/*
* JOSSO: Java Open Single Sign-On
*
* Copyright 2004-2009, Atricore, Inc.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*
*/
package org.josso.jb5.agent;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.josso.gateway.identity.SSORole;
import org.josso.gateway.identity.SSOUser;
import org.josso.gateway.identity.service.BaseRoleImpl;
import org.josso.gateway.identity.service.BaseUserImpl;
import org.josso.jaspi.agent.SSOGatewayLoginModule;
/**
* SSOGatewayLogin Module for JBoss.
*
* Adds support for the unauthenticatedIdentity property used by JBoss.
*/
public class JBossSSOGatewayLoginModule extends SSOGatewayLoginModule {
private static final Log logger = LogFactory.getLog(JBossSSOGatewayLoginModule.class);
/** the principal to use when user is not authenticated **/
protected SSOUser _unauthenticatedIdentity;
private Subject _savedSubject;
/**
* This method supports the unauthenticatedIdentity property used by JBoss.
*
* @see org.josso.jaspi.agent.SSOGatewayLoginModule#initialize(Subject, CallbackHandler, Map, Map)
*/
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options) {
_savedSubject = subject;
super.initialize(subject, callbackHandler, sharedState, options);
// Check for unauthenticatedIdentity option.
String name = (String) options.get("unauthenticatedIdentity");
if (name != null) {
try {
_unauthenticatedIdentity = createIdentity(name);
logger.debug("Saw unauthenticatedIdentity="+name);
} catch(Exception e) {
logger.warn("Failed to create custom unauthenticatedIdentity", e);
}
}
}
/**
* This method supports the unauthenticatedIdentity property used by JBoss.
*
* @see org.josso.jaspi.agent.SSOGatewayLoginModule#login()
*/
public boolean login() throws LoginException {
if (!super.login()) {
// We have an unauthenticated user, use configured Principal
if (_unauthenticatedIdentity != null) {
logger.debug("Authenticated as unauthenticatedIdentity : " + _unauthenticatedIdentity);
_ssoUserPrincipal = _unauthenticatedIdentity;
_succeeded = true;
return true;
}
return false;
}
return true;
}
/**
* The Subject saved in the previously executed initialize() method, is modified
* by adding a new special Group called "Roles" whose members are the SSO user roles.
* JBoss will fetch user roles by examining such group.
*
* @see org.josso.jaspi.agent.SSOGatewayLoginModule#logout()
*/
public boolean commit() throws LoginException {
boolean rc = false;
rc = super.commit();
Set ssoRolePrincipals = _savedSubject.getPrincipals(SSORole.class);
Group targetGrp = new BaseRoleImpl("Roles");
Iterator i = ssoRolePrincipals.iterator();
while (i.hasNext()) {
Principal p = (Principal)i.next();
targetGrp.addMember(p); // Add user role to "Roles" group
}
// Add the "Roles" group to the Subject so that JBoss can fetch user roles.
_savedSubject.getPrincipals().add(targetGrp);
Set ssoUserPrincipals = _savedSubject.getPrincipals(SSOUser.class);
Group callerPrincipal = new BaseRoleImpl("CallerPrincipal");
Iterator j = ssoUserPrincipals.iterator();
if (j.hasNext()) {
Principal user = (Principal) j.next();
callerPrincipal.addMember(user);
}
// Add the "CallerPrincipal" group to the Subject so that JBoss can fetch user.
_savedSubject.getPrincipals().add(callerPrincipal);
return rc;
}
/**
* Retreives the list of roles associated to current principal.
* This method supports the unauthenticatedIdentity property used by JBoss.
*/
protected SSORole[] getRoleSets() throws LoginException {
if (_ssoUserPrincipal == _unauthenticatedIdentity) {
// Using unauthenticatedIdentity ...
if(logger.isDebugEnabled()) {
logger.debug("Using unauthenticatedIdentity " + _ssoUserPrincipal + ", returning no roles.");
}
return new SSORole[0];
}
return super.getRoleSets();
}
/**
* Creates BaseUser implementation with the given name.
*
* @param username username
* @return BaseUserImpl
*/
protected SSOUser createIdentity(String username) {
return new BaseUserImpl(username);
}
}