/* * JOSSO: Java Open Single Sign-On * * Copyright 2004-2009, Atricore, Inc. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * */ package org.josso.jb5.agent; import java.security.Principal; import java.security.acl.Group; import java.util.Iterator; import java.util.Map; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.login.LoginException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.josso.gateway.identity.SSORole; import org.josso.gateway.identity.SSOUser; import org.josso.gateway.identity.service.BaseRoleImpl; import org.josso.gateway.identity.service.BaseUserImpl; import org.josso.jaspi.agent.SSOGatewayLoginModule; /** * SSOGatewayLogin Module for JBoss. * * Adds support for the unauthenticatedIdentity property used by JBoss. */ public class JBossSSOGatewayLoginModule extends SSOGatewayLoginModule { private static final Log logger = LogFactory.getLog(JBossSSOGatewayLoginModule.class); /** the principal to use when user is not authenticated **/ protected SSOUser _unauthenticatedIdentity; private Subject _savedSubject; /** * This method supports the unauthenticatedIdentity property used by JBoss. * * @see org.josso.jaspi.agent.SSOGatewayLoginModule#initialize(Subject, CallbackHandler, Map, Map) */ public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { _savedSubject = subject; super.initialize(subject, callbackHandler, sharedState, options); // Check for unauthenticatedIdentity option. String name = (String) options.get("unauthenticatedIdentity"); if (name != null) { try { _unauthenticatedIdentity = createIdentity(name); logger.debug("Saw unauthenticatedIdentity="+name); } catch(Exception e) { logger.warn("Failed to create custom unauthenticatedIdentity", e); } } } /** * This method supports the unauthenticatedIdentity property used by JBoss. * * @see org.josso.jaspi.agent.SSOGatewayLoginModule#login() */ public boolean login() throws LoginException { if (!super.login()) { // We have an unauthenticated user, use configured Principal if (_unauthenticatedIdentity != null) { logger.debug("Authenticated as unauthenticatedIdentity : " + _unauthenticatedIdentity); _ssoUserPrincipal = _unauthenticatedIdentity; _succeeded = true; return true; } return false; } return true; } /** * The Subject saved in the previously executed initialize() method, is modified * by adding a new special Group called "Roles" whose members are the SSO user roles. * JBoss will fetch user roles by examining such group. * * @see org.josso.jaspi.agent.SSOGatewayLoginModule#logout() */ public boolean commit() throws LoginException { boolean rc = false; rc = super.commit(); Set ssoRolePrincipals = _savedSubject.getPrincipals(SSORole.class); Group targetGrp = new BaseRoleImpl("Roles"); Iterator i = ssoRolePrincipals.iterator(); while (i.hasNext()) { Principal p = (Principal)i.next(); targetGrp.addMember(p); // Add user role to "Roles" group } // Add the "Roles" group to the Subject so that JBoss can fetch user roles. _savedSubject.getPrincipals().add(targetGrp); Set ssoUserPrincipals = _savedSubject.getPrincipals(SSOUser.class); Group callerPrincipal = new BaseRoleImpl("CallerPrincipal"); Iterator j = ssoUserPrincipals.iterator(); if (j.hasNext()) { Principal user = (Principal) j.next(); callerPrincipal.addMember(user); } // Add the "CallerPrincipal" group to the Subject so that JBoss can fetch user. _savedSubject.getPrincipals().add(callerPrincipal); return rc; } /** * Retreives the list of roles associated to current principal. * This method supports the unauthenticatedIdentity property used by JBoss. */ protected SSORole[] getRoleSets() throws LoginException { if (_ssoUserPrincipal == _unauthenticatedIdentity) { // Using unauthenticatedIdentity ... if(logger.isDebugEnabled()) { logger.debug("Using unauthenticatedIdentity " + _ssoUserPrincipal + ", returning no roles."); } return new SSORole[0]; } return super.getRoleSets(); } /** * Creates BaseUser implementation with the given name. * * @param username username * @return BaseUserImpl */ protected SSOUser createIdentity(String username) { return new BaseUserImpl(username); } }