failed
254: _succeeded = false;
255: clearCredentials();
256: } else {
257: // overall authentication _succeeded and commit _succeeded,
258: // but someone else's commit failed
259: logout();
260: }
261: return true;
262: }
263:
264: /**
265: * Logout the user.
266: *
267: * This method removes the SSO User and Role Principals from the Subject that were added by the commit()
268: * method.
269: *
270: * @exception LoginException if the logout fails.
271: *
272: * @return true in all cases since this LoginModule
273: * should not be ignored.
274: */
275: public boolean logout() throws LoginException {
276: _subject.getPrincipals().remove(_ssoUserPrincipal);
277: logger.debug("Removed SSOUser Principal from Subject : "
278: + _ssoUserPrincipal);
279:
280: // Remove all the SSORole Principals from the Subject.
281: for (int i = 0; i < _ssoRolePrincipals.length; i++) {
282: _subject.getPrincipals().remove(_ssoRolePrincipals[i]);
283: logger.debug("Removed SSORole Principal from Subject : "
284: + _ssoRolePrincipals[i]);
285: }
286:
287: _succeeded = commitSucceeded;
288: clearCredentials();
289: return true;
290: }
291:
292: /**
293: * Reset the login module state.
294: */
295: private void clearCredentials() {
296: _ssoUserPrincipal = null;
297: _ssoRolePrincipals = null;
298: }
299:
300: /**
301: * Retreives the list of roles associated to current principal
302: */
303: protected SSORole[] getRoleSets() throws LoginException {
304: try {
305: // obtain user roles principals and add it to the subject
306: SSOIdentityManager im = Lookup.getInstance()
307: .lookupSSOAgent().getSSOIdentityManager();
308:
309: return im.findRolesByUsername(_ssoUserPrincipal.getName());
310: } catch (Exception e) {
311: // logger.error("Session login failed for Principal : " + _ssoUserPrincipal, e);
312: throw new LoginException(
313: "Session login failed for Principal : "
314: + _ssoUserPrincipal);
315: }
316:
317: }
318: }
|